History of privacy legislation and the Dutch DPA

Protection of privacy

The concept of privacy has been around worldwide for a long time. But it was only with the advent of photography and film that real attention was paid to protecting privacy. The development of the portable camera in 1888 in particular contributed to this. 

This increased focus on privacy protection led to the first legally oriented definition of privacy in 1890: ‘the right to be let alone’, by American lawyers Warren en Brandeis. This definition has been the starting point of privacy legislation, first in the United States and later in Europe. 

Privacy as a human right

In 1798, the rights of citizens in the Netherlands were laid down for the first time in the Constitution of the Batavian People, the first Dutch constitution. In 1848 the constitution was amended under Thorbecke. The non-discrimination principle of 'equal entitlement to protection of person and property' was then established. This means that everyone should be treated equally.

There have also been registrations of people for a very long time, such as church registers of births and marriages and population registers. During WWII, it became clear how easy it was to track down Jews using these population registers. Partly because of this, several human rights treaties were concluded after the war. 

1948: Universal Declaration of Human Rights (UDHR)

In 1948, the United Nations (UN) adopted the UDHR. This sets out the general principles of human rights. The UDHR forms the basis for human rights instruments of the UN and regional organisations such as the Council of Europe, the Organisation of American States and the African Union. 

Article 12 sets out the right to privacy: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." 

The UDHR has no binding force. This means that countries are not obliged to adhere to it. It was agreed, however, that, in addition to the UDHR, treaties would be drawn up with binding obligations. These became the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights, both from 1966. 

1950: European Convention on Human Rights (ECHR)

The Council of Europe's ECHR is based on the UDHR. The ECHR also recognises the right to privacy. This is enshrined as a fundamental human right in Article 8: "Everyone has the right to respect for his private and family life, his home and his correspondence." 

1966: International Covenant on Civil and Political Rights (ICCPR)

In 1966, the UN adopted the ICCPR. Countries that sign up to the covenant are obliged to respect the human rights set out in the covenant. 

Article 17 sets out the right to privacy: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation." 

In 1976, the ICCPR entered into force. This means that from then on, countries that signed the ICCPR must adhere to it. The UN Human Rights Committee monitors whether they actually do this. 

Right to protection of personal data

The advent of computers made it possible to automatically process large amounts of personal data. This created the need for a new right: the right to protection of personal data.

Enforcement and supervision

Enforcement and (the lack of) supervision have always been the most difficult points of privacy legislation. Over time, supervision has become increasingly strict and improved. With the introduction of the GDPR, the powers of data protection authorities have increased significantly.

1973/1974: Council of Europe Resolutions

In 1973, the Resolution on the protection of the privacy of individuals vis-a-vis electronic data banks in the private sector was adopted. And in 1974 the variant for the public sector. 

The principles of these resolutions – although less extensive – are essentially the same as those of the GDPR. For example, Article 2: "The information should be appropriate and relevant with regard to the purpose for which it has been stored." This is in line with the principle of purpose limitation from the GDPR.

Supervision

These resolutions do not yet contain any information on monitoring compliance with the rules.

1981: Council of Europe Data Protection Convention

In 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was adopted. This convention is also called the Strasbourg Convention or Convention 108. 

The convention laid the foundation for the European data protection. It is an elaboration of the right to respect for privacy, as laid down in Article 8 of the ECHR. The convention defines fundamental privacy rights in more concrete terms than the Council of Europe resolutions of 1973/74. 

The Data Protection Convention was signed on 28 January 1981. In 2007, the Council of Europe and the European Commission therefore declared 28 January as European Data Protection Day.

Supervision

For the first time, there is an addition about the enforcement of the rules. However, this is only a first call for a form of supervision, which is certainly not legally comprehensive. 

Privacy as a fundamental right

In the Netherlands, the desire arose to enshrine the right to privacy in the Constitution. This was partly due to commotion surrounding the 1971 census, rapid growth in automated data processing and a strong expansion and modernisation of government administration. 

1983: Protection of privacy in the Dutch Constitution

Since 1983, Article 10, paragraph 1, of the Constitution has protected the right to respect for privacy. Until 1983, only aspects of privacy – the confidentiality of correspondence and the inviolability of the home – were constitutionally protected. This is therefore the first time that the protection of privacy has been explicitly named as a fundamental right.

In addition, the second and third paragraphs of Article 10 instruct the legislator to establish rules for the protection of personal data. This has led to the Personal Data Registration Act. 

