Samuel D. Warren and Louis Brandeis argue in the Harvard Law Review article ‘The Right to Privacy’ for the ‘right to be left alone’ as a definition of privacy.

The Universal Declaration of Human Rights includes privacy protection, that is the ‘Right to Privacy’, in Article 12.

The Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms lists the right to respect for private and family life in Article 8.

The Supreme Court of Norway decides on the first national major case on right to privacy (To mistenkelige personer | Two Suspicious Individuals; Rt-1952-1217).

The UN International Covenant on Civil and Political Rights lists the protection against interference in privacy in Article 17.

The US Freedom of Information Act (FOIA) provides the public the right to request access to records from any federal agency.

The German state of Hesse adopts the world’s first data protection law.

The Swedish Data Protection Act (No. 289 of 1973) becomes the first national data protection law.

Germany adopts its Federal Data Protection Act.

Denmark’s Private Registers Act and Public Authorities’ Registers Act are adopted.

Norwary’s Personal Data Registers Act is passed.

France’s Informatique et Libertés Law n° 78-17 is adopted.

First Austrian data protection law enters into force.

The first International Conference of Data Protection and Privacy Commissioners takes place as the global forum for data protection and privacy authorities. It has become today’s Global Privacy Assembly.

The OECD publishes its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The European Commission presents its recommendation relating to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Within them, it raises the prospect of proposing an EEC instrument if EEC member states do not ratify the Council of Europe Convention.

The Council of Europe adopts Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108). It entails the right to privacy as a legal imperative.

In its Decision on the constitutionality of the 1983 Census Act the German Federal Constitutional Court rules on census data. It emphasises the connection between data protection and individual liberties. The ruling is considered milestone of data protection.

The UK Data Protection Act enters into force.

The Committee of Ministers of the Council of Europe adopts its Recommendation R(87)15 regulating the use of personal data in the police sector.

The UN publishes its Final Report on the Guidelines for the Regulation of Computerized Personal Data Files.

The UN International Convention on the Rights of the Child enshrined the protection against interference in privacy in its Article 16.

The UN revises its Guidelines for the Regulation of Computerized Personal Data Files E/CN.4/1990/72-EN.

The European Commission proposes a Directive on the protection of individuals with regard to the processing of personal data.

The European Commission’s draft Directive on the protection of individuals with regard to the processing of personal data is revised following the European Parliament’s amendments. The title of the draft directive is amended by the words ‘and on the free movement of such data’.

PC Brown is charged with UK Data Protection Act 1984 offense of using personal data for a purpose other than that described in the Data Protection Register. The ruling is later on repealed.

The European Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data is adopted. It roots in an internal market justification based on Article 114 TFEU. It reflects technological advances and includes new terms such as ‘processing’, ‘sensitive personal data’ and ‘consent’.

The [first Italian regulation of data protection framework n. 675/96(https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/28335]) is adopted. It implements EC Directive 95/46/EC. In 2003 it will be replaced by the Italian Legislative Decree 196/2003 an a Codice in materia di protezione dei dati personali.

The US Framework for Global Electronic Commerce comes into place.

The first Greek law for the protection of individuals from the processing of personal data is adopted (Law 2472/1997). It implements EC Directive 95/46/EC.

The EU’s Data Protection Directive 95/46/EC enters into force.

The UK Data Protection Act enters into force.

The EU Commission takes its Safe Harbour EU-US adequacy decision 2000/520/EC concerning data transfer rules.

First law 138(1)/2001 on processing of personal data in Cyprus. The law harmonises national law with the European Directive 95/46/EC.

The EU adopts Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

The Commonwealth Model Privacy Bill and the Commonwealth Model Bill on the Protection of Personal Information are endorsed by the Commonwealth Law Ministers.

The EU Directive 2002/58/EC on privacy and electronic communication (‘ePrivacy’) on processing of personal data and the protection of privacy in the electronic communications sector is adopted. The directive will be amended in 2009.

The Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (‘framework directive’) is adopted.

The Special Eurobarometer 196 on Data Protection is published.

The APEC endorses its Privacy Framework. The framework underlines the importance of effective privacy protections for trade and economic growth in the region.

The ISO/IEC Standard 27002 (Information technology — Security techniques — Code of practice for information security management) sets up principles for initiating, implementing, maintaining, and improving information security management in an organisation. The standard has been revised in 2013.

The International Conference of Data Protection and Privacy Commissioners (ICDPPC) adopts the Montreux Declaration on the protection of personal data and privacy in a globalised world. It advocates for a universal right respecting diversities.

The EU Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks is adopted. It will be declared invalid by Court of Justice in 2014 for violating fundamental rights.

The OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy are adopted.

The UN Global Pulse is established. It is a UN Secretary-General initiative on big data and artificial intelligence for development, humanitarian action, and peace. It advocates for the accountable and responsible use of data and provides expertise to UN partners and to governments in developing data privacy and data protection frameworks.

The EU Lisbon Treaty enters into force. With it, data protection becomes a fundamental right under EU law (Art.8), related to, but distinct from the right to privacy (Art.7). The treaty brings the EU Charter of Fundamental Rights into effect.

The EU Directive 2002/58/EC on privacy and electronic communication (‘ePrivacy’) is amended.

The EU Commission consultation process on a General Data Protection Regulation (GDPR) closes. It gathers 167 replies.

The EU Electronic Communications Regulations are further developed. They offers a response to email addresses and mobile numbers becoming targets and means of marketing and sales campaigns.

Wikileaks publishes secret information, news leaks, classified media provided by anonymous sources.

The Economic Community of West African States (ECOWAS) adopts its Supplementary Act on data protection A/SA.1/01/10 as a binding regional agreement. It specifies the required content of data privacy laws and requires member states to establish a data protection authority.

The East African Community (EAC) adopts its Framework for Cyberlaws.

The EU Commission publishes its Communication COM(2010)609 on ‘A comprehensive approach on personal data protection in the European Union’

The ISO 29100 privacy framework specifies a common privacy terminology; defines actors and their roles in processing personally identifiable information: describes privacy safeguarding considerations; and provides references to known privacy principles for information technology. It is reviewed in 2017.

A new EU Commission consultation process on a General Data Protection Regulation (GDPR) receives 288 replies.

The Special Eurobarometer 359 on Attitudes on Data Protection and Electronic Identity in the European Union is published

The Global Privacy Enforcement Network (GPEN) adopts an institutional Action Plan.

In various jurisdictions Google Streetview vehicles collected more than just images as they mapped landscape; they also intercepted communications over private Wi-Fi networks. A large number of investigators and regulators find that data included fully identifiable personal details. Google pays fines and faces other sanctions in numerous jurisdictions.

The EU Commission COM/2012/011 proposes a regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’).

The UN General Assembly adopts resolution A/RES/68/167 on ‘The right to privacy in the digital age’. It expresses concern about the negative impact surveillance and interception of communications may have on human rights.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data are revised.

The EU Regulation No. 611/2013 on the measures applicable to the notification of personal data breaches under EU Directive 2002/58/EC on privacy and electronic communication (‘ePrivacy’) is adopted.

Edward Snowden (NSA) revelations about surveillance and spying practices of the US and UK secret services become public.

The Yahoo Data Breach occurs. Until 2017, Yahoo will not announce that in 2013 data from more than one billion user accounts was harvested in hacking attacks.

The first reading of the proposal for an EU regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’) takes place in the European Parliament.

The UN High Commissioner for Human Rights publishes its report on 'The right to privacy in the digital age' A/HRC/27/37.

The UN Global Pulse establishes a Data Privacy Advisory Group to discuss the use and non-use of data for global development, peace and humanitarian action in response to the ‘data revolution’.

The Court of Justice of the EU rules the EU Data Retention Directive 2006/24/EC invalid and rules on the ‘right to be forgotten’. It finds that European law gives people the right to ask search engines like Google to remove results for queries that include their name. This concept becomes known as ‘right to be forgotten’.

The [US Federal Trade Commission (FTC) finds TRUSTe]9https://www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its), a provider of privacy trustmarks, misleading consumers by false claims of being non-profit, of belonging to specific data protection schemes (like the EU-U.S. Safe Harbour Framework and the COPPA Safe Harbor), of being re-certified each year.

The African Union Convention on Cyber Security and Protection of Personal Data is adopted.

Mandated by the UN Human Rights Council Resolution 28/16, the UN Human Rights Office of the High Commissioner appoints a Special Rapporteur on the right to privacy.

The Trans-Pacific Partnership Agreement addresses the balancing of data protection laws against trade considerations. It imposes limits on the extent of data protection regulation that signatories can provide in their national laws.

The European Data Protection Supervisor (EDPS) comments on the proposal for the EU’s General Data Protection Regulation (GDPR).

The Court of Justice of the EU rules on Schrems 1 and invalidates Safe Harbour.

The Special Eurobarometer 431 on Data protection is published.

The negotiations on the US-EU data protection and privacy ‘umbrella agreement’ are finalised. The agreement regulates data transfer for law enforcement and enters into force in 2016.

The Council of the EU decided on a general approach towards the proposal for the EU’s General Data Protection Regulation (GDPR).

