IAPP Training · Module 1 - BoK I.B
Module 1 · European data protection timeline
The road to the GDPR: the OECD Guidelines (1980) set harmonised data-flow principles; Convention 108 (1981) was the first binding data protection treaty (automatic processing only); Convention 108+ (Oct 2018) modernised it to align with the GDPR; the Data Protection Directive (1995) required transposition into national law; and the GDPR was adopted 14 April 2016 and became effective 25 May 2018.
- 1960s–70s: rising trade, computing and telecoms create conflict between privacy and free data flows; large personal-data banks emerge.
- OECD Guidelines (1980): a harmonised, evolving approach facilitating data flows AND protecting personal data; introduced key data-collection principles.
- Convention 108 (1981): the first legally binding data protection treaty of Council of Europe members; limited to automatic processing.
- Convention 108+ (Oct 2018): modernised to align with the GDPR; signed initially by 20 CoE states (incl. the UK); a route for non-EU countries to adopt GDPR basics.
- Data Protection Directive (1995): the precursor to the GDPR; required Member States to transpose it, causing inconsistent application.
- made binding by the Treaty of Lisbon (2007).
- Data Retention Directive (2006): metadata retention for law enforcement; struck down by the CJEU in Digital Rights Ireland (2014), though some national laws remain.
- GDPR: adopted 14 April 2016; after a 2-year transition, fully effective 25 May 2018.
Two key dates
The GDPR was adopted on 14 April 2016 and became fully effective after a 2-year transition on 25 May 2018.
Key terms - quick answers
What is “OECD Guidelines”?
1980 guidelines that introduced harmonised data-collection principles underpinning later European and global self-regulatory regimes.
What is “Convention 108”?
1981 Council of Europe treaty - the first legally binding data protection instrument; limited to automatic processing.
What is “Convention 108+”?
Modernised (Oct 2018) version of Convention 108 aligned with the GDPR; a route for non-EU countries to adopt GDPR basics.
What is “Data Protection Directive”?
1995 EU directive, precursor to the GDPR, that Member States had to transpose into local law.