The European Union’s framework for judicial cooperation has evolved significantly over recent decades, reflecting the increasingly transnational character of serious crime. Within this framework, Eurojust performs a central coordinating function, supporting national authorities in the investigation and prosecution of cross-border criminal activity. The effectiveness of Eurojust’s mandate, however, depends in part on the availability of legally certain mechanisms for exchanging operational personal information in its cooperation with third countries.
The 2025 evaluation of the Eurojust Regulation by the European Commission identifies persistent constraints affecting international cooperation, most notably the limited availability of adequacy decisions under Article 57 and legally binding international cooperation agreements under Article 58(1)(a). These provisions constitute the principal legal pathways through which Eurojust may exchange personal data with non-EU partners. Their practical application is therefore directly linked to the operational capacity of Eurojust in an international context.
Adequacy decisions under the Law Enforcement Directive (LED), available for use not only by Member State law enforcement authorities but also by Eurojust, are designed to ensure that personal data transferred to third countries remains subject to safeguards that are essentially equivalent to those guaranteed within the European Union. In principle, this mechanism provides a balance between legal certainty and a high standard of protection for fundamental rights. In practice, however, the number of adequacy decisions adopted under the Directive remains highly deficient. To date, only the United Kingdom has been recognised as providing an adequate level of protection for the purposes of the LED. The United Kingdom’s position is widely understood as reflecting its prior status as a Member State of the European Union and its historical alignment with EU data protection standards.
Nearly eight years after the entry into force of the LED, no additional adequacy decisions have been adopted by the European Commission. This situation hints at a structural problem that warrants careful consideration, particularly in light of the European Union’s policy objective of strengthening international cooperation in response to transnational crime. While multiple factors may be contributory, the main problem concerns the structural alignment between the Law Enforcement Directive and the General Data Protection Regulation.
However, the replication of GDPR-style safeguards into the law enforcement domain introduces complexities arising from the differing institutional and operational environments in which these regimes function. The GDPR was developed primarily within a commercial and consumer protection context, addressing risks associated with private-sector data processing. Law enforcement data processing, by contrast, is conducted by public authorities operating under statutory mandates, procedural constraints, and judicial oversight mechanisms. These distinctions do not diminish the importance of robust data protection safeguards, but they may influence how regulatory obligations are interpreted and applied in practice.
A related consideration concerns the interaction between the requirements introduced by the LED and safeguards already embedded within EU and national criminal justice systems. Many protections relevant to the handling of personal data are integral to criminal procedural frameworks. These include rules governing the lawfulness of evidence collection, standards of relevance and proportionality, judicial authorisation requirements, confidentiality/security obligations, and various oversight mechanisms. The LED introduces additional regulatory obligations in areas such as data security, logging, data quality, and accountability. While these obligations reinforce formal protections, their relationship with pre-existing procedural safeguards may generate interpretative and operational challenges.
Such complexity may be particularly relevant in the context of cross-border cooperation. International data exchanges require legal certainty, clarity of obligations, and administrative efficiency. Where regulatory requirements overlap with procedural safeguards operating under different legal logics, competent authorities may encounter increased compliance burdens and legal uncertainty. These effects may influence both the timeliness and predictability of cooperation processes.
The concept of essential equivalence, which underpins adequacy assessments, presents an additional area for reflection. Third countries are required to demonstrate safeguards comparable to those provided under EU law. Given the distinctive nature of the GDPR and Law Enforcement Directive framework, many third countries do not replicate EU-style provisions in a directly comparable form. However, divergence in legal architecture does not necessarily imply the absence of effective safeguards. Third-country legal systems may provide protections through alternative mechanisms, including constitutional rights frameworks, criminal procedure guarantees, judicial supervision, sector-specific legislation, and institutional oversight bodies.
A predominantly formal comparison based on structural similarity may therefore encounter difficulties in capturing functional equivalence across diverse legal systems. In this context, consideration may be given to assessment methodologies that place greater emphasis on the effectiveness of safeguards in practice. A context-sensitive approach could evaluate whether third-country systems achieve comparable protective outcomes, rather than focusing primarily on textual alignment with EU regulatory structures. Such an approach would not alter the objective of ensuring a high level of data protection, but it may contribute to greater clarity and predictability in adequacy determinations.
These considerations have direct implications for Eurojust’s cooperation framework. Adequacy decisions under Article 57 play a significant role in shaping Eurojust’s ability to engage with third countries. Where adequacy decisions remain limited, Eurojust must rely more extensively on alternative mechanisms provided under the Regulation, including international agreements and essential equivalence assessments. These mechanisms remain important components of the cooperation framework but may involve more complex or resource-intensive processes. The broader adequacy environment therefore has practical implications for the scope of international partnerships, the degree of legal certainty in data exchanges, and the administrative efficiency of cooperation arrangements.
The protection of personal data in the law enforcement domain remains a core requirement of EU law. At the same time, effective international cooperation is essential for addressing transnational criminal activity. These objectives are not inherently conflicting. Their alignment depends on regulatory frameworks that are both protective and operationally workable. A reassessment of adequacy criteria under the LED, particularly with regard to functional and systemic safeguards, may support enhanced legal certainty, reduced interpretative complexity, and more predictable cooperation pathways.
The evaluation of the Eurojust Regulation provides an opportunity to reflect on the broader legal ecosystem governing international cooperation. In particular, the experience of adequacy decisions under the Law Enforcement Directive suggests the potential value of context-sensitive assessment methodologies, greater recognition of functional safeguards, and enhanced predictability in adequacy determinations. Such considerations may contribute both to the protection of fundamental rights and to the effective functioning of EU judicial cooperation mechanisms.
13 February 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
