The forgotten Data Protection Regulation that started it all

This is the first episode in our miniseries on the history of European data privacy regulation and transatlantic frameworks.

A new transatlantic data privacy framework is in the works this year. Nobody can say if it will survive eventual challenges in court. But a look back on history can help understand the legal uncertainty caused by the back and forth between the courts and the executive branches on both sides of the Atlantic.

So, without further ado, meet the EU Data Protection Directive (DPD), the OG data protection regulation.

In a Time before GDPR

Comprehensive data protection regulation goes back much further than the one legislation everyone knows – the GDPR.

On October 24, 1995, the EU adopted the Data Protection Directive to harmonize differing national legislation on data privacy protection in the EU.

Its goal was to facilitate information flows within the EU, to strengthen the EU’s internal market and to foster the development of the information-based economy, specifically the web and ecommerce.

The DPD takes effect on 24 October, 1998.

The Directive prohibited the transfer of personal data to any nation outside the EU that does not meet the EU test of “adequacy” in regard to privacy protections.

The European Commission expressed concern that some of the data protection practices of the United States would not be deemed “adequate protection” under the Directive.

The Directive potentially threatened to disrupt or, in some limited cases, even prevent the transfer of data between the EU and the United States.

The reason for the dissimilarities in the two regulatory regimes appear to lie in fundamentally different approaches to the issue of privacy.

European Privacy vs. American Privacy

The right to privacy is a fundamental human right recognised in the European Convention for the Protection of Human Rights and Fundamental Freedoms and the general principles of European Community laws. Thus, the EU implemented privacy protection by enacting comprehensive legislation.

By contrast, the United States has focused on industry sectors, overseeing the collection and use of data through a mix of legislation, regulation, and industry self-regulation, such as federal rules applicable to medical records.

Moreover, US companies tend to view private data as a valuable commercial asset rather than as an individual asset. In practice, this usually means the consumer must “opt out” of customer lists and sales promotions; in Europe on the other hand, customers generally have to “opt in” to commercial marketing schemes.

To solve this problem, a framework for data transfers from the EU to the US was needed. It became known as Safe Harbor.

Next time in our series: From the DPD to Safe Harbor