The History of GDPR
The GDPR was the first modern data privacy regulation, serving as the blueprint for various other nations who are all wrestling with the challenges of how best to safeguard their citizens' data on the internet and hold businesses that abuse or misuse that information accountable. But where did GPR come from? Where is it going? In order to answer those questions, we’ll need to take a dive into its history.
The right to privacy was part of the 1950 European Convention on Human Rights, which stated, “Everyone has the right to respect for his or her private and family life, his or her home and correspondence.” From this basis, the European Union has sought to ensure the protection of this right through legislation.
As technology advanced and the Internet was invented, the EU recognized the need for modern protections.
On October 25th, the European Data Protection Directive (Directive 95/46/EC), on the protection of individuals with regard to the processing of personal data and on the free movement of such data, was adopted. This also established the minimum data privacy and security standards, upon which each member state of the European Union based its own implementing law that protected personal data.
The EU Data Protection Directive is based on recommendations first proposed by the Organization for Economic Co-operation and Development (OECD). These recommendations are founded on seven principles:
- Subjects whose data is being collected should be given notice of such collection.
- Subjects whose personal data is being collected should be informed as to the party or parties collecting such data.
- Once collected, personal data should be kept safe and secure from potential abuse, theft, or loss.
- Personal data should not be disclosed or shared with third parties without consent from its subject(s).
- Subjects should be granted access to their personal data and allowed to correct any inaccuracies.
- Data collected should be used only for stated purpose(s) and for no other purposes.
- Subjects should be able to hold personal data collectors accountable for adhering to all seven of these principles.
The Internet was morphing into the data giant it is today. In 2000, a majority of financial institutions offered online banking. In 2006, Facebook opened to the public. In 2011, a Google user sued the company for scanning her emails. It was after that, that Europe’s data protection authority declared the EU needed “a comprehensive approach on personal data protection” and work began to update the 1995 directive.
On June 22nd, Peter Hustinx, the European Data Protection Supervisor (EDPS) at the time, wrote an opinion on EC Communication 'A comprehensive approach on personal data protection in the EU' that went over the need to improve the Market Abuse Directive (MAD) that was released back in 2003. Over the years, the Commission had assessed the application of MAD and identified a number of problems like gaps in regulation of certain instruments and markets, deficiency of effective enforcement (regulators lack certain information and powers and sanctions are either lacking or insufficiently dissuasive), absence of clarity on certain key concepts and administrative burdens on issuers.
Shedding light on these problems and of the important changes brought to the financial landscape through legislative, market and technological developments, the Commission adopted legislative proposals for the reform of MAD. The policy objectives of the proposed revision were to boost investor confidence and market integrity and to keep pace with the new developments in the financial sector.
On the 25th of January, the European Commission (EC), proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. In March, the EDPS welcomed the proposed Regulation, GDPR, as it constituted a huge step forward for data protection in Europe. The proposed rules would strengthen the rights of individuals and make controllers more accountable for how they handle personal data. Furthermore, the role and powers of national supervisory authorities (alone and together) are effectively reinforced.
On July 1st, the Article 29 Working Party adopted WP196 (the “Opinion”) setting out an analysis of the legal framework associated with cloud computing, as well as recommendations directed at both Data Processors and Data Controllers in the European Economic Area (EEA). The Opinion identifies two data protection risks associated with the deployment of cloud computing services, namely: lack of control over the data and lack of information on data processing.
On March 12th, the European Parliament (EP) showed strong support for the GDPR by casting a vote that led to a 621 majority vote that was for it with 10 against and 22 abstentions.
On June 15th, the Council reached a general approach on the data protection regulation that establishes rules adapted to the digital era. The two aims of this regulation were to enhance the level of personal data protection for individuals and to increase business opportunities in the Digital Single Market.
It was on December 25th, that after much negotiation, the European Parliament, the Council and the Commission reached an agreement on the final text for GDPR.
On February 16th, the Article 29 Working Party issued an action plan for the implementation of the GDPR. It was on April 27th that Regulation (EU) 2016/679 (GDPR) of the European Parliament and of the “Council of 27 April 2016” on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Directive). The GDPR enters into force 20 days after publication on May 24th.
January 17th, the European Commission proposes two new regulations on privacy and electronic communications (ePrivacy) and on the data protection rules applicable to EU institutions (Regulation 45/2001) that align the existing rules to the GDPR.
On May 6th, the Member States (The countries that are part of the EU) had to change the Data Protection Directive for the police and justice sectors into national legislation. A proposal was put forward, on May 22nd, for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. This was important due to the strong link between the draft Regulation and the GDPR, it was important that the EU co-legislators found an agreement on the draft Regulation before the 25th of May. When May 25th finally arrived, GDPR was ready to be rolled out. This made all organizations required to be compliant to the new regulation.
Today, the GDPR has been the starting point for data protection laws for countries outside the EU. With the GDPR as a reference, countries and even individual U.S. states are drawing up their own data protection policies. It’s thanks to GDPR that people now know what their data freedoms are and that the regulation has become the starting foundation for any data protection law or regulation outside the EU.