The governance of data protection is the topic of the day; especially, in the European Union, there has been nearly 20-year of history of governing personal data. In this thesis, it is intended to get into the nitty-gritty of the aftermaths the legislation of 1995’s Data Protection Directive, including the challenges that EU faced in such course of data protection, and the beginning of the legislative process of 2016’s General Data Protection Regulation, or GDPR, which was later served as the replacement of 1995’s Data Protection Directive. The thesis is separated into two parts; in the first part, we lays out the difference of the outgoing and incoming data protection of the EU. In the second part of the research, we are intended to narrow down these differences by observing the legislative process of GDPR. By the help of the approach of Multi-level governance, it also grants clear picture of the identification of different actors from different levels in the EU. After the enacting of Data Protection Directive, following the integration of the EU, sub-national actor, such as Data Protection Agencies, gradually lost their say on such issue. On the other hand, supra-national actors, such as the EU Commission and the European Parliament are gaining their authority and power over the topic of data protection. The interest groups, which can easily transcend the traditional national borders, were also teamed up with each other in the EU level for getting involved in the legislative process of GDPR. Data Protection Issue in EU is becoming an issue of left-right ideology spat instead of fully national concerns. Most importantly, the systemic design of the EU allows all actors to chip in either the governance of data protection or the legislative progress of the new data protection law—GDPR.