When it comes to data privacy and the legislation that surrounds it, Europe has long been at the forefront of development. Even now – with the recent institution of the GDPR, and the ePrivacy Regulation on its way – the European Union (EU) paves the way for the global treatment of personal data.
But why has Europe taken the lead on this ongoing mission?
You may be surprised to learn that at the epicenter of data privacy is Germany, with roots stemming from the country’s darkest years under a Nazi regime.
Germany has gone from the most infamous abuser of personal data, to the nation forging new worldwide standards for the protection of that data.
Why is Germany at the center of digital privacy, and how did it get there?
Furthermore, why does a century of German history matter for you and your business today?
Table of Contents:
- 1933-1945: The Height of Data Abuse
- 1970: The Start of a New Era
- 1977: The First Federal Effort
- 1983: The Cornerstone of EU Privacy is Formed
- 1995: The Early Days of Data Privacy in the Digital Age
- 2014: Control is Put Back in the Hands of Users
- 2018: The Future of Data Privacy Begins
1933 – 1945: The Height of Data Abuse
We rarely acknowledge the presence and power of data collection that existed before the days of the internet and social media.
But in the 1930s and 40s, Nazi Germany collected masses of personal data through census cards, logging the results in early processing systems known as Hollerith machines.

This information was used against those who granted it, classifying German citizens by their race, sexuality, politics, ability, affiliations, and religion.
The subsequent detainment, torture, and murder of people based on these classifications has gone down in infamy as one of the most ghastly periods in modern history – the Holocaust.
Working alongside the German government at the center of this genocide was IBM (International Business Machines). IBM has long stood at the helm of data collection, as the manufacturer of the first punch-card tabulating machines (Hollerith machines) in 1911, and the largest computer company in the world today.
Of IBM’s involvement in the abuse of data lending fuel to the horrors of the Holocaust, human rights journalist, Edwin Black writes:
IBM used its exclusive punch card technology and its global monopoly on information technology to organize, systematize, and accelerate Hitler’s anti-Jewish program.
IBM – the largest computer company in the world – continues to monopolize the gateways through which personal data is transmitted.
This isn’t to say that IBM is, or will ever again be, involved in the kind of atrocities it was in the 1930s and 40s. However, this shows that the movement of data today is not so different to what it was back then – so much so that the same company has maintained control over the largest gateways of personal data for the past 100+ years.
As much as we like to believe that data will never be abused to the extent it was during the Holocaust, it’s become apparent that personal data needs to be protected by the law and by the companies that handle it.
If you want to know more about IBM’s involvement in the Holocaust, Edwin Black’s book, IBM and the Holocaust: The Strategic Alliance Between Nazi Germany and America’s Most Powerful Corporation, outlines the haunting relationship that defined a dark era.
1970: The Start of a New Era
Less than thirty years after the atrocities carried out in Germany through abusive processing of personal data, the first data privacy law in the world was passed in the very same country.
In 1970, in the West Germany state of Hessen, the Bundesdatenschutzgesetz (BDSG) was passed after the 1960s brought about calls for privacy regulations.
This landmark legislation was the first of its kind, detailing protections afforded to personal data and handling standards for the processing of that data.
Over the next seven years, other German states followed suit (such as Rhineland-Palatinate in 1974), until the first federal privacy law was adopted in 1977.
1977: The First Federal Effort
Passed in 1977 and put into effect on January 1st of 1978, the German Federal Data Protection Act (BDSG) became the first federal law governing the protection of personal data.
In the The Privacy, Data Protection and Cybersecurity Law Review – Edition 4, authors Nikola Werry, Benjamin Kirschbaum, and Jens Marwin-Koch write:
These acts established basic principles of data protection, such as the requirement of a legal permission or the data subject’s consent for any processing of personal data.
The act was a revised version of the BDSG that emerged in Hessen in 1970, and expanded the provisions to apply to all German citizens.
It continues to serve as the foundation for German privacy law, with the BDSG still in effect today, having undergone decades of revisions and amendments.
1983: The Cornerstone of EU Privacy is Formed
In 1983, the German Federal Constitutional Court ruled certain provisions of the Census Act unconstitutional, and declared the right to self-determination over one’s data, stating:
The basic right warrants (…) the capacity of the individual to determine in principle the disclosure and use of his/her personal data.
