Domain 1: The most challenging CIPP/E domain?

Domain 1 questions are the most challenging for the respondents to our on-line CIPP/E.

Do you know:

  • Which instrument first included the principle that member states should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties which would create obstacles to trans-border data flows of personal data beyond what is required for that protection?
  • Which treaty promoted the Charter of Fundamental Rights of the European Union to the same status as a treaty, making it legally binding on members?

Only 20% of respondents to our on-line quiz got the first question right, and 42% got the correct answer to the second.  How did you go?

If you’re taking the CIPP/E, it’s not sufficient to know all about the GDPR.  You also need to understand the context.  You need to be up to speed with how the EU works, the difference between the Council of Europe, the EU and the EEA and the different conventions, treaties, directives and regulations relevant to data protection in Europe. This can be tricky, particularly for any non-Europeans who may get confused by the Council of Europe, the European Council and the Council of the EU…  But this is the focus of Domain 1 of the CIPP/E

There will be between 4 and 10 questions on the exam covering subject matter from this Domain, so it is worth taking a little time to familiarise yourself with the content.

Below are some topes to help you master Domain 1.

The CIPP/E Body of Knowledge

As a starting point, always refer back to the CIPP/E Body of Knowledge as your main reference point for the material you need to know.  Ensure you’re comfortable with all the subject matter listed there.

Origins  of Data Protection Law: 1.       Rationale for data protection 2. Human rights laws 3. Early laws and regulations 4. The need for a harmonised European approach 5. The Treaty of Lisbon 6. A modernised framework
European Union Institutions: 1.Council of Europe 2. European Court of Human Rights 3. European Parliament 4. European Commission 5. European Council 6. European Court of Justice

Legislative Framework:


1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention) 2. The EU Data Protection Directive (95/46/EC) 3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended 4. The EU Directive on Electronic Commerce (2000/31/EC) 5. European data retention regimes 6. The General Data Protection Regulation (GDPR) and related legislation

You can find the IAPP’s CIPP/E Exam Blueprint here.   

Please Note:  The body of knowledge and exam for CIPP/E were updated on 1 July 2021. Read this blog post to find out more about the update.

Domain 1 CIPP/E – What do you need to know?

As part of the background to understanding current data protection law in Europe, it is important to be able to:

  • Know the history of human rights, privacy, and data protection law in Europe leading up to the current EU legislative framework;
  • Differentiate between the Council of Europe and the European Union, including member state composition and legislation related to privacy and data protection;
  • Understand the functions of the EU’s legislative, policy-making and judicial institutions, specifically as they apply to data protection law,

EU Institutions

The institutions of the European Union form the framework for co-operation between the 27 member states of the EU. Of these institutions, the European Commission is the only one that can initiate legislation. It submits its proposals to the European Parliament and the Council of Ministers, to be approved or rejected. Commissioners are appointed by the Council of Ministers and then approved by the parliament.

The parliament has responsibility for supervising the 27 commissioners making up the European Commission and is the only institution with the power to sack them.

All legislation must be approved by both the Council and the European Parliament. Once legislation has been passed, the European Court of Justice makes sure it is interpreted uniformly across all the member states.

EU Treaties

The first treaty, which established the European Economic Community (EEC), was signed in Rome in 1957. There have been five subsequent treaties – the Single European Act (1986), the Treaty of Maastricht (1992), the Treaty of Amsterdam (1997), the Treaty of Nice (2001) and the Treaty of Lisbon (2007).

Treaties establishing the EU
Treaty of Rome 1957 Signed on 25 March 1957 by Belgium, France, Italy, Luxembourg, the Netherlands and West Germany and came into force on 1 January 1958.

Creates Common Market / European Economic Community (EEC)

Single European Act 1986 The Single European Act (SEA) was the first major revision of the 1957 Treaty of Rome. The Act set the European Community an objective of establishing a single market by 31 December 1992, and codified European Political Cooperation, the forerunner of the European Union’s Common Foreign and Security Policy.
Treaty of Maastricht 1992 The treaty founded the European Union and established its pillar structure which stayed in place until the Lisbon Treaty came into force in 2009. The treaty also greatly expanded the competences of the EEC/EU and led to the creation of the single European currency, the euro.
Treaty of Amsterdam 1997 Member states agreed to transfer certain powers from national governments to the European Parliament across diverse areas, including legislating on immigration, adopting civil and criminal laws, and enacting foreign and security policy (CFSP), as well as implementing institutional changes for expansion as new member nations join the EU. The Amsterdam Treaty did not settle all institutional questions. Work was still in progress on reforming the institutions to make them capable of operating effectively and democratically in a much enlarged EU. The most pressing issues were the composition of the Commission and the weighting of Member States’ votes upon qualified majority voting. These questions were addressed in the Treaty of Lisbon.
Treaty of Nice 2001 Reformed the institutional structure of the European Union to withstand eastward expansion, a task which was originally intended to have been done by the Amsterdam Treaty, but failed to be addressed at the time.
Treaty of Lisbon 2007 The Treaty of Lisbon (initially known as the Reform Treaty) is an international agreement that amends the two treaties which form the constitutional basis of the European Union (EU): the Maastricht Treaty (1993) and the Treaty of Rome (1957).

