Data Protection Directive
The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.
Title
Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data
24 October 1995
13 December 1995
24 October 1998
25 May 2018
C311, 27 November 1992, p. 30–61
Regulation (EC) No 1882/2003
The principles set out in the Data Protection Directive were aimed at the protection of fundamental rights and freedoms in the processing of personal data.[1] The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018.[2]
Implementation by the member states[edit]
EU directives are addressed to the member states, and are not legally binding for individuals in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states had enacted their own data protection legislation.
On 25 January 2012, the European Commission (EC) announced it would be unifying data protection law across a unified European Union via legislation called the "General Data Protection Regulation." The EC's objectives with this legislation included:[17]
The original proposal also dictated that the legislation would in theory "apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents," one of the biggest changes with the new legislation.[17] This change carried on through to the legislation's final approval on 14 April 2016, affecting entities around the world. "The Regulation applies to processing outside the EU that relates to the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior," according to W. Scott Blackmer of the InfoLawGroup, though he added "[i]t is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation."[2] Additional changes include stricter conditions for consent, broader definition of sensitive data, new provisions on protecting children's privacy, and the inclusion of "rights to be forgotten."[2]
The EC then set a compliance date of 25 May 2018, giving businesses around the world a chance to prepare for compliance, review data protection language in contracts, consider transition to international standards, update privacy policies, and review marketing plans.
Comparison with other jurisdictions[edit]
Comparison with United States data protection law[edit]
As of 2003, the United States has no single data protection law comparable to the EU's Data Protection Directive.[18]
United States privacy legislation tends to be adopted on an ad hoc basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992,[19] the Fair Credit Reporting Act, and the 1996 Health Insurance Portability and Accountability Act, HIPAA (US)). Therefore, while certain sectors may already satisfy parts of the EU Directive most do not.[20] The United States prefers what it calls a 'sectoral' approach[21] to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[22][23] Former US President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology.[24]
The reasoning behind this approach has as much to do with American laissez-faire economics as with different social perspectives.[25] The First Amendment of the United States Constitution guarantees the right to free speech.[26] While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court,[27] although it is often an explicit right in many state constitutions.[28]
Europe's extensive privacy regulation is justified with reference to experiences under World War II-era fascist governments and post-War Communist regimes, where there was widespread unchecked use of personal information.[29][30][31] World War II and the post-War period was a time in Europe when disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps.[7] In the age of computers, Europeans' guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II.[32] (Germany) and France, in particular, set forth comprehensive data protection laws.[33]
Critics of Europe's data policies, however, have said that they have impeded Europe's ability to monetize the data of users on the internet and are the primary reason why there are no Big Tech companies in Europe, with most of them instead being in the United States.[34] Furthermore, with Alibaba and Tencent joining the ranks of the world's 10 most valuable tech companies in recent years,[35] even China is moving ahead of Europe in the performance of its digital economy,[36] which was valued at $5.09 trillion in 2019 (35.8 trillion yuan).[37]
Meanwhile, Europe's preoccupation with the US is likely misplaced in the first place, as China and Russia are increasingly identified by European policymakers as "hybrid threat" aggressors, using a combination of propaganda on social media and hacking to intentionally undermine the functioning of European institutions.[38]