It’s important to understand the context and history of data protection laws while discussing data protection laws and data privacy.
Here’s the first of the two parts of an outline and a brief history of data protection laws.
The origin of data protection law in the 19th century
1890: It all started with a small article.
In its December 15 1890, the Harvard Law Review published an article titled The Right to Privacy.
It was written by Boston attorney Samuel D Warren and future US Supreme Court associate justice Louis Brandeis.
It forms the basis of much of what we have as privacy laws today.
It was considered such an important article that N Roscoe Pound, the famed American legal expert, called that the authors were responsible for “nothing less than adding a chapter to our law.”
It talks about privacy laws the right to enjoy life – the right to be let alone.
Data protection laws in the first half of the 20th century
1948: The Universal Declaration of Human Rights
The next major event in the history of privacy laws had to wait for nearly six decades.
The United Nations (UN) adopted The Universal Declaration of Human Rights officially as its resolution in Paris on December 10, 1948. The draft was laid out by the French jurist Rene Cassin. Eight countries, including the erstwhile USSR and some East European nations, chose not to vote during the resolution. It was no surprise, for these countries had a less than enviable record of human rights.
While it wasn’t legally binding, it provided both a foundation and a strong point of reference for all subsequent laws and guidelines.
1950: The EU Convention on Human Rights
The original focus of the European Convention on Human Rights (ECHR) was protecting human rights in general.
The EU Convention was partly in response to the World War II during which a very large number of civilians had suffered. Partly it was also in response to the rise of communism in the USSR and East Europe. The totalitarian system that emerged under communism had little patience for human rights. It was also meant to further democratic principles.
The Convention was the key factor behind establishment of European Court of Human Right, headquartered today in Strasbourg, France.
Data protection laws in the US in the 2nd half of the 20th century
1967: Freedom of Information Act (FOIA), United States
It was the turn of the USA to act; the focus returned to information protection.
US President Lyndon B Johnson reluctantly signed the amendment. It was talked about the federal government’s responsibility in terms of disclosures and release of documents controlled by the US federal government. Major amendments came up following the Watergate scandal of 1972.
The FOIA gave rights to citizens to access government documents after they had been de-classified.
1973: Fair Information Practice Principles (FIPPS), USA
The FOIA hadn’t covered everything so the FIPPS attempted filling the gaps.
This was, arguably, the first law that clearly addressed the multiple complexities arising out of automation data processing. Additionally, the focus on personal data began to emerge. The five key areas were: Notice, Consent, Access, Integrity and Enforcement
Yet, it failed to impress legal scholars, at least in part because the FIPPS makes no mention of a dedicated privacy agency.
Data protection laws actually began in the last quarter of 20th century
1973: Sweden’s Data Act
Sweden’s Data Act, world’s first national data protection law, was enacted in 1973 and came into effect in 1974.
The law dealt with automated processing systems that carried data of living persons. It was stipulated that exporting data of Swedish citizens would require a license. However, the licensing was soon stalled because export of that data made Sweden highly susceptible to terrorist attacks.
It was superseded by Data Personal Act 1998 that implemented the 1995 UN directive.
1978: France’s Act No 78-17
The law was adapted in January 1978 in France.
Titled Data Processing, Data Files and Individual Liberties, this set of French rules was often considered generous. It sought to keep the context of international co-operation. In today’s world where individuals are increasingly judging each other based on what they see on each other’s social media channels, this law explicitly prohibited government to make decisions on the basis of any automatic processing of data.
It was amended in 2016 into Digital Republic Law.
1979: Ireland’s Public Services Card (PSC)
The PSC allows Irish citizens to access a variety of services.
In many ways, they have become the de facto national IDs. However, they are deemed more intrusive than helpful.
This belief was fueled when Ireland Minister Jim Daley recommended to the EU that these cards be required when someone opens a Twitter, Facebook or Instagram account.
A connection between one’s social media profile and a government-issued card would lead to most serious breach of information in case any social media account was unfairly shared or compromised.
The PSC card wanted to collect bio-metric data, but that “error” was later corrected.
Data protection laws get more international attention
1980: OECD guidelines
In some ways, this was the first truly international set of guidelines because it revolved around Trans-Border Data Flows (TBDF).
The set of guidelines – they weren’t enforceable rules – also realized the massive importance of computers processing huge amounts of information. It richly derived from the writing of Professors Allan Westin and David Flaherty.
The guidelines’ best achievement was its technology-neutral terms.
That meant that the guidelines focused on what data was collected and processed, rather than how.
It was also unique in the sense that it pointed out the need for end-user education.
(To be continued)