Data Protection Law: How It All Got Started
As data professionals, we tend to get trapped in the vicious cycle of “what comes next” and often do not take the time to understand the past. This article looks at the history of EU data protection law because, as Winston Churchill once said, “the farther back you can look, the farther forward you are likely to see”. Although US scholars point to the Fair Information Practices (FIPs) of 1973 as the root of modern informational privacy in the US, there is no evidence connecting FIPs to EU data protection law. In fact, the development of data protection law in the EU has a distinct and separate history. To be sure, there is nothing peculiarly European about the struggle of individual versus computer, but there is something very peculiar about how the EU understood the struggle and chose to address it from the start.
Concerns about the effects of computer-based record keeping in Europe date back to the late 1960s, when digital electronic computers first started to collect and process personal data. In the UK, a committee (the “Younger Committee”) conducted a thorough study of the subject and concluded that existing remedies, including privacy remedies under common law, were inadequate to address this new threat. The Younger Report, issued one year before the FIPs report, identified data processing principles that are the root of today’s EU data protection law. Even before the Younger Report was issued, other EU countries had taken the position that a new type of law was required in order to address the risks of automated processing of personal data. In Germany, the state of Hesse adopted the world’s first legislative act designed specifically to regulate automated data processing in the public sector on October 7, 1970. A number of other German states followed suit. In 1969, when strong opposition erupted in Sweden to the collection of census data in a manner designed to facilitate automated data processing, a task force was formed to study the problems that computerized record keeping could create, which led to the enactment of a Data Law in July of 1973.
The common thread in these initial reactions to computer-based record keeping in Europe is the acknowledgment that automated data processing creates risks for individuals that existing legal frameworks, including privacy frameworks, could not adequately address. Data protection law fills this perceived regulatory vacuum. Its founding principle is that automated processing of personal data must be fair, and the baseline assumption is that automated processing harms individuals unless the processing is done in compliance with the data management practices mandated by data protection law. This is why, as opposed to privacy law, exercising rights granted under data protection law does not require proof of harm. Automated processing is the harm.
In 1973, the Council of Europe (CoE) issued a resolution on the protection of individuals vis-à-vis electronic data processing banks in the private sector, followed by a 1974 resolution specific to data banks in the public sector. These non-binding resolutions advanced the goal of fairness in processing. Those principles are the root of the data processing principles in GDPR and its predecessor directive. In order to achieve fairness in processing, data protection law has historically focused on two specific risks caused by automated processing of personal data: the risk of intrusion in private life and the risk of unfair discrimination. Those who were surprised by the “new right” enacted through article 22 of GDPR (the so-called “right to an explanation”) were likely not aware that the stated goal of data protection law has always been fairness in processing. Where a decision that significantly affects an individual is made by an algorithm, a right to data protection logically demands an explanation of the reasons underpinning the decision that enables evaluation of whether discrimination has taken place.
Because resolutions are non-binding, the Council of Europe worked diligently towards the adoption of a binding treaty. In 1981, Convention 108 was opened for signature. It has been ratified by all EU member states, and to this day is the only binding international agreement on data protection law. Signatory states were already required to enact regulations that ensured respect for private life under Article 8 of the European Convention for Human Rights (ECHR). Joining Convention 108 requires those same states to enact additional legislation that ensures a different right: the right to data protection.
Convention 108 addressed an additional issue: transborder data flows. Privacy protections differed across European jurisdictions, which led some EU member states to restrict data transfers to other EU member states prior to Convention 108. The convention set a general rule that signatory countries “shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal information”. Further, where a signatory country has specific regulations protecting personal data, transfers may be restricted only if the importing jurisdiction does not provide “equivalent protection”. This 1981 rule is the foundation of EU cross-border data transfer requirements to this day.
Another landmark development in data protection law was the Treaty of Lisbon of 2007. Among other things, the Treaty enacted the Charter of Fundamental Rights, which functions as the EU equivalent of the US Constitution’s Bill of Rights. The Charter recognizes privacy (Article 7) and data protection (Article 8) as distinct and equally important fundamental rights. In contrast, data protection is not expressly recognized by either the US Constitution or any state constitution.
Modern data protection law is the outcome of the EU’s peculiar approach to balancing the risks and benefits of automated data processing. This “not so new” approach has influenced European policy for over fifty years. Data protection law will continue to evolve to achieve its goal of ensuring fairness in processing. Understanding the EU’s perspective is the key to accurately predicting the future of data protection law.