The Data Protection Directive, Directive 95/46/EC
Directive 95/46/EC, the Data Protection Directive, passed by the European Parliament and Council in 1995, regulates the processing of personal data in the European Union. Its official title is "Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data". As discussed in the Tip of the Night for March 27, 2016, Article 26(2) of the Directive allows for data to be transferred using model contracts outside the safe harbor framework, and Article 26 also states conditions under which data can be transferred to third countries that don’t provide an adequate level of protection. See the Tip of the Night for February 27, 2016.
The Directive itself has a very broad scope and does not just apply to data in which a person is explicitly identified. It covers any data that can be used, even indirectly, to make a connection to a specific individual, even if the person possessing the data cannot make the connection themselves. Processing includes collecting, disclosing, and erasing data.
Processing can only take place if three conditions are met:
1. Transparency - the individual is aware that his or her data is being processed. The controller has to provide their contact information and also disclose the purpose for the processing and the recipients of the processed data.
2. Legitimate Purpose - The data cannot be processed in a way that is incompatible with explicit legitimate purposes.
3. Proportionality - the collected data has to be relevant for the purposes for which it is collected. If the data is inaccurate, an effort must be made to make sure that it is corrected.
Article 14 allows the data subject to object to the processing of the data for direct marketing.
Article 15 gives, "the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc."
Each state that participates in the Data Protection Directive has to establish a supervisory authority responsible for starting legal proceedings when the directive has been violated. The controller files a report concerning the processed data with the authority, which then files it in a public register.
Article 29 Working Parties were created under the Data Protection Directive to monitor the extent to which personal data is protected in countries outside the EU.
The Data Protection Directive is not legally binding on EU states. The states have to convert the principles of the directive into their own local laws.
As the Tip of the Night for April 13, 2016 noted, the Data Protection Directive will be replaced in 2018 by the General Data Protection Regulation.