Even though European data protection attempts to craft a harmonized approach to some of the pressing and unwieldy issues in contemporary digital reality, there is much more than is commonly recognised to learn from the different experiences of European countries not only currently but across the whole sweep of this framework’s history.
The transformations wrought by computers and electronic networks began to gather pace from the late 1960s and the first data protection law was passed in Sweden as far back as 1973. Since that time, national data protection frameworks have also continued to multiply and under the Data Protection Directive (DPD) 95/46 they finally became universal across the EU (and indeed the wider European Economic Area (EEA)).
Although the General Data Protection Regulation (GDPR) 2016/679 is in principle now directly applicable across the EU, these national laws remain of great importance. Many issues require national specification and implementation including the constitution of Data Protection Authorities, many aspects of the sensitive data regime, the framework for law enforcement and national security (albeit, as regards the former, as an implementation within the EU of the Law Enforcement Directive 2016/680) and derogations to balance data protection with a whole host of other rights and interests including, most notably, freedom of expression and information.
The website of Cambridge’s Centre for Intellectual Property and Information Law (CIPIL) already has a fair amount of transnational material on the history of not only European intellectual property but also information law including, for example, the complete traveau préparatoires of the DPD. I had hoped for a while to ensure that this was complemented with national information which is also crucial. The Covid19 lockdown and consequent shift of almost all of our professional exchanges into a digital space finally galvanized me into action!
The new listing provides comprehensive details of the pre-DPD (“first generation”), DPD-era (“second generation”) and GDPR-era (“third generation”) laws which have been enacted in EEA States and also in Switzerland and the UK, both of which have had and retain very close links with EU data protection. The listing gives preference to English (or, if not, French) texts wherever these are available. In that regard I was able to draw in particular on translations produced by European Data Protection Authorities (DPAs), other government authorities and by the Council of Europe. These translations are generally excellent but have, to date, been very hard to locate.
The current listing is just a starting point (but should I think keep even the most dedicated data protection aficionado going throughout the Covid lockdown). It will be periodically updated as new translations, especially of national data protection laws enacted under the GDPR, are produced. Beyond this, it is also intended to add considerably more detail on the development of these laws especially with regards to the interface with freedom of expression. Watch this space!
David Erdos is Deputy Director of Centre for Intellectual Property and Information Law (CIPIL) and also WYNG Fellow in Law at Trinity Hall, University of Cambridge