The history of personal data protection: how GDPR appeared
Six months have passed since the European regulation on personal data protection (the General Data Protection Regulation, GDPR) entered into force on May 25, 2018. This law applies even on the territory of the Russian Federation, but only indirectly and not always. Details of the territorial application of the GDPR can be found in a recent guideline of the European Data Protection Board (EDPB).
For this reason, among others, the protection of personal data in our country receives little serious attention from either lawyers or the general public. One often comes across the opinion that the GDPR is simply an artificial, groundless innovation of European legislators. In fact, this regulation is the result of a long development of the concept of fundamental human rights and freedoms, which began long before May 25, 2018.
How did the GDPR come about, and where did the need for data privacy come from? To understand this, we need to turn to the history of personal data protection.
Right to privacy
In 1890, two American lawyers, S. D. Warren and L. D. Brandeis, published an article in the Harvard Law Review, “The Right to Privacy”, which describes “the right to be left alone”.
Almost immediately, or rather, in the first half of the 20th century, the right to private life was reflected in American judicial practice.
This idea quickly spread beyond the United States. In 1948, the right to privacy was enshrined, together with other fundamental rights and freedoms, in the Universal Declaration of Human Rights (Article 12), and in 1950 in the European Convention on Human Rights (Article 8).
The heightened focus on human rights at that time was due primarily to the devastating effects of the Second World War. This was reflected in the definition of the right to privacy:
“Everyone has the right to respect for his personal and family life, his home and his correspondence” (ECHR).
The priority at that time was the most significant social issues of the postwar period: the inviolability of personal and family life and the secrecy of correspondence. The protection of personal data, which would seem to be a logical consequence of the right to privacy, did not receive widespread attention.
The birth of the right to protection of personal data
At the beginning of the second half of the 20th century, information technologies began to develop, allowing much faster processing of much more information. In the 1960s these technologies became accessible to a wider range of people, which caused some concern at the Council of Europe.
So, in 1968, the Parliamentary Assembly published Recommendation No. 509. It expresses concern about possible threats to the right to privacy arising from the use of new data processing technologies.
As a result, the Assembly commissioned the Human Rights Committee to study the issue. Many consider this moment the starting point of data privacy.
The first reaction came from Germany, where in 1970 the state (Land) of Hessen adopted the first ever law on personal data. It is important to note that this was only a local law, applied exclusively on the territory of that state and not at the federal level.
The United States reacted next. In 1974 the Privacy Act was adopted, in which the US Congress for the first time established a link between the right to privacy and personal data. The law states that a person's private life may be directly affected by the collection, use and dissemination of personal information by public authorities.
Neither of these legal acts can be called a full-fledged law regulating the processing of personal information. However, the right to protection of personal data began to emerge from the shadow of the right to privacy.
The first legislation in the field of personal data protection
Germany became the main pioneer in the field of data privacy: the first national law on personal data (Bundesdatenschutzgesetz) appeared in 1977 in the Federal Republic of Germany. The German public's special attitude to this issue is primarily associated with local historical events.
The fact is that in the middle of the twentieth century the Germans experienced two contradictory political regimes: on the one hand, the Third Reich, on the other hand, the FRG and the GDR. These systems were based, among other things, on mass surveillance of the population.
Such upheavals made confidentiality extremely sought after in this country. That is why Germany is still considered one of the world leaders in the protection of privacy and personal data.
Another significant country for data privacy is France, which was just one year behind Germany. The adoption of the Informatics and Civil Liberties Act in 1978 was also linked to local events.
In the early 1970s, the French government developed the SAFARI project, the purpose of which was to create a unified register of data using a social insurance number, which would make it possible to identify any citizen. The processing of all this information was to be carried out using the computing technology that was advanced at the time.
In 1974, the newspaper Le Monde published an article about it entitled “SAFARI ou la chasse aux Français” (SAFARI, or hunting for the French), which provoked a scandal over mass surveillance.
