MBF Knowledge Base
MBF · MBF Knowledge Base Home · EU General Data Protection Regulation - How Did We Get Here?

EU General Data Protection Regulation - How Did We Get Here?

All information here was borrowed from the GDPR website https://eugdpr.org

An overview of important regulatory events leading up to the GDPR.

OECD Guidelines

Although there is no doubt that the rules and regulations surrounding data privacy needed updating, both the GDPR and the Directive 95/46/EC are based on an even older set of principles that still hold true today. The Organisation for Economic Co-operation and Development (OECD) published its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which was a set of recommendations endorsed by both the EU and the US that set out to protect personal data and the fundamental human right of privacy. The document was originally adopted on 23 September 1980 and proposed the following eight principles for the processing of personal data:

Collection Limitation Principle

There should be limits to the collection of personal data, data should be obtained by lawful and fair means, and where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose Specification Principle

The purpose for the collection of data should be specified at the time of collection and data should not be used for anything other than its original intention without again notifying the data subject.

Use Limitation Principle

Personal data should not be used for purposes outside of the original intended and specified purpose, except with the consent of the data subject or the authority of the law.

Security Safeguards Principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Individuals should have easy access to information about their personal data, who is holding it, and what they are using it for.

Individual Participation Principle

An individual should have the right to know if a controller has data about him/her and to have access to that data in an intelligible form for a charge, if any, that is not excessive. An individual should also have the right to challenge a controller for refusing to grant access to his/her data, as well as challenging the accuracy of the data. Should such data be found to be inaccurate, the data should be erased or rectified.

Accountability Principle

Data controllers should be accountable for complying with the measures detailed above. These guidelines were the basis of many national laws regarding data privacy, however, they were non-binding and the levels of data protection varied greatly even amongst different EU member states.