Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

The European Union Directive on the Protection of Personal Data became effective October 1998. It comprises a general framework of data protection practices for the processing of personal data, which it defines as "any information relating to an identified or identifiable natural person," about European Union citizens. It requires each of the sixteen EU Member States to enact laws governing the "processing of personal data."

Significantly, the Directive obligates EU Member States to prohibit data transfers to non-European countries that do not have "adequate levels of protection" for personal data. The European Commission expressed concern that some of the data protection practices of the United States (e.g., self-regulatory privacy initiatives) would not be deemed "adequate protection" under the Directive.

U.S. and EU officials engaged in informal dialogue concerning implementation of the directive. The dialogue focused on the goals of enhancing data protection for European citizens while maintaining the free flow of personal information between Europe and the United States. On November 4, 1998, former U.S. Department of Commerce Undersecretary for International Trade David L. Aaron proposed a “safe harbor” for U.S. companies that choose to adhere to certain privacy principles. After extensive discussions, on March 14, 2000, the European Commission and the United States finalized the Safe Harbor Agreement.