Destination GDPR - how did we arrive here?
A brief history of data protection legislation
You’ve probably heard that the toughest data privacy law in European business history - the General Data Protection Regulation (GDPR) - becomes enforceable on 25 May 2018 but, how did we reach this point?
We have created a timeline of the journey towards the enforcement of the GDPR, showing key milestones which led to the creation of the latest data protection legislation. For those who want the detail, the not-so-brief history can be read below too:
UN Declaration of Human Rights (1948)
A direct result of the tragic experience of the Second World War, the Universal Declaration of Human Rights was adopted by the UN General Assembly in December 1948. With the end of that war, and the creation of the United Nations, the international community vowed never again to allow atrocities like those seen during the conflict. World leaders decided to complement the UN Charter with a road map to guarantee the rights of every individual everywhere; the document they drafted became the Universal Declaration of Human Rights. Its Article 12 (protection against arbitrary interference with privacy, family, home and correspondence) and Article 19 (freedom of opinion and expression) are the ancestors of the two Convention Articles discussed next.
European Convention on Human Rights (1950)
Two years after the UN Declaration of Human Rights, the member states of the Council of Europe (a body distinct from, and older than, the European Union) signed the European Convention on Human Rights in Rome to give local, legally binding effect to the principles of the Universal Declaration. Let’s look at two of the Convention’s Articles in a bit more detail…
Article 8 – Right to respect for private and family life
1. “Everyone has the right to respect for his private and family life, his home and his correspondence.”
2. “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Article 10 – Right to Freedom of Expression
1. “Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.”
(Article 10(2) goes on to permit restrictions on this right where they are prescribed by law and necessary in a democratic society, including “for the protection of the reputation or rights of others” and “for preventing the disclosure of information received in confidence”.)
While Article 10 was primarily intended to protect the right of individuals to hold opinions which might differ from the majority, without fearing persecution or threat, it was quickly adopted by the media as justification for their gathering, processing and publication of personal information in news reports and articles. While the corresponding provisions in the UN Declaration complemented each other, the media’s reliance on Article 10 exposed an apparent tension between the two Convention Articles: protection of privacy on one hand, justification for breaching that privacy by publication of information on the other. Reconciling the two is a balancing exercise that the courts still perform case by case.
OECD Guidelines on Data Protection (1980)
The Organisation for Economic Co-Operation and Development (OECD) is an international organisation which monitors and measures industrial productivity and global flows of trade and investment, and works to tackle what it perceives as threats to such international trade between nations.
In the late 1970s, the OECD perceived just such a threat from the increasing use of computers to conduct international trade. The organisation recognised that, unless steps were taken, concerns about the increased processing of personal data would cause governments to restrict cross-border data flows, thereby hampering the free market economy. Therefore, in September 1980, the OECD adopted its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. While the Guidelines were not legally binding, the organisation was nonetheless very influential and they came at a time when the Council of Europe was finalising its own formal convention on the processing of personal data. The eight principles they set out (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability) are recognisably the ancestors of the principles in every European data protection law since.
The particular focus on the use of computers to process business transactions can be seen in the priority given to the processing of automated data within the Guidelines, almost to the exclusion of manual (paper-based) data.
The Council of Europe Data Protection Convention – Convention 108 (1981)
Following almost immediately after the publication of the OECD Guidelines, the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (better known as Convention 108) was opened for signature on 28 January 1981. It differed from the Guidelines in one crucial way: it was a binding international treaty. States which ratified the Convention undertook to give effect to its principles in their own domestic legislation.
The Convention had strong echoes of the OECD Guidelines, not least in the way it focused on the automated processing of personal data, to the neglect of manual (paper-based) data. This reflects the level of concern which existed at the time regarding the volume and extent of data processing using computerised technology. However, this narrow scope became a significant problem for the enforcement of data protection legislation in the following years, since records held outside a computer fell outside it.
Under Articles which were closely aligned with the principles set out in the OECD Guidelines, the Convention set out a series of rules on how personal data undergoing automatic processing should be managed and protected. In addition, the Convention set out specific rights for individuals whose personal data is being processed.
Member states of the Council of Europe were then invited to sign and ratify the Convention. Ratification occurred at various speeds, and since the Convention set minimum standards rather than a uniform text, individual states interpreted and enforced its requirements with varying levels of focus, emphasis and scope.
