The Evolution of International Data Protection Law: A Path Toward Global Harmony?

January 28, 2025 - Today, as we celebrate Data Privacy Day, it's the perfect moment to reflect on the evolution of International Data Protection Law. From national laws to international regulations, the journey of data protection law reflects the world’s growing recognition of privacy as a fundamental right.

But how did we get here? What are the milestones in this journey? And why does the world still lack a truly unified global standard?

A Global Concern with Local Roots

The right to privacy has long been recognized as fundamental, enshrined in international instruments like the Universal Declaration of Human Rights[1] and the International Covenant on Civil and Political Rights[2]. Yet, it was the rapid growth of technology and globalization that catalyzed the need for specific rules governing the processing of personal data.

Back in the 1980s, few countries had comprehensive data protection laws[3]. Recognizing this gap, organizations like the Council of Europe (CoE) and the Organisation for Economic Co-operation and Development (OECD) stepped in with landmark frameworks. The CoE’s Convention 108[4], adopted in 1981, was the first legally binding international instrument dedicated to data protection. Around the same time, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data[5] aimed to harmonize national regulations to support both privacy and international trade.

The Rise of Regional Standards

Fast-forward to the 1990s, and the European Union (EU) introduced its Directive 95/46/EC[6], which shaped not only European law but also inspired countries worldwide to adopt data protection measures. The directive was pivotal in making data protection a key consideration in cross-border trade, as it prohibited data transfers to countries without "adequate" levels of protection.

This approach had a ripple effect. Nations from Argentina to Japan updated or introduced data protection laws to align with European standards. The EU raised the stakes further with the General Data Protection Regulation (GDPR)[7] in 2018. Unlike the earlier directive, the GDPR is directly binding and set a gold standard for global data protection.

The Challenges of Fragmentation

Despite these advances, the dream of a unified global framework remains elusive. Today, 78% of countries worldwide have data protection laws, according to UNCTAD[8]. However, the diversity of these laws creates significant challenges for organizations operating internationally.

The Convention 108, originally a European regulatory instrument, offers a unique example of a framework open to broader participation. It allows ratification by non-European countries and, since its modernization in 2018[9], even by international organizations. While this marks a step toward inclusivity, fragmentation persists as different regions and nations continue to adopt varying standards and approaches.

This patchwork of regulations leads to legal uncertainties, especially in areas like cross-border data flows. How can businesses navigate compliance when standards differ so drastically from one region to another?

Soft Law and Global Influence

Where legally international binding agreements fall short, soft law instruments often step in. The United Nations adopted Guidelines for the Regulation of Computerized Personal Data Files[10] in 1990, establishing baseline principles for both states and international organizations. Although not binding, these guidelines carry some political weight.

Similarly, the OECD Guidelines and the APEC Privacy Framework[11] emphasize interoperability, fostering cooperation without imposing rules. These initiatives represent steps toward harmonization, even if they lack the enforceability of regulations like the GDPR.

Why Harmonization Matters More Than Ever

In 1981, when Convention 108 was introduced, the internet as we know didn’t exist. Fast forward to 2025, and we’re dealing with big data, AI, social media, and global connectivity. Data is now one of the world’s most valuable resources.

Yet, harmonization is not about uniformity; it’s about finding common ground. The GDPR, for instance, has had a "Brussels effect," influencing laws in countries as diverse as Brazil, South Korea, and South Africa. Still, challenges remain in ensuring that local nuances and cultural values are respected.

What’s Next for Data Protection?

As we celebrate today, let’s ask ourselves: What will the next decade of data protection look like? Will we see a global treaty on data privacy, or will regional and national frameworks continue to dominate? How can we balance innovation, trade, and the fundamental right to privacy?

Let’s keep the conversation going.

[1] OHCHR. Universal Declaration of Human Rights. Available at: https://www.ohchr.org/en/universal-declaration-of-human-rights. Accessed: January 27, 2024.

[2] OHCHR. International Covenant on Civil and Political Rights. Available at: https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights. Accessed: January 27, 2024.

[3] In 1970, the state of Hesse in West Germany introduced the world's first data protection law (“Datenschutzgesetz”), followed by the adoption of the first federal data protection law (“Bundesdatenschutzgesetz”) in 1977. Meanwhile, Sweden has a long-standing history of personal data protection and was the first country to enact national legislation on the matter. The 1973 Data Act established the Swedish Data Protection Authority. Inspired by the German and Swedish examples, France implemented Law No. 78-17 on January 6, 1978, following the "SAFARI" scandal in 1974. This controversy revealed government plans to link nominative files using social security numbers, highlighting the urgent need for data protection regulations.

[4] COE. Convention 108 and Protocols. Available at: https://www.coe.int/en/web/data-protection/convention108-and-protocol. Accessed: January 27, 2025.

[5] OECD. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Available at: https://doi.org/10.1787/9789264196391-en. Accessed: March 20, 2024.

[6] EU. Directive 95/46/EC. Available at: https://eur-lex.europa.eu/legal-content/PT/TXT/?uri=CELEX:31995L0046. Accessed: April 2, 2024.

[7] GDPR. Available at: https://gdpr-info.eu/. Accessed: January 27, 2025.

[8] UN TRADE AND DEVELOPMENT. Data Protection and Privacy Legislation Worldwide. Available at: https://unctad.org/page/data-protection-and-privacy-legislation-worldwide. Accessed: January 27, 2025.

[9] COE. Proposal for a COUNCIL DECISION authorising Member States to sign, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108). Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52018PC0449&from=HU. Accessed: June 3, 2024.

[10] UNITED NATIONS. Guidelines for the Regulation of Computerized Personal Data Files. Available at: https://digitallibrary.un.org/record/43365?v=pdf. Accessed: January 27, 2025.

[11] APEC Privacy Framework. Available at: https://www.apec.org/docs/default-source/Publications/2005/12/APEC-Privacy-Framework/05_ecsg_privacyframewk.pdf. Accessed: March 30, 2024.