2.1 Origins & Rationale of EU Data Protection

Key Takeaways

  • European data protection treats privacy as a fundamental human right, not a consumer or contractual interest, which shapes every GDPR rule the exam tests.
  • Council of Europe Convention 108 (1981) was the first binding international treaty on automated personal-data processing and is open to non-European states.
  • The 1980 OECD Privacy Guidelines introduced eight principles (collection limitation, purpose specification, accountability, and more) that still echo in GDPR Article 5.
  • Post-WWII fear of state surveillance and 1970s computing power drove the first data laws, beginning with the German state of Hesse in 1970 and Sweden in 1973.
Last updated: June 2026

Why Origins Matter on the CIPP/E

Quick Answer: European data protection rests on the idea that controlling your own personal data is a fundamental right, traceable to post-WWII human-rights thinking, the 1980 OECD Guidelines, and the 1981 Convention 108. Domain I tests this lineage because it explains why the General Data Protection Regulation (GDPR) is rights-based and strict rather than market-driven.

The Certified Information Privacy Professional/Europe (CIPP/E) is the International Association of Privacy Professionals (IAPP) credential for EU privacy law. The exam delivers 90 multiple-choice questions (75 scored, 15 unscored pre-test items), allows 2.5 hours, and is scored on a 100-500 scale with a passing score of 300; the current registration fee is USD 550. The blueprint is split across roughly six domains, and Domain I — "Introduction to European Data Protection" — sets the historical and constitutional stage that every later answer depends on.

The exam opens with history because the rationale behind the law drives how every later rule is interpreted. Unlike the United States, where privacy is fragmented, sectoral (HIPAA for health, GLBA for finance, COPPA for children), and grounded in consumer-protection and tort concepts, the European model is omnibus (one law covering all sectors) and treats personal-data protection as a value in itself.

Privacy as a Fundamental Right

After World War II, European states reacted to the abuse of population registries and identity cards by authoritarian regimes — Nazi-era census data was used to locate targeted populations. This experience hardwired a rights-based approach: privacy was written into human-rights instruments rather than left to contract or the market.

The arrival of mainframe computing in the 1960s and 1970s sharpened the fear that the state and large companies could build detailed citizen profiles. Lawmakers responded with the world's first dedicated statutes:

Year | Jurisdiction | Significance
1970 | Hesse, Germany | World's first data protection law (regional/Land level)
1973 | Sweden | First national data protection act (Datalagen)
1977 | Germany (Federal) | Early comprehensive national law (BDSG)
1978 | France | Loi Informatique et Libertés; created the CNIL regulator

Common trap: candidates pick Sweden as the first law. Sweden's law was the first national one; Hesse's (1970) was the first anywhere.

These laws shared one worry — automated processing of personal data created risks that pre-computer privacy concepts (trespass, defamation, confidentiality) could not address. A German constitutional milestone reinforced this: the 1983 Federal Constitutional Court census ruling recognized a right to informational self-determination, the idea that individuals decide who knows what about them — a phrase you may see echoed in exam stems about the rationale for EU law.

The OECD Guidelines (1980)

The Organisation for Economic Co-operation and Development (OECD) issued its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980 (updated 2013). They were influential but non-binding (soft law), aimed at harmonizing national rules so that data flows between trading nations would not be blocked. The OECD set out eight principles that map closely onto modern GDPR concepts:

OECD Principle | Modern GDPR Echo
Collection Limitation | Lawfulness, fairness (Art. 5(1)(a))
Data Quality | Accuracy (Art. 5(1)(d))
Purpose Specification | Purpose limitation (Art. 5(1)(b))
Use Limitation | Purpose limitation (Art. 5(1)(b))
Security Safeguards | Integrity & confidentiality (Art. 5(1)(f))
Openness | Transparency (Art. 5(1)(a))
Individual Participation | Data subject rights (Arts. 15-22)
Accountability | Accountability (Art. 5(2))

Worked example: a stem asks where the GDPR's requirement that a controller "demonstrate compliance" originated. The answer traces to the OECD Accountability principle, later codified in Article 5(2). Knowing this mapping lets you reason about origin questions rather than memorize them. Remember the headline distinction the exam loves: OECD Guidelines = soft law (recommendation); Convention 108 = hard law (treaty).

Council of Europe Convention 108 (1981)

Where the OECD Guidelines were soft law, the Council of Europe's Convention 108 (full name: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) was the first legally binding international treaty on data protection. Points the exam may test:

  • It is open to non-European countries, giving it global reach (states such as Argentina, Uruguay, Mauritius, and Mexico have joined).
  • It established core obligations on data quality, security, and special categories of sensitive data, plus rights for individuals.
  • It was modernized as "Convention 108+" via an Amending Protocol (CETS 223) opened for signature in 2018, aligning it more closely with the GDPR. As of 2026 Convention 108+ has not yet entered into force — it requires 38 of the 55 parties to ratify (about 33 had done so in early 2025), so treat it as "modernised but pending" on the exam.

Critical distinction: keep Convention 108 (a Council of Europe treaty) separate from EU law. The Council of Europe is not the European Union — a trap explored fully in Section 2.2.

Putting the timeline together for exam recall, the rationale evolves in four layers: (1) post-war human-rights instruments establish privacy as a fundamental value; (2) 1970s national statutes (Hesse 1970, Sweden 1973) respond to automated processing; (3) the 1980 OECD Guidelines harmonize principles as soft law; and (4) the 1981 Convention 108 makes them binding by treaty. Each layer feeds the 1995 Directive and ultimately the GDPR. When a stem asks for the earliest binding source, choose Convention 108; the earliest principles source, choose the OECD Guidelines; and the earliest law of any kind, choose Hesse.

Test Your Knowledge

Which instrument was the first legally binding international treaty addressing the automated processing of personal data?

Test Your Knowledge

Which OECD principle most directly corresponds to the GDPR's accountability obligation in Article 5(2)?

Test Your Knowledge

Which statement about the world's first data protection laws is correct?