The Court further defined what the right to informational self-determination entails, saying that it is:
the authority of the individual to decide himself, on the basis of the idea of self-determination, when and within what limits information about his private life should be communicated to others.
In short, an individual has the right to decide what personal information can be disclosed to others.
Of the landmark ruling, Colombia Law professor, Anu Bradford says:
That became the cornerstone of the E.U.’s views today.
1995: The Early Days of Data Privacy in the Digital Age
While the foundational bricks of modern data privacy have been laid over the past century, 1995 was the year that ushered in today’s legal framework for the treatment and protection of digital information.
That year, the EU’s Data Protection Directive was adopted.
As one of the founding six nations of the European Union (EU), Germany has shifted its efforts in data privacy to include the scope of all European citizens, rather than German residents alone.
According to Digital Guardian, the directive is based on seven principles:
- Notice – individuals should be notified when their personal data is collected
- Purpose – use of personal data should be limited to the express purpose for which it was collected
- Consent – individual consent should be required before personal data is shared with other parties
- Security – collected data should be secured against abuse or compromise
- Disclosure – data collectors should inform individuals when their personal data is being collected
- Access – individuals should have the ability to access their personal data and correct any inaccuracies
- Accountability – individuals should have a means to hold data collectors accountable to the previous six principles
This directive, and the principles outlined within it, serve as the predecessor to the recently-released GDPR – the most comprehensive data law in the world as of today.
2014: Control is Put Back in the Hands of Users
Before we delve further into the GDPR, let’s examine one of the pivotal moments in the history of European data privacy.
On May 13th of 2014, the Court of Justice of the European Union established the “right to be forgotten”. On this, the EU Commission says:
On the ‘Right to be Forgotten’ : Individuals have the right – under certain conditions – to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data.
You may notice that this right appears differently in its 2014 iteration than what we see today as per the GDPR.
Then, the right was subject to case-by-case scrutiny, and was only applicable in instances of “inaccurate, inadequate, irrelevant, or excessive” information.
Now, under the newest standards for data privacy set by the GDPR, the right to be forgotten is even more sweeping – allowing users to request the deletion of their personal data.
If you want to know more about how to offer users the ability to exercise their right to be forgotten, check out our article about Termly’s data management request tool.
Even though the right to be forgotten continues to evolve, the 2014 court ruling that indoctrinated it into EU law was a critical moment in the timeline of data privacy.
2018: The Future of Data Privacy Begins
These past hundred years have seen a rollercoaster of developments in data privacy, with Germany at the heart of it all.
Just this year, the world was rocked by the General Data Protection Regulation (GDPR) when it took effect on the 25th of May.
The regulation – designed to protect the privacy of European citizens and residents – applies to any business targeting individuals in the EU.
Alongside the GDPR, the ePrivacy Regulation is set to be finalized this year and take effect soon thereafter.
These two laws, working alongside one another, will form a comprehensive and far-reaching legal framework for the protection and privacy of individuals’ personal data.
If you have customers or users in the EU, you are subject to comply with these laws.
While the world of data and the principles that guide its handling often feel like a product of the digital era, this is not entirely the case.
In fact, the actions you take today toward compliance with such laws as the GDPR are a result of decades of development and debate, sprouting from Germany nearly a century ago.
Conclusion
In his piece on IBM’s involvement in the Holocaust, Edwin Black writes:
Various prisoner types were reduced to IBM numbers, with 3 signifying homosexual, 9 for anti-social, and 12 for Gypsy. The IBM number 8 designated a Jew. Inmate death was also reduced to an IBM digit: 3 represented death by natural causes, 4 by execution, 5 by suicide, and code 6 designated “special treatment” in gas chambers.
So why do these offenses of the past matter today – and for the future?
As the legislation dictating data privacy continues to evolve and tighten, many business owners and online operators find themselves frustrated by the legal tightropes they feel forced to walk.
But it’s important to remember – now as much as ever – the dangers of reducing people to numbers by way of their data.
The handling and treatment of personal information should be done with caution, care, and humanity, so that we can continue to move forward in our efforts to protect privacy, and never repeat the horrors of the past.