History of GDPR: Trials and Triumphs
Often described as the strongest privacy law in the modern world, the GDPR did not appear from nowhere; it has a legacy.
By 1995 the Internet as we understand it today had cemented itself as a commercial success. That same year, and unlike the United States, the EU adopted the Data Protection Directive (Directive 95/46/EC). The Directive required each member state of the European Union to pass national laws meeting the Directive's standards. Its importance lay in establishing a common baseline of privacy law respected across the European Union. Before the Directive existed, member states held wildly different privacy laws, which made it very hard for businesses to meet privacy standards when doing business across borders. The Directive eased this by setting a minimum set of privacy protections that had to be met in every member state.
The Directive defined personal data as any information relating to an identified or identifiable natural person. It also set strict requirements for data processing: processing was lawful only if the organization could rest it on one of the following grounds:
Clear Consent: There had to be proof the person was aware that their personal data was being processed and voluntarily agreed to it.
Necessary by Contract: There had to be proof personal data collection was necessary to carry out the business’s responsibilities as set out by contract.
Legal Obligation: Processing personal data was required by law.
Vital Interests: Processing personal data was necessary to protect human life.
Proof of Public Interest: Processing personal data was necessary to conduct a task in service of the public or under official authority granted to the controller.
Legitimate Interests: Processing was necessary for the legitimate interests of the data controller or of a third party, except where those interests were overridden by the individual's fundamental rights. (In the EU a data controller is any organization or person that decides why and how personal data is collected and used.)
Legitimate interests was the most contested ground. Controllers had to balance their own interests against the individual's rights, and whether that balance had been struck correctly was frequently disputed. When no lawful ground applied, processing the personal data was unlawful regardless of how carefully it had been collected.
Exceptions to Prohibitions on Data Collection
By default the Directive prohibited processing data revealing a person's race or ethnic origin, religious or philosophical beliefs, political opinions, or trade-union membership, along with health data. There were specific exceptions:
Explicit Consent: Such data could only be collected if the person explicitly agreed to allow the processing of such personal data.
Employment Law Obligations: Processing was necessary to carry out the controller's obligations or exercise its rights under employment law.
Vital Interests: The person was unable to voluntarily consent and the processing of personal data was necessary to preserve human life.
Nonprofit Activities: A political, philosophical, religious, or trade-union organization processed data on its own members without revealing it to outsiders.
Data Made Public: Data the individual had manifestly made public themselves was exempt from the special-category prohibition. This lifted only the prohibition; the general rules on lawful processing still applied.
Legal Justification: Processing the personal data was necessary to establish, exercise, or defend a legal claim.
In addition, health professionals bound by professional secrecy could process such data where it was required for preventive medicine, diagnosis, care, or the management of healthcare services, without falling under the general prohibition.
Rights of Individuals
Individuals had the right to obtain confirmation from a controller on whether their personal data was being processed, for what purpose, and which categories of recipients received it. They could obtain a copy of the data without excessive delay or cost. If the data was wrong or incomplete, the individual could ask for it to be rectified. If the data was no longer needed or had been collected unlawfully, the individual had the right to demand that it be erased.
Individuals also had the right to object to data being collected. For example in the case of direct marketing the individual had the right to opt out of receiving marketing materials at any time—without any cause.
A special case of these rights was the right not to be subject to a decision that significantly affected the individual and was based solely on automated processing intended to evaluate personal aspects such as performance at work, creditworthiness, or reliability.
Replacement of Data Protection Directive by the GDPR
The GDPR was adopted in April 2016 and became applicable on May 25 2018. Because it is a regulation rather than a directive, it applies directly in every member state: organizations no longer had to comply with 28 distinct national transpositions, but with one set of rules applicable across the EU. This made it much easier for organizations to know, and meet, the baseline privacy requirements.
Historically the most effective deterrent against privacy violators has been fines for misconduct. Fines for violating the GDPR can reach 20 million Euro or 4% of a company's worldwide annual turnover, whichever is higher.
Under GDPR organizations are also required to notify the supervisory authority of personal data breaches (within 72 hours where feasible), and certain organizations must appoint a data protection officer. GDPR also added more detailed rules on profiling and automated decision-making.
Although GDPR replaced the Directive, it was the Directive that cemented the vocabulary of modern data protection law: personal data, controllers, lawful grounds for processing, special categories of data, individual rights, and the limits on automated decisions all carry over into GDPR.
In the next article I will continue the history of the GDPR and how it grew out of the Data Protection Directive. Until then, take care!

