Data Protection Directive

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

Title: Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data

24 October 1995

13 December 1995

24 October 1998

25 May 2018

C311, 27 November 1992, p. 30–61

Regulation (EC) No 1882/2003

The principles set out in the Data Protection Directive were aimed at the protection of fundamental rights and freedoms in the processing of personal data.[1] The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018.[2]

when the data subject has given his consent.

when the processing is necessary for the performance of or the entering into a contract.

when processing is necessary for compliance with a legal obligation.

when processing is necessary in order to protect the vital interests of the data subject.

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are over-ridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or not being processed in compliance with the data protection rules. (art. 12)

Implementation by the member states

EU directives are addressed to the member states, and are not legally binding for individuals in principle. The member states must transpose the directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states had enacted their own data protection legislation.

On 25 January 2012, the European Commission (EC) announced it would be unifying data protection law across a unified European Union via legislation called the "General Data Protection Regulation." The EC's objectives with this legislation included:[17]

the harmonisation of 27 national data protection regulations into one unified regulation;

the improvement of corporate data transfer rules outside the European Union; and

the improvement of user control over personal identifying data.


The original proposal also dictated that the legislation would in theory "apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents," one of the biggest changes with the new legislation.[17] This change carried on through to the legislation's final approval on 14 April 2016, affecting entities around the world. "The Regulation applies to processing outside the EU that relates to the offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior," according to W. Scott Blackmer of the InfoLawGroup, though he added "[i]t is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation."[2] Additional changes include stricter conditions for consent, broader definition of sensitive data, new provisions on protecting children's privacy, and the inclusion of "rights to be forgotten."[2]


The EC then set a compliance date of 25 May 2018, giving businesses around the world a chance to prepare for compliance, review data protection language in contracts, consider transition to international standards, update privacy policies, and review marketing plans.

Comparison with other jurisdictions

Comparison with United States data protection law

As of 2003, the United States has no single data protection law comparable to the EU's Data Protection Directive.[18]


United States privacy legislation tends to be adopted on an ad hoc basis, with legislation arising when certain sectors and circumstances require (e.g., the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992,[19] the Fair Credit Reporting Act, and the 1996 Health Insurance Portability and Accountability Act, HIPAA (US)). Therefore, while certain sectors may already satisfy parts of the EU Directive, most do not.[20] The United States prefers what it calls a 'sectoral' approach[21] to data protection legislation, which relies on a combination of legislation, regulation, and self-regulation, rather than governmental regulation alone.[22][23] Former US President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology.[24]


The reasoning behind this approach has as much to do with American laissez-faire economics as with different social perspectives.[25] The First Amendment of the United States Constitution guarantees the right to free speech.[26] While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court,[27] although it is often an explicit right in many state constitutions.[28]


Europe's extensive privacy regulation is justified with reference to experiences under World War II-era fascist governments and post-War Communist regimes, where there was widespread unchecked use of personal information.[29][30][31] World War II and the post-War period was a time in Europe when disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps.[7] In the age of computers, Europeans' guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in the years following World War II.[32] Germany and France, in particular, set forth comprehensive data protection laws.[33]


Critics of Europe's data policies, however, have said that they have impeded Europe's ability to monetize the data of users on the internet and are the primary reason why there are no Big Tech companies in Europe, with most of them instead being in the United States.[34] Furthermore, with Alibaba and Tencent joining the ranks of the world's 10 most valuable tech companies in recent years,[35] even China is moving ahead of Europe in the performance of its digital economy,[36] which was valued at $5.09 trillion in 2019 (35.8 trillion yuan).[37]


Meanwhile, Europe's preoccupation with the US is likely misplaced in the first place, as China and Russia are increasingly identified by European policymakers as "hybrid threat" aggressors, using a combination of propaganda on social media and hacking to intentionally undermine the functioning of European institutions.[38]

Directive 95/46/EC (Directive on protection of individuals with regard to the processing of personal data and on the free movement of such data)

EU data protection page

2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council (Safe harbour principle)

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 (Directive on privacy and electronic communications)

Procedure 2012/0011/COD: Procedure file for the proposed revised legal framework (General Data Protection Regulation)