Origin and Evolution of Data Privacy Laws

Abhishek Kushwaha

Law Student, Amity Law School, Delhi

Privacy is not at all a new concept and goes way back. The first recognised instance is Semayne's Case in 1604, which stated that the house of everyone is to him as his castle and fortress. Then, in 1890, Justice Louis Brandeis and a Boston-based attorney, Mr. Samuel Warren, co-wrote the famous article “The Right to Privacy” in the Harvard Law Review. In the article, privacy is described as “a right to be let alone and a right of each individual to determine, under ordinary circumstances, what his or her thoughts, sentiments, and emotions shall be when in communication with others.”

In his book Privacy and Freedom, author Alan Westin summarized the discussion on privacy and defined privacy based on all of these points: “Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. Viewed in terms of the relation of the individual to social participation, privacy is the voluntary and temporary withdrawal of a person from the general society through physical or psychological means, either in a state of solitude or small-group intimacy or, when among larger groups, in a condition of anonymity or reserve.”

It was only in the 1970s that the first modern-day data privacy laws came into place. It was in Hesse, Germany, that the modern data privacy law came into being, in reaction to rising concerns about computing advancements and privacy in the processing of personal data. Along these lines, in 1973 Sweden created its first national privacy law, called the Data Act, which criminalized data theft and gave data subjects freedom to access their records. In 1978, the German Federal Data Protection Act established basic data protection standards, such as the requirement of consent for the processing of personal data. By 1979, many EU member states had followed and incorporated data protection laws as fundamental rights into their legislation.


There was a landmark case in the German Constitutional Court in 1983, also known as the Right of Informational Self-Determination case. The court held that all citizens should have basic rights to self-determination over their personal data. In the final verdict, the court said that individuals should be protected against the unlimited collection, storage, use, and disclosure of their personal data.

In 1995, as computer technology advanced and information flowed freely, the European Union came up with a Directive on Data Protection, which laid down minimum standards of personal data protection for the member states and protected the rights of individuals regarding the movement of personal data between the European Union’s member states. Under this directive, individuals had rights of access and access to supervisory authorities, and data was transferred outside of the European Union only if there was “an adequate level of protection”. However, the law was implemented differently in each EU state, leading to some countries lacking stronger laws and oversight.

In 2000 came the Safe Harbor Arrangement, a set of principles meant to reconcile the different data privacy laws of the United States and the European Union to better facilitate the flow of information between them. Ultimately, the principles were invalidated by the European Court of Justice in 2015 because, under U.S. law, U.S. intelligence agencies had unrestricted access to the data of EU citizens. In 2016, the EU-US Privacy Shield was adopted to replace Safe Harbor.

The year 2009 came with the Personal Data Privacy and Security Act. In the United States of America, the data protection laws had been broken up by the state itself. A bill was proposed to increase the protection of personal data by companies and government agencies, set restrictions on data sharing, and further criminalize identity theft and privacy violations. But that bill never saw the light of day.

Finally, it was in 2016 that the General Data Protection Regulations came to light. This was a time when data breaches were happening, and organisations around the world were given a two-year lead to update their security measures and protocols. There are many provisions in the legislation, which seeks to unite the EU under a stricter set of rules, including a right for data subjects to be forgotten, affirmative consent, comprehensive and timely data breach notifications, plain language for terms of service agreements, and fines of up to four percent of an organization’s total worldwide annual turnover if found in violation.

Even now, the General Data Protection Regulations hope to include many of the stipulations from these past acts under one umbrella that will ultimately benefit the individual citizen and their right to privacy.
