Domain 1: The most challenging CIPP/E domain?

Domain 1 questions are the most challenging for the respondents to our on-line CIPP/E.

Do you know:

• Which instrument first included the principle that member states should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties which would create obstacles to trans-border data flows of personal data beyond what is required for that protection?
• Which treaty promoted the Charter of Fundamental Rights of the European Union to the same status as a treaty, making it legally binding on members?

Only 20% of respondents to our on-line quiz got the first question right, and 42% got the correct answer to the second.  How did you go?

If you’re taking the CIPP/E, it’s not sufficient to know all about the GDPR.  You also need to understand the context.  You need to be up to speed with how the EU works, the difference between the Council of Europe, the EU and the EEA and the different conventions, treaties, directives and regulations relevant to data protection in Europe. This can be tricky, particularly for any non-Europeans who may get confused by the Council of Europe, the European Council and the Council of the EU…  But this is the focus of Domain 1 of the CIPP/E

There will be between 4 and 10 questions on the exam covering subject matter from this Domain, so it is worth taking a little time to familiarise yourself with the content.

Below are some topes to help you master Domain 1.

The CIPP/E Body of Knowledge

As a starting point, always refer back to the CIPP/E Body of Knowledge as your main reference point for the material you need to know.  Ensure you’re comfortable with all the subject matter listed there.

You can find the IAPP’s CIPP/E Exam Blueprint here.   

Please Note:  The body of knowledge and exam for CIPP/E were updated on 1 July 2021. Read this blog post to find out more about the update.

Domain 1 CIPP/E – What do you need to know?

As part of the background to understanding current data protection law in Europe, it is important to be able to:

• Know the history of human rights, privacy, and data protection law in Europe leading up to the current EU legislative framework;
• Differentiate between the Council of Europe and the European Union, including member state composition and legislation related to privacy and data protection;
• Understand the functions of the EU’s legislative, policy-making and judicial institutions, specifically as they apply to data protection law,

EU Institutions

The institutions of the European Union form the framework for co-operation between the 27 member states of the EU. Of these institutions, the European Commission is the only one that can initiate legislation. It submits its proposals to the European Parliament and the Council of Ministers, to be approved or rejected. Commissioners are appointed by the Council of Ministers and then approved by the parliament.

The parliament has responsibility for supervising the 27 commissioners making up the European Commission and is the only institution with the power to sack them.

All legislation must be approved by both the Council and the European Parliament. Once legislation has been passed, the European Court of Justice makes sure it is interpreted uniformly across all the member states.

EU Treaties

The first treaty, which established the European Economic Community (EEC), was signed in Rome in 1957. There have been five subsequent treaties – the Single European Act (1986), the Treaty of Maastricht (1992), the Treaty of Amsterdam (1997), the Treaty of Nice (2001) and the Treaty of Lisbon (2007).

Development of EU Data Protection Law

The origins and historical context of European data protection law, include the following:

•  1948 UN adopted Universal Declaration of Human Rights: Art 12 – “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour or reputation”
• 1950 Council of Europe ratified the Convention on Human Rights
•  1966 UN adopts International Covenant on Civil and Political Rights: Art 17 – provides protection against arbitrary interference with an individual’s privacy
• 1980 OECD issues “Guidelines on Privacy and Trans border Flows of Personal Data”
• 1981 Council of Europe ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ renders data protection a legal imperative
• 1995 EU Data Protection Directive issued
• 2000 Charter of Fundamental Rights of the EU
• 2002 EU ePrivacy Directive issued
• 2016 EU General Data Protection Regulation approved by the EU
•  2018 EU General Data Protection Regulation becomes enforceable
• 2018 Convention 108 + opened for signature

Sources/Bases for Right to Privacy/Data protection

Universal Declaration of Human Rights 1948

• Adopted by the General Assembly of the United Nations (International – not EU body)
• Included:
• ·       Right to a private life (Art 12)
• ·       Right to freedom of expression (Art 19)
• ·       Balance of rights (Art 29)

European Convention on Human Rights (ECHR) 1950

Council of Europe opened Convention for ratification in 1950. Reflect UN DHR and includes:

• Art 8 right to private life
• Art 10 right to freedom of expression
• Balance between rights (Art 10(2))
• Became enforceable in 1953. Establishes human rights across Europe (more broadly than just EU) that are enforceable via the European Court of Human Rights.

