International: The evolution of the right to privacy and data protection
Data Privacy Day is held on 28 January each year, the anniversary of the day in 1981 on which the Council of Europe's ('CoE') Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') was opened for signature, the first legally binding international treaty on privacy and data protection. OneTrust DataGuidance has compiled a short legal history of the right to privacy and data protection across the globe, highlighting the historical and legal developments that laid the foundations for the right to privacy and data protection as it exists today.
For a summary of Convention 108 and its amending protocols, see our previous Insight on International: Origins of Data Privacy Day - Convention 108.
A brief timeline
The right to privacy integrated into the rule of law through constitutions
The right to privacy had legal relevance long before modern data protection regulation, with some of its foundations in constitutional law. References to the protection of this right have often been included in the constitutional charters of countries around the world.
1789: US Bill of Rights
The Bill of Rights, proposed in 1789 and ratified in 1791, protects in its Fourth Amendment 'the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures'.
1890: The right to be let alone
American lawyers Samuel Warren and Louis Brandeis publish their ground-breaking article 'The Right to Privacy' in the Harvard Law Review, in which privacy is described as 'the right to be let alone'.
Warren and Brandeis identified technology as the driving force behind both the threat to privacy and the need for its legal protection, warning that 'instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life'.
1948: Universal Declaration of Human Rights
The United Nations ('UN') Universal Declaration of Human Rights, a milestone document in the history of human rights drafted by a UN committee chaired by Eleanor Roosevelt, enshrines an early, general right to privacy. Article 12 provides that 'No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks'.
1950: European Convention on Human Rights
Drafted by the CoE, the European Convention on Human Rights ('ECHR') follows the Universal Declaration: Article 8 guarantees respect for an individual's 'private and family life, his home and his correspondence', subject only to interference by a public authority that is 'in accordance with the law' and 'necessary in a democratic society' in pursuit of one of the aims the Article lists.
1974: FERPA and Privacy Act
Enacted in 1974, the US Family Educational Rights and Privacy Act ('FERPA') protects the privacy of student education records. Among other things, it gives parents the right to access their children's education records, the right to seek to have the records amended, and some control over the disclosure of personally identifiable information from those records.
In the same year, the Privacy Act of 1974 was enacted in the US, establishing a code of fair information practices for the collection, maintenance, use, and dissemination of personally identifiable information by federal agencies. It created one of the first frameworks for balancing the need to process information about individuals against the right of individuals to be protected from unjustified invasions of their privacy.
1980: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ('OECD Guidelines') were one of the first international efforts towards a harmonised privacy framework, although they are not legally binding on OECD members. The OECD Guidelines set out eight basic principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability. The Guidelines were revised in 2013, with the eight principles retained.
1981: Convention 108
Convention 108 is the first binding international instrument protecting individuals against abuses that may accompany the collection and processing of personal data, and it also sought to regulate the cross-border flow of personal data. It contains foundational concepts, such as fair and lawful collection, purpose limitation, data quality, security, and rights of access and rectification, that modern data protection and privacy laws still reflect.
1995: EU Data Protection Directive
The EU Data Protection Directive (Directive 95/46/EC) ('the Data Protection Directive') is the predecessor of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and was the first instrument aimed at harmonising data protection across the Union. It established foundational principles later carried into the GDPR, such as transparency and proportionality, and created a baseline of data protection that was echoed in data protection legislation globally. As a directive, however, it had to be transposed into national law, which left noticeable divergence between Member States; removing that divergence was one of the reasons for replacing it with a directly applicable regulation.
1996-1999: United States' HIPAA, COPPA, and GLBA
The late 1990s saw increased sector-specific privacy regulation in the US. Three significant privacy laws that continue to shape the US privacy landscape were enacted: the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), the Children's Online Privacy Protection Act of 1998 ('COPPA'), and the Gramm-Leach-Bliley Act of 1999 ('GLBA').
HIPAA applies to the health care sector and establishes requirements for the processing of health information, protecting individually identifiable health information handled by covered entities in the health care and health insurance industries. COPPA, on the other hand, protects minors by regulating the collection of personal information from children under 13 by operators of websites and online services directed to children, including operators based outside the US that serve children in the US. It sets out what operators must include in their privacy policies, how verifiable parental consent must be obtained, and how children's safety and privacy online are to be protected.
The GLBA, which applies to the financial sector, requires financial institutions to explain their information-sharing practices to their customers, including the kinds of information they collect and the non-affiliated third parties with whom they may share it, and to give customers the right to opt out of such third-party disclosures. Its Safeguards Rule also requires institutions to maintain an information security programme to protect customer data.
2002: ePrivacy Directive
In force since 2002, the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive') was designed to meet the needs of digital technologies, complement the Data Protection Directive, and address privacy in electronic communications, including the confidentiality of communications, traffic and location data, and unsolicited marketing, while improving transparency and security for users. Importantly, the ePrivacy Directive established rules for cookies and similar tracking technologies, which were largely unregulated at the time; the requirement for prior consent before information is stored on or read from a user's device was introduced by the 2009 amendment (Directive 2009/136/EC), the original 2002 text having provided only a right to refuse.
2005: APEC Privacy Framework
The APEC Privacy Framework, published in 2005, is intended to give businesses and government entities in APEC economies clear guidance on common privacy issues and on how privacy affects the way legitimate business practices and government functions are conducted. The APEC Privacy Framework was modelled on the OECD Guidelines, although it has been shaped to the different legal characteristics and context of the APEC region. In particular, it establishes nine principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability.
