The history of personal data protection: how did GDPR come about?

Since the entry into force on May 25, 2018 of the European regulation on the protection of personal data (General Data Protection Regulation - GDPR), 6 months have passed. This law applies even to the territory of the Russian Federation, but only indirectly and not always. Details on the territorial application of the GDPR can be found in the recent European Data Protection Board (European Data Protection Board).

For this and not only reason, the protection of personal data in our country is deprived of serious attention from both the lawyers and the general public. You can often come across the opinion that the GDPR is simply an artificial, groundless innovation by European legislators. In fact, this regulation is the result of a long-term development of the concept of fundamental human rights and freedoms, which began long before May 25, 2018.
')
How did GDPR come about and where did the need for data privacy come from? To understand this question, you need to refer to the history of the development of personal data protection.

Right to privacy

In 1890, two American lawyers, S. D. Warren and L. D. Brendays, publish in The Harvard Law Review an article entitled The Right to Privacy , which describes “the right to be left alone”. ").

Almost immediately, or more precisely in the first half of the 20th century, the right to private life formulated is reflected in American judicial practice.
This idea quickly spreads outside the United States. In 1948, the right to privacy was recorded along with other fundamental rights and freedoms in the Universal Declaration of Human Rights (article 12), and in 1950 - in the European Convention on Human Rights (article 8).

The heightened attention to human rights at that point in time is due primarily to the devastating effects of the Second World War. This was reflected in the definition of the right to privacy:

“Everyone has the right to respect for his personal and family life, his home and his correspondence”, - ECHR.

The main priorities of that time were the most significant social issues of the postwar period: the inviolability of personal and family life, the secret of correspondence. The problem of protecting personal data, which seemed to be a logical consequence of the right to privacy, was not the object of widespread attention.

The birth of the right to protection of personal data

At the beginning of the second half of the 20th century, information technologies are beginning to develop, allowing much faster processing of much more information. In the 1960s, these technologies became more and more accessible to a wide range of people, which causes some concern for the Council of Europe.

So, in 1968, the Parliamentary Assembly publishes recommendation No. 509 . It expresses concern about possible threats to the right to privacy as a result of the use of new technologies for data processing.

As a result, the Assembly commissioned the Human Rights Committee to study this issue. Many consider this point as a starting point for Data Privacy.

The first reaction follows from Germany, where on the land of Hessen in 1970, the first ever law on personal data was adopted. It is important to note that this was only a local law that was applied exclusively on the territory of this land, and not at the federal level.

Then react the United States. In 1974, the Privacy Act was adopted, in which the US Congress first establishes a link between the right to privacy and personal data. This law indicates that a person’s personal life may be directly affected as a result of the collection, use and dissemination of personal information by public authorities.

Neither one nor the other legal act can be called a full-fledged law regulating the processing of personal information. However, the right to protection of personal data begins to emerge from the shadow of the right to privacy.

The first legislation in the field of personal data protection

Germany is becoming the main pioneer in the field of Data Privacy: the first national law on personal data ( Bundesdatenschutzgesetz ) appears in 1977 in the Federal Republic of Germany. The special attitude of the German public to this issue is primarily associated with local historical events.

The fact is that in the middle of the twentieth century the Germans experienced two contradictory political regimes: on the one hand, the Third Reich, on the other hand, the FRG and the GDR. These systems were based, among other things, on mass surveillance of the population.

Such upheavals led to the fact that confidentiality subsequently turned out to be in great demand in this country. That is why Germany is still considered one of the world leaders in the protection of privacy and personal data.

Another significant country for Data Privacy is France, which is just one year behind Germany. The adoption in 1978 of the law on informatics and civil liberties was also associated with local events.

In the early 1970s, the French government developed the SAFARI project, the purpose of which was to create a single data registry using a social insurance number, which would make it possible to identify any citizen. Processing of all this information was planned to carry out thanks to advanced at that point in time computing technologies.

In 1974, the newspaper Le Monde published an article on this subject called “ SAFARI ou la chasse aux Français ” (SAFARI or the hunt for the French), which provokes a scandal on mass surveillance.

Under public pressure, the government was forced to retreat, which led to the adoption of the aforementioned law and the creation of a commission on informatics and civil liberties . However, it was not possible to avoid the implementation of the project, but the new commission was able to establish certain restrictions on the processing of personal data.

Entering the international level

German and French laws are becoming the cornerstone for personal data and give a significant impetus to the development of this sphere. More and more countries and international organizations are beginning to pay attention to the problem.

