Data Privacy: US, EU, GDPR

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to Lesson

Podcast

Play an AI-generated podcast conversation about this lesson
Download our mobile app to listen on the go
Get App

Questions and Answers

A multinational corporation headquartered outside the EU processes personal data of EU residents. Under what conditions does GDPR apply to this corporation?

  • GDPR applies only if the corporation has a physical office within the EU.
  • GDPR never applies to organizations outside the EU, regardless of the data they process.
  • GDPR applies only if the corporation voluntarily complies with GDPR standards.
  • GDPR applies only if the data processing is directly related to offering goods or services to EU residents, or monitoring their behavior within the EU. (correct)

A data controller relies on 'legitimate interest' as the justification for processing personal data. Which of the following scenarios would most likely be considered an invalid application of 'legitimate interest' under GDPR?

  • Processing customer data to prevent fraud and ensure network security, where the benefits are balanced against the individual's privacy expectations.
  • Processing personal data for direct marketing purposes without providing individuals an easy and consistent opt-out mechanism. (correct)
  • Processing employee data for payroll and human resources management purposes, as required by local labor laws.
  • Processing data to comply with a legal obligation to which the controller is subject.

A data breach occurs at a company that processes personal data on behalf of a controller. Under GDPR, what are the potential liabilities and obligations of the data processor?

  • The data processor is only liable if the data processing agreement explicitly states so; otherwise, the controller bears full responsibility.
  • The data processor's liability is limited to the fees paid by the data controller under their contract.
  • The data processor is jointly and severally liable with the controller, and they must notify the controller without undue delay after becoming aware of a data breach. (correct)
  • The data processor has no direct liability to data subjects; only the data controller can be held liable.

A company intends to collect and process biometric data (facial recognition) of its employees for security purposes. Which of the following conditions would be considered a valid justification for processing this special category of data under GDPR?

<p>The processing is necessary for carrying out the obligations and exercising specific rights of the controller or the data subject in the field of employment law, provided it is authorized by Union or Member State law. (A)</p> Signup and view all the answers

A data subject exercises their 'right to be forgotten' (right to erasure) under GDPR. In which of the following scenarios might the controller legitimately refuse the erasure request?

<p>The processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject. (B)</p> Signup and view all the answers

A U.S.-based company collects personal data from EU citizens. The company stores and processes this data exclusively in the U.S. Which legal mechanism is MOST appropriate for ensuring GDPR compliance regarding the transfer of this data?

<p>Implementation of Standard Contractual Clauses (SCCs) approved by the European Commission, combined with supplementary measures to ensure equivalent protection in the U.S. (B)</p> Signup and view all the answers

A research institution plans to use anonymized patient data for a study on a rare disease. After the data is fully anonymized, does GDPR still apply to this research?

<p>No, if the data is truly anonymized in such a manner that the data subject is no longer identifiable, GDPR does not apply. (D)</p> Signup and view all the answers

A company updates its privacy policy to comply with GDPR. If a user continues to use the company's services after the updated policy goes into effect, is this considered valid consent under GDPR?

<p>No, consent must be a clear affirmative act (e.g., ticking a box) and freely given; continued use is not sufficient. (D)</p> Signup and view all the answers

A large social media company suffers a data breach affecting millions of users. While the company quickly contains the breach and notifies affected users, it delays notifying the supervisory authority beyond the 72-hour deadline. What are the potential consequences under GDPR?

<p>The company may face a fine of up to 2% of its annual global turnover for failing to notify the supervisory authority within the required timeframe, in addition to other potential penalties related to the breach itself. (D)</p> Signup and view all the answers

A company is establishing a data retention policy for customer data. Under GDPR principles, what is the MOST appropriate approach?

<p>Retain customer data only for as long as necessary to fulfill the purposes for which it was collected, and securely delete or anonymize it after that period. (D)</p> Signup and view all the answers

In the context of US data privacy laws, which of the following statements accurately reflects a key difference between state and federal approaches?

<p>State laws often introduce broader, more general data privacy rights (like CCPA), whereas federal laws tend to be sector-specific. (D)</p> Signup and view all the answers

A small business in the US experiences a data breach affecting customer data. What factors will determine the business's legal obligations following the breach?

