Timeline of laws that have shaped data protection in the EU and the US

A summary of the events that led up to the GDPR and the CLOUD Act, which today are two of the applicable laws governing, among other things, personal data protection and disclosure of data.

Why a timeline?

Over the past twenty years, the Internet and the digital society have affected individuals, public authorities, and companies alike. EU and U.S. legislation on personal data protection has moved in two different directions, but has tried to meet at certain points. Below is a summary of what leads up to the GDPR and the CLOUD Act, which today are two of the governing pieces of legislation.


  1. 1995
    24 October

    The European Parliament and the Council of the EU adopt the Data Protection Directive [1]. This leads to the introduction of the Swedish Personal Data Act (PUL) [2] three years later.

  2. 1998
    24 October

    Exactly three years after the Data Protection Directive [3], PUL enters into force in Sweden. The previous Data Act then ceases to apply.

  3. 2000
    26 June

    The U.S. and the European Commission conclude the “Safe Harbor” agreement, declaring that U.S. organizations that have self-certified by registering with the U.S. Department of Commerce are automatically, if certain documentation is in place, deemed to meet the EU’s adequacy requirements for personal data protection [4].

  4. 2002
    13 February

    The EU reviews the compliance of the now self-certified organizations and notes that compliance looks rather poor [5].

  5. 2006
    26 October

    The “USA Patriot Act” becomes law in the U.S. The Patriot Act gives U.S. authorities expanded powers during investigations to obtain information from IT companies, e.g., cloud providers, via FISA orders and National Security Letters [6].

  6. 2008
    2 December

    An external review is carried out of the then 1,597 self-certified organizations under Safe Harbor, of which 488 are outright incorrect registrations, leaving 1,109 correct registrations. Of these 1,109, only 348 appear on paper to meet the stated requirements. A recommendation is made to the EU to renegotiate Safe Harbor [7].

  7. 2010
    5 February

    The European Commission adopts Standard Contractual Clauses [8].

  8. 2011
    28 June

    Microsoft UK explains that because the Patriot Act trumps Safe Harbor and Microsoft as a company is subject to U.S. law, Microsoft cannot, under the Patriot Act, withhold data from the U.S. government even if it is stored outside the U.S. At the same time, the “Stored Communications Act” prohibits this. This lays the groundwork for the later, much-discussed case “US vs. Microsoft” [9].

  9. 2011
    18 August

    Austrian Max Schrems files 16 different complaints about Facebook’s privacy violations with the Irish Data Protection Commissioner, since Facebook in Europe is represented by an Irish subsidiary [10].

  10. 2013
    5 June

    Edward Snowden leaks a large trove of documents from the NSA to journalists. It becomes known that the NSA, both through secret backdoor access and interception, has access to a large quantity of information on the Internet containing personal data, where non-U.S. citizens are given no special protection at all. Many had suspected this, but now a large set of documents is released confirming the scope of several major access programs [11].

  11. 2013
    4 December

    A judge in the Southern District of New York issues to Microsoft a search warrant for data that turned out to be stored on servers in Ireland. Microsoft argues it cannot comply and instead asks law enforcement to use the existing bilateral cooperation treaties (MLAT, Mutual Legal Assistance Treaty) between the U.S. and Ireland, and request the data from the Irish authorities instead. The U.S. government does not consider this necessary and takes the matter to court [12].

  12. 2013
    26 June

    Max Schrems submits his 23rd complaint regarding Facebook to the Irish Data Protection Commissioner, who does not want to take up the case, a decision Schrems appeals. The complaint concerns Facebook’s transfer of data to the U.S., which, given the new revelations from Edward Snowden, entails data being transferred to the NSA; in light of this, the U.S. can hardly offer the equivalent personal data protection that EU law requires.

    Perhaps the most important core argument is a strong definitional difference between U.S. and European law as to when an intrusion into a person’s privacy is deemed to have occurred in the context of surveillance.

