EU data protection law began on this day 25 years ago with the publication of the EU Commission’s first Proposal for a Data Protection Directive. That proposal was built on concepts such as mainframe computers and desktop PCs, which were parts of centralised, structured and carefully managed information technology systems. Such concepts dated back to Europe’s original data protection law, the Strasbourg Convention of 1981. On 5 November 1990, those concepts still provided a valid basis for the EU proposal, though for only a few more days.

While the EU Commission was busying itself with its proposal, an English researcher, Tim Berners-Lee, was working on an obscure project at the European Organisation for Nuclear Research (CERN) in Switzerland. That project involved hyper-text and other technologies which would enable Berners-Lee to invent the first web-page. The record is sketchy as to when precisely that page was uploaded to CERN’s computers; the 13 November 1990 is the earliest known date, though it may have been uploaded slightly earlier. From that web page would come the World Wide Web, with widely dispersed technology, easy data access and a potential for anarchy instead of governance.

As its name suggests the World Wide Web is global—neither national nor European. Hence, once it was invented, the EU proposal was out of date.

Out of date as it was, the EU proposal would go onto meet significant resistance in the EU Council. It would be withdrawn and replaced with an alternative in 1992. This 1992 proposal would be further debated and negotiated before enactment as Directive 95/46 (the Directive). But the EU’s error was not that it did not enact more up-to-date data protection laws—though it could have. The EU’s error was that it did not develop better information technologies in parallel with its legislation.

The Directive was not a bad law; it was innovative legislation for its time, benefitting remarkably clever legal drafting.

It may not be as relevant as it could be to some modern and not-so-modern technologies, but for such an old law to continue to have any relevance at all is itself remarkable. The Directive gave Europeans real protections: obligations of relevance, security and accuracy; rights of access and rectification; supervisory authorities and access to the courts. Such protections have real benefits: identity theft has never been a problem in the EU, unlike the U.S. So, for example, a European whose credit history has been stolen can force banks and others to rectify their records with relative ease. An American cannot.

Unfortunately, clever EU legislation has proven no match for U.S. technological innovation over the past 25 years. A European may have invented the World Wide Web, but it is Americans who have built upon Berners-Lee’s invention.

The EU is at present discussing the replacement of the Directive with the proposed General Data Protection Regulation. Some are convinced that "modern and robust and uniform data protection rules in the EU will be a competitive advantage for our businesses in the digital age.” Modernised and effective data protection rules may well confer advantages upon EU business, particularly by enabling easier access to the EU’s single market. But as well as new laws, the EU needs vibrant start-ups and adaptive incumbents to take advantage of whatever opportunities the EU’s single market and the global economy may provide.

photo credit: 3D Scales of Justice via photopin (license)