Last Updated on December 2, 2021
For many of us in the US, privacy laws like the California Privacy Rights Act (CPRA) or the EU’s General Data Protection Regulation (GDPR) are seen as a recent, consumer-motivated reaction to tech companies misusing our personal data without our knowledge or consent. But in Europe and many other parts of the world, citizens’ understanding of the intent and importance of privacy laws is fundamentally different.
On a recent episode of The Virtual CISO Podcast, Jason Powell, GRC and Privacy Consultant at Pivot Point Security shared this deeper historical perspective with host John Verry, Pivot Point Security CISO and Managing Partner.
The roots of modern privacy legislation
Our present-day view of privacy rights actually has its origins in post-World War II democratic Europe.
Jason explains: “Following World War II the authoritarian governments that were associated with Russia and later the Soviet Union very quickly put together a structure of—there’s no other way to say it—secret police. These people were sent out to spy and track their fellow citizens based on a number of things, like racial/ethnic origin, political beliefs, labor union membership, religious beliefs, whether you had a mental or physical disability, sex life or sexual orientation, all sorts of things.
“And these secret police had entire archives full of information about otherwise law-abiding citizens. As a result, these people were systematically spied upon, tracked, blackmailed, jailed, tortured, and in some cases murdered. So, the people in free Europe really had an interest in ensuring that nothing like this was going to happen anytime in the near future. Those free countries in Europe started to put together national laws that forbade the unlawful collection of personal information,” Jason relates.
Eventually these national laws were codified in a 1980 publication from the Organization for Economic Cooperation and Development, called in privacy circles the OECD guidelines. These were updated in 1995 by The Data Protection Directive (DPD), the immediate precursor to GDPR in 2016.
The DPD mandated that EU nations embody these privacy principles in their national laws. GDPR further modernized those laws and made them more consistent across countries.
Keeping us free from discrimination
This view was eye-opening to John, as it is for many people: “This is anti-discriminatory. It goes back decades and it’s really about peoples’ personal freedoms. It’s not about their personal information. It’s about them not being discriminated against by governmental entities and corporations based on that personal information.”
“Not only that: if you were gay in 1949 in Hungary, you might find yourself in a shallow grave on the side of the road with a bullet in the back of your head,” Jason recounts. “So, for many people in authoritarian Europe, your privacy was a matter of life and death.”
That’s something worth keeping in mind as our use of technology digitizes more and more data about us, making it easier for third parties to access and harder for us to control.
Looking to prioritize privacy in your organization? This podcast with Jason Powell will help you formulate the best strategy: https://pivotpointsecurity.com/podcasts/ep66-jason-powell-private-practices-how-to-prioritize-privacy-in-your-organization/
Want to dig deeper into privacy issues? Check out this related post: https://pivotpointsecurity.com/blog/how-privacy-is-driving-the-need-for-information-governance/