The US Federal Trade Commission (FTC) finds Snapchat to be misleading their consumers about the range of data practices. Snapchat’s promise that messages would disappear forever is found to be untrue.

The UN Data Privacy Policy Group convenes. It is an UN Inter-agency group co-chaired by the UN Global Pulse and the UN Office of Information and Communications Technology (OICT). Its objectives are dialogue and information sharing on data privacy and protection within the UN system; existing efforts on data privacy and protection; and a practical UN System-wide framework on data privacy and data protection.

The first report of UN Special Rapporteur on the right to privacy is submitted to Human Rights Council A/HRC/31/64.

The EU adopts the General Data Protection Regulation (EU) 2016/679 (GDPR). It is applicable as of May 2018.

The EU Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purpose of law enforcement is adopted.

The EU Commission takes its implementation decision on the EU-US Privacy Shield.

The EU Commission proposes new regulations on privacy and electronic communications (ePrivacy) COM(2017)10 as well as on the [data protection rules applicable to EU institutions COM(2017)8](file:///C:/Users/gumbach/AppData/Local/Temp/1_en_act_part1_v6_4_41158.pdf) to align the existing rules on the topics to the EU’s GDPR.

The Court of Justice of the EU case Schrems 2 challenges standard contractual clauses as also covered by the US-EU data protection and privacy ‘umbrella agreement’. The question is whether, EU law applies to the transfer of the data across borders in “circumstances in which personal data is transferred by a private company from a European Union (EU) member state to a private company in a third country for a commercial purpose”.

The UN Development Group (UNDG) adopts general guidance on data privacy, data protection and data ethics.

The first UN World Data Forum takes place in Cape Town.

China adopts its Cybersecurity Law.

The Council of European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108) is modernised (CETS 223)

The second UN World Data Forum takes place in Dubai.

The UN Personal Data Protection and Privacy Principles are adopted by UN High Level Committee on Management (HLCM).

California’s Consumer Privacy Act (CCPA is adopted.

Brazil’s General Data Protection Law is adopted and enters into effect in 2020.

The Chinese Personal Information Security Specification are published.

The Cambridge Analytica scandal exposes major data breaches through illegally harvesting Facebook data of millions of users.

The Irish High Court referred eleven questions to the Court of Justice of the EU for a preliminary ruling on Schrems 2.

The General Data Protection Regulation (EU) 2016/679 (GDPR) enters into force.

The European Electronic Communications Code Directive (EU) 2018/1972 is adopted.

The draft Indian Personal Data Protection Bill is prepared and presented to Parliament by the Ministry of Electronics and Information Technology.

The proposal for a Regulation (EC) 2018/1725 on the protection of personal data in EU institutions targets the protection of individuals with regard to the processing of personal data by EU institutions, bodies, offices and agencies and on the free movement of such data. It repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

The EU Commission launches proceedings against 19 member states for delays on the transposition of EU Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purpose of law enforcement

The ISO Standard 27701 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines) extends to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management Systems (PIMS).

The EU Commission publishes its Communication COM(2019)374 on ‘Data protection rules as a trust-enabler in the EU and beyond – taking stock’.

India’s draft Personal Data Protection Bill is tabled in Parliament.

The Court of Justice of the EU’s Schrems II hearing and the advocate general’s opinion support standard contractual clauses (SCC) for data transfers between EU and non-EU countries.

The US Federal Trade Commission’s $5 billion Facebook fine settles a series of privacy violations linked to the misuse of data through Cambridge Analytica.

Kenya passed its Personal Data Protection Bill.

The Special Eurobarometer 487a on the Charter of Fundamental Rights and the General Data Protection Regulation is published.

The EU-Japan joint adequacy decision allows for the transfer of personal data between the two jurisdictions.

The French Data Protection Authority fines Google with 50 million euros for lack of transparency and valid consent surrounding the use of data for ads personalisation. It is the first large fine imposed under the GDPR.

The City of Hamburg/Germany Commissioner for Data Protection and Freedom of Information opens an urgency administrative proceeding regarding Google's Home Speech Assistant.

China releases draft Personal Information Protection Law for Public Comment.

The third UN World Data Forum takes place online.

The EU GDPR review due in May is delayed to June. In its assessment report, the EU Commission assesses the first two years of the GDPR positively.

The Court of Justice of the EU rules on Schrems 2. The Court affirmed the validity of standard contractual clauses (SCCs) for data transfers. It however invalidated Commission Decision 2016/1250 which was the legal basis of the EU-US Privacy Shield. The judgment will have implications for the future regulation of international data transfers.

The European Parliament passes its resolution P9_TA(2021)0256 on the Schrems 2 judgement of the Court of Justice of the EU.