The forgotten Data Protection Regulation that started it all
This is the first episode in our miniseries on the history of European data privacy regulation and transatlantic frameworks.
A new transatlantic data privacy framework is in the works this year. Nobody can say if it will survive eventual challenges in court. But a look back at history can help us understand the legal uncertainty caused by the back and forth between the courts and the executive branches on both sides of the Atlantic.
So, without further ado, meet the EU Data Protection Directive (DPD), the OG data protection regulation.
In a Time before GDPR
Comprehensive data protection regulation goes back much further than the one piece of legislation everyone knows – the GDPR.
On October 24, 1995, the EU adopted the Data Protection Directive to harmonize differing national legislation on data privacy protection in the EU.
Its goal was to facilitate information flows within the EU, to strengthen the EU’s internal market and to foster the development of the information-based economy, specifically the web and ecommerce.
The DPD took effect on October 24, 1998.
The Directive prohibited the transfer of personal data to any nation outside the EU that did not meet the EU test of “adequacy” in regard to privacy protections.
The European Commission expressed concern that some of the data protection practices of the United States would not be deemed “adequate protection” under the Directive.
The Directive potentially threatened to disrupt or, in some limited cases, even prevent the transfer of data between the EU and the United States.
The reasons for the dissimilarities between the two regulatory regimes appear to lie in fundamentally different approaches to the issue of privacy.
European Privacy vs. American Privacy
The right to privacy is a fundamental human right recognised in the European Convention for the Protection of Human Rights and Fundamental Freedoms and the general principles of European Community laws. Thus, the EU implemented privacy protection by enacting comprehensive legislation.
By contrast, the United States has focused on industry sectors, overseeing the collection and use of data through a mix of legislation, regulation, and industry self-regulation, such as federal rules applicable to medical records.
Moreover, US companies tend to view private data as a valuable commercial asset rather than as an individual asset. In practice, this usually means the consumer must “opt out” of customer lists and sales promotions; in Europe, on the other hand, customers generally have to “opt in” to commercial marketing schemes.
To solve this problem, a framework for data transfers from the EU to the US was needed. It became known as Safe Harbor.
Next time in our series: From the DPD to Safe Harbor