1989: Personal Data Registration Act (Wpr)

In 1989, the Personal Data Registration Act (Wpr) was introduced. This establishes for the first time general rules for the creation and use of files containing personal data. 

The Wpr also made it possible for the Netherlands to participate in the aforementioned Council of Europe Data Protection Convention of 1981. This convention contains basic principles for the protection of personal data that each participating country must implement. 

Supervision

Part of the Wpr was the establishment of a data protection agency: the Registratiekamer ('Registration Board'). This is a predecessor of the Dutch DPA. The Registratiekamer maintained a register of organisations that processed personal data. In addition, it provided information on data protection and advice on new laws and regulations.

First EU privacy law

A first step in harmonising (aligning) privacy rules within the EU is the 1995 Data Protection Directive (Directive 95/46/EC). This Directive required EU Member States to harmonise their privacy laws within the limits set by the Directive.

1995: Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data

This Directive 95/46/EC is the first privacy law in the EU. All EU Member States created their own national legislation based on the directive.

Supervision

Article 28 of the Directive requires each Member State to appoint a supervisory authority.

2001: Personal Data Protection Act (Wbp)

The Personal Data Protection Act (Wbp) is the Dutch implementation of the 1995 EU directive. It replaces the Personal Data Registration Act of 1989.

Supervision

The Registratiekamer changed into the College bescherming persoonsgegevens ('Board for the protection of personal data' or CBP). The CBP was given new (enforcement) powers, such as the power to impose a penalty payment order or a fine of up to EUR 820,000. 

Data protection as a fundamental right

For a long time, the protection of fundamental rights was not clearly regulated in EU law. There was therefore a need for a document that clearly sets out fundamental rights. That came in 2000: the EU Charter of Fundamental Rights. 

2000-2009: EU Charter of Fundamental Rights and Treaty of Lisbon

In 2000, the EU Charter of Fundamental Rights was adopted. It was not yet legally binding at that time. This only became the case on 1 December 2009, with the entry into force of the Treaty of Lisbon. 

Article 8 of the Charter made the protection of personal data an independent fundamental right. This was a milestone in the protection of personal data. The article is the foundation on which the GDPR is built.

Supervision

Independent supervision is an explicit part of the Charter.

Current privacy legislation

The fact that EU member states had different privacy laws made enforcement and supervision complex. In addition, this created regulatory pressure for companies operating in several Member States. This created the need to align privacy laws in the EU. 

2018: GDPR and LED

In 2012, a draft General Data Protection Regulation (GDPR) was available after a long period of negotiations. So far, this is the most lobbied for process in the EU. This means that many interest groups tried to influence the choices.

In addition to the GDPR, a separate European directive was introduced for data protection by authorities responsible for law enforcement, including the police and the judiciary. This is the Directive on data protection in the law enforcement sector (Law Enforcement Directive or LED). 

The GDPR was adopted in 2016. Organisations were given until 2018 to prepare. 

The GDPR came into effect on 25 May 2018. 

The Wbp was therefore repealed. On a number of points under the GDPR, countries still had to legislate themselves. In the Netherlands, this was done for most part in the General Data Protection Regulation Implementation Act (UAVG).

The LED had to be transposed by the countries into their own national legislation. In the Netherlands, it was implemented in, among other things, the Police Data Act (Dutch Wpg) and the Judicial Data and Criminal Records Act (Dutch Wjsg).

Supervision

As of 1 January 2016, the name of the CBP changed to the Dutch Data Protection Authority (Dutch DPA). This name change only applied 'in society', as stated in Article 51 of the Wbp. CBP was kept as its formal name. 

As of 25 May 2018 (with the entry into force of the GDPR), the formal name also became Dutch Data Protection Authority. From 1 January 2016, the Dutch DPA was able to impose fines and organisations were required to immediately report serious data breaches. 

The GDPR and the LED regulate the tasks and powers of the Dutch DPA as a supervisory authority. The duties and powers of the Dutch DPA as set out in the GDPR and the LED are further elaborated in the UAVG, Wpg and Wjsg.

The GDPR gave the Dutch DPA the authority to impose fines of up to EUR 20 million or 4% of annual turnover. It also received more enforcement instruments, such as imposing a reprimand or a processing ban. 

Since 2018, the national data protection authorities have been working together in the European Data Protection Board (EDPB).