EU Data Protection Timeline
The Evolution of Data Protection: a European Perspective
1890: Publication of "The Right to Privacy"
U.S. attorneys Samuel D. Warren and Louis Brandeis publish the article "The Right to Privacy", which defines privacy as "the right to be let alone". This article serves as a foundational legal and philosophical text, establishing the theoretical framework for the protection of personal privacy as a fundamental right against unauthorized intrusion and disclosure of personal information. Their reflection on privacy as a legal concept sets the stage for future privacy legislation.
1948: Universal Declaration of Human Rights
The United Nations adopts the Universal Declaration of Human Rights, which recognizes the right to privacy as the 12th fundamental human right, establishing privacy as a core principle within international human rights law.
1950: European Convention on Human Rights (ECHR)
Article 8 of the ECHR guarantees the right to respect for private and family life, laying the groundwork for recognizing privacy as a fundamental right within Europe and influencing the development of data protection laws in the region.
1970: First Data Protection Law in Germany
On September 30, 1970, the Landtag of Hesse enacts the first Data Protection Act (Hessisches Datenschutzgesetz), marking a pioneering step in the global development of data protection laws.
1977: Federal Data Protection Act (Bundesdatenschutzgesetz)
At the federal level, the Bundestag and Bundesrat pass the Bundesdatenschutzgesetz, consolidating personal data protection across Germany and setting a standard for data protection frameworks in Europe.
1980: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
The Organisation for Economic Co-operation and Development (OECD) issues guidelines on the protection of privacy and personal data, addressing the growing use of computers for business transactions and international data flows, thereby promoting a coordinated approach to data protection.
1981: Council of Europe’s Convention 108
The Council of Europe adopts Convention 108, the first binding international treaty on data protection. This treaty establishes the legal basis for data protection rights and sets standards for the processing of personal data across Europe and beyond.
1983: German Federal Constitutional Court Ruling
The Federal Constitutional Court of Germany issues a landmark ruling affirming the right to privacy in the context of population censuses, establishing a crucial precedent for personal data protection jurisprudence.
1992: Maastricht Treaty and the Single Market
The Maastricht Treaty consolidates the European Union (EU) and establishes the Single European Market, enabling the free movement of goods, services, people, and personal data across member states. This process highlights the need to harmonize national data protection laws, setting the stage for the creation of a unified European data protection framework.
1995: Directive 95/46/EC (Data Protection Directive)
The EU adopts Directive 95/46/EC, which harmonizes national data protection laws across the member states. It introduces key concepts such as data processing, sensitive data, and informed consent. The Directive lays the foundation for a common approach to personal data protection within the EU while balancing the free flow of data across borders.
2002: Directive 2002/58/EC (ePrivacy Directive)
This Directive introduces specific provisions for the protection of privacy and personal data in the electronic communications sector, regulating issues such as consent for cookies and protection against unsolicited communications (spam).
2006: Data Retention Directive
The EU adopts a directive on the retention of data generated or processed in the course of electronic communications. The directive is invalidated in 2014 by the Court of Justice of the European Union (CJEU) for violating fundamental rights, particularly privacy.
2009: Electronic Communications Regulations
The evolution of regulations on electronic communications reflects the growing use of email and mobile numbers as primary instruments in marketing and sales activities, influencing the ongoing regulatory environment for data protection.
2010: WikiLeaks Scandal
The non-profit organization WikiLeaks publishes classified information and leaked materials from anonymous sources, sparking a global debate on privacy, national security, and the risks of information exposure in the digital age.
2013: Regulation 611/2013
The European Commission adopts Regulation 611/2013, detailing the measures applicable to the notification of personal data breaches under Directive 2002/58/EC. This regulation enhances the obligations for companies to report breaches promptly and transparently.
2014: Right to Be Forgotten
The Court of Justice of the European Union (CJEU) establishes the "right to be forgotten", allowing EU citizens to request the removal of personal information from search engine results. This ruling introduces a new aspect of digital privacy, empowering individuals to control their online presence.
2016: General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), replaces Directive 95/46/EC. It introduces uniform rules for all EU member states, emphasizing accountability and transparency and imposing severe penalties for violations. The GDPR strengthens individual privacy rights and introduces new obligations for organizations regarding personal data processing, enhancing data protection standards across Europe.
2018: GDPR Becomes Enforceable
The GDPR becomes applicable on May 25, 2018, fundamentally reshaping how personal data is handled across Europe and beyond. Organizations must now demonstrate compliance with data protection principles, ensuring that personal data is processed lawfully, securely, and with explicit consent.
2018: Cambridge Analytica Scandal
The misuse of personal data of millions of Facebook users by Cambridge Analytica prompts a global investigation and intensifies public concern about data privacy. The scandal amplifies calls for stricter data protection regulations and greater corporate accountability in handling user data.
2020: Schrems II Ruling
The CJEU invalidates the Privacy Shield framework, which governed the transfer of personal data between the EU and the United States. The ruling highlights concerns over U.S. surveillance practices and mandates stricter safeguards for international data transfers, particularly in light of privacy rights protections under the GDPR.
2021: €746 Million Fine for Amazon
The Luxembourg National Data Protection Commission imposes a record €746 million fine on Amazon for violations of the GDPR, specifically related to the processing of personal data for advertising purposes without adequate consent.
2023: €1.2 Billion Fine for Meta
The Irish Data Protection Commission fines Meta €1.2 billion for the unlawful transfer of personal data of EU users to the United States, violating the GDPR's data transfer provisions. This fine underscores the increasing scrutiny of data transfers between the EU and third countries.
2024: Adoption of the Artificial Intelligence Act (AI Act)
The EU adopts the first global regulation on Artificial Intelligence (AI), which introduces a risk-based classification of AI systems and provides regulatory oversight for high-risk AI applications. The Act places significant emphasis on transparency and personal data protection, recognizing that the use of AI presents new challenges for privacy and data security.