2000-2009: Charter of Fundamental Rights of the European Union
The Charter of Fundamental Rights of the European Union ('the Charter'), proclaimed in 2000 and legally binding since the Treaty of Lisbon entered into force on 1 December 2009, is the second legal instrument protecting fundamental and human rights in Europe after the ECHR. While the ECHR was drafted by the CoE and applies to all CoE member states, the Charter applies only to the EU and to its Member States when they implement EU law. Interestingly, Article 7 of the Charter and the abovementioned Article 8 of the ECHR both provide a similar right to respect for 'private and family life, home and communications'; Article 8 of the Charter goes further, however, and provides a separate and distinct right to data protection, stating that 'everyone has the right to the protection of personal data concerning him or her'.
2013-2020: Schrems I and II
In 2013, Austrian privacy activist Maximillian Schrems complained to the Irish Data Protection Commissioner about the transfer of his Facebook data to the US. On 6 October 2015, in Schrems (C-362/14) ('the Schrems I Case'), the Court of Justice of the European Union ('CJEU') held that the European Commission's Safe Harbour decision (Decision 2000/520) did not ensure an adequate level of protection and declared it invalid. Subsequently, on 16 July 2020, in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the CJEU invalidated the Commission's decision on the adequacy of the protection offered by the EU-US Privacy Shield, the mechanism that had replaced Safe Harbour in 2016.
Specifically, the CJEU ruled that the limitations in US law on access to and use of EU-origin data by US authorities did not meet the standard of protection essentially equivalent to that guaranteed by EU law, read in light of the principle of proportionality: the surveillance programmes based on US law were not limited to what is strictly necessary and proportionate, and EU data subjects had no actionable rights before the courts against the US authorities.
In the same ruling, the CJEU upheld the general validity of the Standard Contractual Clauses ('SCCs'), but emphasised that organisations relying on SCCs must 'verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country ensures adequate protection, under EU law, pursuant to the SCC, and where necessary, adopt additional safeguards to those offered by those clauses'. This case-by-case verification is the origin of the transfer impact assessment now expected before any SCC-based transfer.
2014: Malabo Convention
The African Union Convention on Cyber Security and Personal Data Protection ('the Malabo Convention'), adopted in 2014, is the principal international data protection agreement in Africa. It aims to establish a legal framework for cybersecurity and data protection across African Union Member States and sets objectives for both. Its preamble highlights the need for harmonised legislation on electronic commerce, personal data protection, and cybersecurity in Member States, and the need to establish in each Member State a mechanism capable of combating violations of privacy arising from the collection, processing, transmission, storage, and use of personal data.
2016-2018: Introduction of the GDPR
In 2016, the EU adopted the GDPR; it entered into force on 24 May 2016 and has applied since 25 May 2018, replacing the Data Protection Directive and updating EU data protection law for the internet age. The GDPR is considered a privacy benchmark because of its comprehensive scope. Its definitions, data protection principles, data subject rights, and obligations on controllers and processors have been replicated in numerous laws and initiatives around the world. Its extraterritorial scope (Article 3) brings non-EU organisations that offer goods or services to, or monitor the behaviour of, individuals in the EU within the reach of national supervisory authorities, and enforcement has grown steadily, producing a substantial body of decisions and case law from national courts and the CJEU.
2017: European Commission proposal for ePrivacy Regulation
The Draft ePrivacy Regulation was proposed by the European Commission in January 2017 and has since been through several rounds of discussion and redrafting. It is designed to update the rules on privacy and electronic communications, replace the ePrivacy Directive, and align these rules with the GDPR. Negotiations are still ongoing and it remains to be seen when, or whether, the Draft ePrivacy Regulation will be finalised and become law.
2018-2020: California Consumer Privacy Act
In 2018, California became the first US State to enact a comprehensive data protection law, the California Consumer Privacy Act ('CCPA'), which took effect on 1 January 2020. The CCPA creates obligations for certain businesses operating in California and gives consumers rights such as the right of access, the right of deletion, and the right to opt out of the sale of their personal information. It was amended and expanded by the California Privacy Rights Act ('CPRA'), approved by voters in November 2020 and largely operative from 1 January 2023, and it has inspired subsequent data protection legislation passed and introduced in other US States and at the federal level.
2021: China's Personal Information Protection Law
The Personal Information Protection Law ('PIPL'), which took effect on 1 November 2021, is China's first comprehensive data protection law and sets out requirements for personal information handlers (the PIPL's equivalent of controllers). In line with international standards, it imposes duties on personal information handlers, such as appointing a personal information protection officer and conducting personal information protection impact assessments, restricts cross-border transfers of personal information, and grants individuals rights over their personal information.
The right to privacy in 2023 and beyond
Privacy and data protection is an ever-changing field, with new and amended data protection and privacy laws emerging to keep pace with technological advancements. In particular, 2023 saw, and will continue to see, the expansion of privacy laws, with a number of them entering into effect and progressing through national legislatures. A notable mention is the American Data Privacy and Protection Act ('ADPPA'), the first bipartisan, bicameral comprehensive federal privacy bill in the US, which was introduced in the U.S. House of Representatives in 2022 and is currently under consideration. If adopted, the ADPPA would significantly change the existing privacy landscape in the US.
On the other side of the Atlantic, the European legislator has not stood idly by, and the future of privacy regulation in Europe also promises to be eventful. In particular, the following regulations, among others, will start to apply:
- Regulation (EU) 2022/868 of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) will apply in full from 24 September 2023.
- Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) will move into its implementation phase and start to apply from 2 May 2023.
- Regulation (EU) 2022/2065 of 19 October 2022 on a single market for digital services and amending Directive 2000/31/EC (Digital Services Act) will apply across the EU from 17 February 2024, that is 15 months after its entry into force on 16 November 2022 (the later of that date and 1 January 2024); the obligations for designated very large online platforms and very large online search engines apply earlier, four months after their designation.
Marcello Ferraresi Privacy Analyst