Data Privacy: US, EU, GDPR

Questions and Answers

A multinational corporation headquartered outside the EU processes personal data of EU residents. Under what conditions does GDPR apply to this corporation?

• GDPR applies only if the corporation has a physical office within the EU.
• GDPR never applies to organizations outside the EU, regardless of the data they process.
• GDPR applies only if the corporation voluntarily complies with GDPR standards.
• GDPR applies only if the data processing is directly related to offering goods or services to EU residents, or monitoring their behavior within the EU. (correct)

A data controller relies on 'legitimate interest' as the justification for processing personal data. Which of the following scenarios would most likely be considered an invalid application of 'legitimate interest' under GDPR?

• Processing customer data to prevent fraud and ensure network security, where the benefits are balanced against the individual's privacy expectations.
• Processing personal data for direct marketing purposes without providing individuals an easy and consistent opt-out mechanism. (correct)
• Processing employee data for payroll and human resources management purposes, as required by local labor laws.
• Processing data to comply with a legal obligation to which the controller is subject.

A data breach occurs at a company that processes personal data on behalf of a controller. Under GDPR, what are the potential liabilities and obligations of the data processor?

• The data processor is only liable if the data processing agreement explicitly states so; otherwise, the controller bears full responsibility.
• The data processor's liability is limited to the fees paid by the data controller under their contract.
• The data processor is jointly and severally liable with the controller, and they must notify the controller without undue delay after becoming aware of a data breach. (correct)
• The data processor has no direct liability to data subjects; only the data controller can be held liable.

A company intends to collect and process biometric data (facial recognition) of its employees for security purposes. Which of the following conditions would be considered a valid justification for processing this special category of data under GDPR?

The processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment law, provided it is authorized by Union or Member State law. (A)

A data subject exercises their 'right to be forgotten' (right to erasure) under GDPR. In which of the following scenarios might the controller legitimately refuse the erasure request?

The processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject. (B)

A U.S.-based company collects personal data from EU citizens. The company stores and processes this data exclusively in the U.S. Which legal mechanism is MOST appropriate for ensuring GDPR compliance regarding the transfer of this data?

Implementation of Standard Contractual Clauses (SCCs) approved by the European Commission, combined with supplementary measures to ensure equivalent protection in the U.S. (B)

A research institution plans to use anonymized patient data for a study on a rare disease. After the data is fully anonymized, does GDPR still apply to this research?

No, if the data is truly anonymized in such a manner that the data subject is no longer identifiable, GDPR does not apply. (D)

A company updates its privacy policy to comply with GDPR. If a user continues to use the company's services after the updated policy goes into effect, is this considered valid consent under GDPR?

No, consent must be a clear affirmative act (e.g., ticking a box) and freely given; continued use is not sufficient. (D)

A large social media company suffers a data breach affecting millions of users. While the company quickly contains the breach and notifies affected users, it delays notifying the supervisory authority beyond the 72-hour deadline. What are the potential consequences under GDPR?

The company may face a fine of up to 2% of its annual global turnover for failing to notify the supervisory authority within the required timeframe, in addition to other potential penalties related to the breach itself. (D)

A company is establishing a data retention policy for customer data. Under GDPR principles, what is the MOST appropriate approach?

Retain customer data only for as long as necessary to fulfill the purposes for which it was collected, and securely delete or anonymize it after that period. (D)

In the context of US data privacy laws, which of the following statements accurately reflects a key difference between state and federal approaches?

State laws often introduce broader, more general data privacy rights (like CCPA), whereas federal laws tend to be sector-specific. (D)

A small business in the US experiences a data breach affecting customer data. What factors will determine the business's legal obligations following the breach?

The business must consider a combination of federal laws (if applicable), state data breach notification laws, and potentially sector-specific regulations depending on the nature of the data and the industry. (C)

A hospital uses AI to predict patient readmission rates. The AI uses patient demographics, medical history, and social determinants of health. How does GDPR's principle of 'fairness' apply in this context?

GDPR's fairness principle requires the hospital to ensure the AI does not perpetuate or amplify existing societal biases, leading to discriminatory outcomes based on race, gender, or socioeconomic status. (B)

A technology company collects location data from users through its mobile app. Which scenario poses the MOST significant risk of violating the GDPR principle of 'purpose limitation'?

Storing location data indefinitely and using it for unspecified future research purposes without obtaining new explicit consent. (D)

A consumer living in California requests that a company delete their personal data under the California Consumer Privacy Act (CCPA). However, the company refuses the request, claiming that it needs the data to complete a pending transaction that the consumer initiated. Is the company's refusal justified under the CCPA?

Yes, the CCPA allows businesses to retain personal information if it is necessary to complete the transaction for which the personal information was collected. (B)

An organization collects browsing history data to profile users for targeted advertising, arguing that it increases ad relevance and user satisfaction. What is a critical challenge this organization faces in justifying this processing under GDPR?

Demonstrating legitimate interests while ensuring users can easily object to profiling without detriment. (A)

A data controller processes personal data based on consent. Which of the following scenarios would render that consent invalid under GDPR?

