The EU’s Law Enforcement Directive 2016/680 (LED) was adopted as the criminal justice counterpart to the General Data Protection Regulation. The objective was to ensure a common and consistent level of protection for personal data processed by police, prosecutors, and judicial authorities, while enabling effective cooperation within the European Union and beyond. Yet nearly ten years after its adoption in 2026, the gap between that objective and the reality experienced by criminal justice authorities has become increasingly stark.
What was intended as a modern, enabling framework has instead evolved into a significant structural impediment to the effective prevention, detection, investigation, and prosecution of crime. Nowhere is this more apparent than in the fight against serious and organised crime, including drug trafficking, human trafficking, and transnational criminal networks that operate with speed, secrecy, and technological sophistication. The uncomfortable truth is that the LED, as currently designed and interpreted, is not merely imperfect; it is actively hampering the operational effectiveness of those tasked with protecting public safety.
At the heart of the problem lies a fundamental legislative misjudgement: the decision to transplant data protection concepts and principles, developed primarily for consumer protection, into the different environment of criminal justice, without sufficient recalibration. The absence of recalibration has produced a framework that prioritises regulatory symmetry regarding personal data over the operational realities of criminal justice. The consequences have been limits on the ability of the criminal justice system to uphold the safety and security of society.
From its inception, the LED was framed as part of the EU’s broader data protection reform package. Negotiated alongside the GDPR, it was shaped by a powerful impulse toward legal and practical consistency in data protection. Concepts such as purpose limitation, data minimisation, storage limitation, data subject rights, and restrictions on international data transfers were deliberately aligned across both instruments. This alignment was presented as a virtue: a coherent EU data protection “family” of laws, including also the slightly later (2018) EU Data Protection Regulation (EUDPR) for data processing by EU Institutions.
Yet this coherence was achieved at the expense of contextual understanding. Data processing in criminal justice is not a variant of commercial data processing; it is a fundamentally different activity. By failing to operationalise this distinction, the LED inherited assumptions that do not hold in criminal justice.
For effective operational capacity in law enforcement, authorities require rapid, flexible data exchange to respond to transnational crime, terrorism, and cyber threats. Yet the directive’s procedural safeguards, consent requirements, and limitations on data use have slowed down these processes. Instead of building a seamless network of cooperation, the directive has created obstacles that discourage proactive information sharing, thereby impacting law enforcement and judicial cooperation.
For example, Article 6 LED creates complications requiring clear distinctions to be made for different categories of data subjects. This applies to suspects, those convicted, victims or individuals who may be victims, and other parties to a criminal offence. When it comes to suspects, other parties, and individuals convicted, strict differentiations of categories are not easily possible, as these roles are often fluid or overlapping. The result is an administrative burden of constant updating of the categories, which in turn delays investigations and complicates the exchange of intelligence between Member States.
Another example exists with Article 7 of the Directive, calling for data accuracy, whereby a distinction is to be made between “factual” versus “opinion-based” reporting. Given that law enforcement work inherently relies on subjective witness accounts and preliminary leads developed through experience-based intuition, requiring officers to document and verify these distinctions to a high data-protection standard hinders operations. Full adherence to Article 7 impacts the rapid sharing of information and intelligence, which is often critical in the early stages of serious crimes, counter-terrorism or organised crime investigations.
A more in-depth discussion on such anomalies can be found here.
This does not mean that striving to ensure data protection in criminal justice should not be an objective to be pursued. The point is that adopting a commercial-based standard designed to uphold consumer rights does not easily translate into the operational realities of criminal justice. Criminal justice systems across the EU already have a range of safeguards addressing privacy rights and evidentiary standards through national, regional, and international human rights standards that are applicable in the processing of personal data in crime and judicial matters. These standards also have oversight authorities through the judicial systems of the Member States, which have specific criminal justice standards to uphold. While the LED may be seen as positive for raising data protection across society, it has not delivered the intended improvements in law enforcement or judicial cooperation.
