What is data protection law?

From Convention 108 to the GDPR, this article traces the evolution of European data protection law, explaining its history, constitutional foundations, core principles, and global influence. It shows why data protection is a distinct legal discipline built on accountability and transparency.

Share
What is data protection law?

Many US scholars and practitioners misunderstand the nature of data protection law. They conceptualize it as a branch of informational privacy law ignoring the fact that data protection law regulates both public and private personal information and was created to protect interests other than the interest of individuals in preserving their privacy.

One helpful analogy to understand the right to data protection in Europe is this: In the same way that US citizens have a constitutional right to bear arms, which is different and distinct from, but connected with, their right to self defense; Europeans have a right to data protection, which is different and distinct from, yet connected with, their right to privacy.

But, what is the history, essence and present implementation of data protection all about?



Data protection law originated in several European jurisdictions in the 1970s as a reaction to the rise of computers. The consensus in Europe at the time was that existing law (including privacy law) would not be able to effectively protect individual rights from the risks brought about by the use of automated data processing systems.

The Council of Europe (an international organization to which all EU countries belong) played a key role in the development of data protection law. In 1973 and 74 it issued two influential resolutions that were the seeds from which data protection law sprouted and laid down the data protection processing principles that to this day are at the core of EU data protection law. Most importantly, on January 28 of 1981, the Council opened for signature the ‘Convention for the Protection of Individuals with regard to Automated Processing of Personal Data’ (known as ‘Convention 108’). This convention is remains to this day the only international binding agreement in the field of data protection law. Incidentally it is the reason why Europeans celebrate Data Protection Day annually on January 28th. The original name given to this new legal field was ‘protection of individuals with regard to automated processing of personal data’. This name was clearly too long and was eventually shortened to ‘Data Protection Law’.

Read more about Convention 108

Early data protection laws regulated only the automated processing of personal data (that is to say, digitized personal data), but in 1995 the EU data protection directive expanded the material scope of data protection law to include filing systems.

The approach that EU data protection law took to ensuring individuals would be protected from the risk of computers was twofold: on one hand the law was designed to, quite literally, control how computers are allowed to “think” about humans (what they can learn about us, what they must forget about us and when, for what purposes they can use what they know about us, what decisions they can make about us, and how they are supposed to explain all of that to us) and, on the other hand, the law granted specific rights to individuals that could be exceeded against any entity that had control over the processing of personal data related to the individual.

The key point is that, as opposed to informational privacy law, data protection law was not designed to protect private information from disclosure but to protect people from a specific form of technology: computers. Perhaps the history of Europe best explains the European desire to ensure information technologies are used in an ethical manner and their inherent mistrust towards computers. Although the potential for good in new technology surely did not escape European lawmakers, the question of how the holocaust would have looked, if a database capable of tracking the whereabouts and religion of all european citizens existed at the time, was likely not far from their minds either.

Read more about the history of data protection law



There are several examples of early data protection laws in the EU but the first pan-European data protection law was enacted in 1995 and remained in effect until it was derogated in 2016. It’s framework was built on four core tenets that have proven strong enough to drive effective compliance yet flexible enough to adapt to the ever-changing nature of technology. These tenets were not changed by the General Data Protection Regulation (GDPR).

(1) Technology must be built to serve humankind

The overarching goal of data protection law is to ensure that technology is designed ‘to serve mankind’. To prevent unethical uses of technology, data protection distinguishes between permissible and non permissible purposes. EU data protection law identifies six categories of purposes (called ‘lawful basis’) that constitute the universe of what is permissible and outlaws the use of digitized personal data for any purposes that fall outside of those six categories. It could be said that the general rule under data protection law is that you are ‘guilty’ of unlawful processing unless you can prove your ‘innocence’ by identifying your lawful basis for processing.

As opposed to privacy law, data protection law is purpose-centric not consent-centric. Data protection laws across the globe today define what purposes are permitted typically following the EU example of including a list of permitted “lawful basis” for processing. The specific list varies from country to country but, as a general rule, what data protection outlaws is any processing that does not revert back to the benefit of the individual involved or society as a whole. In other words, the pure monetization of personal data is outlawed under data protection law.

