What You Need to Know About the History of Data Privacy for Your CIPP/E Exam

If you’re reading this, you likely already know that the CIPP/E is the IAPP’s European privacy certification. To pass the exam, you must understand data protection, privacy terminology, and implementation best practices for Europe.  

But first, you’ll need to tackle the origins, history and framework of European data law (all included in Domain I for the CIPP/E). This study guide outlines what you need to know plus some tips on conquering Domain I of the CIPP/E exam. 

Why Study the History of Data Privacy? 

European data privacy laws didn’t start with the GDPR – and the GDPR isn’t the only European law. Today’s data privacy laws make a lot more sense when you look backwards in time to discover why the laws exist, and how they’ve developed from human rights. When you know this, it becomes easier to understand them – and to act in a way that’s consistent with the spirit of the laws.  

What Do You Need to Know About the History of Data Privacy in Europe? 

You can find the IAPP’s CIPP/E Exam Blueprint here.   

Please Note:  The body of knowledge and exam for CIPP/E were updated on 1 July 2021. Read this blog post to find out more about the update.

But this is what you’ll need to know about the history and framework of data privacy in Europe. 

You need to know the origins and historical context of European data protection law, including: 

1. Rationale for data protection, 
2. Human rights laws, 
3. Early laws and regulations, 
4. The need for a harmonised European approach, 
5. The Treaty of Lisbon, and  
6. A modernised framework. 

You need to know about these European institutions & the roles they play in data privacy:  

1. Council of Europe, 
2. European Court of Human Rights,  
3. European Parliament, 
4. European Commission,  
5. European Council, and 
6. European Court of Justice. 

You must understand the legislative framework, specifically: 

1. The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (Convention 108),  
2. The EU Data Protection Directive (95/46/EC), 
3. The EU Directive on Privacy and Electronic Communications (2002/58/EC) – as amended, 
4. The EU Directive on Electronic Commerce (2000/31/EC),  
5. European Data Retention Regimes, and 
6. The General Data Protection Regulation (GDPR) and related legislation. 

Where to Focus Your Studies of the History of European Data Privacy 

As you can see, the blueprint for the exam provided by IAPP is quite vague. If you were to dive headfirst into the content and academic writing about any of the topics in the blueprint, you could easily spend more than 30 hours on each. (And IAPP suggests 30 hours of personal study for the exam.)   This is particularly true for non-Europeans who don’t have a background in either European Human Rights or the different European Institutions, like the Council of Europe and the European Union and the roles each play. 

Here’s where to focus your efforts:  

The Origin and History of Data Privacy Law 

Human Rights Law 

Spend time focusing on the articles in human rights charters that detail a person’s right to privacy -and the restrictions placed on that right (the general right to privacy is the foundation for the more specific controls around the processing of personal data). The right to privacy is never absolute. And privacy law tries to balance the right to privacy with economic and public interests that justify interference with it, including the right to freedom of expression. Explore the reasons deemed important enough to justify the interference.   Appreciate the importance of trying to striking the right balance.   

Early Laws and Regulations 

Throughout the 60s and 70s, European countries adopted piecemeal laws to protect the data privacy of their citizens. 

Formal international agreements began to emerge early in the 80s.  The most important are: 

• The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and  
• Council of Europe Convention 108.  

Read and understand these documents and explore the context in which they were written. The Preface to the OECD text is useful, as is this Medium article about the history of Convention 108. 

The EU and the Treaty of Lisbon (2007) 

This article succinctly outlines the background to the Treaty of Lisbon, one of the important Treaties for the development of the EU, alongside its rationale and scope. 

A Modernised Framework

You’ll need to know and understand the rationale behind the GDPR and Convention 108+ for this section of the exam. By exploring the history behind these regulations, you’re better placed to understand their contents. As such, we strongly suggest researching the history before delving into the contents of each.  

European Institutions 

Within the EU, different institutions have different powers, to make laws, to make adequacy decisions, to preside over judicial proceedings and to approve Standard Contractual Clauses and Binding Corporate Rules. For each of the institutions outlined in the IAPP Exam Blueprint, you should know: 

• Where the institution gets its power.  
• The rationale behind the institution  
• The functions of the institution. 
• How the institution works in practice, including: 
• The job titles of people who work there, 
• What job they do,  
• Who they report to, and  
• Its relationship to other institutions. 
• How the institution is involved in data protection.  

Studying the Legislative Framework 

For each of the regulations (Convention 108, ePrivacy Directive, GDPR) in the IAPP Exam Blueprint, you should: 

• Know the background behind the regulations. 
• Have a holistic view of its content. 
• Be certain whether it is current law or if it has been superseded by another regulation.  
• Know whether it has been amended. 
• Understand its place within the broader framework (what it achieves, its relationship to other regulations, etc).   
• Know whether it is enforceable and, if so, by which body.  

Practical Tips for Preparing for Your IAPP CIPP/E Exam 

• Make sure you are really comfortable with all the material in the CIPP/E Body of Knowledge. 
• You MUST read and be very familiar with the GDPR itself, particularly Articles 3 – 40.  You will get very detailed questions about the GDPR.  
• Have some knowledge of the history of the EU and the relevant treaties, especially the Treaty of Lisbon and the EU Charter of Fundamental Human Rights.
• Read the Candidate Handbook before you arrive at the test. It’s incredibly valuable to know what the processes and policies are before you arrive. Here’s the 2021 Candidate Handbook. 
• The first three (3) chapters of the iapp text book cover the Domain I material. It’s helpful to read those.
• If you’ve time, also read the European Council Handbook on European Data Protection Law – 2018 
• Listen to The Privacy Advisor podcast to get familiar with privacy issues when you’re on the go. 
• Test Your Knowledge with the Privacy 108 Practice Exam. You can access it by completing the contact form below.  

For more information about preparing for the CIPP/E exam, check our previous post on exam-prep tips. 

Not sure if the CIPP/E is for you?

If you want to check your current knowledge or get a sense of what the CIPP/E exam might cover, try our mini quiz, accessible here.

Train with Privacy 108  

Privacy 108 runs regular CIPP/E training seminars, as an authorised IAPP training provider.

Lead instructor Dr Jodie Siganto is one of Australia’s foremost privacy experts and is a certified IAPP instructor. The training classes are widely recognised as the best preparatory resource for test takers – and they’re a great resource for helping you learn the history of data privacy.

In addition to the class, you’ll receive the comprehensive CIPP/E textbook and a 25-question practice exam, plus access to additional exam prep resources, including more practice exam questions, exclusively available through Privacy 108. 

For more information or to register.