Skarp

Chapter 2 of 13

Foundations of European Data Protection: History, Values and Legal Sources

Travel from post-war fundamental rights through early data protection directives to the modern GDPR era, uncovering why Europe treats privacy as a core right and how that shapes every CIPP/E question you’ll face.

Step 1 – Why Europe Cares So Much About Data Protection

Why This Module Matters

The GDPR is not just a tech or compliance law. It is built on European fundamental rights. To understand exam questions, you need to see where those rights come from and how EU law is structured.

Post‑War Background

After World War II, Europeans had fresh memories of totalitarian surveillance. Population registers, secret police files, and informants were used to persecute groups. This trauma pushed privacy to the center of law.

Two Legal Layers

There are two key layers: the Council of Europe, with the ECHR and Convention 108+, and the European Union, with its treaties and the EU Charter. Both influence how we read the GDPR today.

Why It Matters for GDPR

The CJEU interprets the GDPR through the lens of fundamental rights to privacy and data protection. Famous cases on data transfers and surveillance show that rights shape every GDPR rule.

Step 2 – Core European Fundamental Rights: ECHR and EU Charter

ECHR Basics

The ECHR is a Council of Europe treaty from 1950, enforced by the European Court of Human Rights. Article 8 protects the right to respect for private and family life, home and correspondence.

Article 8 ECHR

Article 8 ECHR has been read broadly to cover many privacy situations, such as state surveillance and interception of communications. It is a key foundation for European privacy thinking.

EU Charter Basics

The EU Charter became legally binding in 2009. It applies when EU institutions or Member States act within EU law. It is enforced by the Court of Justice of the EU in Luxembourg.

Charter Articles 7 and 8

Article 7 of the Charter protects private and family life. Article 8 goes further: it creates a separate right to protection of personal data, including fair processing, access, and independent supervision.

Impact on GDPR

The GDPR must respect the Charter. The CJEU interprets GDPR rules through Articles 7 and 8, while the ECHR provides a wider European privacy context that still influences Member States.

Step 3 – Quick Thought Exercise: Rights in Action

Imagine you are assessing a new government security law in an EU Member State that allows:

  • Bulk collection of all citizens' internet traffic data for 5 years,
  • Very limited judicial oversight,
  • No clear rights for individuals to access, correct, or delete data.

Your task (answer mentally or note down your answers):

  1. Which fundamental rights instruments would you look at to assess whether this law is compatible with European standards?
  2. Which specific articles would be most relevant?
  3. Would you expect this to be challenged more under ECHR Article 8, EU Charter Articles 7 and 8, or both?

Hint for reflection:

  • Ask yourself: Is this mainly about state surveillance, data processing rules, or both?
  • Think about which court would review which aspect: ECtHR in Strasbourg vs. CJEU in Luxembourg.

There is no single “correct” answer here, but you should be able to name the right instruments and articles and explain in one or two sentences why they matter.

Step 4 – From Early Data Protection Laws to Directive 95/46/EC

National Pioneers

In the 1970s and 1980s, countries like Germany (Hesse 1970), Sweden (1973), and France (1978) adopted early data protection laws, mainly to control computerized government databases.

Convention 108

In 1981, the Council of Europe adopted Convention 108, the first binding international treaty on data protection. It set high‑level principles like fair processing and purpose limitation.

Directive 95/46/EC

The 1995 Data Protection Directive aimed to harmonize Member State laws and enable free data movement. As a directive, it needed national implementing laws and created independent DPAs.

Limitations of the Directive

By the 2010s, the Directive looked outdated: internet and smartphones had changed data use, and national implementations differed, causing fragmentation and legal uncertainty.

Need for Reform

Policy makers wanted a single, modern, directly applicable framework with stronger, more consistent enforcement across the EU. This led to the creation of the GDPR.

Step 5 – The GDPR: Key Shifts From the Old Directive

GDPR Basics

The GDPR (Regulation 2016/679) was adopted in 2016 and has applied since 25 May 2018. It repealed Directive 95/46/EC and created a single, modern EU data protection framework.

Regulation vs Directive

Unlike a directive, a regulation is directly applicable in all Member States. The GDPR seeks maximum harmonization but still allows some national flexibility, for example in employment and child consent age.

Enforcement Changes

The GDPR introduced the one‑stop‑shop for cross‑border cases, empowered the EDPB to issue binding decisions, and allowed much higher fines, up to 20 million EUR or 4% of global turnover.

Extraterritorial Reach

Article 3 GDPR extends the law to non‑EU organizations that offer goods or services to people in the EU or monitor their behavior there. This is a key difference from the old Directive.

Rights and Duties

The GDPR strengthened data subject rights and imposed new accountability duties on controllers, such as DPIAs, data protection by design and default, and DPO appointments in specific situations.

Step 6 – Primary vs Secondary EU Law: Where Does GDPR Fit?

Primary EU Law

Primary law includes the TEU, TFEU, and the EU Charter. Article 16 TFEU and Charter Articles 7 and 8 provide the constitutional basis for EU data protection rules.

Secondary EU Law

Secondary law is made under the treaties. It includes regulations, directives, and decisions. The GDPR is a regulation; the Law Enforcement Directive is a directive for police and criminal justice.

ePrivacy Context

In communications privacy, the ePrivacy Directive 2002/58/EC, as amended, still applies via national laws. A new ePrivacy Regulation has been discussed, but as of 2026 the Directive remains in force.

Soft Law and Guidance

EDPB guidelines and national DPA guidance are not binding legislation but strongly influence how the GDPR is interpreted and are frequently referenced in practice and in the exam.

