Category Archives: DP History

Brief case-law companion for the GDPR professional

This collection of quotes from relevant case-law has been compiled with the purpose of being useful to all those working with EU data protection law. The majority of the selected findings are part of a “Countdown to the GDPR” I conducted on social media, one month before the Regulation became applicable, under #KnowYourCaseLaw. This exercise was prompted by a couple of reasons.

First, data protection in the EU is much older and wider than the General Data Protection Regulation (GDPR) and it has already invited the highest Courts in Europe to weigh in on the protection of this right. Knowing what those Courts have said is essential.

Data protection law in the EU is not only a matter of pure EU law, but also a matter of protecting human rights following the legal framework of the Council of Europe (starting with Article 8 of the European Convention on Human Rights – ‘ECHR’). The interplay between these two legal regimes is very important, given the fact that the EU recognizes fundamental rights protected by the ECHR as general principles of EU law – see Article 6(3) TEU.

Finally, knowing relevant case-law makes the difference between a good privacy professional and a great one.

What to expect

This is not a comprehensive collection of case-law and it does not provide background for the cases it addresses. The Handbook of data protection law, edition 2018, is a great resource if this is what you are looking for.

This is a collection of specific findings of the Court of Justice of the EU (CJEU), the European Court of Human Rights (ECtHR) and one bonus finding of the German Constitutional Court. There are certainly other interesting findings that have not been included here (how about an “Encyclopedia of interesting findings” for the next project?). The ones that have been included provide insight into specific issues, such as the definition of personal data, what constitutes data related to health, what freely given consent means or what type of interference with fundamental rights profiling is. Readers will even find a quote from a concurring opinion of an ECtHR judge that is prescient, to say the least.

Enjoy the read!

Brief Case-Law Companion for the GDPR Professional

Going back to basics

Being in the process of writing my thesis, I have realized how important it is to stop searching through the whirling flux of current information and new developments in the area of privacy and information technology, or more generally “law and technology”, and look back at the beginning of this craziness.

One might find answers for questions she didn’t even know she needed to answer. Or, at least, she might find some reassurance that the legal thought in this field is capable of steadiness and coherence.

This is why I decided to share with you the principles enshrined in the first “internationalization” effort of personal data protection that I know of, RESOLUTION (73) 22 ON THE PROTECTION OF THE PRIVACY OF INDIVIDUALS VIS-A-VIS ELECTRONIC DATA BANKS IN THE PRIVATE SECTOR (Adopted by the Committee of Ministers of the Council of Europe on 26 September 1973).


1. The information stored should be accurate and should be kept up to date. In general, information relating to the intimate private life of persons or information which might lead to unfair discrimination should not be recorded or, if recorded, should not be disseminated.

2. The information should be appropriate and relevant with regard to the purpose for which it has been stored.

3. The information should not be obtained by fraudulent or unfair means.

4. Rules should be laid down to specify the periods beyond which certain categories of information should no longer be kept or used.

5. Without appropriate authorisation, information should not be used for purposes other than those for which it has been stored, nor communicated to third parties.

6. As a general rule, the person concerned should have the right to know the information stored about him, the purpose for which it has been recorded, and particulars of each release of this information.

7. Every care should be taken to correct inaccurate information and to erase obsolete information or information obtained in an unlawful way.

8. Precautions should be taken against any abuse or misuse of information. Electronic data banks should be equipped with security systems which bar access to the data held by them to persons not entitled to obtain such information, and which provide for the detection of misdirections of information, whether intentional or not.

9. Access to the information stored should be confined to persons who have a valid reason to know it. The operating staff of electronic data banks should be bound by rules of conduct aimed at preventing the misuse of data and, in particular, by rules of professional secrecy.

10. Statistical data should be released only in aggregate form and in such a way that it is impossible to link the information to a particular person.

The original text of the Resolution can be found here.

We encounter access rights, purpose limitation, erasure of obsolete data and even the idea of anonymization. In 1973.

I got my ounce of inspiration from wondering how the essence of these principles is still relevant so many decades after they were published. And I hope you will also find yours.


