
Data Privacy and GDPR Handbook.

By:
Material type: Text
Publisher: Newark : John Wiley & Sons, Incorporated, 2019
Copyright date: ©2020
Edition: 1st ed.
Description: 1 online resource (499 pages)
Content type:
  • text
Media type:
  • computer
Carrier type:
  • online resource
ISBN:
  • 9781119594253
Subject(s):
Genre/Form:
Additional physical formats: Print version: Data Privacy and GDPR Handbook
LOC classification:
  • K3263 .S537 2020
Online resources:
Contents:
Intro -- Data Privacy and GDPR Handbook -- Contents -- 1 Origins and Concepts of Data Privacy -- 1.1 Questions and Challenges of Data Privacy -- 1.1.1 But Cupid Turned Out to Be Not OK -- 1.2 The Conundrum of Voluntary Information -- 1.3 What Is Data Privacy? -- 1.3.1 Physical Privacy -- 1.3.2 Social Privacy Norms -- 1.3.3 Privacy in a Technology-Driven Society -- 1.4 Doctrine of Information Privacy -- 1.4.1 Information Sharing Empowers the Recipient -- 1.4.2 Monetary Value of Individual Privacy -- 1.4.3 "Digital Public Spaces" -- 1.4.4 A Model Data Economy -- 1.5 Notice-and-Choice versus Privacy-as-Trust -- 1.6 Notice-and-Choice in the US -- 1.7 Enforcement of Notice-and-Choice Privacy Laws -- 1.7.1 Broken Trust and FTC Enforcement -- 1.7.2 The Notice-and-Choice Model Falls Short -- 1.8 Privacy-as-Trust: An Alternative Model -- 1.9 Applying Privacy-as-Trust in Practice: The US Federal Trade Commission -- 1.9.1 Facebook as an Example -- 1.10 Additional Challenges in the Era of Big Data and Social Robots -- 1.10.1 What Is a Social Robot? -- 1.10.2 Trust and Privacy -- 1.10.3 Legal Framework for Governing Social Robots -- 1.11 The General Data Protection Regulation (GDPR) -- 1.12 Chapter Overview -- Notes -- 2 A Brief History of Data Privacy -- 2.1 Privacy as One's Castle -- 2.1.1 Individuals' "Castles" Were Not Enough -- 2.2 Extending Beyond the "Castle" -- 2.3 Formation of Privacy Tort Laws -- 2.3.1 A Privacy Tort Framework -- 2.4 The Roots of Privacy in Europe and the Commonwealth -- 2.5 Privacy Encroachment in the Digital Age -- 2.5.1 Early Digital Privacy Laws Were Organic -- 2.5.2 Growth in Commercial Value of Individual Data -- 2.6 The Gramm-Leach-Bliley Act Tilted the Dynamic against Privacy -- 2.7 Emergence of Economic Value of Individual Data for Digital Businesses.
2.7.1 The Shock of the 9/11 Attacks Affected Privacy Protection Initiatives -- 2.7.2 Surveillance and Data Collection Was Rapidly Commercialized -- 2.7.3 Easing of Privacy Standards by the NSA Set the Tone at the Top -- 2.8 Legislative Initiatives to Protect Individuals' Data Privacy -- 2.9 The EU Path -- 2.9.1 The Internet Rights Revolution -- 2.9.2 Social Revolutions -- 2.10 End of the Wild West? -- 2.11 Data as an Extension of Personal Privacy -- 2.12 Cambridge Analytica: A Step Too Far -- 2.13 The Context of Privacy in Law Enforcement -- Summary -- Notes -- 3 GDPR's Scope of Application -- 3.1 When Does GDPR Apply? -- 3.1.1 "Processing" of Data -- 3.1.1.1 Manual Processing -- 3.1.2 "Personal Data" -- 3.1.2.1 Relative Criteria for Identifiability -- 3.1.2.2 Individual Circumstances -- 3.1.2.3 Special Cases -- 3.1.2.4 Anonymization -- 3.1.2.5 Pseudonymization -- 3.1.3 Exempted Activities under GDPR -- 3.2 The Key Players under GDPR -- 3.3 Territorial Scope of GDPR -- 3.3.1 Physical Presence in the EU -- 3.3.2 Processing Done in the Context of the Activities -- 3.3.3 Users Based in the EU -- 3.3.4 "Time of Stay" Standard -- 3.4 Operation of Public International Law -- Notes -- 4 Technical and Organizational Requirements under GDPR -- 4.1 Accountability -- 4.2 The Data Controller -- 4.2.1 Responsibilities of the Controller -- 4.2.1.1 Demonstration -- 4.2.1.2 Data Protection Policies -- 4.2.1.3 Adherence -- 4.2.2 Joint Controllers and Allocating Liability -- 4.2.2.1 Additional Obligations Placed on Joint Controllers -- 4.2.2.2 Joint and Several Liabilities -- 4.2.2.3 Controllers Outside of the EU -- 4.2.3 The Duty to Cooperate with the SA -- 4.3 Technical and Organizational Measures -- 4.3.1 Maintain a Data-Protection Level -- 4.3.2 Minimum Requirements for Holding a Data Protection Level -- 4.3.3 Weighing the Risks -- 4.3.3.1 Risk to the Business.
