From camera to online data: how privacy legislation became more important
You're walking through a busy shopping street and suddenly someone takes a picture of you. You're probably thinking: hey, is that allowed? That feeling of discomfort is at the heart of our privacy law.
On this page
Below is a bird's-eye view of how privacy legislation and the AP came into being. Looking for a step-by-step timeline? Then read the full, extended version of this story: History of privacy legislation and the AP.
Nowadays, almost everyone has a smartphone with a good camera but in 1888, the first portable camera became available. That made a big difference, because suddenly, everyone could take pictures anywhere, anytime.
Interesting for the tabloids, but do we as a society want that? The answer from American lawyers Warren and Brandeis was clear: no. They formulated the first definition of privacy in 1890: the right to be let alone.
Privacy as a human right
The importance of privacy – and specifically the protection of personal data – was demonstrated by World War II. Thanks to the excellent population registers, the occupier had no problems tracking down specific population groups. To prevent a recurrence, many countries agreed that people's personal data needed to be better protected.
The mass violations of fundamental rights during the war have led to stronger agreements on human rights, including privacy:
- 1948: The United Nations (UN) enshrined the right to privacy in the Universal Declaration of Human Rights (UDHR).
- 1950: Europe followed with the European Convention on Human Rights (ECHR). Here too, privacy is a fundamental right.
This declaration and convention are the basis of almost all subsequent privacy laws. Yet they remained quite general in nature.
1950: The European Convention on Human Rights (ECHR) makes privacy a fundamental right.
The influence of computers
The advent of computers changed a lot. Companies and governments were suddenly able to collect and process large amounts of personal data. This included tax data, customer files and membership lists.
This was a new development that raised concerns, as there were no clear rules yet for creating databases on such a large scale. Who is allowed to collect which data? And what are they allowed to do with them? The need arose for a new fundamental right: the right to protection of personal data, as part of the broader right to privacy.
In 1973, an initial reply was given. The Council of Europe wrote recommendations on how personal data should be protected. For example, it states that you may only collect data if you know what you need them for. This idea is clearly reflected in later privacy legislation.
Making rules is one thing, making sure everyone follows them is another. The first step towards this was made in 1981. That is when the European Data Protection Convention was adopted. For the first time, specific rules for data protection were introduced, with a call for supervision and enforcement. This convention laid the foundation for the European data protection.
1981: The European Data Protection Convention provides specific rules for the protection of personal data. This convention was signed on 28 January 1981. That is why 28 January has been declared European Privacy Day.
Privacy as a fundamental right in the Netherlands
In the Netherlands, the desire arose to provide additional protection for privacy in the Constitution. We have had rules for the equal treatment of citizens since 1848, but those rules did not take into account the digital processing of personal data.
In 1983, the right to privacy became an official fundamental right thanks to Article 10 of the Dutch Constitution. The government had work to do, because rules also had to be drawn up for the protection of personal data.
This happened for the first time in 1989, with the Personal Data Registration Act (Wpr). This was the first general Dutch privacy act. The so-called Registratiekamer, a forerunner of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, was established for independent supervision and enforcement.
1983: The Dutch Constitution makes privacy a fundamental right.
Europe presents a common front
Within the European Union (EU), countries at the time created different national laws to protect privacy. This was inconvenient for companies, governments and citizens. That is why the EU tried to present a common front.
The starting shot was given in 1995. The first EU Privacy Directive (95/46/EC) required all EU Member States to adapt their national laws. For example, the Directive states that each Member State must appoint a supervisory authority. The Netherlands implemented the Directive in 2001 with the Personal Data Protection Act (Wbp).
1995: Data Protection Directive, the first privacy law in the EU.
The Registratiekamer became College bescherming persoonsgegevens, or CBP. The CBP was given more options to ensure that everyone complied with the law, such as imposing an order subject to a penalty or an administrative fine.
The next milestone was on 1 December 2009. That is when the EU Charter of Fundamental Rights came into effect. This ensured that the protection of personal data became an independent fundamental right throughout the EU. The Charter also states that Member States must have an independent authority to monitor compliance with the rules, i.e. a data protection authority. Furthermore, the Charter ensures that the tasks of the supervisory authority are laid down in the EU Constitution. This means that EU member states cannot simply decide to stop doing this.
2009: Charter of Fundamental Rights of the EU, which established the protection of personal data as an independent fundamental right. It stipulates that an independent authority must monitor compliance with these rules. The Charter came into effect on 1 December 2009.
The big step: the GDPR and the Dutch RGR
But what exactly does this fundamental right entail, and how do you ensure that everyone adheres to it? This requires explanation, enforcement and supervision. That is easier said than done, because EU Member States had different laws on privacy and personal data protection. Moreover, these rules did not match each other. So one country had stricter privacy rules than the other.
That changed with the General Data Protection Regulation (GDPR) and the Directive on data protection in the law enforcement sector (Dutch RGR). The Dutch RGR is a special directive for data protection by authorities charged with law enforcement, including the police and the judiciary.
Since then, one set of rules has applied to the entire EU. This makes it clearer for companies, the government and citizens what is and is not allowed, wherever you are in the EU. The GDPR and the Dutch RGR came into effect on 25 May 2018 and together form the main legislation for the protection of personal data in the EU.
2018: GDPR and Dutch RGR, which ensure that the same legislation for the protection of personal data applies throughout the EU. The GDPR and Dutch RGR came into effect on 25 May 2018. The Dutch RGR had to be transposed by the countries into national legislation.
On 25 May 2018, the Dutch Data Protection Authority (AP) became the official independent supervisory authority for the GDPR, the GDPR Implementation Act (UAVG) and the Dutch RGR. The AP is the successor to the CBP.
As a supervisory authority, the AP ensures that everyone complies with the GDPR and the Dutch RGR. And that personal data are processed lawfully, properly and transparently. And therefore, for example, not in a discriminatory manner. We answer questions from citizens and organisations, investigate complaints and, if necessary, take enforcement action. For example, by imposing a fine. We also verify new laws and regulations regarding the processing of personal data.