The most acute and damaging manifestation of the mismatch in applying commercial/consumer regulatory approaches to criminal justice is found in the LED’s rules on international data transfers. Transnational cooperation is the lifeblood of modern law enforcement. Organised crime does not respect borders; it exploits them. Drug supply chains, terrorism planning, trafficking routes, financial flows, and command structures span continents, not jurisdictions. Effective policing, therefore, depends on the rapid, secure, and trusted exchange of information with partners both within and outside the EU.
The LED approaches international data transfers through a structure closely modelled on the GDPR, emphasising adequacy decisions, appropriate safeguards, and narrowly construed derogations. In doing so, it largely ignores the dense web of existing legal frameworks that have governed law enforcement cooperation for decades. Mutual legal assistance treaties, bilateral police agreements, Council of Europe conventions, and operational arrangements involving EU agencies already embed strong procedural safeguards, including judicial or prosecutorial oversight, purpose limitation tied to concrete investigations, audit requirements, strict rules and criminal sanctions for misuse.
Rather than recognising these safeguard mechanisms as constituting a coherent and robust system of protection, the LED superimposes an additional layer of data protection compliance. Law enforcement authorities are often required to conduct parallel assessments, document transfer justifications in GDPR-style terms, and navigate legal uncertainty about whether long-standing cooperation channels remain lawful under EU data protection law.
This is not a neutral administrative burden. In time-sensitive investigations into organised crime networks, delay is itself a form of failure. Intelligence that arrives too late may be operationally useless. Hesitation in sharing data with trusted partners can fracture joint investigations and weaken collective responses. In some cases, authorities report a reluctance to share information at all, for fear of regulatory repercussions, a chilling effect that criminal organisations are quick to exploit.
The LED’s problems extend beyond international cooperation. More broadly, the impact of the LED has resulted in adherence to data protection standards that exceed what is necessary to safeguard the rights of individuals engaged with the criminal justice system. Data protection is necessary in the course of surveillance, investigations, and cooperation between authorities, but the LED, with its GDPR-style demands, offer little demonstrable additional protection beyond what criminal procedure law already provides.
Criminal justice systems in EU Member States already possess a range of safeguards for suspects, accused, and witnesses. The collection, use, and retention of personal data are governed by detailed procedural rules, judicial authorisation requirements, evidentiary standards, and remedies for abuse. These safeguards are specifically designed to balance individual rights against the public interest in prosecution and prevention of crime. The safeguards begin at the national level, and are overseen by regional measures through the European Convention on Human Rights, and international measures with the International Covenant on Civil and Political Rights.
The European and international human rights oversight of criminal justice systems is much better placed and more experienced in applying the necessary proportionality considerations in relation to data protection, in addressing criminal matters. The LED attempts to overlay this landscape with a second, parallel set of obligations that are not always attuned to the realities of criminal justice. Restrictions on data subject rights are formally permitted, but in practice framed so narrowly that authorities must constantly justify what should be self-evident: that access, rectification, or erasure rights cannot be exercised in ways that compromise investigations or judicial proceedings. This has fostered a defensive compliance culture in which law enforcement agencies devote increasing resources to documentation and legal risk management, rather than operational effectiveness.
Crucially, there is little evidence that this additional layer of regulation has significantly improved the protection of individual rights in the criminal justice context. What it has indisputably impacted is the complexity and fragility of the legal environment in which law enforcement operates. Added to this, the absence of common approaches or consistency of application in relation to either the LED or GDPR has created a highly fragmented system where cooperation is very time-consuming for matters of little added value.
What has occurred under the LED is not a careful contextual adaptation, but a form of rights transposition that risks distorting both objectives. Interpretations of data protection rights developed with consumers are increasingly being applied to suspects, organised crime actors, and transnational criminal networks, without sufficient differentiation. Proportionality assessments modelled on commercial data protection do not translate cleanly into investigations where delay can mean lost evidence, compromised sources, or continued victimisation. Transparency obligations that make sense in consumer contexts can, in law enforcement, alert suspects to investigative techniques or expose informants to retaliation. Data protection is a fundamental right in the EU for good reasons, but it cannot be applied across all aspects of society without consideration of the context and the human rights of others in society.
