The IT Law Wiki


Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Off. J.L. 281 (Nov. 23, 1995) (full-text) ("1995 Data Protection Directive").


The Directive became effective October 1998. It comprises a general framework of data protection practices for the processing of personal data, which it defines as "any information relating to an identified or identifiable natural person," about European Union citizens. It requires each of the EU Member States to enact laws governing the "processing of personal data." The EU’s 27 member countries have implemented this framework in their own national laws.[1]

Data transfers to non-EU Countries[]

Significantly, the Directive obligates EU Member States to prohibit data transfers to non-European countries that do not have "adequate levels of protection" for personal data.[2] Such transfers are regulated by Articles 25 and 26 of the Directive.

According to Article 25(1), a transfer of personal data “may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.” The essential concern of the Directive on this point is to ensure that personal data lawfully processed in the EU (and the EEA) remain subject to safeguards when transferred to third countries.

The Directive thus determines the situations where personal data may be transferred to third countries. The preferred solution under Article 25 of the Directive is one where there is an adequate level of protection; this can be assessed by the Member States or by the European Commission.[3] But there also exist situations where the level of protection has not been assessed and determined but where personal data may nevertheless be transferred to the third country:

  • the controller adduces additional safeguards with respect to the protection of privacy and fundamental rights (e.g. by using appropriate contractual clauses or binding corporate rules)[4];
  • the controller adopts the Commission’s standard contractual clauses[5];
  • the controller can refer to one of the six derogations listed in Article 26(1).

The Directive does not cover transfers of personal data in the course of judicial and police cooperation activities falling within Titles V and VI of the Treaty on European Union.

EU-US Safe Harbor Agreement[]

The European Commission expressed concern that some of the data protection practices of the United States (e.g., self-regulatory privacy initiatives) would not be deemed "adequate protection" under the Directive.

U.S. and EU officials engaged in informal dialogue concerning implementation of the directive. The dialogue focused on the goals of enhancing data protection for European citizens while maintaining the free flow of personal information between Europe and the United States. On November 4, 1998, former U.S. Department of Commerce Undersecretary for International Trade David L. Aaron proposed a “safe harbor” for U.S. companies that choose to adhere to certain privacy principles. After extensive discussions, on March 14, 2000, the European Commission and the United States finalized the U.S.-EU Safe Harbor Framework.


[D]espite the fact that the Data Protection Directive's core values have survived the test of time, its actual interpretation and formalities have become increasingly excessive, leading to burdensome and sometimes questionable obligations for data controllers, which may create unnecessary competitive disadvantage for European companies. The interpretation of the Data Protection Directive should therefore return to its core values. Moreover, the Directive should leave the assumption that data processing is restricted to a few centralised entities. Instead, it should take into account the decentralised, global and online processing of personal data in today's information society.[6]

Recent developments[]

On January 25, 2012, the European Commission proposed a data protection reform package, including a Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation"),[7] which will replace Directive 95/46/EC.


  1. See European Commission, Status of Implementation of Directive 95/46 on the Protection of Individuals with Regard to the Processing of Personal Data (listing national laws).
  2. A country is considered to have “adequate” data protections if the European Commission certifies that its laws and regulations maintain the same levels of protection as the EU law.
  3. The Commission has the power to make determinations of adequacy that are binding on EU (and EEA) Member States. Article 25(6)2.
  4. Article 26(2).
  5. Article 26(4).
  6. Legal Analysis of a Single Market for the Information Society, at 4.
  7. General Data Protection Regulation (full-text).