Perhaps the history of Europe best explains this restrictive approach. Although the potential for good in new technology surely did not escape European lawmakers, the question of how the holocaust would have looked, if a database capable of tracking the whereabouts and religion of all european citizens existed at the time, was likely not far from their minds either.

(2) Factual control = accountability

Under EU Data Protection Law accountability for data handling is directly proportional to factual control. Any entity that “alone or jointly with others, determines the purposes and means of the processing of personal data” is considered a controller. Entities that act “on behalf” of “controllers” are considered processors”.

Data protection law applies almost the exact same obligations and principles to both the public and private sectors. From the point of view of data protection law, who controls the computer is irrelevant as long as a computer is involved.

Because Europeans see data protection as a fundamental right, very few organizations are exempted from complying with data protection law. By limiting the exemptions and equating control to accountability, EU data protection law effectively creates an unbreakable ‘chain of custody’ over digitized personal data.

(3) Personal does not mean private

Since the goal of data protection law is to protect the individuals from unethical technology, data protection law regulates all digitized information that can be connected to a natural person.

European data protection law has always restricted the processing of ‘personal data’ and, defines the term to mean ‘‘information relating to an identified or identifiable natural person’. This definition is rather short but its scope as interpreted by European courts and data protection authorities is extremely broad

It is important to note that:

  • Information need not be private or confidential to be subject to data protection law. In fact, some of the most widely known things about us -such as our names- and the most public moments of our lives — such as our wedding day— are also unquestionably personal. Proof of a special interest to prevent dissemination or misuse is not needed, and establishing a ‘reasonable expectation of privacy’ is not required. Therefore, publicly available data is subject to data protection law so long as it is ‘personal’ in nature.
  • Information need not be sensitive to be subject to data protection law. EU data protection law has traditionally placed additional restrictions on the processing of ‘special categories’ of information with the goal to prevent discrimination. ‘Special categories’ include data that historically has been a vector for discrimination such as race, religion, political affiliation or sexual orientation (See, Article 9 of the GDPR). However, there is no minimum threshold of sensitivity below which data protection law does not apply.

(4) Transparency is key

A key goal of data protection law has always been to enhance the transparency of data processing.

Transparency is seen as a prerequisite for fairness because, in many ways, compliance with data protection law is a ‘black box’. From granting rights on individuals to requiring the creation and implementation of data management policies, imposing record keeping obligations, and enabling a private right of action, many provisions in data protection law are designed to ensure transparency.



Modern data protection law in the EU is composed of a constitutional right to data protection, statutory data protection law and case law.

Relevant guidelines on data protection law have been provided and will continue to be provided by Supervisory Authorities (SAs), the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS). Although they are informative interpretations of EU data protection law and constitute a road-map for enforcement, they are not in and of themselves ‘law’

(1) Constitutional EU data protection law: Data protection is today a constitutionally recognized in the EU through Article 8 of the Charter of Fundamental rights of the EU and by the constitutions of some EU member states.

The right to data protection is recognized today at the constitutional level through Article 8 of The Charter of Fundamental Rights of the European Union (the “Charter”), which is the EU functional equivalent to the US Bill of Rights. Article 8 states :

“ Protection of personal data.
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”

The right to data protection is also a constitutionally protected right in some (but not all) EU member state jurisdictions.

Read more about constitutional data protection law

(2) Statutory EU data protection law: The best know EU data protection law is the General Data Protection Regulation (GDPR), which provides a general framework for processing of personal data at the Member State level. However, there are other two other EU level laws (Regulation 2018/1725 -the so called ‘Companion Regulation‘ directed to law enforcement agencies- and Directive 1016/680 addressing data handling by the European Institutions) which are instrumental in ensuring effective protection of this right for Europeans. Regulation 2018/1735 and Directive 1016/680 rarely discussed in the US because they are directed to the public sector and, therefore, do not affect US organizations.


