Learn about the EU's Data Protection Directive in Data Protection 101, our series on the fundamentals of information security.
Definition of the Data Protection Directive
Adopted in 1995 by the European Union, the Data Protection Directive is officially known as Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Data Protection Directive is binding within the member states of the EU and regulates how personal data is collected and processed in the European Union.
How the Data Protection Directive Works
The Data Protection Directive is built on the seven principles of the Organization for Economic Cooperation and Development’s Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data. Created in 1980, those seven principles include:
- Notice – individuals should be notified when their personal data is collected
- Purpose – use of personal data should be limited to the express purpose for which it was collected
- Consent – individual consent should be required before personal data is shared with other parties
- Security – collected data should be secured against abuse or compromise
- Disclosure – data collectors should inform individuals when their personal data is being collected
- Access – individuals should have the ability to access their personal data and correct any inaccuracies
- Accountability – individuals should have a means to hold data collectors accountable to the previous six principles
These guidelines were non-binding, however, and data privacy laws changed depending on where you were located in Europe. As the European Commission realized that data flows were being hindered by disparate data privacy laws throughout EU states, they adopted the OECD guidelines into the Data Protection Directive, a binding set of data protection requirements for EU member states.
Article 2a of the Data Protection Directive defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." In essence, data becomes personal if any portion of the information can be linked to a particular person. This is considered the case even if that specific person cannot make the link themselves. Examples of personal data protected by the DPD include:
- Government issued identification numbers
- Credit card numbers
- Bank statements
Benefits of the Data Protection Directive
Personal data is highly valuable to its owners. The Data Protection Directive was created to protect personal data both when responsible parties operate within the EU and also when controllers use equipment in the EU to process personal data. This means that even controllers outside of the EU must comply with the directive if they are processing personal data inside the EU. Not to mention, all controllers have to notify their governing body before processing all forms of personal data. The notification must be detailed with information such as:
- The intended purpose of the processing
- The controller’s name and address
- Categories of data subjects
- The types of data being collected
- Which recipients can view the data
- Whether transfers will be made to other countries
- The types of protective measures are being taken to ensure the security of processing similar data
GDPR Survival Kit
The Data Protection Directive is being phased out and will be taken over by General Data Protection Regulation (GDPR)
In January 2012, the European Commission submitted a draft proposal for a comprehensive reform of data protection rules in the EU. The EC hoped that through creation of a single, EU-wide law, fragmentation and expensive administrative measures associated with implementing and enforcing the DPD across different member states can be eliminated. This also aimed to facilitate cross-border cooperation in terms of the fight against crime and terrorism.
On December 15, 2015, the European Parliament, Council, and Commission reached an agreement on the new data protection rules, the EU General Data Protection Regulation. The result is a much more modern and collaborative data protection framework across the EU. The GDPR text was finalized on April 8, 2016 and approved by the European Parliament on April 14, 2016.
A history of EU data protection regulations leading up to the GDPR.
The GDPR supersedes the Data Protection Directive and will fully phase out the DPD and become national law for all EU Member States by May 25, 2018. The GDPR builds on the key tenets of the DPD with more specific data protection requirements, a global scope, and stiffer enforcement as well as non-compliance penalties. As a result, citizens will have more control over their personal data and more recourse if personal data is misused, while data controllers and processers will be required to protect sensitive personal data by design. Finally, the GDPR offers a much simpler regulatory environment for businesses that collect or process EU citizens’ and residents’ personal data.