A brief timeline
In this day and age, privacy is something that is of utmost importance, especially with all the new technology coming out which can also prove to be detrimentally destructive instead of productive at times. However, the right to privacy has existed for multiple decades and is integrated into the rule of law through constitutions.
The legal significance of the right to privacy predates recent data protection regulations and is rooted in constitutional law. Many countries’ constitutional charters have included references to protecting this right. Below is a brief timeline of how privacy laws not only came into existence but also changed over time.
1789: US Bill of Rights
In 1798, The Bill of Rights was passed, it outlined the “right of individuals to feel secure in their bodies, homes, documents, and belongings, and to be protected from unjustified searches and confiscations.”
1948: United Nations Declaration of Human Rights
In 1948, The Universal Declaration of Human Rights, a landmark document in the history of human rights crafted by a United Nations panel chaired by Eleanor Roosevelt, this declaration incorporated a fundamental right to privacy. Article 12 of this declaration affirmed that “No one shall be subjected to arbitrary interference with their privacy, family, home, or correspondence, nor to attacks upon their honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
1950: European Convention on Human Rights
In 1950, Article 8 of the European Convention on Human Rights, was formulated by the Council of Europe, and it protects the “private and family life, his home and his correspondence” of individuals, by the UN Declaration of Human Rights. Nevertheless, these safeguards can be limited under specific conditions that are required to be “by law” and “necessary in a democratic society.
1974: FERPA and Privacy Act
In 1974, the Family Educational Rights and Privacy Act (FERPA) was legislated to safeguard the privacy of student education records and grant parents the right to access their children’s records. Additionally, the Privacy Act of 1974 established rules and regulations for the management of personally identifiable information by federal agencies, foreign or domestic.
1981: Convention 108
In 1981, the first international agreement was created to not only protect people from the possible misuse of their personal information but also to regulate the global transfer of such information. It included basic principles that still impact modern data protection and privacy laws and it was called Convention 108
1995: EU Data Protection Directive
The European Union’s Data Protection Directive was the first instrument aimed at harmonized data protection within the European union. It established foundational data protection principles that would later be enshrined in the GDPR, such as transparency and proportionality. The Data Protection Directive created a baseline of data protection that was echoed in data protection legislation globally.
2002: ePrivacy Directive
In force since 2002, the Directive on Privacy and Electronic Communications was designed to meet the needs of digital technologies, complement the Data Protection Directive, and cover all issues of private electronic communication, while also improving transparency and security for users. Importantly, the ePrivacy Directive was a very important and essential step taken to counter the unregulated tracking technology and governing cookies.
2005: APEC Privacy Framework
The APEC Privacy Framework was published in 2005, it is intended to provide clear guidance and direction to businesses and government entities in APEC economies on common privacy issues and the impact of privacy on the way legitimate business practices and government functions are to be conducted. Moreover, the APEC Privacy Framework was modelled on the OECD Guidelines, although it has been shaped to tackle the different legal characteristics and contexts of the APEC region. In particular, the APEC Privacy Framework establishes the nine principles for preventing harm, notice, collection, limitations, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability.
2012: European Charter of Fundamental Rights of the European Union
In 2012, the second legal tool to ensure the protection of fundamental and human rights in Europe after ECHR was passed called ‘The European Charter of Fundamental Rights of the European Union’. While the ECHR was drafted by the CoE and applies to 47 Member States, the Charter applies only to the EU Member States. Interestingly, Article 7 of the Charter and the abovementioned Article 8 of the ECHR both provide for a similar right of privacy for ‘private and family life, home, and communications’; however, Article 8 of the Charter goes further and provides a separate and distinct right to data protection, stating that ‘everyone has the right to the protection of personal data concerning him or her’.
2013-2020: Schrems I and II
On 6 October 2015 an important advancement was made in the world of privacy laws, the Court of Justice of the European Union (‘CJEU’) stated that the European Commission had failed to fully guarantee adequate data protection safeguards and invalidated the Safe Harbor. Subsequently, in 2020, the CJEU, in its decision Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (‘the Schrems II Case’), declared invalid the European Commission’s decision on the adequacy of the protection offered by the EU-US Privacy Shield, the mechanism that replaced the Safe Harbor regime in 2016.
Specifically, the CJEU ruled that the US regulations on access and use by US authorities of data originating in the EU had limitations that did not meet the standards of adequacy required by EU law, considering the principle of proportionality. Indeed, the CJEU considered that surveillance programs based on US law were not limited to what is strictly necessary and proportional as required by EU law.
Despite their ruling, the CJEU upheld the general validity of Standard Contractual Clauses (‘SCCs’), but emphasized that organizations relying on SCCs must “verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country ensures adequate protection, under EU law, under the SCC, and where necessary, adopt additional safeguards to those offered by those clauses”.
2014: Malabo Convention
In 2014, the African Union Convention on Cybersecurity and Personal Data Protection (‘the Malabo Convention’), was adopted. It is an important data protection international agreement in Africa, aimed to establish a legal framework for cybersecurity and data protection within the African Union Member States, as well as define objectives for the same. Moreover, the preamble of the Malabo Convention further highlights that it seeks to address the need for harmonized legislation in the area of electronic commerce, personal data protection, and cybersecurity in Member States, and also establish a mechanism capable of combating violations of privacy that may be generated by personal data collection, processing, transmission, storage as well as use in each Member State.
2016-2018: Introduction of the GDPR
The EU adopted the General Data Protection Regulation (GDPR) in 2016, and it became enforceable on 25 May 2018. This regulation replaced the Data Protection Directive and modernized privacy laws in the EU to align with the digital era. Due to its thoroughness, the GDPR is regarded as a standard for privacy protection. Its principles and responsibilities have had a global impact on laws and initiatives, and its applicability beyond EU borders has resulted in increased enforcement actions and legal precedents.
2017: European Commission proposal for ePrivacy Regulation
The ePrivacy Regulation Draft was initially suggested in 2017, and since then, there have been numerous debates and updated versions. Its purpose is to modernize regulations concerning privacy and digital communications to align with the GDPR. Negotiations are ongoing, and it’s uncertain when the ePrivacy Regulation Draft will be completed and enacted.
2020: CCPA
In 2020, California became the first state in the US to implement a comprehensive data protection regulation. The California Consumer Privacy Act (‘CCPA’) imposes requirements on specific businesses that operate in California and grants certain privileges to consumers, such as the right to access, the right to have their information deleted, and the right to opt out of the sale of their personal data. The CCPA has subsequently influenced the introduction of data protection laws at both the state and federal level in other parts of the US.
Disclaimer
All the information on this website is published in good faith and for general information purposes only. Dishuz does not make any warranties about the completeness, reliability, and accuracy of this information. Any action you take upon the information you find on this website (dishuz.net), is strictly at your own risk. Will not be liable for any losses and/or damages in connection with the use of our website.
From our website, you can visit other websites by following hyperlinks to such external sites. While we strive to provide only quality links to useful and ethical websites, we have no control over the content and nature of these sites. These links to other websites do not imply a recommendation for all the content found on these sites. Site owners and content may change without notice and may occur before we have the opportunity to remove a link that may have gone ‘bad’.