A modernised framework

The need for a modernised data protection framework

By early 2010s, EU member states once again realized that the existing framework on privacy protection, the Data Protection Directive of 1995 (Directive 95/46/EC), was falling behind technological advancement. The need for an EU Regulation had emerged.

Directive vs. Regulation:

EU law states that: “A ‘regulation’ is a binding legislative act. It must be applied in its entirety across the EU”. A directive merely sets out goals. Countries can devise their own laws on achieving those goals.
Member state laws had adopted Directive 95/46/EC which set out goals for privacy and data protection. However, data protection was still fragmented within the EU territory. Additionally, Directive 95/46/EC lacked enforcement mechanisms.

In 2015, the European Parliament, the European Commission, and the Council of European Union finalized the text for a General Data Protection Regulation that would apply across EU as a binding legislation

In 2016, the GDPR (Regulation 2016/679) entered into force and Directive 95/46/EC was repealed. EU member states and industry were given two years to plan for compliance.

On May 25, 2018, the GDPR began applying across the entire EU territory (i.e. GDPR compliance was required for all) and the Directive was no longer in force.

Origins and Historical Context of Data Protection Law

European Union Institutions

Legislative Framework