Lesson 04 of 25

From Directive 95/46 to the GDPR: The Legislative Framework

5 min read · CIPP/E

See why the EU swapped a fragmented directive for a single harmonising regulation, and place the ePrivacy, Law Enforcement, e-Commerce, NIS2, and AI Act instruments in context. Recognise every law the exam cites by number.

Directive 95/46: the predecessor

  • EU Data Protection Directive 95/46/EC — adopted 1995
  • A directive: each state passed its own law
  • Result: 28 fragmented national regimes
  • Repealed and replaced by the GDPR in 2018

The GDPR did not appear from nowhere. Its predecessor was Directive 95/46/EC, the EU Data Protection Directive of 1995. Now here is the key concept: it was a directive, not a regulation.

A directive sets out a result that member states must achieve, but each state writes its own national law to get there. The consequence was twenty-eight different national data protection laws across the EU, similar in spirit but inconsistent in detail, which made compliance for cross-border businesses genuinely difficult. Directive 95/46 was repealed when the GDPR took effect on 25 May 2018.

You should recognise 95/46 as the law the GDPR replaced.

Why a regulation, not another directive

  • GDPR = Regulation (EU) 2016/679
  • A regulation applies directly in every member state
  • Harmonisation: one rulebook, fewer national variations
  • Adopted 2016, applicable from 25 May 2018

When the EU modernised the law, it deliberately chose a different instrument. The General Data Protection Regulation is Regulation (EU) 2016/679. A regulation, unlike a directive, applies directly and uniformly in every member state without each one passing its own version.

That is the whole point of the GDPR: harmonisation, one rulebook for the entire Union. The exam expects you to explain that a regulation harmonises more than a directive did, and that this was the reason for the switch. It is not perfectly uniform; member states retained some flexibility in certain areas, for example the age of digital consent and rules for employment data. But it is far more harmonised than the patchwork of 95/46.

One more point of vocabulary for the exam: a regulation is binding in its entirety and directly applicable, whereas a directive binds member states only as to the result and leaves the form and methods to national law. That single contrast explains most of the difference between the old regime and the new one.

The ePrivacy Directive and cookies

  • Directive 2002/58/EC — privacy in electronic communications
  • Amended in 2009 — the 'cookie law'
  • Governs cookies, electronic marketing, traffic data
  • Sits alongside the GDPR; a proposed ePrivacy Regulation is pending

The GDPR is not the only instrument you must know. Directive 2002/58/EC, the ePrivacy Directive, governs privacy in the electronic communications sector: things like cookies, electronic direct marketing, and traffic and location data. It was amended in 2009, and that amendment is why websites must obtain consent before storing non-essential cookies; people often call it the cookie law.

The ePrivacy Directive sits alongside the GDPR and is more specific, so for cookies and email marketing it often takes the lead. A note for the exam and for currency: a long-proposed ePrivacy Regulation was meant to replace this directive, but it has not yet been adopted, so the 2002/58 directive remains in force. We will return to cookies in Domain five.

The Law Enforcement Directive and e-Commerce

  • Directive 2016/680 — police and criminal-justice processing
  • The GDPR's 'sister' instrument; adopted the same day
  • Directive 2000/31/EC — e-Commerce Directive
  • Different scopes — don't apply the GDPR where 2016/680 governs

Two more directives round out the framework. Directive 2016/680, the Law Enforcement Directive, governs the processing of personal data by police and criminal-justice authorities for preventing, investigating, and prosecuting crime. It was adopted on the same day as the GDPR and is sometimes called its sister instrument; the GDPR generally does not apply where the Law Enforcement Directive does.

And the older Directive 2000/31/EC, the e-Commerce Directive, set early rules for online services and intermediary liability. For the exam, simply recognise these by number and know that each carves out its own domain so you do not apply the GDPR where one of them governs instead.

NIS2 and the EU AI Act

  • NIS2 — Directive (EU) 2022/2555 — cybersecurity for essential entities
  • EU AI Act — Regulation (EU) 2024/1689 — risk-based AI rules
  • Both interact with, but are separate from, the GDPR
  • The BoK lists them in Domain I.C

The current Body of Knowledge also asks you to place two newer instruments. NIS2, Directive (EU) 2022/2555, is the EU's second Network and Information Security Directive; it raises cybersecurity obligations for essential and important entities, and although it overlaps with the GDPR's security duties, it is a separate regime with its own incident-reporting rules. The EU Artificial Intelligence Act, Regulation (EU) 2024/1689, sets risk-based rules for AI systems, banning some uses outright and tightly regulating high-risk ones.

It is not data protection law as such, but it interacts heavily with the GDPR wherever AI processes personal data. You will not be examined deeply on these, but you should know they exist and roughly what they do.

Recap

  • 95/46 directive → GDPR regulation (more harmonised)
  • ePrivacy 2002/58 for cookies and e-marketing
  • 2016/680 for law enforcement; 2000/31 for e-commerce
  • NIS2 and the AI Act sit alongside the GDPR

Here is the framework in one breath. The old Directive 95/46 was replaced by the GDPR, Regulation 2016/679, and the move from a directive to a regulation gave Europe a single, more harmonised rulebook. The ePrivacy Directive, 2002/58, handles cookies and electronic marketing.

The Law Enforcement Directive, 2016/680, handles policing, and the e-Commerce Directive, 2000/31, handles online services. NIS2 and the EU AI Act are newer neighbours that interact with the GDPR without replacing it. Next, we finish Domain one by looking at harmonisation, Brexit, and the goals the GDPR was actually written to achieve.

Go test yourself on the legislative framework.

Sources

  • Directive 95/46/EC (repealed)
  • Regulation (EU) 2016/679 (GDPR)
  • Directive 2002/58/EC (ePrivacy Directive, as amended by 2009/136/EC)
  • Directive 2000/31/EC (e-Commerce Directive)
  • Directive 2016/680 (Law Enforcement Directive)
  • Directive (EU) 2022/2555 (NIS2)
  • Regulation (EU) 2024/1689 (EU AI Act)

Test your knowledge

A few CIPP/E questions on this material.

  Q1. An EU exporter wants to send personal data to a vendor in a country with no adequacy decision. Which mechanism is the most common appropriate safeguard for this transfer?

  Q2. What was the lasting practical effect of the Schrems II decision (C-311/18) on transfers made using standard contractual clauses?

  Q3. Under Article 35, when must a controller carry out a data protection impact assessment (DPIA)?

  Q4. The Charter of Fundamental Rights of the EU contains two articles relevant to data protection. What is the key distinction between Article 7 and Article 8 of the Charter?