<p>The business must consider a combination of federal laws (if applicable), state data breach notification laws, and potentially sector-specific regulations depending on the nature of the data and the industry. (C)</p> Signup and view all the answers

A hospital uses AI to predict patient readmission rates. The AI uses patient demographics, medical history, and social determinants of health. How does GDPR's principle of 'fairness' apply in this context?

<p>GDPR's fairness principle requires the hospital to ensure the AI does not perpetuate or amplify existing societal biases, leading to discriminatory outcomes based on race, gender, or socioeconomic status. (B)</p> Signup and view all the answers

A technology company collects location data from users through its mobile app. Which scenario poses the MOST significant risk of violating the GDPR principle of 'purpose limitation'?

<p>Storing location data indefinitely and using it for unspecified future research purposes without obtaining new explicit consent. (D)</p> Signup and view all the answers

A consumer living in California requests that a company delete their personal data under the California Consumer Privacy Act (CCPA). However, the company refuses the request, claiming that it needs the data to complete a pending transaction that the consumer initiated. Is the company's refusal justified under the CCPA?

<p>Yes, the CCPA allows businesses to retain personal information if it is necessary to complete the transaction for which the personal information was collected. (B)</p> Signup and view all the answers

An organization collects browsing history data to profile users for targeted advertising, arguing that it increases ad relevance and user satisfaction. What is a critical challenge this organization faces in justifying this processing under GDPR?

<p>Demonstrating legitimate interests while ensuring users can easily object to profiling without detriment. (A)</p> Signup and view all the answers

A data controller processes personal data based on consent. Which of the following scenarios would render that consent invalid under GDPR?

<p>The consent was obtained through a pre-ticked box on a website form. (D)</p> Signup and view all the answers

A company suffers a data breach and determines that the most sensitive data exposed was encrypted using an industry-standard encryption algorithm. However, the encryption keys were stored on the same server as the encrypted data. What GDPR principle is MOST directly implicated by this scenario?

<p>Integrity and Confidentiality (B)</p> Signup and view all the answers

An AI algorithm is used by a bank to automatically assess loan applications. The algorithm disproportionately denies loan applications from individuals in a specific ethnic group. Which of the following GDPR principles is most clearly violated?

<p>Lawfulness, fairness and Transparency (C)</p> Signup and view all the answers

What is the main impact of the Schrems II ruling on data transfers between the EU and the US?

<p>It invalidated the Privacy Shield framework and requires companies to assess whether the laws in the recipient country offer equivalent protection to EU law when relying on Standard Contractual Clauses (SCCs). (B)</p> Signup and view all the answers

Flashcards

Data privacy and processing regulations

Rules governing collection and processing of data that can identify a natural person.

General Data Protection Regulation (GDPR)

An EU regulation designed to protect the data and privacy of all individuals within the European Union.

Lawfulness, fairness and transparency

Ensuring data is processed fairly, lawfully, and transparently.

Purpose limitation

The principle that data should only be collected for specified, explicit and legitimate purposes.

Signup and view all the flashcards

Data minimization

Ensuring that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Signup and view all the flashcards

Accuracy

Data should be accurate and kept up to date. Inaccurate data should be rectified or erased.

Signup and view all the flashcards

Storage limitation

Data must be kept for no longer than is necessary for the purposes for which the personal data are processed.

Signup and view all the flashcards

Integrity and confidentiality

Data must be processed in a manner that ensures appropriate security of the personal data.

Signup and view all the flashcards

Consent

A lawful basis for processing personal data where the data subject has given clear consent for their data to be processed for a specific purpose.

Signup and view all the flashcards

Performance of a contract

Processing is necessary for the performance of a contract to which the data subject is a party.

Signup and view all the flashcards

Compliance with legal obligation

Processing is necessary for compliance with a legal obligation to which the controller is subject.

Signup and view all the flashcards

Protection of vital interest

Processing is necessary in order to protect the vital interests of the data subject or of another natural person.

