Germany (in 1977) and France (in 1978) were the first countries to adopt laws concerning the processing of personal data. Initially, the rationale behind these rules was to protect citizens’ privacy vis-à-vis public administration. The role of these rules changed in the 1990s, when the use of the Internet and information processing technologies became widespread among both businesses and individuals, and so did the threat to data privacy.
These early national laws inspired the OECD’s Recommendations Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data, adopted in 1980, and the Council of Europe’s Convention for the protection of individuals with regard to automatic processing of personal data, adopted in 1981 (known as Convention 108). These documents, and in particular the second one, helped shape the EU data protection framework.
Data protection rules have been harmonised at the EU level by Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Personal Data Directive"). This framework is completed by Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ("e-Privacy Directive").
The Personal Data Directive was replaced by the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018. It is probably the single most ambitious piece of EU legislation in its whole history. It drew a lot of media attention and gave data protection a much more prominent place, mostly due to the significantly increased administrative fines, which can now go up to 200,000 EUR.
Soon, the e-Privacy Regulation, which is still under negotiation as of 2019, will replace the e-Privacy Directive.
Directives do not apply directly in the legal systems of the Member States; in order to be effective, they need to be implemented (transposed) into national laws. Such instruments harmonise laws of EU Member States, but do not fully unify them, as the choice of "forms and means" to achieve the standards set out in directives is left to national legislators. On the other hand, Regulations have direct effect and take precedence over national laws, and they create a unified framework across all the Member States.
However, the GDPR expressly leaves some aspects to be regulated at the level of Member State laws. This is why EU Member States still maintain national rules in the field of data protection (which, obviously, have been adapted to the common framework of the GDPR), and why, in some areas (including research), differences among Member States may still exist.
National laws governing the processing of personal data include, e.g.:
- in Germany: Bundesdatenschutzgesetz (BDSG) at the level of the Federation, and Landesdatenschutzgesetze (LDSG) at the level of each state;
- in France: Loi informatique et libertés (LIL);
- in the UK: the Data Protection Act.
Art. 29 of the Personal Data Directive created the Data Protection Working Party (referred to as the art. 29 Working Party, or WP29), a European body made up of representatives of the national data protection authorities of each EU Member State. Under the GDPR, the body was renamed the European Data Protection Board (EDPB) and given some additional powers. The opinions and guidelines of WP29/EDPB are not formally binding, but they have great persuasive authority and are often followed very closely by national authorities.
Every EU Member State has its own Data Protection Authority:
- in Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) at the federal level, and local authorities (full list available at: https://www.bfdi.bund.de/bfdi_wiki/index.php/Aufsichtsbehörden_und_Landesdatenschutzbeauftragte#Nordrhein-Westfalen) in each state;
- in France: Commission nationale de l'informatique et des libertés (CNIL);
- in the UK: Information Commissioner’s Office (ICO).
Under the GDPR, it is now mandatory (at least for institutions like universities or research institutes) to appoint a Data Protection Officer (DPO), who serves as a liaison between the institution and its employees and the national data protection authority. Do not hesitate to contact the DPO at your institution — he/she will help you with all your questions concerning personal data processing.