Note: This is the 2nd part of the series: History of Data Protection Laws. If you haven’t read the History of Data Protection Laws Part 1, we recommend you do so before you read this post.
This post covers the remaining acts and guidelines till the end of the 20th century.
The first part traced the evolution of Data Protection Laws from 1890 to 1980, when the OECD guidelines brought more international attention to data privacy.
However, OECD guidelines weren’t comprehensive. And considering the speed at which computational power was increasing and impacting data collection, more technology-neutral laws were required.
1981: European Council: Data Protection Convention Treaty
The preamble clearly states that the purpose of the convention is “to protect every individual…with regard to the processing of their personal data, thereby contributing to respect for …the right to privacy.”
It also defines which kinds of data are covered under the convention (genetic data, biometric data, racial origin, health and so on). Looking back, it’s easy to connect the dots: the groundwork for GDPR is visible in that the Convention defines data controllers and data processors, among other things. The Convention goes on to ask controllers (and processors, when applicable) to take adequate security measures while processing, storing, sharing, disclosing or editing data.
It also clearly laid down the rights of the data subject.
1983: Census Judgment, Germany
In 1983, the Federal Constitutional Court (FCC) of Germany expressed a serious concern over a society in which people no longer know who knows what about them.
Further in the verdict, the FCC laid down six principles:
- Data collection, banned by default. Data collection would need permission.
- Direct collection. Collect data from the individual only. (Read: no buying or selling of data.)
- Data economy. Destroy data after a reasonable period.
- Data minimization. Collect as little data as possible.
- Data Transparency. The individual must know her data is being collected.
- Collect data only if it is unavoidable.
The understanding of why data privacy is important had emerged immediately post World War II, when Nazi Germany collected data with the mala fide intention of persecuting minorities.
The Federal Constitutional Court of Germany reached a fundamental decision regarding the census judgment. The verdict is considered a milestone of data protection.
1988: Data Protection Act Ireland
Interestingly, while the Americas remained relatively silent, European nations had swung into action. Putting an individual’s privacy rights first, Ireland framed and put into action its Data Privacy Act in 1988.
The Act laid down guidelines for the collection and use of data. Further, it sought to offer protection against any potentially harmful usage of the data so collected. Ireland laid down 8 principles, which were largely similar to the 1983 Census Judgment of Germany. An additional feature (missing from the FCC principles above) was added: it gave the individual the right to have a copy of their data on request. It also introduced what it termed a “duty of care”. That meant that data collectors are expected to make sure their data collection activities do not cause damage or distress to data subjects.
The Act was further consolidated in 2003. Subsequently, the two Acts are jointly referred to for legal purposes.
1988: Privacy Act Australia
The same year as Ireland came up with its Data Protection Act, Australia brought into force a similar act, the Privacy Act.
Owing to the Commonwealth status, the Act was detailed in a number of ways. The most interesting feature was that it empowered the authorities to see how the Australian Privacy Principles (APP) may be applied. Further, it also allowed authorities to impose additional requirements if they deemed fit.
Since the healthcare industry handles a great deal of data, the Act devotes Part IX, #95, to the healthcare industry.
1993: New Zealand Privacy Act
(If Australia comes, can New Zealand be far behind? Silly joke, sorry!)
The Act is not considered among the top Privacy Acts for a number of reasons. That’s because it recognizes that privacy is relative and contextual. As a result, the Privacy Commissioner has to factor in a number of things, like international guidelines (which didn’t exist in a solid form back then), in addition to human rights. The result is that individuals find it challenging to find out who holds what information about them.
The Act has 12 principles that govern data collection and processing agencies.
Interestingly, there aren’t really punishments, only remedies. Consequently, barring one exception, the principles aren’t enforceable in a court of law – you can only seek remedies.
1995: The European Data Protection Directive
While it did not have all the teeth, it was a move in the right direction for the following reasons:
- It recognized that technology was changing in a massive way.
- It covered terms like consent and sensitive personal data.
- It laid down a simple but powerful condition: do not process data unless certain conditions are met.
It required member states to set up a body that would supervise data protection levels and advise governments about measures and regulations. Further, that body is empowered to initiate legal proceedings if it senses violations. Individuals can lodge complaints in court or with the authority.
Note that it was a directive, so it wasn’t always enforceable in all member states.
1998: United Kingdom Data Protection Act
This is the last major event in the history of data protection acts of the 20th century.
The Act picked up from where the 1995 European Data Protection Directive had left off, replacing the earlier 1984 Act.
It laid down 8 data protection principles. The two important ones were:
- Personal data will be obtained only for a specific purpose.
- Personal data cannot be transferred outside the European Union, unless the place where the data is transferred has adequate practices in place.
This is the end of the 2nd part of our series on the history of Data Protection laws. Stay tuned for part 3!