2.4 From the 1995 Directive to the GDPR

Key Takeaways

  • Directive 95/46/EC required member states to transpose it into national law, which produced 28 fragmented regimes; the GDPR is a Regulation that applies directly and uniformly.
  • The GDPR (Regulation 2016/679) was adopted in April 2016 and became applicable on 25 May 2018, repealing the 1995 Directive.
  • A Regulation is directly applicable without national implementation, while a Directive sets goals each member state must transpose, allowing local variation.
  • The Law Enforcement Directive (LED, 2016/680) governs processing by police and criminal-justice authorities, and the ePrivacy Directive (2002/58/EC) covers electronic communications, cookies, and direct marketing.

Last updated: June 2026

Why the GDPR Replaced the 1995 Directive

Quick Answer: Directive 95/46/EC had to be transposed into each country's own law, creating fragmentation, inconsistent enforcement, and uncertainty for cross-border business. The GDPR (Regulation 2016/679), adopted in April 2016 and applicable from 25 May 2018, replaced it with a single directly applicable rulebook for all member states.

This transition is heavily tested. Fix the timeline cold: the Commission proposed the GDPR in 2012; it was adopted in April 2016; there was a two-year transition; and it became applicable on 25 May 2018, the date it repealed Directive 95/46/EC. Candidates routinely confuse "adopted" (2016) with "applicable" (2018) — the exam exploits that gap. The conceptual heart of the topic, though, is the difference between a Regulation and a Directive.

Regulation vs Directive

This is one of the most exam-relevant distinctions in Domain I:

Feature | Regulation | Directive
Legal effect | Directly applicable in all member states (Art. 288 TFEU) | Sets a result to achieve; must be transposed into national law
Uniformity | One identical text EU-wide | National variation permitted
Need for national law | None to take effect | Yes — each state passes implementing legislation
Examples | GDPR (2016/679) | 1995 Directive (95/46/EC); ePrivacy (2002/58/EC); LED (2016/680)

Because the GDPR is a Regulation, it does not require national implementing laws to take effect. However, it is not perfectly uniform: it contains roughly 50 "opening clauses" (also called derogations or margins of manoeuvre) that let member states add or vary detail — for example on the age of consent for information-society services (between 13 and 16), employee data, special-category data, and national identification numbers. Trap: the existence of opening clauses does not make the GDPR a Directive; it remains directly applicable, with limited, defined national customization.

The 1995 Data Protection Directive

Directive 95/46/EC was the EU's first comprehensive data protection law, with twin goals that survive into the GDPR's Article 1:

  1. Protect the fundamental rights of individuals regarding their personal data.
  2. Enable the free flow of personal data within the internal market.

Its weakness was structural. As a Directive, it generated 28 different national laws (one per member state of that era), with divergent definitions, supervisory powers, notification regimes, and penalty levels. A business operating across borders faced a costly patchwork, and regulators struggled to act consistently. The GDPR's drafters cured this in three ways:

  • Chose the Regulation instrument for one rulebook.
  • Added a one-stop-shop so a multinational deals primarily with a single lead supervisory authority.
  • Introduced harmonized, deterrent administrative fines — up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher, for the most serious breaches (a lower tier caps at EUR 10 million or 2%).

Worked example: under the 1995 Directive a fine for the same breach might be trivial in one state and significant in another; under the GDPR the ceiling is identical EU-wide, which is precisely the harmonization the exam expects you to identify as the upgrade.

Two further upgrades the exam tests: the GDPR introduced direct obligations on processors (the 1995 Directive regulated mainly controllers), and it expanded extraterritorial reach under Article 3 to non-EU businesses that offer goods/services to, or monitor the behaviour of, people in the EU. A US-only e-commerce site that ships to and tracks EU customers is therefore caught by the GDPR even with no EU establishment — something the 1995 Directive struggled to reach.

The Companion Instruments: LED and ePrivacy

The GDPR does not stand alone — two related instruments are tested:

  • Law Enforcement Directive (LED), Directive 2016/680 — adopted alongside the GDPR as part of the 2016 "data protection package." It governs processing of personal data by competent authorities for the prevention, investigation, detection, or prosecution of criminal offences or execution of penalties. Because it is a Directive, member states transpose it. Key exam point: police and criminal-justice processing falls under the LED, not the GDPR — the GDPR explicitly excludes that activity from its material scope (Art. 2).
  • ePrivacy Directive, Directive 2002/58/EC (amended by 2009/136/EC) — the "cookie law." It covers confidentiality of electronic communications, cookies and similar tracking (requiring consent for non-essential cookies), unsolicited direct marketing (the rules behind email opt-in/opt-out), and traffic/location data. It is lex specialis: where it applies, its specific rules take precedence over the general GDPR, though the GDPR's consent standard fills the gaps. A long-pending ePrivacy Regulation is intended to eventually replace it.

Instrument | Type | Scope
GDPR (2016/679) | Regulation | General personal-data processing
LED (2016/680) | Directive | Police / criminal-justice processing
ePrivacy (2002/58/EC) | Directive | Electronic communications, cookies, e-marketing

Worked scenario: a website sets advertising cookies and sends a marketing newsletter to EU users. The cookie consent and e-marketing opt-in rules come from the ePrivacy Directive (as transposed nationally), while the processing of the resulting personal data — lawful basis, retention, data subject rights — is governed by the GDPR. The two apply together, with ePrivacy as lex specialis on the consent-to-place trigger. If the same site is run by the national police to investigate crime, the LED governs instead.

Being able to route a fact pattern to the correct instrument — GDPR, LED, or ePrivacy — is exactly the skill Domain I rewards.

Test Your Knowledge

What is the central legal difference between the GDPR and the 1995 Data Protection Directive?


Processing of personal data by national police for the investigation of a criminal offence is governed primarily by which instrument?


The GDPR was adopted in April 2016 but did not become applicable until which date?