Hierarchy Overview

Think of the hierarchy as: 1) Treaties and Charter, 2) GDPR and other regulations/directives, 3) EDPB and DPA guidance plus case law interpreting these instruments.

Step 7 – How EU Law and Member State Law Interact (With Examples)

Opening Clauses

The GDPR is directly applicable, but it contains opening clauses where Member States can add or adjust rules. This is where national variations arise.

Example: Child Consent Age

Article 8 GDPR allows Member States to set the age at which children can consent to online services between 13 and 16. This means the valid consent age differs across the EU.

Example: Employment Data

Under Article 88 GDPR, Member States can adopt specific rules for employee data. As a result, workplace monitoring and HR data practices can vary by country.

Example: Freedom of Expression

Article 85 GDPR lets Member States balance data protection with journalism and other expressive activities, often by granting exemptions or derogations from some GDPR rules.

Beyond the GDPR

Law enforcement, national security, and many communications privacy issues are governed by other EU instruments and national laws, not only by the GDPR.

Step 8 – Quick Check: History and Legal Sources

Test your understanding of the historical and legal foundations before moving on.

Which statement best describes the relationship between the GDPR and the EU Charter of Fundamental Rights?

  A) The GDPR is primary EU law and overrides the Charter when they conflict.
  B) The GDPR is secondary EU law and must be interpreted in line with Charter rights, especially Articles 7 and 8.
  C) The Charter only applies to non‑EU countries, so it has no impact on GDPR interpretation.
  D) The Charter and the GDPR are both non‑binding soft law instruments.

Answer: B) The GDPR is secondary EU law and must be interpreted in line with Charter rights, especially Articles 7 and 8.

The GDPR is secondary EU law. It must comply with and be interpreted consistently with primary law, including the EU Charter. Articles 7 and 8 of the Charter, protecting private life and personal data, are central to GDPR interpretation.

Step 9 – Key Terms Review

Flip through these flashcards to reinforce the core concepts for this module.

European Convention on Human Rights (ECHR)
A Council of Europe treaty from 1950 protecting human rights, including Article 8 on respect for private and family life. Enforced by the European Court of Human Rights.
EU Charter of Fundamental Rights
Binding since 2009, it codifies fundamental rights in EU law. Article 7 protects private and family life; Article 8 recognizes a distinct right to protection of personal data.
Directive 95/46/EC
The 1995 Data Protection Directive that harmonized Member State laws but required national implementation. It was repealed and replaced by the GDPR in 2018.
GDPR (Regulation 2016/679)
A directly applicable EU regulation on data protection, in force since May 2018, with extraterritorial reach, stronger enforcement, and enhanced data subject rights.
Primary EU law
The highest level of EU law: the treaties (TEU, TFEU) and the EU Charter. It sets the framework and limits for secondary law like the GDPR.
Secondary EU law
Law adopted under the treaties, including regulations, directives, and decisions. The GDPR is secondary law.
EDPB (European Data Protection Board)
The EU body of national data protection authorities and the EDPB Chair. It issues guidelines and binding decisions to ensure consistent GDPR application.
Opening clause (in GDPR)
A provision that allows or requires Member States to adopt more specific rules, leading to national variations (e.g., employment data, child consent age).

Step 10 – Applied Scenario Quiz

Apply what you have learned to a realistic exam‑style scenario.

A US company with no offices in the EU tracks EU users' behavior online for targeted advertising. Which is the BEST explanation of why the GDPR may still apply?

  A) Because the ECHR has extraterritorial effect on all companies worldwide.
  B) Because the GDPR applies to all companies processing any personal data, regardless of location.
  C) Because Article 3 GDPR gives the Regulation extraterritorial reach when goods or services are offered to people in the EU or their behavior is monitored there.
  D) Because the EU Charter automatically binds all private companies worldwide.

Answer: C) Because Article 3 GDPR gives the Regulation extraterritorial reach when goods or services are offered to people in the EU or their behavior is monitored there.

Article 3 GDPR extends its scope beyond the EU when non‑EU organizations offer goods or services to people in the EU or monitor their behavior there. The ECHR and Charter do not directly apply to all companies worldwide.

Key Terms

ECHR
European Convention on Human Rights, a Council of Europe treaty protecting human rights, including the right to respect for private and family life in Article 8.
EDPB
European Data Protection Board, the EU body that promotes consistent application of the GDPR and issues guidelines and binding decisions.
GDPR
General Data Protection Regulation (EU) 2016/679, the main EU data protection regulation in force since 25 May 2018.
Opening clause
A provision in the GDPR that allows Member States to adopt more specific rules, leading to national differences in certain areas.
Primary EU law
The highest level of EU law, consisting mainly of the EU treaties (TEU, TFEU) and the EU Charter of Fundamental Rights.
Convention 108+
The modernized version of Council of Europe Convention 108 on data protection, updating its principles for the digital age.
Secondary EU law
Law made under the treaties, such as regulations, directives, and decisions. It must comply with primary law.
Directive 95/46/EC
The former EU Data Protection Directive from 1995, now repealed, which required Member States to implement data protection rules in national law.
Extraterritorial scope
The ability of a law, such as the GDPR, to apply to organizations outside its territory under certain conditions (for the GDPR, offering goods or services to people in the EU or monitoring their behavior).
EU Charter of Fundamental Rights
Binding EU instrument since 2009 that sets out fundamental rights within the EU legal order, including privacy (Article 7) and data protection (Article 8).