Convention 108 1981

• Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  Adopted by the Council of Europe. Opened for signature in 1981.
• First legally binding international instrument in area of data protection (must be implemented into local law by signatories).
• Set out basic principles + special rules for transborder data flows (introduced idea of ‘adequacy’).
• Did not result in ‘harmonised’ development of data protection laws by Council of Europe members.
• Three main parts of Convention 108:
• 1. Law provisions (basic principles)
  2. Rules on trans-border data flows
  3. Mutual assistance / DPA

EU Data Protection Directive 1995

• Used Convention 108 as benchmark for development of Data Protection Directive.  Passed by the EU in 1995.
• Intention to introduce more harmonised set of data protection provisions.

EU Charter of Fundamental Rights 2000

• Passed by EU in 2000.
• Includes same general principles as in ECHR but specifically refers to protection of personal data.
• Must be implemented into local law
• Given binding legal effect in 2009 when Treaty of Lisbon came into effect.

General Data Protection Regulation 2016

• Passed by EU in 2016.
• Became effective in 2018.
• Binding law applying to member countries (no need for local law to implement).

How can we help?

You may find the following posts helpful:

• CIPP/E and the History of Data Privacy – Privacy 108
• A Privacy Glossary With Key Terms for CIPP/E (Plus a Free Quiz!) – Privacy 108 | Australian Data Privacy & Security Consulting
• Free on-line GDPR Training: Our Top 5 Picks – Privacy 108 | Australian Data Privacy & Security Consulting
• Preparing for the iapp CIPP/E Exam? Some exam prep tips – Privacy 108 | Australian Data Privacy & Security Consulting

Other references

Other useful resources covering the Domain 1 subject matter include:

EU History: Timeline of the development of the EU:

EU Treaties: OS.7.Treaties.pdf (civitas.org.uk)

EU Institutions:

• How EU institutions work: Overview – BBC News
• How the EU works: a video guide – BBC News

EEA and data protection: Data Protection | European Free Trade Association (efta.int)

UN Declaration of Human Rights: Universal Declaration of Human Rights | United Nations

OECD Guidelines: OECD Privacy Guidelines – OECD

Council of Europe and Convention 108:

• Council of Europe: Convention 108 and Protocols (coe.int)
• Council of Europe Data Protection Handbook: https://www.echr.coe.int/Documents/Handbook_data_protection_ENG.pdf
• this Medium article about the history of Convention 108.
• Copy of the Convention: Search on Treaties (coe.int)

Want to test your CIPP/E Domain 1 knowledge?

Think you’re ready to take on Domain 1 or just want to assess your current understanding, or get a feel for what the exam questions in this area might be like?

We’ve created a set of practice exam questions just for Domain 1.

Enter your details below to access our free history of data privacy practice exam. It is written to help you prepare for the CIPP/E.

Not sure if the CIPP/E is for you?

If you want to check your current knowledge or get a sense of what the CIPP/E exam might cover, try our mini quiz, accessible here.

Prepare with us for the CIPP/E Exam

If you are thinking of taking the CIPP/E certification exam, an instructor-led preparatory course is a great option. The training classes are widely recognised as the best preparatory resource for test takers – and they’re a great resource for helping you learn the history of data privacy.

Privacy 108 runs regular CIPP/E training seminars, either by 4 x 4-hour on-line sessions or 2 days in a classroom. The course covers all of the CIPP/E body of knowledge.  As an authorised IAPP training provider all the course materials are provided by IAPP, and are prepared and regularly updated by the IAPP team of privacy specialists.

Lead instructor Dr Jodie Siganto is one of Australia’s foremost privacy experts and is a certified IAPP instructor, holding the CIPM, CIPP/E and CIPT certifications (in addition to the CISSP and CISM).   

Exclusive access to additional CIPP/E resources

To help ensure your success, Privacy 108 has developed additional supporting study material, available exclusively to people who train with Privacy 108.  This includes:

• Additional practice exam questions
• Study guides for each of the domains
• Glossary and flashcards.

This is in addition to the IAPP course notes comprehensive CIPP/E textbook and a 25-question practice exam, provided by IAPP.

For more information or to register.