For example, in the UK, the Convention became the Data Protection Act (1984), and a few years later formed the basis for a well-known and precedent-setting case when a member of the police force was accused of abusing personal data to which he had access.
Case Study: PC Brown, 1993
Brown, a UK police officer, in an effort to help a friend who ran a debt collection agency, (Capital Investigations Ltd), requested that a police colleague access the Police National Computer (PNC) to retrieve some personal information.
There was no evidence to prove that the personal information was relayed or disclosed to Capital Investigations, or indeed used by the police officer in any way other than merely bringing the data up on a screen. The officer was convicted of the Data Protection Act 1984 offence of using personal data for a purpose other than that described in the Data Protection Register, but the conviction was overturned on appeal.
The House of Lords held that the word ‘use’ was to be given its ordinary meaning and that, in this case, the officer did not ‘use’ the data: it was merely retrieved from a database and viewed.
The case therefore turned on a narrow interpretation of a single word. Under the subsequent legislation, namely the 1995 Data Protection Directive, the defined term ‘processing’ expressly covers retrieval and consultation as well as disclosure, so the outcome of this appeal might have been very different. As it was, PC Brown was exonerated and returned to duty. For security practitioners the lesson survives to this day: simply looking up a record without a legitimate purpose is an offence, and access logging is what makes such lookups provable.
The European Data Protection Directive (1995)
The European legislators recognised that there were going to be difficulties enforcing the 1981 Convention consistently across states, and cases such as PC Brown illustrated how narrowly drawn domestic laws could be. Therefore, in the early 1990s, they began drafting Community-wide legislation, which was adopted as Directive 95/46/EC in October 1995.
In parallel, the world of technology was going through more changes, with mobile technology, e-mail and the World Wide Web becoming inextricably linked to the expansion of global commercial markets. The new legislation would reflect these technological advances, as well as showing evidence that the legislators had learned lessons from the fate of the 1981 Convention.
The focus of the European Data Protection Directive would be on the protection of individual privacy and the control of processing of personal data. There was no longer a prescriptive list of the types of processing which were covered by the legislation. Neither was there a narrow focus on automated processing – manual records, such as contracts, correspondence and certificates were back within the scope of the Directive.
The Data Protection Directive also introduced some new concepts and terms to the language of privacy protection: Processing; Sensitive Personal Data; Manual Data; Relevant Filing System and Consent.
The EU Directive on Privacy and Electronic Communications (2002) and the Privacy and Electronic Communications Regulations (PECR, 2003)
Further reflecting the evolution of commercial and technological innovation, in the early years of the 21st century, one of the fastest-growing sectors in commercial activity was the use of electronic media to promote and sell products to the general public. The email addresses and mobile phone numbers of individuals became prime currency in conducting marketing and sales campaigns, and the general public were starting to be bombarded by unsolicited and largely unwelcome advertising. Therefore, the European legislators considered it necessary to again regulate for the protection of the privacy and confidentiality of the personal data of its citizens, this time focusing specifically on the use of their data for marketing purposes using electronic media.
In July 2002 the EU adopted Directive 2002/58/EC on privacy and electronic communications (the ‘ePrivacy Directive’) to keep data protection law in step with the latest communications technologies. In the UK it was transposed as the Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force on 11 December 2003. PECR sits alongside the Data Protection Act 1998, giving people specific privacy rights in relation to electronic communications: rules on unsolicited marketing by email, SMS and telephone, on cookies and similar tracking technologies, and on the security and confidentiality of communications services.
The General Data Protection Regulation (2016)
Following four years of discussion since the Commission’s January 2012 proposal, the GDPR was approved by the European Parliament on 14 April 2016. It entered into force on 24 May 2016, with a two-year transition period before it applies from 25 May 2018.
The GDPR replaces the 1995 Data Protection Directive and, as a Regulation rather than a Directive, applies directly in every Member State without needing national transposition. It has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy. Once it applies, non-compliant organisations will face administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher, not to mention the potentially catastrophic reputational damage.
It’s no secret that the GDPR is expected to have a significant effect on any organisation which processes the personal data of its customers, from financial institutions which process billions of transactions and financial records annually, through to charities which rely on marketing to donors for fundraising. With so much to do to achieve compliance, and the stakes being so high, it’s easy for those responsible for data protection to feel their heart sink at the prospect of this change in legislation. But opportunities are also presented by this change, and these should not be overlooked.