How did we get here?
An overview of important regulatory events leading up to the GDPR
Although there is no doubt that the rules and regulations surrounding data privacy needed updating, both the GDPR and the Directive 95/46/EC are based on an even older set of principles that still hold true today. The Organisation for Economic Co-operation and Development (OECD) published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was a set of recommendations endorsed by both the EU and the US that set out to protect personal data and the fundamental human right of privacy. The document was originally adopted on 23 September 1980 and proposed the following eight principles for the processing of personal data:
Collection Limitation Principle
There should be limits to the collection of personal data, data should be obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Purpose Specification Principle
The purpose for the collection of data should be specified at the time of collection and data should not be used for anything other than its original intention without again notifying the data subject.
Use Limitation Principle
Personal data should not be used for purposes outside of the original intended and specified purpose, except with the consent of the data subject or the authority of the law.
Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Individuals should have easy access to information about their personal data, who is holding it, and what they are using it for.
Individual Participation Principle
An individual should have the right to know if a controller has data about him/her and to have access to that data in an intelligible form for a charge, if any, that is not excessive. An individual should also have the right to challenge a controller for refusing to grant access to his/her data, as well as challenging the accuracy of the data. Should such data be found to be inaccurate, the data should be erased or rectified.
Accountability Principle
Data controllers should be accountable for complying with the measures detailed above.
These guidelines were the basis of many national laws regarding data privacy; however, they were non-binding, and the levels of data protection varied greatly even amongst different EU member states.
The Data Protection Directive 95/46/EC of 24 October 1995 was the European Union’s answer to the division of privacy regulations across the EU. Its major goals included the harmonization of data protection laws and the regulation of transfers of personal data to “third countries” outside of the Union. It established independent public authorities called Data Protection Authorities (DPAs) in each member state in order to supervise the application of the directive and serve as the regulatory body for interactions with businesses and citizens. It also allowed transfers of personal data to third countries, on the condition that those countries were recognised as providing a level of protection for the data comparable to the protections guaranteed within the EU. Overall, the directive stays true to the original recommendation of the OECD and the core concept of privacy as a fundamental human right.
Although Directive 95/46/EC was meant to bring together the laws of different member states, it was still a directive, which left some room for interpretation during the transposition into individual national law. This fact, along with today’s rapidly changing data landscape, has led to the necessity for another update to the regulatory environment of the EU.
The GDPR is a much larger piece of legislation, and the changes it brings, along with its impacts on businesses, can be found in our key points summary here. Most importantly, as a regulation and not a directive, it is directly enforceable law in all member states and applies to anyone processing the data of EU data subjects.
The main principles on privacy remain true to form with both the previous directive and the OECD guidelines; however, social media and cloud storage were not a reality in 1995, when only about 1% of the European population was using the internet. With modern technology, we are creating more personal data than ever before, and the processing of that data has become ubiquitous. The GDPR is designed to fit today’s technology while remaining general enough to protect the fundamental rights of individuals throughout future waves of innovation.
There were two cases brought before the Court of Justice of the European Union (CJEU) dealing with data privacy in the run-up to the GDPR go-live. The case of Weltimmo affects the realm of one-stop-shop regulation within the EU, and the case ruling Safe Harbour invalid affects the realm of EU-US data transfers.
An already controversial topic, the idea of a one-stop-shop for data privacy regulation first arose out of the previous directive, intending to cut some of the red tape for businesses. However, the Weltimmo case on 1 October 2015 resulted in the ruling that companies must comply with local data privacy laws if they have “establishments” in member states outside that which holds their European headquarters.
Although the GDPR was already attempting to fix this imperfect system before the CJEU ruling, there are still many issues to be worked out. Chief among these is the split between the DPAs of businesses and those of individuals. Regulators want to make life easier for businesses by allowing them to register and deal with only one national DPA, yet they also want individuals to be able to go to their own respective DPA, which may very well be different from the business’s. For more analysis on the debate surrounding the one-stop-shop in the GDPR, click here.
Collapse of ‘Safe-Harbour Agreement’
Only five days after the Weltimmo ruling, the CJEU came down with another ruling affecting data privacy, this time declaring the Safe Harbour scheme for EU-US data transfers to be invalid. While it was not the only way to transfer data from the EU to the US, around 4,500 companies relied on this framework as their main legal basis for transfers. The case was originally brought by Austrian student Max Schrems, following the NSA revelations by Edward Snowden. It was ruled that the US public authorities were not only outside of the scope of Safe Harbour, but also subject to conflicting laws that prevail over the scheme in certain circumstances. It is yet to be seen if the extended scope of the GDPR (affecting all businesses processing EU personal data) will entirely replace the Safe Harbour scheme. There is also hope for a so-called Safe Harbour 2.0 to relieve the pressure on businesses to find other legal forms of data transfer, which would likely be in effect well before the GDPR.