We use cookies to ensure that we give you the best experience on our website. Cookies enable us to provide you core functionalities such as security, network management and accessibility. They improve usability and performance through various features such as language recognition, search results and thereby improve what we offer to you.

For more information, please visit our Privacy Policy

EUROPEAN DATA PROTECTION: 4 HIDDEN ROOTS

European Data Protection: 4 Hidden Roots
03 Jun

European Data Protection: 4 Hidden Roots

2 | CIPP-E Preparation | CIPP/E exam preparation European data protection gdpr Convention 108 OECD Privacy Guidelines data protection history Council of Europe EU institutions

European data protection did not arrive with the GDPR in 2018; it inherited a structure built over seventy years, and the CIPP/E exam still tests that structure in its first domain. Candidates who begin their reading at the General Data Protection Regulation tend to lose the questions that ask where a principle came from or which body produced it. The earlier instruments are not history for its own sake; they explain why the GDPR looks the way it does and why several of its ideas predate it by decades. Four roots carry most of the marks.

Why European data protection has a long memory

The IAPP publishes a Body of Knowledge (BoK) for each certification, the document that sets out every topic the exam can test, and for the CIPP/E it opens with origins rather than the GDPR. That is deliberate. The first domain rewards a candidate who can place each instrument in sequence and say what it added. You will be tested on the order of events more than on the exact dates, though knowing the dates does no harm.

The right that had to be carved out

European data protection began as a branch of human rights. The Universal Declaration of Human Rights in 1948 named privacy as a protected interest, and the European Convention on Human Rights gave it binding force across the Council of Europe's members from the 1950s. Privacy, though, is broader than data; the spread of automated processing in the 1970s showed that personal data needed its own, narrower right. That separation, privacy as the parent idea and data protection as the distinct child, is the conceptual root from which everything else grows.

The first instruments: OECD Guidelines and Convention 108

Two texts turned the idea into workable principles. The OECD Privacy Guidelines of 1980 set out collection limitation, purpose specification, use limitation and accountability, the vocabulary you still meet in the GDPR. A common trip is to confuse these with the OECD's Guidelines for Multinational Enterprises from 1976; only the 1980 Privacy Guidelines are the data protection instrument the curriculum tests. A year later, Convention 108 became the first legally binding international treaty on data protection, open for signature in 1981 under the Council of Europe. The Guidelines persuaded; the Convention bound. That difference between a recommendation and a treaty is worth holding onto.

What Convention 108+ modernised

Convention 108 was built for a world without the internet, so the Council of Europe modernised it. It adopted the amending protocol known as Convention 108+ in 2018, the same year the GDPR began to apply. The update added duties around transparency, breach notification, proportionality and stronger oversight, bringing the treaty closer to the GDPR's level. Accession still matters because Convention 108+ is open to states well beyond Europe, which makes it one of the few bridges between European data protection and the rest of the world. For exam purposes, treat it as the treaty layer running in parallel to EU law, not as part of it.

The EU line and the European data protection institutions

The European Union built its own track on top of that foundation. The Data Protection Directive of 1995 harmonised national laws and introduced terms such as processing, controller and consent; the ePrivacy Directive of 2002 added rules for electronic communications; and the General Data Protection Regulation replaced the 1995 Directive in 2018. Reading the origins of data protection law in one sweep makes the progression click. Alongside the legislation sits an institutional map, and candidates need the European institutions that shape data protection clear in their heads: which body drafts, which adjudicates and which supervises. The interplay of Convention 108+, the GDPR and the newer digital statutes is set out in Convention 108+ and the wider regulatory picture.

The traps that catch candidates

Two confusions cost more marks than any others. The first is the Council of Europe against the European Union; the Council of Europe produced the Convention and runs the European Court of Human Rights, while the EU produced the Directives and the GDPR and runs the Court of Justice. They are separate organisations with overlapping membership, not one body under two names. The second is the directive against the regulation; a directive sets a goal that each member state writes into its own law, which is why the 1995 Directive produced many national variations, whereas a regulation applies directly and uniformly, which is why the GDPR did not. Keep those two pairs straight and the first domain stops being slippery.

A clean grasp of European data protection, from the human-rights starting point through to the GDPR, turns a fiddly part of the syllabus into reliable points. To fix the sequence in your memory, work through the free Data Protection Timeline; it lays out the milestones from 1948 to the present so the order, and the logic behind it, stays put. For a structured way to cover the rest, a CIPP/E study roadmap and the CIPP/E Body of Knowledge and exam blueprint are the next two stops.

Share this Post

CIPP/E Prep Suite

CIPP/E Prep Suite

Study - Practice - Certify

GET CERTIFIED!

Ready to kick-start your career?

GET STARTED NOW

Categories

About The Blog

Stay up to date with the latest news, background articles, and tips for your study.

Our latest video

22Academy

Tailored Training Solutions

Let's find the best education solution for your situation. We will contact you for Free Support!

Success! Your message has been sent to us.
Error! There was an error sending your message.
It’s for:
We will only use your email address to contact you regarding your education needs. We do not sell your personal data to third parties.