In the 1960s and 70s, several European countries began passing privacy legislation. Spain, Portugal, and Austria enshrined data protection as a constitutional right. Other countries passed right-to-privacy legislation. This created inconsistent and overlapping rules on privacy across Europe, often frustrating businesses that served customers across member states. The Council of Europe passed Resolutions 73/22 and 74/29 in an attempt to harmonize standards across countries. However, the resolutions quickly became outdated due to the rapid pace of technology in that era.
In the 1980s, two major international organizations – the OECD and the Council of Europe – adopted a set of data privacy rules to harmonize data protection standards across Europe, namely,
1) OECD Guidelines, and
2) Convention 108.
The concepts introduced by these two organizations have remained core principles of data protection and have been incorporated into the GDPR.
The OECD Guidelines (Non-binding)
The Organization for Economic Cooperation and Development (OECD) was created in the aftermath of the economic destruction from World War II. Its goal is to shape economic policies that foster prosperity, equality, and opportunity for all nations. Its membership consists of countries in the EU, the Americas and the Pacific, representing 80% of world trade and investment.
In 1980, the OECD developed the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, known as the OECD Guidelines. The Guidelines contain a set of non-binding principles for member states and businesses across the EU. The goal of the Guidelines was to harmonize privacy protection across countries and make it easier for businesses to transfer data across borders.
The Guidelines are technology neutral and apply to all data processing (automated and non-automated) in the public and private sector. They are consistent with the CoE Resolutions 73/22 and 74/29.
Significance:
- The Guidelines introduced a set of 8 principles (Fair Informational Processing Principles) that continue to inform privacy and data protection rules to this date.
- Most of the 8 principles are codified in the GDPR and privacy legislation across the world.
Fair Informational Processing Principles (FIPP)
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Openness
- Individual Participation
- Accountability
The Guidelines are not legally binding. They encourage member states to:
- implement the principles into their domestic law,
- encourage international cooperation, and
- continue transborder flow of personal data unless legitimate restrictions apply.
Convention 108 (Legally Binding Treaty)
In 1981, the Council of Europe (CoE) drafted Convention 108 (the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data).
Significance:
- It is the first legally binding international treaty on privacy and data protection.
- The principles introduced in Convention 108 were later incorporated in the Data Directive of 1995, and are now found in Art. 5 of the GDPR.
In 2001, the Additional Protocol to Convention 108 added further requirements for Supervisory Authorities in Member States. This was the foundation for Data Protection Authorities (DPAs) in EU member states.