History of Data Privacy Laws
In 1877, Thomas Edison was putting the finishing touches on what he referred to as his favorite invention. Was it the telephone? Lightbulb? Nope: the phonograph. While this would lay the foundation for the wildly successful record player, these initial devices would both record and play back audio on either paper or malleable metal tapes or tubes. Fast forward just over a decade to 1888, when George Eastman released the Kodak Camera, the first patented commercially available camera. Both of these technologies rocked the world, and while the vast majority were left in awe, it wasn’t long before some began to question the use of these new devices.
In 1890, Samuel Warren and Louis Brandeis published a 42-page article called “The Right to Privacy” in the Harvard Law Review, which is one of the first known writings recognizing the importance of consent when being photographed or recorded. Even with the most elementary level of technology available, society was beginning to comment on the importance of privacy and the right to be left alone. While legislation from all around the world has shifted and morphed to meet the needs of new technology, the precedent has remained the same: the right to be left alone. In this article, we will review the history of data privacy legislation, with some examples of where we started as well as where we’re heading.
For the sake of brevity, let’s take another leap forward in time to the 1960s and 70s. I know, I know, 100 years is quite the leap, but not much happened: a couple of wars, women’s suffrage, radio, machine guns, color photos (not to mention video), a nuclear missile extravaganza, you get the picture. There’s a lot going on in this modern world, and the mantra, just as with any technological advancement, is invention first, regulation later.
Early Data Protection Laws
In 1967, the United States led the pack with the Freedom of Information Act (FOIA). While this sounds like a massive leap in the right direction, it really just meant people could request information about themselves from government agencies. Sweden takes the cake for the first federal privacy law, passing the Data Act in 1973, which criminalized data theft. Germany later expanded on the Data Act with the passing of the German Federal Data Protection Act in 1978, which established basic data protection standards including consent for the processing of personal data.
Again, in 1983, we saw Germany make another push to protect data when the German Federal Constitutional Court decided it was a basic human right to determine how your personal information was used or, more formally, the right of informational self-determination. Over the next decade or so we saw major advances in computer technology, which resulted in the European Union's Directive of Data Protection in 1995. It updated protection laws to include more up-to-date language and proposed minimum necessary requirements for data security to protect sensitive information, though state-level legislation led to different areas having differing levels of data protection.
In 1996, the Health Insurance Portability and Security Act (HIPAA) was passed in the United States to further streamline and legislate the safeguarding of an individual's health information. This law has been amended and expanded multiple times in the decades following its passage. Then, in 1998, the European Union passed the Data Privacy Act, which served to regulate the transmission of personal data within the EU as well as data traveling outside the EU.
Now, with all of these different data privacy laws floating around the globe, it was difficult for international businesses to make sure they were complying with all the different data protection laws. Because of this, in 2000, the European Union and United States collaborated on the Safe Harbor Act to streamline the secure transfer of sensitive data between the United States and European Union. However, this Safe Harbor Arrangement gave the United States unrestricted access to every citizen of the European Union, and they did not like this at all. Even so, it wasn’t until 2015 that the European Court of Justice invalidated the Safe Harbor Arrangement and replaced it with the EU-US Privacy Shield in 2016.
Also in 2016, we have the passing of the GDPR, or General Data Protection Regulation, by the European Union, the most comprehensive data protection legislation to date. The GDPR goes above and beyond any prior data protection law with nearly 88 pages that emphasize the importance of accountability, consent, and security. It also has by far the largest fines of any data protection legislation, of up to 20 million British Pounds or 4% of global revenue, whichever is greater. For example, that would leave Facebook at just shy of 3.5 billion dollars in fines based on 2020’s revenue alone.
Data Privacy Laws in the United States
Jump back across the pond to the United States, and we find ourselves with new statewide legislation such as the California Consumer Data Privacy Act, the Virginia Consumer Data Protection Act, and many more laws proposed in state legislatures. A lack of centralized legislation leaves companies with a laundry list of laws to keep track of when doing business in not just multiple countries but even multiple states within the United States. There is a major need for the standardization of data privacy laws in the US and abroad. While GDPR hopes to bring a bit of uniformity to the European Union, the United States has yet to standardize data protection legislation any higher than the state level.
Overall, we’ve come a long way since the days of Edison and Eastman and Warren and Brandeis’ “Right to Privacy.” Ultimately, as technology progresses, laws and legislation will have to remain malleable and adaptable in order to cover the uncharted territory we often face in data protection. So while the subject has gone through quite a few changes over the years, the premise remains the same: people just want the right to be left alone.