    Under U.S. law, the intrusion is considered to occur only when a human has read the content in question, whereas under European law the intrusion occurs already when the electronic information representing the personal information is processed, regardless of whether a human has read it or not.

    The Irish Data Protection Commissioner does not want to take this up, citing the Safe Harbor decision, which says that the U.S. is an approved third country, so that the DPC cannot investigate the matter, and adding that unless Schrems can prove that he has been surveilled by the NSA there is nothing to investigate. Schrems appeals to the courts, which in turn refer the case to the Court of Justice of the EU for a preliminary ruling, as the “CFR” entered into force after Safe Harbor was adopted.

  13. 2015
    6 October

    The Court of Justice of the EU decides in its reply to the Irish court that Safe Harbor is invalid and therefore ceases to apply in its entirety. Organizations that rely on the agreement for their data transfers are given a three-month reprieve by the Article 29 Working Party before European data protection authorities begin reviewing cases, and DPAs may indeed investigate similar cases [13][14][15].

  14. 2015
    1 December

    In December, Schrems again raises the issue with the Irish data protection authority, arguing that the CJEU decision should be applied to Facebook as a whole, i.e., including SCCs but also Privacy Shield, since they contain the same mass-surveillance exceptions as Safe Harbor had [16]. The Irish DPC initially says that Schrems’ concerns about EU citizens’ ability to seek redress in U.S. courts in cases of mass surveillance are well-founded.

  15. 2016
    2 February

    On February 2, the European Commission agrees with the U.S. on the “EU-US Privacy Shield,” a replacement for the previous Safe Harbor.

    Privacy Shield addresses some of the shortcomings of Safe Harbor, but not all [17]. For example, nothing has changed regarding the discrepancy between U.S. and EU law as to when the actual intrusion into a person’s privacy occurs during surveillance.

  16. 2018
    12 April

    The Irish High Court moves forward with Schrems 2.0 and refers its questions to the CJEU after an appeal from Facebook is denied. Schrems comments:

    “The question in this case does not seem to be if Facebook can win it, but to what extent the Court of Justice will prohibit Facebook’s EU-US data transfers.”

    He added that, in the long-term, “the only reasonable solution is to cut back on mass surveillance laws”. If such a solution isn’t available between the EU and US, he said,

    “Facebook would have to split global and US services in two systems and keep European data outside of reach for US authorities, or face billions in penalties under the upcoming EU data protection regulation” [18].

  17. 2018
    23 March

    The CLOUD Act passes into law. Among other things, the law amends the U.S. “Stored Communications Act” to enable U.S. companies to disclose information regardless of where it is stored, without regard to the other country’s potential legislation.

    The law also allows the President to enter into bilateral agreements with other countries regarding their ability to request the disclosure of information from the U.S.; such requests must, however, be reviewed before execution.

  18. 2018
    17 April

    The US vs. Microsoft appeal to the U.S. Supreme Court is dropped because the CLOUD Act has rendered the case unnecessary. The U.S. reformulated its request for disclosure under the new legislation and no dispute remains between Microsoft and the U.S.



Sources

  1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
  2. Personal Data Act (1998:204)
  3. Data Protection Directive
  4. Decision on the adequacy of the Safe Harbor scheme
  5. European Commission on Safe Harbor
  6. The USA Patriot Act
  7. Galexia, 2008
  8. Decision on Standard Contractual Clauses
  9. ZDNet, 2011
  10. Original complaints by Max Schrems
  11. Timeline of Edward Snowden’s revelations, Al Jazeera
  12. CDT, 2014
  13. C‐362/14, EU:C:2015:650
  14. European Parliament - From Safe Harbour to Privacy Shield
  15. Statement by the Article 29 Working Party
  16. Max Schrems’ updated complaint regarding Facebook and PRISM
  17. European Commission decision on the EU-US Privacy Shield
  18. Rebecca Hill, The Register