Why Europe Protects Data: Origins, Human Rights & Convention 108

To understand European privacy law, you have to understand that in Europe, privacy is not a consumer-protection afterthought. It is a fundamental human right, rooted in the memory of twentieth-century surveillance states. The foundational text is the European Convention on Human Rights, drafted by the Council of Europe in nineteen fifty.

Its Article 8 guarantees everyone the right to respect for their private and family life, home, and correspondence. That single sentence is the seed from which everything else grows. The exam's Domain one expects you to know this lineage, so let's walk it carefully, because the rest of the course makes far more sense once you see where the ideas began.

As computers began processing personal information in the nineteen seventies, the Council of Europe acted. In nineteen eighty-one it opened for signature the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data, known by its treaty number, Convention 108. This was the world's first binding international treaty on data protection, and it set out core ideas you will recognise everywhere in the GDPR: that personal data must be obtained fairly, stored for specified purposes, kept accurate, and held no longer than necessary.

Convention 108 has since been modernised as Convention 108+, which updates it for the internet age and aligns it more closely with the GDPR. Note for the exam: Convention 108 is a Council of Europe instrument, and it is open to countries outside Europe, which is part of why its influence is global.

Around the same time, in nineteen eighty, the Organisation for Economic Co-operation and Development published its Privacy Guidelines. Unlike Convention 108, the OECD Guidelines are not binding, but they have been enormously influential because they articulated a clean set of fair information principles: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and, crucially, accountability. If those words sound familiar, they should, because they map almost directly onto the principles in Article 5 of the GDPR that you will study in Domain two.

The OECD Guidelines are where the modern vocabulary of privacy was first written down in one place.

Now here is a distinction the exam loves. The Charter of Fundamental Rights of the European Union contains two separate rights. Article 7 protects respect for private and family life, the classic privacy right.

But Article 8 goes further: it creates a distinct, standalone fundamental right to the protection of personal data, with its own conditions, fair processing, a lawful basis, a right of access, and supervision by an independent authority. Europe is unusual in treating data protection as its own fundamental right, separate from general privacy. The Charter became legally binding when the Treaty of Lisbon entered into force in two thousand nine, and that same treaty produced Article 16 of the Treaty on the Functioning of the European Union, which gives the EU the explicit legal power to make data protection law.

That Article 16 is the constitutional anchor for the GDPR itself.

Let's nail down a comparison the exam tests directly, because candidates trip on it. The European Convention on Human Rights is a Council of Europe instrument, and the court that enforces it is the European Court of Human Rights, sitting in Strasbourg. The Charter of Fundamental Rights is a European Union instrument, and the court that interprets it is the Court of Justice of the European Union, in Luxembourg.

Both have an Article 8, but they belong to two different legal orders with two different courts. When an exam question mentions Article 8, read carefully to see whether it means the Convention or the Charter, because the right answer often turns on that distinction.

So here is the chain to remember. The European Convention on Human Rights and its Article 8 came first. Convention 108 in nineteen eighty-one made data protection a binding treaty obligation.

The OECD Guidelines gave us the fair information principles. The Charter of Fundamental Rights elevated data protection to a standalone right in its Article 8, and the Treaty of Lisbon made the Charter binding while Article 16 of the TFEU gave the EU power to legislate. That is the foundation.

Next, we meet the European institutions, the Commission, the Parliament, the Council, and the courts, that turn these principles into enforceable law. Now go test yourself on Domain one's history.