On 23 September 1980, the Organisation for Economic Co-Operation and Development adopted a set of guidelines concerning data protection and transborder data flows. Following on from those guidelines, the EU enacted the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (the “Convention”) in 1981. Within the EU, Member States had divergent laws on data protection and the EU took the view that it would be better to harmonise the laws of all Member States so that people could look to one standard when conducting Processing activity within the EU. At least, that was one of the aspirations. In 1995, after years of discussion the European Data Protection Directive 95/46 EC (the “Directive”) was eventually adopted.
Unfortunately, the Directive only sets out the minimum standard of data protection for Member States to implement. Member States are entitled to keep or to implement data protection rules which surpass the standard of the Directive. That, coupled with the fact that the Directive leaves Member States with some choices on the implementation of certain areas, means that complete harmonisation of data protection law throughout the EU has not occurred. As a result, businesses Processing data in more than one Member State need to be aware of the data protection legislation in each Member State. Nevertheless, the Directive sets out the minimum standard that all Member States are obliged to respect.