The Data Protection Directive and GDPR
Before the General Data Protection Regulation (GDPR) came into effect in May 2018, the primary data protection legislation in the European Union was the Data Protection Directive (DPD) 95/46/EC. The DPD was adopted in 1995 and provided a framework for the protection of personal data within the European Union. However, the DPD was seen as outdated and not sufficiently robust in the face of technological advancements, and there were also inconsistencies in how it was implemented across different EU member states. The GDPR was therefore introduced to replace the DPD and provide a more modern, harmonized, and effective framework for data protection across the EU.
Background of the Data Protection Directive
The DPD was introduced in response to the increasing use of electronic data processing and computer technology in the EU in the 1980s and 1990s. This technological development led to concerns that personal data could be easily misused, leading to violations of individual privacy and freedom. The DPD was aimed at establishing minimum standards for the protection of personal data and ensuring that EU citizens’ rights to privacy were respected in the digital age.
The Main Provisions of the Data Protection Directive
The DPD was a comprehensive piece of legislation that covered all aspects of the collection, processing, and storage of personal data. Its main provisions included:
1. Personal Data Definition
The DPD defined personal data as any information relating to an identified or identifiable natural person. This included not only data such as names and addresses but also data that could identify individuals indirectly, such as IP addresses or cookie data.
2. Data Processing Principles
The DPD established six principles that data controllers had to adhere to when processing personal data. These principles were:
- Personal data must be processed fairly and lawfully.
- Personal data must be collected for specified, explicit, and legitimate purposes and not be further processed in a way incompatible with those purposes.
- Personal data must be adequate, relevant, and not excessive in relation to the purposes for which they are processed.
- Personal data must be accurate and, where necessary, kept up to date.
- Personal data must not be kept for longer than is necessary for the purposes for which they were collected.
- Appropriate technical and organizational measures must be taken to protect personal data from unauthorized or unlawful processing.
3. Data Subject Rights in the DPD
The DPD granted a number of rights to data subjects, including the right to access their personal data, the right to have inaccurate data corrected, and the right to object to the processing of their data. Data subjects also had the right to request that their data be deleted if it was no longer necessary for the purposes for which it was collected.
4. Data Controller Obligations in the DPD
The DPD established obligations for data controllers, including the requirement to register with a supervisory authority, provide data subjects with certain information, and obtain consent before processing sensitive personal data.
5. Data Transfer in the DPD
The DPD regulated the transfer of personal data outside the EU, requiring data controllers to ensure that adequate protection was in place before transferring data to countries outside the EU.
Impact of the Data Protection Directive
The DPD had a significant impact on data protection in the EU. It established a framework for the protection of personal data and ensured that EU citizens’ privacy rights were respected in the digital age. The DPD also paved the way for the GDPR, which replaced it in 2018.
However, the DPD was not without its limitations. Its provisions were not always clear, and it was often difficult to enforce. There were also inconsistencies in how the DPD was implemented across different EU member states, leading to confusion and a lack of harmonization.