Some words for his unique contribution to the EU data protection acquis – By Professor Vagelis Papakonstantinou 

A few days ago, on 18 March 2023, Prof. Spiros Simitis passed away. Prof. Simitis was the ‘father of data protection’ and, also, my Doktorvater. This blog post is therefore a small tribute to him and an account of what he meant for global data protection and, well, myself (disclaimer: highly personalized and opinionated!). While the latter does not really matter, the former could provide our younger colleagues, and aspiring data protection experts, some insights into why things are as they are today in the data protection field. At an age when data protection has not only secured its continued existence (something highly doubtful back in the day) and is also developing its own sub-fields of study, a glance at its roots, I think, is always useful.

Father of data protection

Prof. Simitis was a third-generation law professor. His grandfather (whose name he carried) taught at Athens Law School from 1890 to 1898. His father, Georgios Simitis, was elected professor at the Athens Law School in 1936. Shortly thereafter trouble began. During WWII and the Axis occupation of Greece, Georgios Simitis participated in the Greek Resistance and was elected to the “Government in the Mountains” (named in this way to distinguish itself from the lawful government, that had fled to British-controlled Egypt).

After WWII ended, Greece suffered from a brutal civil war between the Right and the Left, lasting from 1946 το 1949. The country’s political future was at stake. The Right, with its British and American allies, fought for a Western-type democratic future, while the Left (nominally supported by the Soviets) for a socialist one. Persecutions for political beliefs became customary. A prominent tool to accomplish this was the use of (paper) “files” kept on each citizen.

I would imagine that it was because of these persecutions that both Spiros Simitis and his brother, Costas Simitis (who later became a Prime Minister in Greece) fled the country. They both studied law in Germany (Marburg) and held various academic positions in Germany until the mid-sixties when their paths separated: Costas returned to Greece where the political situation was finally improved for the Left (alas, a short-lived expectation: the Greek military junta was imposed in 1967 and lasted until 1974), while Spiros pursued an academic career in Giessen and Frankfurt.

It was at that time that Simitis wrote the world’s first data protection law: the Hessian Data Protection Act of 1970. By his own account to me, there was global academic discussion during the sixties on the risks posed by computers; the then Hessian Minister-President was an authoritative and decisive enough person to think that his State could come up first with a relevant law. The task was appointed to Simitis, and the first-ever law on data protection saw the light of day, in 1970.

Context is important, and it helps explain many things that are still with us today. First, the issue of computers. While known since the 1940s or even the 1930s, it was during the 1960s that computers emerged from academic labs to enter human societies. Back then they were big and expensive, and only public administrations could actually use them. This immediately raised red flags. Germans knew that only 30 years previously the Nazis were able to persecute Jews far more “effectively” in those countries that kept meticulous public records, whereas countries whose public administrations were not as organized were better able to hide their Jewish populations. Simitis, for his part, knew well how the use of “files” on political beliefs could be used to make the lives of people miserable, even if their life per se was not threatened. Furthermore, all of this was made possible only through paper records processed by hand. What might be the result if computers processed public records far more effectively than anything humanity had witnessed until that time? Thus it was in a way fated that the first data protection law would emerge in Germany and be written by Simitis.

This is why the first Hessian act is aimed only at the public sector and only at computers. The distinction between public and private sector processing is still with us in many EU countries. Automated personal data processing continued to be the focus of the CoE’s Convention 108, released in 1981, an instrument that was also influenced by him. The distinction between automated and manual processing still gives us trouble in the GDPR (hint: manual processing entered the picture only in 1995, in the EU Data Protection Directive, where the Member States claimed that many of their state databases were still in paper; hence the need for a “filing system” in the GDPR).

After the Hessian Data Protection Act was released, the rest is (well-known, I hope) history: Sweden introduced its own Act in 1973, Germany (this time, at the federal level) in 1978, and France also in 1978. After the UK was convinced (by force, through the “adequacy” criterion) to introduce its own Act in 1984, the way was opened for the 1995 EU Directive. The GDPR finally replaced it in 2018.

An important thing to note is the similarity of today’s data protection model with the one that Simitis drafted in 1970. In a 2.5 page/17 article law, all the important elements are there (individual data protection rights, the DPAs (including their independence), the notification system (replaced in the GDPR by the principle of accountability), confidentiality, data minimization, etc.). Most importantly, however, a new field of law was baptized: the reason we talk today about “data protection” and not “information protection” or “files protection” or whatever else is because that first law talked about “data protection” (Datenschutz) and “data protection authorities” (Datenschutzbeauftragter).

Keeper of data protection

While a lot had been accomplished during the 1980s, the survival of this new field of law was far from certain. Most notably, the USA, where all computers were developed, did not share Europe’s enthusiasm about this new field of law. It was thought that it would place an unnecessary burden on its IT industry. This, as everybody knows, is an ongoing discussion, even today – we see it now even with new technologies, such as AI and online platforms: Europe wants to regulate them, but the USA does not.

What is important to note with regard to data protection, however, is that during its critical years in the 1980s, it was developed among an international circle of legal scholars that were influential enough within their respective countries to actively promote it and protect its continued existence. Simitis held a prominent position within this circle. His continued engagement, and prestige, at German, European, and international level meant that data protection had a face, whenever needed – one that could also converse in the local language, Simitis being fluent in English, French, Italian, Greek, and German. Today this is no longer necessary because the “regulation cause” has been taken up by the EU itself. It was, however, data protection, and its early implementations, that showed the European Commission how to get things done.

Doctorvater

I never expected to study in Germany. Because I liked public law I studied French as a second language during my undergraduate years in the Athens Law School. Germany, and German, was only for those interested in private law. However, during these same years, I also discovered that I liked computers (the Web actually started only in the early-1990s).

I was at a loss, for how to combine the two. Knowing English, I found an LLM in IT law in the UK (University of Strathclyde), in one of the few Universities (in fact, only two!) that offered one (France had none, Germany only one). In Glasgow, I was very lucky that the LLM was run by Professor Ian Lloyd, who, upon hearing the phrase “public law and computers”, immediately pointed me toward data protection, a field completely unknown to me until that time. He kindly provided some bibliographic sources. You can imagine my extreme surprise when I saw, for the first time in my life, that there was a Greek professor in Germany who was prominent in the field!

When I finished my LLM I visited Simitis in Frankfurt. Although I did not know any German, he kindly accepted me as his Ph.D. student (upon acquiring the necessary language skills to register with the University, of course!). He was always there for me, even when I had relocation or other, unrelated to my studies, difficulties. When my language skills did not progress as fast as my Ph.D., he kindly offered to help, unearthing a provision in the University statutes allowing for PhDs in English. I may be among the first students in Germany to have taken advantage of these provisions.

When I finished my Ph.D., he suggested that I take up an academic career in data protection. He told me that in Germany I would have no luck due to the language problem and that Greece was difficult too. So, he suggested that I try Belgian or Dutch Universities, which are extremely active in the field and are English-speaking. I thanked him, and left for Athens, hoping for the best, as it was just before the 2004 Olympics and spirits were high. After some 20 years since that exchange, I find myself actually following his advice.

I, therefore, owe Professor Simitis both my involvement with data protection and my passive knowledge of German. Also (hopefully), my effort to help my Ph.D. students as best as I can. What all of us owe him, however, is nothing less than a whole new field of law, that, for the moment at least, is humanity’s single human rights response to the challenges posed by digital technologies.