The Never-Ending Evolution of Data Protection and Data Autonomy

Today is Data Protection Day. Let’s take a look back at the early days of data protection to see how far we’ve come and how far we still have to go.

Jan 28, 2022 - 5 min.

How informed are you when it comes to how your personal data is being accumulated, stored and processed? Do you simply tick all the permission boxes when opening a new website, or do you carefully read through all the fine print? According to the Data Sovereignty Monitor report, overall awareness with regard to our data autonomy rights is on the rise. However, there is still plenty of room for improvement when it comes to broad data literacy. Although many more people are aware of their right to data privacy, there is still a significant knowledge gap when it comes to understanding how personal data is collected and used and what we as users can do to control this. Data Protection Day was established by the Council of Europe 15 years ago with the intent to close this gap and ensure that citizens remain informed and vigilant when it comes to their personal and private information.

In honour of Data Protection Day, we’d like to take a look back at the history of data protection and where we are today. For many of us, it may seem like the discussion around data protection is something new. Or at the very least, a topic that got very hot with the emergence of social media and the steady rise of digitalisation. All of a sudden, everyone was talking about data protection. The discussion was no longer limited to data scientists and IT experts intent on securing our data sovereignty. It was a trending term among politicians, businesses, journalists and even everyday Internet users. 

BDSG: the origin story of data protection

In reality, the discussion around data protection is anything but new. In fact, the Bundesdatenschutzgesetz (BDSG), Germany’s Federal Data Protection Act, celebrated its 45th birthday yesterday. To those of you who know a bit more about data privacy and protection, it will probably come as no surprise that Germany was a data protection regulation trailblazer back in the 1970s. The country has continued to be one of the loudest advocates for some of the most stringent regulations on data autonomy, corporate transparency when it comes to data practices and the overall protection of and autonomy over our personal data. 

Originally called the Act to Protect Against the Abuse of Personal Data in Data Processing, the BDSG was a response to the state amassing a growing data trove as it began relying on automated data processing in different administrative and tax sectors. The BDSG stipulated that data processing was only permissible if the owner of the data expressly allowed it or if the data in question was deemed permissible for use by the BDSG or another legal provision. Furthermore, personal data could only be processed by administrators if it was essential to completing their tasks. This is, of course, a far cry from using personal data to customise product advertisements, uncover intimate and personal details about our lives, and reshape political landscapes.

This Act has served as a foundation, one upon which Europe has since established some of the world’s strongest data protection regulations. 

What does data protection actually mean?

We hear the expression “data protection” being bandied about quite frequently and often in conjunction with tech’s biggest players, which are now being referred to as GAMAM (Google, Amazon, Microsoft, Apple, Meta). But what data are we talking about? And against what or whom is it being protected? 

First things first: it’s important to distinguish between data protection and data security. GAMAM does an excellent job of keeping our data secure using some, and often all, of the most state-of-the-art security practices. These range from two-factor (2FA) and multi-factor authentication (MFA) to encryption in motion and at rest. After all, it is in their best interest to ensure that our data is safe. On the one hand, any reports of data falling into the wrong hands while one of these companies is on watch would result in a media frenzy and could have catastrophic consequences for their professional reputations. On the other hand, the data they have access to is so immensely valuable to their business models that allowing anyone else to access it could have equally dire corporate repercussions. 

So if data is safe with these companies, why do politicians, whistleblowers, data scientists and legal experts expend so much time and energy on fighting for data protection? 

Unlike data security, which is concerned with keeping our data safe from illegal access by hackers, cybercriminals or other third parties, data protection is focused on keeping our data safe from those companies, governments and entities that actually have legal access to our data – access that we willingly, albeit sometimes unknowingly, provide.

This might initially seem counterintuitive. If we freely give companies and governments access to our data, then aren’t we also authorising them to use it as they see fit? Well, no.

Why is data protection important?

As mentioned, the BDSG came into force to explicitly prevent governments from processing our personal data without our express consent. This makes sense. Providing your personal data in order to register for or use a service should not be synonymous with giving up your rights to how your data is used. This concept of data autonomy is intrinsic to data protection. When you share your name, address, phone number, email address or perhaps even your interests, relationship status, professional background and more with a company, there need to be some limitations on how this data is processed. And one of the most popular data protection regulations, the General Data Protection Regulation (GDPR), agrees. 

There have been enough scandals to provide a very clear picture of what can go wrong when our personal data is abused. In the most harmless cases, we are bombarded with intrusive advertising for countless products that might appeal to us based on our personal interests and preferences. In the more disconcerting cases, extensive and detailed personal profiles can be created that provide more insight into our likes, dislikes and personalities than we ourselves even have. In other words, data breeds more data. And if not properly regulated, this data can become a digital gold mine for the highest bidder. 

How are Europe and the UK tackling data protection? 

The General Data Protection Regulation (GDPR) entered into force in May 2018. You might remember it as the year the world was scrambling to understand what a cookie banner was. Or perhaps the year you had to once again give your permission to companies and organisations to send you their newsletters. It was a great moment in time to declutter digitally! 

But the GDPR provided far more than an opportunity to easily unsubscribe from unwanted newsletters. It suddenly placed personal data back into the hands of its owners by making it mandatory to inform people when their personal data is being collected and also allowing them to amend or delete it. Furthermore, the GDPR also obligated companies and administrative bodies to provide immediate notification should there be any severe data breaches. Although the GDPR only protects the data of people residing in EU countries and the UK, it also applies to companies operating outside of the EU that are available in the EU and have access to the data of EU residents. That means GAMAM. 

The UK also has its own Data Protection Act. It consists of data protection principles that govern how, for what purposes and for how long personal data is used and stored. Although this Act only applies to data processors and controllers located in the UK, as mentioned, the protection of data belonging to UK citizens is still covered by the GDPR for the moment. However, this could change as data privacy regulations are tweaked and adapted, a plan which the Information Commissioner’s Office deems necessary in order to ensure innovation and promote growth, particularly for SMEs.

Putting users back in control of their data

The ultimate goal of data protection regulations is to wrest the power over data away from business, corporations and even governments. However, in order to achieve this goal, users have to be willing and informed when it comes time to take responsibility for their data. This goes beyond data privacy concerns. It also means doing their part when it comes to data security. 

Our Nevis Authentication Cloud was designed to give users exactly this kind of autonomy over their personal information. It provides maximum data security while also giving customers the freedom to decide how their data is accessed and used. Our goal has been to provide a customer product that balances usability and safety – one that places the focus on the customer and the user experience. 

Nevis helps companies ensure compliance with all data protection regulations thanks to its stringent security and data access protocols. These include MFA and 2FA as well as controls for providing data usage consent, requesting data deletion and guaranteeing data privacy. Furthermore, our passwordless solution offers easier, faster and more user-friendly access and authentication. Nevis makes security an experience, not just an obligation.


Decisive Factor for More Security: Multi-Factor Authentication