The impact of the LED has placed law enforcement authorities across the EU under mounting strain that is detrimental to addressing serious crimes. Resources are finite. Every hour spent navigating duplicative data protection assessments is an hour not spent analysing intelligence, protecting victims, or dismantling criminal networks. Every delay in cross-border data exchange increases the operational advantage of highly mobile and adaptive criminal organisations.
This is not a speculative concern. Practitioners increasingly describe the LED as an obstacle rather than an enabler. While comprehensive quantitative studies remain limited, the qualitative evidence from operational experience is consistent and troubling. The balance between rights protection and effective law enforcement has tilted too far, to the point where public safety itself is at risk. Even within EU policy circles there is recognition that the Law Enforcement Directive is not working smoothly in practice. The European Commission’s first evaluation report in 2022 acknowledged outstanding issues in the LED’s application, including divergences and data transfer challenges across Member States — and the current 2026 review is explicitly tasked with assessing whether the framework should adapt to technological and operational realities.
It is tempting to view these problems as teething issues, capable of being resolved through guidance, best practices, or targeted amendments. That view underestimates the depth of the problem. The LED’s shortcomings are not merely technical; they are structural. They stem from a foundational choice to model law enforcement data protection on a framework designed for an entirely different domain.
What is required is not fine-tuning, but rethinking and recalibration. A genuinely effective law enforcement data protection regime would start from the realities of criminal justice. It would recognise the human rights protections that already exist in criminal procedure and judicial oversight as primary safeguards. It would treat international law enforcement cooperation as a distinct and legitimate category, rather than a derogation from a market-based norm. And it would articulate a context-sensitive application of human rights protection in criminal justice that protects individuals without paralysing those tasked with enforcing the law.
The forthcoming report by the European Commission on the application of the Law Enforcement Directive, due to be published in May, represents a critical moment. If the review confines itself to questions of implementation and compliance, it will fail to address the real problem. If, however, it acknowledges that the LED in its current form is misaligned with the realities of modern law enforcement, it could open the door to meaningful reform.
Organised crime, drug trafficking, and human trafficking are not abstract policy challenges. They are real, evolving threats that cause profound harm to individuals and societies across Europe. A data protection framework that systematically undermines the ability of law enforcement to respond to these threats is not a success story of fundamental rights protection; it is a policy failure.
The current trends towards upholding a data protection framework created for commercial activity over and above the operational needs of criminal justice have not provided more effective law enforcement or cooperation between criminal justice authorities. Instead, it has contributed to a gradual expansion of regulatory expectations that are increasingly disconnected from operational necessity. Supervisory authorities and courts, acting understandably in a rights-maximising tradition, have little legislative guidance on how to recalibrate these rights for criminal justice realities. The result is regulatory creep, legal uncertainty, and growing hesitation around the use of advanced investigative tools—precisely at a time when criminal organisations are rapidly adopting their methods to new technologies.
As new technologies continue to develop and further regulatory regimes are drawn up, as with AI, the matter is only going to become more complicated. The operational realities of the criminal justice system need greater attention in the development of relevant frameworks to minimise administrative burdens. The EU has the opportunity, and the responsibility, to correct course.
A recalibration of the Law Enforcement Directive is not an attack on data protection. It is a necessary step to ensure that data protection law serves both fundamental rights and the equally fundamental obligations upon the state to ensure the rights of all citizens to security and justice.
22 January, 2026
Rond Point Schuman 6 | Box 5
1040 Brussels | Belgium
info@privacynext.eu
Copyrights © 2026 PrivacyNext.eu | Privacy Policy | Cookie Policy Webdesign & Development by ALYS
