EU data privacy laws

European privacy law is grounded in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, which guarantee respect for private and family life and the protection of personal data. Similar protections appear in Article 8 of the European Convention on Human Rights. Under Article 16 of the Treaty on the Functioning of the European Union, the protection of personal data is recognized as a fundamental right, and EU institutions are empowered to legislate rules for data protection and the free movement of data, subject to oversight by independent authorities. The earlier framework of Directive 95/46/EC (Data Protection Directive) and Directive 2002/58/EC (E-Privacy Directive) established the foundation for EU privacy law. These have since been overtaken by more comprehensive legislation.

The General Data Protection Regulation (Regulation (EU) 2016/679), which entered into force in May of 2018, is now the central instrument of EU data protection law. The GDPR creates a uniform set of directly applicable rules across all member states, including enhanced rights for individuals, strict consent requirements, obligations for data controllers and processors, and significant penalties for noncompliance. The proposed E-Privacy Regulation (EDPR) was intended to replace the E-Privacy Directive. After years of stalled negotiations, the European Commission withdrew the proposal in 2025, citing both the absence of political consensus and its outdated scope. As a result, the E-Privacy Directive continues to regulate privacy in electronic communications, implemented through national laws.

The Data Governance Act (Regulation (EU) 2022/868), applicable since September 2023, establishes mechanisms for trustworthy data sharing and reuse across the EU. It creates a framework for data intermediaries, promotes the availability of public sector data for re-use, and sets conditions for cross-border data sharing in the public interest. The Data Act (Regulation (EU) 2023/2854), which went into force in September of 2025, expands the EU’s data strategy beyond personal information by creating rules for access to and use of data generated by connected devices and digital services. The Data Act seeks to ensure that users (rather than manufacturers or service providers) have meaningful control over the data their products generate. It also sets standards for fair business-to-business data sharing, requires transparency in terms of contracts, and introduces obligations for non-EU providers that place products or services on the EU market to maintain a representative within the European Union for oversight and enforcement.

[Last reviewed in September of 2025 by the Wex Definitions Team]
