The European Directive of the 90s: when the EU got serious about privacy

Today we all talk about the GDPR as if it had always existed. But no, before that there was the EU’s first major attempt to bring order to the issue of privacy: Directive 95/46/EC, approved in the mid-90s. And believe me, it was a huge leap at the time.

Why was a directive needed?

Think of Europe in the 90s: each country had its own approach to data protection rules. Some had quite advanced laws (Germany, France), others were lagging behind. The problem was obvious: data was beginning to flow more and more between countries, and without a common framework it was chaos.

The EU’s idea was simple: if we want trust in the single market and want companies to operate at a European level, we need basic rules of the game that apply equally to everyone.

The basic principles

The Directive introduced several principles that today seem like common sense, but at the time were new:

  • Information and transparency: people had to know what data was collected and for what purpose.

  • Consent: no using your data without permission (except in justified cases).

  • Proportionality: collecting only the data needed, not a “just in case”.

  • Data quality: keeping information up to date and accurate.

  • Security: protecting data against unauthorized access or loss.

Rights for individuals

The Directive also recognized rights for citizens which, notably, were the seed of what we now know as ARCO rights:

  • Access: being able to know what data they held about you.

  • Rectification: correcting errors.

  • Erasure: requesting data to be deleted when it was no longer needed.

  • Objection: refusing certain types of processing.

These rights marked a turning point, because we went from being passive subjects (the administration or company decided everything) to having a say in how our data was used.

International transfers

Another important point was the transfer of data outside the EU. The Directive stated: data may only be sent to countries that offer an adequate level of protection. This, in practice, opened an endless debate about whether the United States provided sufficient guarantees… a debate that continues today.

The legacy

Directive 95/46/EC wasn’t perfect. It was complex, allowed room for states to interpret it, and over time it fell short in the face of the explosion of the Internet and social networks. But without it, the GDPR wouldn’t exist. It was the EU’s first serious step in saying: “privacy matters, and here are the rules”.

Looking back, this Directive was like the dress rehearsal before the main act of the GDPR. It taught us that without common rules, privacy is left in no-man’s-land. And also that citizens can’t be ignored: they must have clear rights regarding their own data.

In short: the 90s weren’t just the era of Eurodance and Tamagotchis — it was also when Europe began to take data protection seriously. And we still feel the effects today.