Image from page 31 of “Brockville illustrated, 1894 : its growth, resources, commerce, manufacturing interests, educational advantages : also sketches of the leading business concerns which contribute to the city’s progress and prosperity / IABI
“As regards the requirements stemming from Regulation 2016/679, it should be noted that the purpose of that regulation is, inter alia, as is apparent from recital 10 thereof, to ensure a high level of protection of natural persons within the European Union and, to that end, to ensure a consistent and homogeneous application of the rules for the protection of the fundamental rights and freedoms of such natural persons with regard to the processing of personal data throughout the European Union”
La Quadrature Du Net Paragraph 207 (See also Schrems II paragraph 101).

The GDPR has been implemented at the Member State Level through the enactment of Member State laws. There are numerous ways in which EU countries can either derogate or enhance the protections of GDPR and, therefore, data protection requirements diverge to some degree from country to country.

(3) EU data protection law case law: Finally, there is abundant case law on data protection law, both at the EU level and at the member state level. Some of it predates GDPR but is still relevant.

New case law is being created both at the Member State level and through the European Court of Justice.

Read an article on EU data protection case law by topic


EU data protection law can be best analyzed and understood by looking into its scope (territorial and material), its principles, the purposes for which processing is allowed, and the rights and obligations it creates.

(1) Territorial scope of EU data protection law: EU data protection law applies to entities ‘established’ in the EU and to those ‘targeting’ individuals in the EU with their products or servicesThe territorial scope of EU data protection law was expanded in 2016 through GDPR. The location of the equipment used for processing is no longer a factor for determination of territorial scope although such location could constitute be one of the factors used to conclude a “establishment’ within the EU exist. In addition, EU data protection law applies to the processing where, by virtue of public international law, Member State law applies (Article 3 of GDPR).

Read more about the territorial scope of EU data protection law

(2) Material scope of EU data protection law: As a general rule,all computerized processing of personal data is within the material scope of EU data protection law and all entities are required to abide by it (including non-for-profits, public entities, and private organizations regardless of their size).

Read more about the material scope of EU data protection law

(3) EU data protection principles: There are seven data protection principles under EU data protection law. The principles lie at the heart of the law and, although they don’t give hard and fast rules, they embody the spirit of the regulatory framework. Therefore, compliance with the principles is a fundamental building block to any good data protection practice.

Read more about the EU data protection principles

(4) Valid purposes for processing (lawful basis) under EU data protection law: Controllers must have a valid lawful basis in order to lawfully process personal data under EU data protection law. There are six lawful bases available for processing (consent, contractual necessity, legal obligation, vital interest, public interest/official authority, and legitimate interest).

No single basis is ’better’ or more important than the others — the most appropriate basis depends on the processing purpose and relationship of the controller to the individual. Processing special category data requires controllers to identify both a lawful basis for general processing and an additional condition for processing this type of data. Processing criminal conviction data or data about offenses may also require the identification of an additional condition for processing set by Member State law.

Read more about lawful basis for processing under EU data protection law

(5) Data subject rights under EU data protection law. In addition to having a constitutional right to data protection, in order to ensure individuals are protected in the context of automated data processing, modern EU data protection law provides eight specific rights: the right to be informed, the right to access, the right to erase, the right to request corrections, the right to object, the right to restrict processing, the right to data portability and certain rights in connection with automated-decision making (including profiling).

Read more about the rights of data subjects under EU data protection law

(6) Obligations under EU data protection law: Controllers and processors must comply with obligations related to data transfers; record maintenance; implementation of data protection by design & default; performance of data protection impact assessments; appointment of data protection officers & representatives; payment of fees; security and data breach notification.

In addition, the creation and adherence to Codes of Conduct and Certifications is promoted as a means to demonstrate compliance.

Read more about the obligations that apply to controllers and processors under EU data protection law.


Image from page 635 of “American bee journal” (1861) — IABI

Data protection law is the law of computers. It’s intent is to place human beings at the center of technological development. It has its roots in the EU but has today spread across the globe.

