The Process

How Did We Get Here?

An overview of the important regulatory events leading up to the GDPR.

OECD Guidelines

Both the GDPR and Directive 95/46/EC are based on an even older set of principles that still hold true today. The Organisation for Economic Co-operation and Development (OECD) published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data — a set of recommendations endorsed by both the EU and the US, adopted on 23 September 1980, proposing eight principles for the processing of personal data:

  • Collection Limitation — limits to collection; data obtained by lawful and fair means, with knowledge or consent where appropriate.
  • Data Quality — data relevant to its purpose, accurate, complete and kept up to date.
  • Purpose Specification — purposes specified at collection; data not used beyond the original intention without notice.
  • Use Limitation — data not used for purposes outside the original specified purpose, except with consent or legal authority.
  • Security Safeguards — data protected by reasonable security against loss, unauthorised access, destruction or disclosure.
  • Openness — a general policy of openness about practices and policies relating to personal data.
  • Individual Participation — the right to know whether a controller holds your data, and to access, challenge and rectify it.
  • Accountability — data controllers should be accountable for complying with these measures.

Directive 95/46/EC

The Data Protection Directive 95/46/EC of 24 October 1995 was the European Union's answer to the division of privacy regulations across the EU. Its major goals included the harmonization of data protection laws and the regulation of transfers of personal data to 'third countries' outside of the Union. It established independent public authorities — Data Protection Authorities (DPAs) — in each member state to supervise the application of the directive and serve as the regulatory body for interactions with businesses and citizens.

GDPR Proposal

Although Directive 95/46/EC was meant to bring together the laws of different member states, it was still a directive, which left room for interpretation when each state transposed it into national law. This fragmentation, along with today's rapidly changing data landscape, made another update necessary. As a regulation rather than a directive, the GDPR became immediately enforceable law in all member states without transposition. Social media and cloud storage were not a reality in 1995, when only about 1% of the European population was using the internet; the GDPR updates the standards to fit modern technology while remaining general enough to protect the fundamental rights of individuals through future waves of innovation.

CJEU Cases — Weltimmo

The Weltimmo case, decided on 1 October 2015, resulted in the ruling that a company must comply with the local data privacy laws of any member state in which it has an 'establishment', not only those of the state hosting its European headquarters. This is directly relevant to the one-stop-shop debate within the GDPR.

Collapse of the 'Safe Harbour' Agreement

Only five days after Weltimmo, the CJEU declared the Safe Harbour scheme for EU–US data transfers invalid. Around 4,500 companies relied on this framework as their main legal basis for transfers. The case was brought by Austrian student Max Schrems following the NSA revelations by Edward Snowden. The court found that US public authorities were not bound by Safe Harbour, and that conflicting US laws prevailed over the scheme.

The information contained within this resource does in no way constitute legal advice. Any person who intends to rely upon or use this information is solely responsible for independently verifying it and obtaining independent expert advice if required.