Signup and view all the flashcards

Performance of public interest task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Signup and view all the flashcards

Legitimate interest

Balancing the interests of the data controller with the rights and freedoms of the data subject.

Signup and view all the flashcards

Ratification of inaccurate data

The right to have inaccurate personal data rectified.

Signup and view all the flashcards

Erasure of data

The right to have personal data erased.

Signup and view all the flashcards

Restrict data processing

The right to restrict the processing of personal data.

Signup and view all the flashcards

Receive the data processed

The right to receive personal data in a structured, commonly used and machine-readable format.

Signup and view all the flashcards

Object processing

the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her

Signup and view all the flashcards

Controller liability

The controller is responsible for ensuring data protection requirements are met.

Signup and view all the flashcards

Study Notes

  • Data privacy and processing regulations govern the collection and processing of sensitive data, especially where a natural person can be identified.

Sources in the US

  • Codified standards include:
    • State Constitutions
    • Federal Laws (addressing specific areas of data privacy)
    • State laws
  • Case law (including torts)
  • Principles
  • Legal doctrine

Sources in the EU

  • Codified standards include:
    • European Convention on Human Rights: Guarantees the right to respect for private and family life.
    • Constitutions
    • GDPR (Regulation 2016/679)
    • Directive 2016/680: Addresses data use for public purposes like law enforcement.
  • Case law (ECJ and national courts)
  • Principles

General Data Protection Regulation (GDPR)

  • Applies based on territorial scope to personal data.
  • Governs relationships between data subject, data controller, data processor, and recipient.
  • Regulates data processing.

GDPR Rules

  • Data controllers, processors, and recipients must comply with processing principles and have a lawful justification for processing data.
  • Special categories of data require special justification.
  • Data subjects have specific rights.
  • Controllers, processors, and recipients are responsible for data security.

Principles of Processing

  • Lawfulness, fairness, and transparency are key.
  • Purpose limitation: Data must be processed for specified and legitimate purposes.
  • Data minimization: Only necessary data should be processed.
  • Accuracy: Data must be accurate and kept up to date.
  • Storage limitation: Data should not be kept longer than necessary.
  • Integrity and confidentiality: Data must be kept secure.

Lawful Justification for Processing

  • Consent must be freely given.
  • Necessary for the performance of a contract.
  • Compliance with a legal obligation.
  • Protection of vital interests of a natural person.
  • Task performed in the public interest.
  • Legitimate interest pursued by the controller or a third party.

Special Justification

  • Processing data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning a person’s sex life or sexual orientation is generally prohibited.
  • Processing of special categories is allowed with explicit consent or when necessary to carry out controller obligations.
  • Processing of special categories is allowed to protect the vital interests of the data subject or another person. Article 9 of GDPR provides further details.

Data Subject Rights

  • Right to ratification of inaccurate data.
  • Right to erasure of data ("right to be forgotten").
  • Right to restrict data processing.
  • Right to receive processed data.
  • Right to object to processing.

Breach and Liability

  • The controller is liable by default.
  • Liability cannot be contractually transferred.
  • Data subjects can always bring claims against the controller.
  • Fines are based on turnover.
  • A controller can avoid liability by proving they are not responsible for the event causing damage.
  • Controllers can bring claims against processors.

US Regulations Example

  • Sephora was fined $1.2M under CCPA for ignoring user opt-out requests (2022).

EU Regulations Example

  • Google was fined €50M under GDPR for lack of transparent consent (France, 2019).

GDPR Scope Example

  • WhatsApp was fined €225M for unclear data-sharing with Facebook (2021).

GDPR Principles Example

  • British Airways was fined £20M for poor security exposing 400K customer records (2019).

Lawful Justification Example

  • TikTok was fined €345M for processing child data without valid consent (2023).

Special Category Data Example

  • Grindr was fined $11M for sharing HIV status with advertisers (2021).

Data Subject Rights Example

  • Austrian Post was fined for political profiling without consent (2019).

Breach & Liability Example

  • Meta was fined €1.2B for unlawful EU-US data transfers (2023).

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Quiz Team

More Like This

Use Quizgecko on...
Browser
Browser