Americans do not have a right to data protection recognized under US law today. That could change some day. Data protection law was created to ensure that the will of the people will not be trampled by the power of those who control technology and the will of the American people may make it the law of the land someday.

Additional resources

Laws

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA

Brexit

UK GDPR https://ukgdpr.fieldfisher.com/

Resources

  • “The EU Data Protection Regime: Setting Global Standards for the Right to Personal Data Protection”. Report of the XXIX FIDE Congress 2020, with overview reports by Orla LynskeyAnna Buchta and Herke Kranenborg, in addition to country reports by prominent lawyers from each Member State. Includes analysis, trends, European and national case-law, approaches in national implementation.
  • Data protection officer handbook (2019): By Douwe Korff and Marie Georges This Handbook was prepared for and is used in the EU‐funded “T4DATA” training‐of-trainers programme. Part I explains the history and development of European data protection law and provides an overview of European data protection instruments including the Council of Europe Convention and its “Modernisation” and the various EU data protection instruments relating to Justice and Home Affairs, the CFSP and the EU institutions, before focusing on the GDPR in Part II. The final part (Part III) consists of detailed practical advice on the various tasks of the Data Protection Officer now institutionalised by the GDPR. Although produced for the T4DATA programme that focusses on DPOs in the public sector, it is hoped that the Handbook will be useful also to anyone else interested in the application of the GDPR, including DPOs in the private sector. It is made publicly available under a “Creative Commons” (CC) License.

Case law

C-92/09 VOLKER UND MARKUS SCHECKE GBR V. LAND HESSEN, AND C-93/09, EIFERT V. LAND HESSEN AND BUNDESANSTALT FUR LANDWIRTSCHAFT UND ERNAHRUNG, 9.Nov.2010 (“SCHECKE”) (Interference with the fundamental rights of privacy and data protection: Chapter of Fundamental Rights Article 52(1) accepts that limitations may be imposed on rights under the Chapter of Fundamental Rights, as long as they are provided by law, respect the essence of those rights and are proportionate (necessary and genuinely meet objectives of general interest recognized by the EU or the need to protect the rights and freedoms of others.) The CJEU concluded that by imposing an obligation to publish personal data relating to each natural person who was a beneficiary of aid from certain agricultural funds without drawing a distinction based on relevant criteria, such as the periods during which those persons received such aid, the frequency of such aid or the nature and amount thereof, the Council and the Commission had exceeded the limits imposed by the principle of proportionality. In this case, the interference is not proportionate as “there is nothing to show that lawmakers made an effort to strike a balance” with respect to the data of natural persons.)

Foundational articles

Territorial scope of EU Data Protection Law

Material scope of EU Data Protection Law

Data Protection Principles under EU Data Protection Law

Valid purposes for processing under EU Data Protection Law

Data subject rights under EU Data Protection Law

Controller and processor obligations under EU Data Protection Law

Enforcement

Regulators

GDPR Enforcement tracker

Other resources

Decision of the EEA Joint Committee No 154/2018 of 6 July 2018 amending Annex XI (Electronic communication, audiovisual services and information society) and Protocol 37 (containing the list provided for in Article 101) to the EEA Agreement [2018/1022]

EDPB Releases Opinion on Interplay Between the ePrivacy Directive and the GDPR and a Statement on the ePrivacy Regulation / Hunton Blog

GDPR interactive Whiteboard (by Pof. Solove)

One year under the EU GDPR. An implementation progress report Access Now

Handbook on European Data Protection Law (2018 edition) by European Union Agency for Fundamental Rights, European Court of Human Rights, Council of Europe and the European Data Protection Supervisor.

Dataset Search has indexed almost 25 million of these datasets, giving you a single place to search for datasets and find links to where the data is.

WP Opinion 5/2019 on online social networking

CNIL Guide on GDPR for developers

Reform of EU Intermediary Online Liability — European Parliament Report

The biggest GDPR fines to date / Wasel & Wasel Ltd Blog/ (June, 2020)

EDPS Data protection brochure