4.3.3.2 Risk to Consumers -- 4.3.3.3 Risks Caused by Third Parties -- 4.3.4 The Network and Information Systems Directive -- 4.4 Duty to Maintain Records of Processing Activities -- 4.4.1 Content of Controller's Records -- 4.4.2 Content of Processor's Records -- 4.4.3 Exceptions to the Duty -- 4.5 Data Protection Impact Assessments -- 4.5.1 Types of Processing That Require DPIA -- 4.5.2 Scope of Assessment -- 4.5.2.1 Determining the Risk -- 4.5.2.2 Contents of the DPIA -- 4.5.2.3 Involvement of the DPO -- 4.5.2.4 Prior Consultation -- 4.5.3 Business Plan Oversight -- 4.6 The Data Protection Officer -- 4.6.1 Designation of DPO -- 4.6.2 Qualifications and Hiring a DPO -- 4.6.3 Position of the DPO -- 4.6.4 Tasks of the DPO -- 4.6.5 An Inherent Conflict of Interest? -- 4.6.6 DPO Liability -- 4.7 Data Protection by Design and Default -- 4.7.1 Data Protection at the Outset -- 4.7.2 Balancing the Amount of Protection -- 4.7.3 Applying Data Protection by Design -- 4.7.4 Special Case: Blockchain Technology and GDPR -- 4.8 Data Security during Processing -- 4.8.1 Data Security Measures -- 4.8.2 Determining the Risk Posed -- 4.8.3 Data Protection Management Systems: A "Technical and Organizational Measure" -- 4.9 Personal Data Breaches -- 4.9.1 Overview of Data Breaches -- 4.9.1.1 Types of Data Breaches -- 4.9.1.2 Damage Caused by Data Breaches -- 4.9.1.3 Degrees of Data Breaches -- 4.9.1.4 Types of Cyber-Threats -- 4.9.1.5 Practically Implementing Cyber-Security -- 4.9.1.6 Combating Cyber-Security Threats -- 4.9.1.7 Breach Response Plan -- 4.9.1.8 Manual versus Automated Cyber-Security -- 4.9.1.9 Cyber-Security Insurance -- 4.9.2 The Controller's Duty to Notify -- 4.9.2.1 Excusable Delays -- 4.9.2.2 Contents of Notification -- 4.9.2.3 Exception -- 4.9.3 Controller's Duty to Communicate the Breach to Data Subjects -- 4.9.3.1 A Timely Communication.
