A Very Short History of Data Protection
Andrew Charlesworth – Reader in IT Law, University of Bristol
The arrival of the General Data Protection Regulation, on 25 May 2018, marks the beginning of another chapter in data protection law. As we prepare for the GDPR, looking back at its prehistory provides some interesting insights into the influences on its focus and regulatory processes.
Concerns about the hazards of unregulated collection and use of personal data predate digital processing. In World War II, the German occupation forces’ use of personal data files held by Dutch local government to identify individuals for transport to concentration camps was a harsh early lesson in the unintended secondary uses of personal data. By the 1960s, authors like Vance Packard and Stanton Wheeler were raising concerns about the development of intrusive technologies, e.g. hidden cameras, and the growth of the ‘Dossier Society’, particularly the accelerating collection of personal data by government and big business. The spread of computers and databanks through the 1970s increased the capacity and speed of data processing, and with it the value of personal data.
At this point, two trends that remain influential today began to emerge: the development of cross-border transfers of data, and the recognition that individuals should be able to exercise rights over their personal data. The first rudimentary DP law is widely recognised to be that of Hesse, Germany in 1970, but a more crucial development occurred in 1973, when a US government report set out the Fair Information Practices (FIPs) that became central to modern rights-oriented DP laws. Those practices, identified over 40 years ago, remain evident in the GDPR today: collection limitation, purpose specification, use limitation, data quality, data security, transparency and notification, data subject rights, equivalency and accountability.
Through the 1970s, there was increasing pressure from business for governments to provide clear international standards for personal data processing, to ensure that developing national laws did not become barriers to the cross-border flow of data. This led to the non-binding, but influential, OECD Guidelines in 1980, and a binding Council of Europe Convention in 1981. The OECD Guidelines focused on facilitating international trade and economic co-operation, while the CoE Convention took a more human rights-based approach, building on the CoE’s Convention on Human Rights, particularly Article 8. Recognising the importance of cross-border transfers to its economy, the UK passed a Data Protection Act in 1984. This focused heavily on facilitation of trade, and rather less on matters of privacy rights, in contrast to countries such as Sweden and Germany.
As European nations developed DP laws, EU involvement was inevitable. However, the EU Commission faced a dilemma: it wanted to ensure free movement of data within the Union, but its Member States had widely varying laws and motivations. The EU Data Protection Directive 1995 (DPD) was thus a major compromise: while aiming to harmonise national laws, it left implementation of its requirements – largely based on the FIPs – to the Member States. While this enabled agreement on the legislation, it meant the EU DP environment could develop along 27 different lines – a common complaint of international businesses. Indeed, the DPD was open to many criticisms, e.g. it failed to adapt to changing technology and business practices, it didn’t adequately protect data subject rights, it could be satisfied by ‘tickbox compliance’, it encouraged a view of DP as a ‘bolt-on’ to existing processes, and it failed to engage the public as stakeholders.
The UK Data Protection Act 1998 exemplified many of those complaints. It was inflexible and outdated from the start; its narrow interpretation by the courts made it hard for data subjects to access their personal data, or exercise their rights; organisations assumed, often correctly, that breaches would not be pursued, or that if they were, penalties could be treated as a cost of doing business; and public understanding of, and engagement with, the law was minimal. Later adjustments addressed some of those issues: the courts recognised that individuals could be compensated for non-financial damage, and the Information Commissioner was given greater powers by legislation, including the ability to impose financial penalties. However, developments in other jurisdictions began to suggest more effective approaches to DP law.
The GDPR builds upon the harmonisation begun by the DPD and existing national laws. It is directly applicable, so its provisions automatically become part of Member States’ national law. The only areas where Member States need national legislation are to address issues that fall outside the GDPR, e.g. national security and policing (implementing a new Directive); issues that the GDPR leaves to Member State discretion, e.g. the nature and role of the national regulator; and permitted GDPR exemptions. It derives a ‘constitutional’ underpinning from the EU Charter of Fundamental Rights (Article 7 on respect for private life and Article 8 on protection of personal data), mirroring similar constitutional rights in some Latin American countries. It requires data controllers designing personal data systems and processes to address DP from the start (Data Protection by Design and by Default), and to consider the effect of such systems and processes upon key stakeholders, including data subjects (Data Protection Impact Assessments), drawing inspiration from countries including Canada, Australia and New Zealand. Data controllers are also now required to notify some personal data breaches to the supervisory authority (in the UK, the Information Commissioner), where feasible within 72 hours of becoming aware of them, and, where the breach poses a high risk to individuals, to the affected data subjects themselves, a requirement derived from practice in the US. Both the Information Commissioner and data controllers are also encouraged to increase public participation as key stakeholders, like the work of the US Federal Trade Commission on privacy in ecommerce.
The GDPR, therefore, is the product of 50 years of international evolution in DP theory and practice, and a model for the ongoing reinvention of the OECD Guidelines and the CoE Convention. While new principles have appeared, e.g. data portability, breach notification, and protection of minors, the FIPs remain a visible and core component. Although the human rights element has increasingly come to the fore, there remains a streak of business pragmatism running through it: the data transfer principle aims to continue to encourage other jurisdictions to enhance their DP laws in the name, not just of data subject rights, but also international trade.
Above all, the new watchword for the GDPR is ‘accountability’: it is not enough to be compliant in theory; a data controller must be able to demonstrate that their compliance practice is meaningful, reflexive and ongoing. But by acting accountably, the modern data controller can, in turn, demonstrate the advantages, to both data controllers and data subjects, of DP regulation that is developed by and for those with direct knowledge and experience of the environment to be regulated, such as the use of modern CCTV, IPTV and Internet of Things (IoT) deployments.
Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, Rome, 4.XI.1950.
Vance Packard, The Naked Society, New York: David McKay Co. 1964.
Stanton Wheeler, On Record: Files and Dossiers in American Life, New York: Russell Sage Foundation. 1969.
Hessisches Datenschutzgesetz (The Hesse Data Protection Act), Gesetz- und Verordnungsblatt I (1970), 625.
OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).
OECD, Revised Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2013).
Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108) (1981).
Council of Europe, Draft modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data (2016).
Federal Trade Commission, Protecting Consumer Privacy.