Under public pressure, the government was forced to retreat, which led to the adoption of the aforementioned law and the creation of a commission on informatics and civil liberties. The implementation of the project could not be avoided, but the new commission was able to establish certain restrictions on the processing of personal data.
Entering the international level
The German and French laws became the cornerstone of personal data protection and gave a significant impetus to the development of this field. More and more countries and international organizations began to pay attention to the problem.
In 1980, the Organization for Economic Cooperation and Development published Guidelines for the protection of personal data, taking into account the continued development of computer technologies and their use for commercial transactions.
A year later, the first international agreement in the field of data privacy was adopted: the Convention for the Protection of Individuals in the Automatic Processing of Personal Data. This Convention was a great achievement in its field. To date, 51 countries have joined it, including Russia (it is on this document that the Russian federal law on personal data is based).
At the same time, the constantly accelerating development of information technologies created new problems in the field of data privacy. The main one was the emergence of the Internet and its rapid development. The European Union was the first to notice the potential threat, and in 1995 it adopted a framework directive on the protection of personal data.
The main purpose of this law was to adapt to new threats and to unify the personal data legislation of the EU member states. To this end, the mechanisms provided for by the 1981 International Convention were improved, and new duties for personal data operators and new rights for EU citizens were introduced.
By the end of the 1990s, the main Internet giants had begun to form. Today they are called the Big Five or GAFAM (Google, Amazon, Facebook, Apple, Microsoft). With the direct participation of these US corporations, a new system for monetizing commercial activity on the Internet emerged. The Google search engine and Zuckerberg's social network, having no direct sources of capitalization (unlike Amazon or Microsoft), began to show ads based on an analysis of their users' behavior (targeting). Contextual advertising quickly became extremely popular, and Amazon, Microsoft and Apple joined this system.
To keep advertising as relevant as possible, the five companies named, with Facebook and Google clearly in the lead, actively collect huge amounts of data about users from around the world. At the same time, technologies are rapidly developing that make it possible to analyze all this information and identify peculiarities of users' behavior to a degree that strikes the imagination. All this data and the analytical conclusions drawn from it are sent to America, which has never been very successful in protecting personal data.
Following the adoption of this directive, the world was shaken by what are perhaps the main scandals associated with cybersecurity and data as such: Julian Assange's WikiLeaks and Edward Snowden's exposure of the American mass surveillance program PRISM.
At the same time, there were major leaks of personal data, caused both by hacker attacks and by the human factor. Their peak came in the 2010s. A striking example is the leak of virtually all data from Ashley Madison, a Canadian dating site designed for married people. In 2015 the site's databases were hacked and all private information was published online. The result: a significant wave of divorces around the world and several cases of suicide. In addition, data on about 1,200 users from Saudi Arabia, where the punishment for adultery can be as severe as the death penalty, became freely available. In such circumstances, it is difficult to overestimate the importance of personal data protection.
In light of all these events, the European Union concluded that its outdated 1995 directive needed updating. The main problem was that it did not apply directly in the EU member states, which in turn led to significant differences between national laws. The new regulation would apply directly in every European country and would make it possible to create a higher level of protection of personal data throughout the Union. Discussions on adopting a new law began in 2012; in 2016 the final text of the regulation was officially published, and it entered into force on May 25, 2018. A detailed analysis of the GDPR is available here.
Privacy Reform Package
The European Union's lawmaking in the field of privacy did not stop with the GDPR. The processing of personal data for the purposes of criminal justice falls outside the scope of the regulation, as it requires a specific legal regime. Therefore, in 2016, simultaneously with the GDPR, a directive was adopted on the protection of individuals in the automated processing of personal data by public authorities in order to prevent, investigate, detect and prosecute criminal offenses.
In addition, the NIS (Network and Information Security) directive was adopted in the same year. The main task of this legal act is to ensure a high level of information security for critical infrastructure operators and digital service providers. It concerns not only the protection of personal data but the security of any data in general.