In 1980, the Organization for Economic Cooperation and Development publishes Guidelines for the protection of personal data, taking into account the continuing development of computer technologies and their use for commercial transactions.

A year later, the first international agreement in the field of Data Privacy is adopted, which becomes the Convention for the Protection of Individuals in the automated processing of personal data . This Convention has become a great achievement in its field. To date, it has been joined by 51 countries, including Russia (it is on this document that the national federal law on personal data is based).

At the same time, the constantly accelerating development of information technologies creates new challenges in the field of data privacy and privacy. The main problem is the emergence of the Internet and its rapid development. The first potential threat is noticed by the European Union, which in 1995 adopted a framework directive on the protection of personal data .

The main purpose of this law is to adapt to new threats and unify the legislation on personal data of EU member states. To this end, the mechanisms provided for by the 1981 International Convention were improved, and new duties for personal data operators and new rights for EU citizens were introduced.

Recent history

By the end of the 90s, the main giants of the Internet began to form. Today they are called the Big Five or GAFAM (Google, Amazon, Facebook, Apple, Microsoft). With the direct participation of listed US corporations, a new system of monetization of commercial activities on the Internet is emerging. The Google search engine and Zuckerberg social network, not having direct sources of capitalization (unlike Amazon or Microsoft), begin to show ads based on an analysis of their users' behavior (targeting). Contextual advertising is rapidly becoming extremely popular and Amazon, Microsoft and Apple are connected to this system.

In order for advertising to remain the most relevant, the five named companies, behind the clear leadership of Facebook and Google, are actively collecting huge amounts of data about users from around the world. At the same time, technologies are rapidly developing, allowing to analyze all this information and identify the peculiarities of users' behavior striking the imagination. All these data and analytical conclusions are sent to America, which has never been very successful in protecting personal data.

In response to contextual advertising, the EU adopts the ePrivacy Directive in 2002, which regulates the use of cookies, which also include the collection of data for advertising.

Following the adoption of this directive, the world is shaken, perhaps, by the main scandals associated with cybersecurity and data as such. Here you can talk about the WikiLeaks of Julian Assange, and about the exposure of the American mass surveillance program PRISM by Edward Snowden.

At the same time, there are major leaks of personal data, both as a result of hacker attacks and as a result of human factors. Their peak occurs in the tenth years. A striking example is the leakage of virtually all of the data from Ashley Madison. This is a Canadian dating site designed for married people. In 2015, the site’s databases were hacked and all private information was uploaded to the network. The result: a significant wave of divorces around the world, several cases of suicide. In addition, data on about 1,200 users from Saudi Arabia, where the punishment for treason reaches the death penalty, is freely available. In such circumstances, it is difficult to underestimate the importance of personal data protection.

In the light of all these events, the European Union finds that it is necessary to update its outdated 1995 directive. The main problem was that it was not applied directly in EU member states, which in turn led to significant differences at the level of national legislations. The new regulations would act directly in each European country and would allow creating an increased level of personal data protection throughout the Union. Discussions with a view to adopting a new law began in 2012, and in 2016 the final text of the regulation was officially published and entered into force on May 25, 2018. A detailed analysis of the GDPR is available here .

Privacy Reform Package

On the GDPR, EU lawmaking activity in the area of ​​privacy has not ceased. The processing of personal data for the purposes of criminal justice is not included in the perimeter of the operation of the regulations, as it requires the establishment of a specific legal regime. Therefore, in 2016, simultaneously with the GDPR, a directive was adopted on the protection of individuals in the automated processing of personal data by public authorities in order to prevent, investigate, detect and prosecute criminal offenses .

In addition, the NIS (Network and Information Security) directive is adopted in the same year. The main objective of this legal act is to ensure a high level of information security for critical infrastructure operators and digital service providers. It is about protecting not only personal data, but the security of any data at all.

All of these many laws are the result of the European Union’s electronic communications, cybersecurity and privacy policy. The EU’s next step should be the adoption of an ePrivacy regulation to replace the 2002 directive of the same name. The main issues on the agenda of this reform are: metadata (Big Data) and all the same cookies. The draft regulation was already published in early 2017.


Thus, the GDPR and other laws in the field of data privacy are far from being a novelty of European legislation. The Privacy Policy together with the entire Privacy Reform Package is the result of more than a century of development of legal thought based on the need to protect the privacy of any citizen.