Directive 95/46/EC

Directive 95/46/EC
User:Verdy p, User:-xfi-, User:Paddu, User:Nightstallion, User:Funakoshi, User:J · Public domain · source
Title	Directive 95/46/EC
Enacted by	European Parliament and Council of the European Union
Adopted	24 October 1995
Published	1995
Status	Repealed (superseded by General Data Protection Regulation)

Contents

Directive 95/46/EC was a landmark European Union instrument adopted by the European Parliament and the Council of the European Union on 24 October 1995 to regulate processing of personal data and to facilitate free movement of such data across European Economic Area member states. It sought to harmonize national frameworks among France, Germany, Italy, Spain, United Kingdom, Netherlands, Sweden, Belgium, and other EU member states while engaging with international partners such as the Organisation for Economic Co-operation and Development and the Council of Europe. The Directive influenced subsequent instruments including the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and shaped debates in institutions like the European Commission and the Court of Justice of the European Union.

Background and Objectives

The Directive emerged amid technological shifts exemplified by initiatives in Silicon Valley, developments by entities such as Microsoft Corporation and IBM, and transatlantic discussions involving the United States Department of Commerce and the Privacy and Civil Liberties Oversight Board. Drafting drew on principles from the Organisation for Economic Co-operation and Development Guidelines, precedents like the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), and rulings from the European Court of Human Rights. Its primary objectives were to protect fundamental rights recognized by the Charter of Fundamental Rights of the European Union, ensure free flow of information among European Free Trade Association and EU states, and provide legal certainty for multinational corporations such as Siemens AG and Philips operating across France and Germany.

The Directive defined technical and legal categories drawn from instruments affecting entities such as Europol, Eurostat, World Trade Organization, and national supervisory authorities like the Information Commissioner's Office in the United Kingdom and the Commission Nationale de l'Informatique et des Libertés in France. It distinguished processing activities by public bodies such as European Central Bank units and private actors such as Deutsche Telekom AG subsidiaries, and set out definitions for "data controller" and "data processor" comparable to terminology in instruments used by Council of Europe and United Nations agencies. Coverage excluded certain activities under treaty regimes overseen by bodies like the North Atlantic Treaty Organization and intergovernmental arrangements such as the Schengen Agreement where specific rules applied.

The Directive enshrined principles including lawful processing, purpose limitation, data quality, transparency, security, and data subject rights, echoing norms in documents like the Universal Declaration of Human Rights, rulings of the European Court of Justice, and standards promoted by the International Organization for Standardization. Controllers were required to implement safeguards similar to practices advocated by ISO/IEC JTC 1 and to respect data subject rights aligned with jurisprudence from the Court of Justice of the European Union and the European Court of Human Rights. Provisions addressed cross-border transfers to third countries, invoking adequacy assessments analogous to debates involving the United States Department of Commerce, the European Commission, and trade partners such as Canada and Japan.

Implementation relied on national adoption by legislatures including the Bundestag in Germany, the Assemblée nationale in France, and the Cortes Generales in Spain, and on enforcement by supervisory authorities modelled after institutions like the Information Commissioner’s Office and the Bundesdatenschutzbeauftragter. Enforcement mechanisms interfaced with judicial systems exemplified by the Court of Justice of the European Union and national courts such as the High Court (England and Wales), and involved administrative procedures influenced by practices in Netherlands and Sweden. Multinational compliance programs by firms such as SAP SE and Accenture implemented governance frameworks to meet obligations under the Directive.

The Directive significantly influenced privacy law in jurisdictions including Poland, Hungary, Greece, Portugal, and Ireland, and shaped corporate practices at Google LLC, Facebook, Inc., and Amazon.com. Critics pointed to fragmentation from divergent national implementations in the European Union and to limitations identified in analyses from bodies such as the European Data Protection Supervisor and the Organisation for Economic Co-operation and Development. Scholars and litigants invoked comparative frameworks from the United States Supreme Court, policy reports by Amnesty International and Human Rights Watch, and debates in forums like the World Economic Forum to argue both for stronger individual rights and for streamlined cross-border data flows.

The Directive was repealed and its objectives recast by the General Data Protection Regulation (Regulation (EU) 2016/679), enacted by the European Commission and the European Parliament to create a directly applicable, harmonized regime across European Union member states, replacing the directive’s reliance on national transposition. The transition prompted coordinated action by national authorities including the Irish Data Protection Commission and the Hamburg Commissioner for Data Protection and Freedom of Information, and influenced international dialogues with counterparts in United States, Canada, Australia, and Japan regarding adequacy decisions and data transfer mechanisms such as those addressed in exchanges between the European Commission and the United States Department of Commerce.