It took 15 years for the UK to pass its Data Protection Act

The history of data protection legislation section of this blog continues today with the story of how the UK needed 15 years to turn the initiative for data protection regulation into law. The process started in 1969 and ended in 1984. Below you will find a detailed history of the struggle to pass this bill:

It was at the end of the sixties that the United Kingdom Parliament began to be worried by increasing computerization and its consequences for the privacy of the individual citizen. Several Members of Parliament introduced Bills, but without success. (See for example the Data Surveillance Bill 1969 by Kenneth Baker and the Personal Records (Computers) Bill 1969 by Lord Windlesham).

The debate in and outside Parliament only really got under way with the publication in 1970 of a report by Justice, the British section of the International Commission of Jurists, entitled Privacy and the law. The Right of Privacy Bill contained in an annex to the report was introduced into Parliament virtually unchanged as a Private Member’s Bill by Brian Walden, M.P.

The ensuing debate in the House of Commons led to the setting up of the Committee on Privacy, also known as the Younger Committee, which presented its final report in 1972.

Following on from the Younger Report, three years later the Government published a White Paper, entitled Computers and Privacy.

The need for a data protection law was recognized both by the Government and the Parliament.

To this end a Committee on Data Protection was set up under the chairmanship of Lindop. The Lindop Report was published in December 1978. It contained thorough recommendations both as to the aims to be achieved and on the substance of future data protection legislation.

Following the Lindop Report, the government published in April 1982 a new White Paper containing a proposed Bill.

The first reading of the DPA Bill took place in the House of Lords on December 21, 1982. Passage of the Bill was stopped when Parliament was dissolved on May 13, 1983. An amended version was discussed in the House of Lords on June 23, 1983. It passed to the House of Commons on November 3 of that year, returning to the House of Lords on June 29, 1984. The DPA received the Royal Assent on July 12, 1984.

The Bill did not pass through the Houses of Parliament without a struggle. Compared to other British statutes it had a relatively long Parliamentary history. It appears from the debates that this was due in great part to the complexity of the subject-matter. Members of both Houses were regularly perplexed by the technical subject matter of the Bill and the complexity of its structure.

Source: A.C.M. Nugter, Transborder Flow of Personal Data within the EC, Springer, Netherlands, 1990 (pp. 107–109)

You can find the book here: Transborder Flow of Personal Data Within the EC (Computer/law series)

DP history: Which was the first country to adopt a Data protection law?

Why did governments and legislatures think that the personal information collected by different entities should be protected? When did they discover that society needs such regulations?

I will try to answer these questions in my new category “DP history”. I keep reposting news about countries that pass data protection legislation for the first time. But how about the ones that first discovered this need in their societies? So, I figured I should provide valuable information in this regard as well.

I will start by answering the question “Which was the first country to adopt a Data Protection law?”.

The answer is Germany. Well, Germany was a “door opener” not only in nation-wide data protection regulation, but also in data protection law in general, as its Land of Hesse adopted the first ever law with regard to the protection of personal data in 1970.

Today, however, I will share a few facts about the Federal law on the protection of personal data adopted by the German Parliament: Bundesdatenschutzgesetz.

It was as early as 1969 that the German Parliament requested the Government “to introduce without delay a statute regulating the computerized processing of personal information.”

The first draft of the Bill appeared in 1973, but it was not until November 10, 1976 that the Bundestag approved the Act on the Protection against the Misuse of Personal Data in Data Processing. The President of the Republic signed the definitive version on January 1, 1977.

However, in the intervening period a number of Länder (German states) had passed laws on the protection of personal data as far as public bodies were concerned.

The Federal Act covers processing of personal data at federal level, at Land level to the extent that no Land regulation exists, and also data in the private sector.

So, it took about 8 years to transform the recognized need to protect personal data into law. But you will see tomorrow that in one European country it took 15 years! Why do you think such legislation was so difficult to pass?

Source: A.C.M. Nugter, Transborder Flow of Personal Data within the EC, Springer, Netherlands, 1990. You can find the book here:

Transborder Flow of Personal Data Within the EC (Computer/law series)