What is the Point of Data Protection?
A lot of business people ask us why Europe has added yet more red tape, by introducing new complicated rules and regulations regarding data protection compliance. It is a commonly held misconception that protecting personal information is a new requirement, introduced in an increasingly technological words – nothing could be further from the truth.
In this article we will give a brief background of the development of data protection legislation in Europe, and how and why data subjects’ rights were developed.
Data protection legislation stems back to the Universal Declaration on Human Rights 1948 (‘UDHR”), which was introduced shortly after the conclusion of the Second World War. The aim was to guarantee the rights of every individual everywhere. Article 12 introduced the right to privacy, through the introduction of a right to respect for private and family life. This was the first time that an international instrument defined an individual’s right to protection of their private sphere against intrusion from others, and in particular the State.
In 1950 the European Convention of Human Rights was introduced, which included Article 8, namely the right to respect for private and family life, home and correspondence. This is enforced against contracting parties by the European Court of Human Rights, who ensure that States observe their obligations under the Convention by considering complaints from individuals, groups, NGOs or legal persons alleging violations of the Convention.
The International Covenant on Civil and Political Rights, which was introduced in 1976, proclaims that no one may be subjected to arbitrary or unlawful interferences with their privacy, home or correspondence, nor to unlawful attacks on their honour and reputation. This is an international treaty that commits 169 parties to respecting and ensuring the exercise of individuals’ civil rights, including privacy.
In 1981 the Convention for the Protection of Individuals with regards to Automated Processing of Personal Data (‘Convention 108’) was introduced by The Council of Europe. Convention 108 was opened for signature in 1981. It was, and still remains, the only legally binding international instrument in the data protection field. It applies to all data processing carried out by both the private and public sectors, including data processed by the judiciary and law enforcement agencies.
In 1995 the EU implemented a Directive, which resulted in the Data Protection Act 1988 in the UK. The Directive reflected the data protection principles already outlined in national laws and Convention 108, and expanded upon them. In 2000 this was further expanded upon in Articles 7 and 8 of the EU Charter of Fundamental Rights of the European Union, which subsequently became binding within the whole of the EU in 2009.
Many of these international rights are subject to limitations and exemptions.
There have naturally been many other pieces of European and international legislation which have impacted upon the matter, but the EU decided in 2016 that it was necessary to harmonise and update data protection in the European Union, which was achieved by the introduction of the General Data Protection Regulation (‘GDPR’), which came into force in May 2018.
The UK Government, who stated in 2017 that they wished to be world leaders in the field of data protection compliance, introduced the Data Protection Act 2018, which essentially incorporates GDPR into UK law, but goes much further in a number of areas, such as in the field of national security. GDPR will continue to have direct effect in the UK in any event until such time as Brexit takes place, but irrespective of the Brexit position, data protection compliance will continue to be a legal requirement in the UK for all non-domestic processing of personal data.
As can be seen from the above, the concept of the protection of data subjects’ rights is not a new one in international, European or domestic law. In essence, the reason for the protection of these rights stems from the historical misuse of personal data by the State, but in a digital age, where data can be accessed more freely and continues to increasingly become more valuable, the protection of it, likewise, also becomes more important.