Past Releases and Reports
About Privacilla
Privacy Fundamentals
Privacy and Government
Privacy and Business
Online Privacy
Financial Privacy
Medical Privacy
Send a directive to Privacilla!
Your Source for Privacy Policy from a Free-market, Pro-technology Perspective

Click to return to the Privacy and Government outline

Home > Privacy and Government > Privacy Law Governing the Government Sector > Important Directives, Guidelines, and Studies > The EU Data Privacy Directive

The EU Data Privacy Directive

Though it is not law in the United States, the European Union's Data Protection Directive is an important document in privacy debates today. Agreed to among European bureaucrats in 1995, the directive required member countries of the EU to adopt laws that implement its terms.

The Directive creates rights for persons about whom information is collected, known as "data subjects." Entities that collect information must give data subjects notice explaining who is collecting the data, who will ultimately have access to it, and why the data is being collected. Data subjects also have the right to access and correct data about them.

This top-down, bureaucratic model imposes heavy costs and inconveniences on European businesses compared to the American system in which information flows freely and only harmful uses of information are prevented or punished. The Directive is also inconsistent in many respects with free speech.

The Directive creates stricter rules for companies that want to use data in direct marketing, or to transfer the data for other companies for that use. The data subject must be explicitly informed of these plans and given the chance to object. Stricter rules also govern sensitive information relating to racial and ethnic background, political affiliation, religious or philosophical beliefs, trade-union membership, sexual preferences, and health. Before this information may be collected the data subject must give explicit consent. There are exceptions to this rule for employment contracts, non-profits, and the legal system, among other things.

In order not to completely disrupt life in Europe, the Directive is riddled with exceptions. For example, data may be kept for personal and household use like an address book. Synagogues, trade unions, churches, and other non-profits are permitted to keep even "sensitive" information about their members. National governments are permitted to exempt journalists from provisions of the directive, if the government thinks free speech might outweigh privacy interests.

Ironically, because governments are the most voracious collectors, users, and sometime abusers of personal information, governments may exempt themselves from the Directive when it conflicts with their own interests in taxation or law enforcement. Though it is inspired by the bloody use some European governments made of sensitive personal information in the last century, the Data Privacy Directive does not hit that mark. The Directive fails to address privacy coherently because it does not recognize a rather fundamental premise: the vast difference in rights, powers, and incentives between governments and the private sector.

In order for American companies to transfer information about data subjects with European businesses, the EU and the U.S. Commerce Department negotiated an agreement. Called the "safe harbor" agreement, it outlines the conditions under which U.S. companies may receive information about EU data subjects. U.S. companies may also enter into special data protection contracts.

On May 16, 2003, the European Commission released its review of the Directive and its implementation. Eleven of the 15 EU Member states missed the 1998 deadline for adopting the Directive's terms in their national laws. France had yet to implement the Directive, while Luxembourg and Ireland had only done so in 2002.

Significant differences in the way Member states have implemented the Directive are impeding information flows in Europe, and internationally as well. The Commission suspects that many "unauthorized" or illegal transfers of data are occuring. Despite requests from four Member countries, the EC declined to propose simplifying or harmonizing changes to the Directive. It will consider making such amendments in 2005.


Enforced Standards Versus Evolution by General Acceptance: A Comparative Study of E-Commerce Privacy Disclosure and Practice in The U.S. and The U.K.; Karim Jamal et al., AEI-Brookings Joint Center on Regulatory Studies (July 2003)

Report on the transposition of Directive 95/46/EC, Commission of the European Communities (May 15, 2003)

Safe Harbor Web site, U.S. Department of Commerce (includes link to "Safe Harbor List" of companies adhering to safe harbor principles)

Concerns Regarding the EU Data Directive, by Professor Jacob Palme, Stockholm University (November 30, 2000)

EU-US "Safe Harbor" Privacy Arrangement U.S. Department of Commerce (July 21, 2000)

Privacy and Human Rights: Comparing the United States to Europe by Solveig Singleton, Cato Institute (December 1, 1999)

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Comments? (Subject: EUDirective)

[updated 07/26/03]

©2000-2003 All content subject to the Privacilla Public License.