The consent was obtained through a pre-ticked box on a website form. (D)

A company suffers a data breach and determines that the most sensitive data exposed was encrypted using an industry-standard encryption algorithm. However, the encryption keys were stored on the same server as the encrypted data. What GDPR principle is MOST directly implicated by this scenario?

Integrity and Confidentiality (B)

An AI algorithm is used by a bank to automatically assess loan applications. The algorithm disproportionately denies loan applications from individuals in a specific ethnic group. Which of the following GDPR principles is most clearly violated?

Lawfulness, fairness and Transparency (C)

What is the main impact of the Schrems II ruling on data transfers between the EU and the US?

It invalidated the Privacy Shield framework and requires companies to assess whether the laws in the recipient country offer equivalent protection to EU law when relying on Standard Contractual Clauses (SCCs). (B)

Flashcards

Data privacy and processing regulations

Rules governing collection and processing of data that can identify a natural person.

General Data Protection Regulation (GDPR)

An EU regulation designed to protect the data and privacy of all individuals within the European Union.

Lawfulness, fairness and transparency

Ensuring data is processed fairly, lawfully, and transparently.

Purpose limitation

The principle that data should only be collected for specified, explicit and legitimate purposes.

Data minimization

Ensuring that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy

Data should be accurate and kept up to date. Inaccurate data should be rectified or erased.

Storage limitation

Data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality

Data must be processed in a manner that ensures appropriate security of the personal data.

Consent

A lawful basis for processing personal data where the data subject has given clear consent for their data to be processed for a specific purpose.

Performance of a contract

Processing is necessary for the performance of a contract to which the data subject is a party.

Compliance with legal obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Protection of vital interest

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Performance of public interest task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate interest

Balancing the interests of the data controller with the rights and freedoms of the data subject.

Ratification of inaccurate data

The right to have inaccurate personal data rectified.

Erasure of data

The right to have personal data erased.

Restrict data processing

The right to restrict the processing of personal data.

Receive the data processed

The right to receive personal data in a structured, commonly used and machine-readable format.

Object processing

the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her

Controller liability

The controller is responsible for ensuring data protection requirements are met.

Study Notes

• Data privacy and processing regulations govern the collection and processing of sensitive data, especially where a natural person can be identified.

Sources in the US

• Codified standards include:
  • State Constitutions
  • Federal Laws (addressing specific areas of data privacy)
  • State laws
• Case law (including torts)
• Principles
• Legal doctrine

Sources in the EU

• Codified standards include:
  • European Convention on Human Rights: Guarantees the right to respect for private and family life.
  • Constitutions
  • GDPR (Regulation 2016/679)
  • Directive 2016/680: Addresses data use for public purposes like law enforcement.
• Case law (ECJ and national courts)
• Principles

General Data Protection Regulation (GDPR)

• Applies based on territorial scope to personal data.
• Governs relationships between data subject, data controller, data processor, and recipient.
• Regulates data processing.

GDPR Rules

• Data controllers, processors, and recipients must comply with processing principles and have a lawful justification for processing data.
• Special categories of data require special justification.
• Data subjects have specific rights.
• Controllers, processors, and recipients are responsible for data security.

Principles of Processing

• Lawfulness, fairness, and transparency are key.
• Purpose limitation: Data must be processed for specified and legitimate purposes.
• Data minimization: Only necessary data should be processed.
• Accuracy: Data must be accurate and kept up to date.
• Storage limitation: Data should not be kept longer than necessary.
• Integrity and confidentiality: Data must be kept secure.

Lawful Justification for Processing

• Consent must be freely given.
• Necessary for the performance of a contract.
• Compliance with a legal obligation.
• Protection of vital interests of a natural person.
• Task performed in the public interest.
• Legitimate interest pursued by the controller or a third party.

Special Justification

• Processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation is generally prohibited.
• Processing of special categories is allowed with explicit consent or when necessary to carry out controller obligations.
• Processing of special categories is allowed to protect the vital interests of the data subject or another person. Article 9 of GDPR provides further details.

Data Subject Rights

• Right to ratification of inaccurate data.
• Right to erasure of data ("right to be forgotten").
• Right to restrict data processing.
• Right to receive processed data.
• Right to object to processing.

Breach and Liability

• The controller is liable by default.
• Liability cannot be contractually transferred.
• Data subjects can always bring claims against the controller.
• Fines are based on turnover.
• A controller can avoid liability by proving they are not responsible for the event causing damage.
• Controllers can bring claims against processors.

US Regulations Example

• Sephora was fined $1.2M under CCPA for ignoring user opt-out requests (2022).

EU Regulations Example

• Google was fined €50M under GDPR for lack of transparent consent (France, 2019).

GDPR Scope Example

• WhatsApp was fined €225M for unclear data-sharing with Facebook (2021).

GDPR Principles Example

• British Airways was fined £20M for poor security exposing 400K customer records (2019).

Lawful Justification Example

• TikTok was fined €345M for processing child data without valid consent (2023).

Special Category Data Example

• Grindr was fined $11M for sharing HIV status with advertisers (2021).

Data Subject Rights Example

• Austrian Post was fined for political profiling without consent (2019).

Breach & Liability Example

• Meta was fined €1.2B for unlawful EU-US data transfers (2023).