
Data Privacy Act: A Brief History of Modern Data Privacy Laws

10 Apr., 2018

Data privacy acts have been around a lot longer than you may remember. As the GDPR gets ready to go into effect, find out how data privacy laws have changed in the modern age.

The General Data Protection Regulation is about to go into full effect next month. By no means is it the first data privacy law, and though it is the most robust set of legislation yet when it comes to personal data protection, it likely won’t be the last one either. As the GDPR revs up, let’s look back at the various modern data privacy laws that have been passed over the years.

The 1970s – The First Modern Data Privacy Laws

In Hesse, Germany, the first modern data privacy law came into being in reaction to concerns about advances in computing and the privacy of personal data processed by computers. In 1973, Sweden created the first national privacy law, the Data Act, which criminalized data theft and gave data subjects the freedom to access their records. In 1978, the German Federal Data Protection Act established basic data protection standards, such as the requirement of consent for the processing of personal data. By 1979, many EU member states had incorporated data protection as a fundamental right into their legislation.

1983 – Right of Informational Self-Determination in Germany

In a landmark case over the invasive nature of a national census survey, the German Federal Constitutional Court decided citizens should have a basic human right to self-determination over their personal data. In the ruling, it’s established that individuals should be protected against the unlimited collection, storage, use, and disclosure of their personal data.

1995 – The EU Directive on Data Protection

As computer technology advanced and the free flow of information grew widespread, the European Union enacted the Directive on Data Protection, which imposed minimum standards of personal data protection upon member states and protected the rights of individuals regarding the movement of personal data between EU member states. Under the directive, individuals had a right of access to their data and access to supervisory authorities, and data could be transferred outside of the EU only so long as the destination offered “an adequate level of protection”. However, the directive was implemented differently in each EU state, leaving some countries with weaker laws and oversight than others.

2000 – Safe Harbor Arrangement

This was a set of principles meant to reconcile the differing data privacy laws of the United States and the European Union in order to facilitate the flow of information between the two regions. Ultimately, the principles were invalidated by the European Court of Justice in 2015 because, under U.S. law, U.S. intelligence agencies had unrestricted access to the data of EU citizens. In 2016, the EU-US Privacy Shield was adopted to replace Safe Harbor, but its future remains in question.

2009 – Personal Data Privacy and Security Act of 2009

Over in the United States, data protection laws had been fragmented by state. Beyond some legislation governing financial and health information, there was (and still is) no unifying federal legislation that protects the personal data of the citizenry at large. In 2009, a bill was proposed that would have increased the protection of personal data held by companies and government agencies, set restrictions on data sharing, and further criminalized identity theft and data privacy violations. The bill never passed.

2016 – The GDPR

As data breaches and scandals soared, organizations around the world were given a two-year lead time to update their security measures and protocols before the biggest set of data privacy laws yet takes effect. The legislation, which seeks to unite the European Union under one set of stricter rules, contains many provisions, including a right for data subjects to be forgotten, affirmative consent, comprehensive and timely data breach notifications, plain language for terms of service agreements, and fines of up to four percent of an organization's total worldwide annual turnover if it is found in violation.

And that brings us to today, a time when the GDPR aims to bring many of the stipulations from these past acts under one umbrella that will ultimately benefit the individual citizen. To work out a data security strategy for your own company and ensure your policy complies with recent data privacy laws, contact eperi to learn more.

Article sources: iapp.org (PDF file), Scholarly Commons of the George Washington University Law School (PDF file)
