Op-Ed: “The EDPB Adequacy referential for the Law Enforcement Directive: the quest for more clarity for personal data transfers in a law enforcement context continues”

Pers / media: !!Expert Comment


Despite becoming applicable nearly at the same time as the General Data Protection Regulation 679/2016 (‘GDPR’), the Law Enforcement Directive 680/2016 (‘LED’) has so far lived a shadowed existence. There was in particular a notable absence of any activity concerning it from national data protection authorities and the European Data Protection Board (‘EDPB’).

This finally changed last week. On 2 February 2021, the EDPB published its first guidance ever on the LED – ‘Recommendations 01/2021 on the adequacy referential under the Law Enforcement Directive’ (‘Recommendations 01/2021’). With the topic of adequacy, the EDPB chose a complex area for its first recommendation for the law enforcement sector – namely that of international personal data transfers. As a reminder, the LED has a scope limited to law enforcement authorities processing personal data for police purposes (defined in Article 1(1) LED). Data transfers are not defined in the LED, and their precise meaning can be heavily debated. Presumably, any making accessible of personal data to actors outside the EU constitutes a transfer. Like the GDPR, the LED includes general principles for transfers (Article 35 LED) and three different avenues for them to take place: adequacy decisions, appropriate safeguards and derogations (Articles 36, 37 and 38 LED). In its recommendation, the EDPB now advises the Commission on one of these three avenues – adequacy decisions.

Periode8 feb 2021