Directive 95/46/EC (The Data Protection Directive – 1995)

Background:

  • Domestic laws adopted by member states to meet obligations under Convention 108 proved inconsistent resulting in varying degrees of privacy protections across EU.
  • Significant technological advanced after 1981, when Convention 108 opened for signature.

Goal

  • To set minimum standards for privacy and security across EU in order to achieve consistent application of data protection.
  • Create level playing field for businesses and promote data flow across borders while protecting individual privacy.

Structure of Data Protection Directive

  • 72 Recitals* and 34 Articles.
  • Core data processing principles
    • lawfulness and fairness,
    • purpose limitation,
    • data minimization,
    • accuracy,
    • storage limitation,
    • safeguards for special categories data
    • integrity and confidentiality
  • Data subject rights (DSAR or SAR)
    • explicit consent for processing of personal data
    • right to access personal data
    • right to rectification, erasure or blocking of personal data
    • right to object processing of personal data
    • information about the controller
    • Remedies
  • Other notables
    • Creation of the Working Party in Article 29 set up to protect data subject rights (forever known as the WP29)
    • Transfer of personal data to third countries based on adequacy decisions by the EC (European Commission)
    • Supervisory authorities required in member states

Failure:

  • “A ‘directive’ is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.” – as per the European Union.
  • The domestic laws implemented within Member States led to an inconsistent application of the Directive across EU. As a result data protection rights of users varied across EU and created a patchwork of obligations for businesses.
  • The rise of internet post-1995 and technological advancement in leaps and bounds rapidly outpaced the Directive and data protections proved inadequate.

Successor – GDPR

  • In 2016, the Directive was repealed by the GDPR.
  • On 24 May 2018, the Directive became invalid and stopped being in force.

*What is a Recital? “Recitals set out the reasons for the contents of the enacting terms (i.e. the articles) of an act.” – EU Publication Office