4.9.3.2 Contents of the Communication -- 4.9.3.3 Exceptions -- 4.10 Codes of Conduct and Certifications -- 4.10.1 Purpose and Relationship under GDPR -- 4.10.2 Codes of Conduct -- 4.10.2.1 Codes of Conduct by Associations -- 4.10.2.2 Monitoring Approved Codes of Conduct -- 4.10.3 Certification -- 4.10.3.1 Certification Bodies -- 4.10.3.2 Factors for Granting Accreditation to Certification Bodies -- 4.10.3.3 Responsibilities of Certification Bodies -- 4.10.3.4 The Certification Mechanisms -- 4.11 The Data Processor -- 4.11.1 Relationship between Processor and Controller -- 4.11.2 Responsibilities of Controller in Selecting a Processor -- 4.11.2.1 Sufficient Guarantees -- 4.11.2.2 Maintaining Processing Contracts -- 4.11.2.3 Standard Contractual Clauses -- 4.11.3 Duties of the Processor -- 4.11.4 Subprocessors -- Notes -- 5 Material Requisites for Processing under GDPR -- 5.1 The Central Principles of Processing -- 5.1.1 Lawful, Fair, and Transparent Processing of Data -- 5.1.2 Processing Limited to a "Purpose" -- 5.1.2.1 Restriction on Processing and Exceeding the Purpose -- 5.1.2.2 The "Compatibility" Test -- 5.1.2.3 Processing That Does Not Require Identification -- 5.1.3 Data Minimization and Accuracy -- 5.1.4 Storage of Data -- 5.1.5 Integrity and Confidentiality of the Operation -- 5.2 Legal Grounds for Data Processing -- 5.2.1 Processing Based on Consent -- 5.2.1.1 What Constitutes Consent? -- 5.2.1.2 Consent of a Child -- 5.2.1.3 NYOB.eu versus Google, Facebook, Whatsapp, and Instagram: A Case Study on Consent -- 5.2.2 Processing Based on Legal Sanction -- 5.2.2.1 Formation or Performance of a Contract -- 5.2.2.2 Compliance with a Legal Obligation -- 5.2.2.3 Protection of Vital Interests -- 5.2.2.4 Public Interest and Exercise of Official Authority -- 5.2.2.5 Exercising Legitimate Interests -- 5.2.3 Changing the Processing "Purpose".
5.2.4 Special Categories of Data -- 5.2.4.1 What Is "Special" Data? -- 5.2.4.2 Location and Behavioral Data -- 5.2.4.3 Processing Data Relating to Criminal Convictions -- 5.2.4.4 The Exceptions to the Rule -- 5.2.4.5 New Technologies Involving Special Data -- 5.2.4.6 Developing the Law Further -- 5.3 International Data Transfers -- 5.3.1 Adequacy Decisions and "Safe" Countries -- 5.3.1.1 Determining Adequacy -- 5.3.1.2 Application of the Factors -- 5.3.1.3 Revocation of the Adequacy Decision -- 5.3.2 Explicit Consent -- 5.3.3 Standard Contractual Clauses -- 5.3.3.1 Overview of Commission Decisions -- 5.3.3.2 Content of SCCs -- 5.3.3.3 Consequences of Breaching the Conditions of SCCs -- 5.3.4 The EU-US Privacy Shield -- 5.3.5 Binding Corporate Rules -- 5.3.5.1 Legally Mandated Clauses -- 5.3.5.2 Conditions for Approval -- 5.3.6 Transfers Made with or without Authorization -- 5.3.6.1 International Data Transfers without the SA's Authorization -- 5.3.6.2 International Data Transfers with SA's Authorization -- 5.3.6.3 Implementing Appropriate Safeguards -- 5.3.7 Derogations -- 5.3.7.1 Permitted Derogations -- 5.3.7.2 Unauthorized Derogations -- 5.3.7.3 Transfers Not Authorized by EU -- 5.3.8 Controllers Outside of the EU -- 5.4 Intragroup Processing Privileges -- 5.5 Cooperation Obligation on EU Bodies -- 5.6 Foreign Law in Conflict with GDPR -- Notes -- 6 Data Subjects' Rights -- 6.1 The Controller's Duty of Transparency -- 6.1.1 Creating the Modalities -- 6.1.2 Facilitating Information Requests -- 6.1.3 Providing Information to Data Subjects -- 6.1.4 The Notification Obligation -- 6.2 The Digital Miranda Rights -- 6.2.1 Accountability Information -- 6.2.2 Transparency Information -- 6.2.3 Timing -- 6.2.4 Defenses for Not Providing Information -- 6.3 The Right of Access -- 6.3.1 Accessing Personal Data -- 6.3.2 Charging a "Reasonable Fee".
6.4 Right of Rectification.
No physical items for this record

Description based on publisher supplied metadata and other sources.

Electronic reproduction. Ann Arbor, Michigan : ProQuest Ebook Central, 2024. Available via World Wide Web. Access may be limited to ProQuest Ebook Central affiliated libraries.