Development of EU Data Protection Law

The origins and historical context of European data protection law, include the following:

  •  1948 UN adopted Universal Declaration of Human Rights: Art 12 – “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence nor to attacks upon his honour or reputation”
  • 1950 Council of Europe ratified the Convention on Human Rights
  •  1966 UN adopts International Covenant on Civil and Political Rights: Art 17 – provides protection against arbitrary interference with an individual’s privacy
  • 1980 OECD issues “Guidelines on Privacy and Trans border Flows of Personal Data”
  • 1981 Council of Europe ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’ renders data protection a legal imperative
  • 1995 EU Data Protection Directive issued
  • 2000 Charter of Fundamental Rights of the EU
  • 2002 EU ePrivacy Directive issued
  • 2016 EU General Data Protection Regulation approved by the EU
  •  2018 EU General Data Protection Regulation becomes enforceable
  • 2018 Convention 108 + opened for signature

Sources/Bases for Right to Privacy/Data protection

Universal Declaration of Human Rights 1948

  • Adopted by the General Assembly of the United Nations (International – not EU body)
  • Included:
  • ·       Right to a private life (Art 12)
  • ·       Right to freedom of expression (Art 19)
  • ·       Balance of rights (Art 29)

European Convention on Human Rights (ECHR) 1950

Council of Europe opened Convention for ratification in 1950. Reflect UN DHR and includes:

  • Art 8 right to private life
  • Art 10 right to freedom of expression
  • Balance between rights (Art 10(2))
  • Became enforceable in 1953. Establishes human rights across Europe (more broadly than just EU) that are enforceable via the European Court of Human Rights.

Convention 108 1981

  • Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.  Adopted by the Council of Europe. Opened for signature in 1981.
  • First legally binding international instrument in area of data protection (must be implemented into local law by signatories).
  • Set out basic principles + special rules for transborder data flows (introduced idea of ‘adequacy’).
  • Did not result in ‘harmonised’ development of data protection laws by Council of Europe members.
  • Three main parts of Convention 108:
  • 1. Law provisions (basic principles)
    2. Rules on trans-border data flows
    3. Mutual assistance / DPA

EU Data Protection Directive 1995

  • Used Convention 108 as benchmark for development of Data Protection Directive.  Passed by the EU in 1995.
  • Intention to introduce more harmonised set of data protection provisions.

EU Charter of Fundamental Rights 2000

  • Passed by EU in 2000.
  • Includes same general principles as in ECHR but specifically refers to protection of personal data.
  • Must be implemented into local law
  • Given binding legal effect in 2009 when Treaty of Lisbon came into effect.

General Data Protection Regulation 2016

  • Passed by EU in 2016.
  • Became effective in 2018.
  • Binding law applying to member countries (no need for local law to implement).

How can we help?

You may find the following posts helpful:

Other references

Other useful resources covering the Domain 1 subject matter include:

EU History: Timeline of the development of the EU:

EU Treaties: OS.7.Treaties.pdf (

EU Institutions:

EEA and data protection: Data Protection | European Free Trade Association (

UN Declaration of Human Rights: Universal Declaration of Human Rights | United Nations

OECD Guidelines: OECD Privacy Guidelines – OECD

Council of Europe and Convention 108:

Want to test your CIPP/E Domain 1 knowledge?

Think you’re ready to take on Domain 1 or just want to assess your current understanding, or get a feel for what the exam questions in this area might be like?

We’ve created a set of practice exam questions just for Domain 1.

Enter your details below to access our free history of data privacy practice exam. It is written to help you prepare for the CIPP/E.

Photo by cottonbro from Pexels

Not sure if the CIPP/E is for you?

If you want to check your current knowledge or get a sense of what the CIPP/E exam might cover, try our mini quiz, accessible here.

Prepare with us for the CIPP/E Exam

If you are thinking of taking the CIPP/E certification exam, an instructor-led preparatory course is a great option. The training classes are widely recognised as the best preparatory resource for test takers – and they’re a great resource for helping you learn the history of data privacy.

Privacy108 runs regular CIPP/E training seminars, either by 4 x 4-hour on-line sessions or 2 days in a classroom. The course covers all of the CIPP/E body of knowledge.  As an authorised IAPP training provider all the course materials are provided by IAPP, and are prepared and regularly updated by the IAPP team of privacy specialists.

Lead instructor Dr Jodie Siganto is one of Australia’s foremost privacy experts and is a certified IAPP instructor, holding the CIPM, CIPP/E and CIPT certifications (in addition to the CISSP and CISM).   

Exclusive access to additional CIPP/E resources

To help ensure your success, Privacy 108 has developed additional supporting study material, available exclusively to people who train with Privacy 108.  This includes:

  • Additional practice exam questions
  • Study guides for each of the domains
  • Glossary and flashcards.

This is in addition to the IAPP course notes comprehensive CIPP/E textbook and a 25-question practice exam, provided by IAPP.

For more information or to register. 

Privacy108 Survey Monkey Data History Request

Enter your details below to access our free history of data privacy practice exam. It is written to help you prepare for the CIPP/E.

  • We collect and handle all personal information in accordance with our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.