Modern data privacy has a history that goes back to a time before the World Wide Web, when the internet was still a nascent concept rather than a global tool.
The First Data Protection Law
In 1970 the German state of Hesse enacted the world's first data protection act, the Datenschutzgesetz (DSG; data protection law). Similar acts followed elsewhere (Sweden's Data Act of 1973 was the first at national level), and a federal German law, the Bundesdatenschutzgesetz (BDSG), was passed in 1977.
Organization for Economic Cooperation and Development (OECD) Privacy Requirements and Privacy Foundations
The 1980 Organization for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data set out eight broad privacy principles. OECD member countries considered it necessary to develop guidelines that would help to harmonize national privacy legislation and, while upholding privacy as a human right, would at the same time prevent interruptions in international flows of data. They represent a consensus on basic principles that can be built into existing national legislation or serve as a basis for legislation in those countries that do not yet have it.
The guidelines are as follows:
- Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
- Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up to date.
- Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection, and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
- Use Limitation Principle: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified except with the consent of the data subject or by the authority of law.
- Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data.
- Openness Principle: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- Individual Participation Principle: An individual should have the right:
  - to obtain from a data controller, or otherwise, confirmation of whether the data controller has data relating to him;
  - to have communicated to him, data relating to him
    - within a reasonable time;
    - at a charge, if any, that is not excessive;
    - in a reasonable manner; and
    - in a form that is readily intelligible to him;
  - to be given reasons if a request made under the two preceding points is denied, and to be able to challenge such denial; and
  - to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended.
- Accountability Principle: A data controller should be accountable for complying with measures that give effect to the principles stated above.
EU Data Protection Directive (95/46/EC)
The European Commission's Directive on Data Protection (95/46/EC, adopted on 24 October 1995) took effect in October 1998 and prohibits the transfer of personal data to non-European Union countries that do not meet the European Union (EU) "adequacy" standard for privacy protection (Article 25). While the United States and the EU share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy from that taken by the EU: sector-specific laws rather than one comprehensive framework.
On November 4, 2010, the European Commission set out a strategy to strengthen EU data protection rules (IP/10/1462 and MEMO/10/542). The goals were to protect individuals’ data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU.
The Commission invited reactions to its ideas and carried out a separate public consultation to revise the EU’s 1995 Data Protection Directive (95/46/EC). The strategy was translated into a comprehensive reform of the EU’s Data Protection Directive on January 25, 2012, with the proposal of a formal framework for data protection reform.
The proposals focus on how to modernize the EU framework for data protection rules through a series of key goals:
- Strengthening individuals’ rights so that the collection and use of personal data is limited to the minimum necessary. Individuals should be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example, when surfing online, and should have the “right to be forgotten” when their data is no longer needed or “the right to erasure” if they want their data to be deleted.
- Enhancing the single market dimension by reducing the administrative burden on companies and ensuring a true level playing field.
- Revising data protection rules in police and criminal justice areas so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission was also reviewing the 2006 Data Retention Directive (2006/24/EC), under which companies were required to store communication traffic data for a period of between six months and two years; the Court of Justice of the EU later declared that directive invalid in April 2014.
- Ensuring high levels of protection for data transferred outside the EU by improving and streamlining procedures for international data transfers.
- More effective enforcement of the rules, by strengthening and further harmonizing the role and powers of data protection authorities.
These provisions apply in all business/social sectors; thus, they cover the processing of personal data in cloud computing services.
Furthermore, the European Union enacted a separate privacy directive, the E-Privacy Directive 2002/58/EC, "concerning the processing of personal data and the protection of privacy in the electronic communications sector." As amended by Directive 2009/136/EC, it contains provisions on notification of personal data breaches by providers of electronic communications services and on the use of cookies (the consent requirement commonly called the "cookie law").
General Data Protection Regulation (GDPR)
On December 15, 2015, the European Parliament, the Council, and the Commission reached agreement on the new data protection rules that are meant to replace Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
On May 4, 2016, the official texts of the regulation (Regulation (EU) 2016/679, the GDPR) and the accompanying directive (Directive (EU) 2016/680, the Law Enforcement Directive, which covers processing by police and criminal justice authorities) were published in the EU Official Journal. While the regulation entered into force on May 24, 2016, it applied starting on May 25, 2018.
The directive entered into force on May 5, 2016, and EU member states had to transpose it into their national law by May 6, 2018.
The EU General Data Protection Regulation (GDPR) repeals and replaces the Data Protection Directive 95/46/EC (references to the repealed Directive in other EU law are read as references to the GDPR) and is designed to:
- Harmonize data privacy laws across Europe
- Protect and empower the data privacy of all individuals in the EU (data subjects located in the EU, not only EU citizens)
- Reshape the way organizations across the region approach data privacy
Other key changes include:
- Increased territorial scope (extraterritorial applicability: organizations outside the EU are covered when they offer goods or services to, or monitor the behaviour of, data subjects in the EU)
- Penalties (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher)
- Consent (must be freely given, specific, informed, and unambiguous)
- Data subject rights
- Breach notification (to the supervisory authority within 72 hours of becoming aware of a breach, where feasible)
- Right to access
- Right to be forgotten (right to erasure)
- Data portability
- Privacy by design (data protection by design and by default)
- Data protection officers (mandatory for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring or large-scale processing of special categories of data)
Countries whose national laws the European Commission has recognized as providing adequate protection (an "adequacy decision", so that personal data can flow from the EU without additional safeguards) include:
Andorra, Argentina, Canada (commercial organizations covered by PIPEDA), Israel, Japan, Switzerland, and Uruguay. The GDPR itself applies directly in all EU (and EEA) member states. Singapore and Australia have comprehensive national privacy laws (the Personal Data Protection Act and the Privacy Act 1988, respectively) but no EU adequacy decision.
Countries without an adequacy decision include:
The United States, which has no comprehensive federal privacy law. An entity there receiving or processing EU personal data needs a separate transfer mechanism, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules approved by the EU, or certification under the EU-U.S. Privacy Shield program. Note that the Court of Justice of the EU invalidated Privacy Shield in July 2020 (Schrems II); its successor, the EU-U.S. Data Privacy Framework, received an adequacy decision in July 2023.
Next article in series – Data Privacy: Contractual & Regulated Private Data