Background and Rationale:

The notion of privacy and invasion of one’s private space have existed in the human consciousness for a long time. In 1890, Samuel Warren and Justice Louis Brandeis framed a common law right to privacy for the first time in an essay titled, “The Right to Privacy“. This was the first time privacy was framed as a legal right (or the right to be let alone). This seminal essay has subsequently led to legal definitions of privacy and data protection. 

In the 1930s and 40s, private companies in Germany used data processors for personal data on race and ethnicity to identify Jewish and other minority groups. This personal information was arguably used to persecute Jewish people during World War II. In the aftermath of the war, European nations pledged to protect human rights. Privacy was identified as a fundamental human right and codified as such by several European nations.

After World War II, there was a significant increase in the use of technology that led to extensive collection, processing, sharing, and transfer of personal data of citizens within European countries. Individual privacy rights began eroding. The legal rules for protection of individual privacy were limited to confidentiality and tort law (a civil suit to redress harm caused by another). These were proving inadequate to protect individual privacy rights. European nationals felt the need for modernized and harmonized privacy standards which could balance advancement in technology, the transnational flow of data, and respect individual rights for privacy and data.

In 2018, the General Data Protection Regulation (GDPR) came into force. It is considered to be the toughest privacy and security law