GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗
- Author: Adv. Prashant Mali
Book online «GDPR Articles With Commentary & EU Case Laws - Adv. Prashant Mali (bill gates book recommendations .TXT) 📗». Author Adv. Prashant Mali
I Sincerely want to put on record my deep appreciation and salute to the team working on this book with special reference to Lawyer Tejal Patel, she has gone extra length to research and formalize the contents of this book.
Author
Prashant Mali [M.Sc. (Computer Science), LL.M] Chevening Cyber Security Fellow (UK) & IVLP (USA) Email: cyberlawconsulting@gmail.com
CHAPTER 1: GENERAL PROVISIONSCHAPTER 1: GENERAL PROVISIONS
Art. 1 GDPR Subject-matter and objectives
This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
Suitable Recitals
(1) Data protection as a fundamental right; (2) Respect of the fundamental rights and freedoms; (3) Directive 95/46/EC harmonization; (4) Data protection in balance with other fundamental rights; (5) Cooperation between Member States to exchange personal data; (6) Ensuring a high level of data protection despite the increased exchange of data; (7) The framework is based on control and certainty; (8) Adoption into national law; (9) Different standards of protection by the Directive 95/46/EC; (10) Harmonised level of data protection despite national scope; (11) Harmonisation of the powers and sanctions; (12) Authorization of the European Parliament and the Council.
COMMENTARY:
The European Union’s (EU) view on data protection is closely linked to privacy issues, which does not appear to always be the right approach in dealing with data protection. The privacy concept as outlined in Art. 8 of the European Convention on Human Rights refers mainly to the right to private and family life, respect of private home and private correspondence. The data protection could include privacy issues but is not limited to them.
Data protection means the right of a person to know which data is gathered in regards to her person, how the data is used, aggregated, protected, and where the data is transmitted. Anyone has the right to have access to that data and to modify it. In all cases, the person has to give his/her consent for that data to be used by another person, government, or any other entity. Data protection values are not essentially privacy related ones. These values cannot be dealt with just through the privacy perspective. They are autonomous values, which grant fundamental rights: the right to data protection as recognised by Article 8 in the Charter of Fundamental Rights of the European Union: “Protection of personal data: Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified”.
The recognition of data protection by the EU legal framework constitutes an important step made towards the recognition of the Data Protection Directive, which for years has been perceived as having two main attributes: granting and protecting the free movement of personal information and the protection of fundamental rights and freedoms of an individual (from the privacy perspective). The recognition of the right to data protection given by the Charter, this could be considered as a way to give more weight to the fundamental rights dimension of the Directive. Some countries in the EU as such France and Germany, perceive privacy as not being related to data protection. Contrarily, other countries such as Belgium and The Netherlands, closely link together data protection to privacy. For this reason, recognising data protection as an individual freedom could help diminish the gaps in interpretation among EU Member States in this field.
Unfortunately, the EU legal framework regarding data protection is quite fragmented. The Directives regulating this area of data protection (Directive 95/46, Directive 2002/58, and Directive 2002/2) are overlapping, cover the same legal field and also have vague definitions (at least regarding the Location Based Services LBS). This comes against normal consumer-provider relations because the consumers will not be effectively and uniformly protected in their rights and the providers, by not knowing and understanding the regulations, will diminish or stop their service that goes against the consumer again because the choice of services in a field will be diminished.
The ruling of European Court of Justice (ECJ) in Case C-101/01, Bodil Lindqvist regarding data protection (the first of its kind), has important implications because it clarifies to individuals and companies that personal data is protected and no one can use it without prior authorization. This was a useful warning given by ECJ to those interested in using, manipulating, and accessing data, with no right or consent. It was a useful start, because since then more and more EU countries used this Directive in the right direction. Also, it was a clarification given to those countries, which did not know what the Directive 95/46/EC meant: data is protected not just through the privacy perspective but as a fundamental right as well.
Ruling on this case, ECJ tried to make a fair balance between fundamental rights and fundamental freedoms as well (the right to data protection and the freedom of expression). Dealing with these sensitive issues, it is always hard to make a decision regarding fundamental rights and harm fundamental freedoms and vice- versa. It is very hard to find the proper balance in ruling in these matters. One cannot acknowledge one fundamental right over another in a categorical manner. In this particular case the human right to data protection was definitely weighting more than the human right to freedom of expression in the ECJ’s view, because someone’s private information has the same value as someone’s right to express his/her owns beliefs, when that person uses a third party’s private information with no consent. In this case, violating fundamental freedoms such data protection for the purpose of expressing personal beliefs was found to be wrong by the ECJ.
As a conclusion, data protection is a fundamental right and should be granted and protected as any other fundamental rights. Many people are not aware that the information concerning their person is protected which leads unfortunately to many abuses from authorities, internet providers, online businesses and many others. We all could hope that in time, following important ECJ rulings as the one described above, people will consider more and more seriously their fundamental right to data protection.
Art. 2 GDPR Material scope
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
This Regulation does not apply to the processing of personal data:
in the course of an activity which falls outside the scope of Union law;
by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
by a natural person in the course of a purely personal or household activity;
by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.
Suitable Recitals
(13) Taking account of micro, small and medium-sized enterprises; (14) Not applicable to legal persons; (15) Technology neutrality; (16) Not applicable to activities regarding national and common security; (17) Adaptation of Regulation (EC) No 45/2001; (18) Not applicable to personal or household activities; (19) Not applicable to criminal prosecution; (20) Respecting the independence of the judiciary; (21) Liability rules of intermediary service providers shall remain unaffected; (27) Not applicable to data of deceased persons.
COMMENTARY:
The concept of 'personal data processing” is almost identical to that of the Directive, with two "operations” added ("structuring” and "restriction” that replaced
the “blocking"). The notion of “filing system” is strictly identical, namely "any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis" (Art. 4, 2).
This Directive was applied to the processing of personal data, wholly or partly automated, and to the non-automated processing of personal data contained or referred to in a file processed by either the public or the private sector.
The concept of automatic processing covered manual records, from the moment where the data are contained or are intended to be contained in a file. The definitions helping to understand the material scope were therefore logically focused on the concept of "personal data" (Art. 2a), "personal data processing" (Art. 2b) and "personal data filing system” (Art. 2 c).
Article 3, paragraph 2 of the Directive provided two exceptions to its scope: the first exception applied to processing in the course of an activity which falls outside the scope of Community law, such as those related to public security, defence, state security and the activities of the state in areas of criminal law. The second exception provided for in Article 3, paragraph 2, also deals with the processing by a natural person for the exercise of purely personal or household activities, such as correspondence and maintaining of directories of addresses.
Art. 3 GDPR Territorial scope
This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
the monitoring of their behaviour as far as their behaviour takes place within the Union.
This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Suitable Recitals
(22) Processing by an establishment; (23) Applicable to processors not established in the Union if data subjects within the Union are targeted; (24)
Comments (0)