
The GDPR – What led to it following Directive 95/46/EC?

by Dr Edric Micallef Figallo – Associate

The following is the fifth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed here.

This article will give a brief overview of what led to the GDPR following Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter “Directive”.

As stated in the previous article in this series: “The importance of the Directive was that for the first time within the EU, the EU legislature adopted a legislative instrument which provided for greater harmonisation for data privacy law within the bloc.” In effect, the EU legislator deemed that such a level of harmonisation no longer met contemporary needs, and resorted to drafting and giving force to a Regulation, which under EU law has direct applicability in all EU Member States and becomes part of the legal order of the Member States without needing further intervention. In fact, the preamble to the GDPR states that:

“(9) The objectives and principles of Directive 95/46/EC remain sound, but it has not prevented fragmentation in the implementation of data protection across the Union, legal uncertainty or a widespread public perception that there are significant risks to the protection of natural persons, in particular with regard to online activity. Differences in the level of protection of the rights and freedoms of natural persons, in particular the right to the protection of personal data, with regard to the processing of personal data in the Member States may prevent the free flow of personal data throughout the Union. Those differences may therefore constitute an obstacle to the pursuit of economic activities at the level of the Union, distort competition and impede authorities in the discharge of their responsibilities under Union law. Such a difference in levels of protection is due to the existence of differences in the implementation and application of Directive 95/46/EC.

(10) In order to ensure a consistent and high level of protection of natural persons and to remove the obstacles to flows of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. Consistent and homogenous application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data should be ensured throughout the Union. (omissis)”

The GDPR essentially came about for two reasons: (i) the above requirement of having a consistent EU-wide data protection regime, which accounts for the said choice of legislative instrument; and (ii) the aim of implementing new and better data protection safeguards and rights for data subjects.

What is new for the data subject?

The GDPR is a more comprehensive regime and also introduces new and additional rights for data subjects when compared to the Directive. These include, amongst others, the right to data portability and the right to erasure.

The data portability right allows the data subject to receive the personal data concerning him or her, as provided to a controller, in a structured, commonly used and machine-readable format, and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

The right to erasure, also referred to as the right to be forgotten, is a new right under the GDPR which, in brief, provides that the “data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”

The above rights are subject to limitations, and there are also other obligations provided by the GDPR, of which some are new, and which we shall be dealing with in coming articles.


Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on