Data Protection: History, Development and

Fundamental Concepts

Dr. TJ McIntyre
Data Protection and Privacy
2016-17

UCD School of Law

Historical development of data

protection law
Why? Response to Nazi Germany? Wider social
conditions? 1970s suspicion of state surveillance?
OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data (1980)
Mayer-Schnberger (1997):
Several generations of laws
First, a response to government & large industry
Hesse (1970), Sweden (1973), etc.
Explicable by looking at organisational change, esp.
the modern welfare state
Taming technology? Taming large organisations?
Establishing new institutions to ensure compliance
why?
A focus exclusively on privacy rather than data

 Second generation
Late 1970s
Response to proliferation of computers, use by
small businesses
Focus now includes privacy
Citizens given own enforcement rights (and e.g.
right to refuse processing for marketing)
Data protection authorities become ombudsman
like bodies and take on an adjudicative role

 Third generation
1980s onwards
Influenced by German authorities recognising a
right to informational self-determination
Greater focus on information and choice on the part
of the individual
Data protection becomes constitutionalised and tied
to privacy rights

 Fourth generation
Greater mandatory protections for the individual
(consent deprecated) in relation to e.g. sensitive
personal data
Sector specific legislation (e.g. ePrivacy Directive)
begins to creep in
Manual files begin to be included
Data protection authorities begin to split their
advocacy and adjudication roles

Data protection v. privacy

Where do the rights originate?
ECHR/Constitution v. CFR/EU law

Can legal persons assert the rights?

Can they be invoked against private parties?

Are they limited to confidential or intimate information?

What is the aim of the right? Fair processing? Remedying
information asymmetry? Protecting consumers? (NB data
portability) Algorithmic accountability?
What interests justify restriction of the rights?
What is the institutional framework for enforcement of the
rights?
Substantive or procedural rights?

Opacity rights or transparency rights?

1981 Convention for the protection of

individuals with regard to the automatic
processing of personal data (Convention 108)
History
Grew out of ECHR/OECD Guidelines
1973 and 1974 Resolutions predated

Ancestor of modern EU data protection law

Wider in scope than EU law regarding bodies
covered
Public sector included

Narrower regarding data covered

Automated personal data files and automatic
processing

Convention 108 concepts

"personal data" means any information relating to

an identified or identifiable individual ("data
subject");
"automated data file" means any set of data
undergoing automatic processing;
"automatic processing" includes the following
operations if carried out in whole or in part by
automated means: storage of data, carrying out of
logical and/or arithmetical operations on those
data, their alteration, erasure, retrieval or
dissemination;
"controller of the file" means the natural or legal
person, public authority, agency or any other body
who is competent according to the national law to
decide what should be the purpose of the
automated data file, which categories of personal

Convention 108 principles

obtained and processed fairly and lawfully;

stored for specified and legitimate purposes and

not used in a way incompatible with those
purposes;
adequate, relevant and not excessive in relation
to the purposes for which they are stored;
accurate and, where necessary, kept up to date;
preserved in a form which permits identification
of the data subjects for no longer than is required
for the purpose for which those data are stored.

Convention 108 special categories of

data
Personal data revealing racial origin, political
opinions or religious or other beliefs, as well as
personal data concerning health or sexual life,
may not be processed automatically unless
domestic law provides appropriate safeguards.
The same shall apply to personal data relating to
criminal convictions.

Other Convention 108 innovations

Data security

Core data subject rights

Mutual assistance
Guarantee of transborder data flows
What was lacking?
Obligation to establish data protection body
Ban on data transfers to non-party states (third
countries)

European/Irish Data Protection Timeline

1981 - Council of Europe
Convention 108

1988 - Data Protection Act

1988 (implementing
Convention 108)

1995 - Data Protection

Directive - 95/46/EC

1997 - First ePrivacy

Directive (97/66/EC)

2002 - Second ePrivacy

Directive (2002/58/EC)

2003 - Second ePrivacy

Directive implemented
(S.I. No. 535 of 2003)

2000- Charter of Fundamental

Rights

2003 - Data Protection

Amendment Act 2003
(implementing 1995 Directive)

2009 - Second ePrivacy

Directive amended
(2009/136/EC)

2007/2009 Treaty of Lisbon

2011 - ePrivacy
amendments implemented
(S.I. No. 336 of 2011)

2016 - General Data Protection

Regulation adopted

2016 - ePrivacy Directive

under review

Thank you
Questions or comments?
Email:

tjmcintyre@ucd.ie

Blog:

www.tjmcintyre.com

Twitter:

@tjmcintyre

UCD School of Law