Today marks the 39th anniversary of the Council of Europe's "Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data", or, more catchily, Convention 108. It is the root treaty that spawned the first European Union-wide data protection laws, including the General Data Protection Regulation (GDPR), as well as similar laws in Canada, Australia, India, Japan, Argentina, Uruguay, Mexico, and more.
Its anniversary is why in the United States, as declared in previous years by Congress, we celebrate National Data Privacy Day. Meanwhile, across the Atlantic, the nations of the Council of Europe—including the European Union, Russia, Norway, and their neighbours—will be celebrating Data Protection Day. Others around the globe, will be relishing 24 hours of simple, undiluted Privacy Day, sans any mention of "data" at all.
It is, perhaps, a reflection of the haphazard way that modern digital privacy is globally interpreted and enforced, that the world can't even lock down a consistent term for the concept's unofficial birthday.
It's tempting, too, to use that as an opportunity to loudly ponder on cultural differences between the United States’ and the rest of the world’s conceptions of privacy. But the history of data protection and Convention 108 shows that while naming things can be hard, the fundamental principles behind the wish to keep your personal data under control in the online world really are simple and more universal than the terminology.
Long before the personal computer revolution, the popular image of computing was wrapped tightly around their potential abuse as an invader of privacy—primarily, but by no means exclusively, led the state. In 1965, American journalist Vance Packard, famous for "Hidden Persuaders", his searing critique of modern advertising, wrote "The Naked Society", which showed the public the risks of the automated collection of personal data into vast "data banks"—especially by the U.S. government. The first digital privacy law, the Datenschutz, which passed in the German state of Hesse in 1970, was also aimed solely at government data collection and misuse.
The name of that law, translated literally into other languages, ultimately became the term of art: "data protection". It was clear that a term was needed. In an international legal environment where even the plain term "privacy" was difficult to map to equivalent phrases in other languages, adding computers to the mix just made things worse. What was “data privacy” in English, in French was called l'informatique et des libertés, and in Swedish data och integritet. In 1983, a German constitutional court ruling on the census coined the term informationelle Selbstbestimmun or informational self-determination, as another way of expressing a similar idea: "the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits information about his private life should be communicated to others”.
Ultimately, Europe settled on data protection as the broader umbrella term, giving birth the Data Protection Directive in 1995, the embedding of data protection as a fundamental human right in 2000's EU Charter of Fundamental Rights, and most recently in the General Data Protection Regulation.
In the United States, you didn't hear as much talk of "data protection" as a term, at least before companies started sending those GDPR update e-mails in 2018. And because the U.S. model of online privacy protections since the 1970s has largely been a patchwork of judicial decisions, state law, and narrowly-scoped and specialized statutes, rather than a single encompassing Federal law, it's hard to say that the American system has a simple legal term for what Convention 108 relatively succinctly expresses.
But as earlier European jurists showed, just because you don't have a local name—or a law—for it, doesn't mean that people don't know what you're talking about. When California lawmakers drafted and passed its Consumer Privacy Act in 2018, its authors paid little attention to compatibility with the GDPR.
But, looking at the two side-by-side, what is clear is that the overarching principles embodied in Convention 108, are there to see in the CCPA too. A right of disclosure: you can find out what data is being held on you. A right of erasure: you can fix what's there. The underlying principles of data are similar, wherever you live, and whatever language you use.
There are 132 jurisdictions that have data privacy(or protection) laws, covering similar concerns in different ways, sometimes using different terms. In Mexico you might speak of “ARCO rights” (Access, Rectification, Cancellation and Opposition); in Brazil you could refer to habeas data. The names change, but the aims are the same.
This isn't a comparative legal analysis (nor, as we fun-loving EFFers often like to say at parties, is this legal advice). The many differences between how privacy laws interpret the actions of the private and public sector will be fought over for decades—and rightly so. The most subtle differences can lead to vast differences in outcomes; not least the varying emphasis laws can have on privacy violations by the state, by corporations, and by individuals.
But at a time when politicians around the world are emphasizing or bemoaning the differences between countries and cultures, it's worth remembering that human rights are universal.
When new technology enhances or undermines those human rights, we may, briefly, believe that everything has changed. We may struggle to name our feelings, or reach the same explanations as to why those feelings should be listened to. We may even conclude that some nations are doomed by fate or circumstance to react differently to those new circumstances.
But just because one culture doesn't have a law in place, or hasn't yet coined a term in its own language, doesn't mean that those in it don't share the universal delight at exercising a right more strongly, or dismay at having a human need ignored or disrupted. Call it data protection, data privacy, or just plain privacy: it's a need that's been felt since the first widespread uses of computing in society. And it’s a right we need to fight for, globally, every day, in every country.