Brussels, 19 January - During its latest plenary, the EDPB adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED). 

The Commission has to submit its public report* on the evaluation and review of this Directive to the European Parliament and to the Council by 6 May 2026. Ahead of this, the Commission gathered the views of the European Data Protection Authorities (DPAs) on the application and functioning of the LED over the period from January 2022 to 31 August 2025.**

“We welcome the European Commission’s regular evaluations of the application of the LED, and we are committed to providing our expertise for these evaluations to ensure that the LED continues to uphold high data protection standards in the law enforcement context.”
EDPB Chair, Anu Talus

The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which ensures coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice. 

In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.

The EDPB takes note of the request from DPAs to get more clarity on the scope of the LED, notably its boundary with the GDPR, and to address more thoroughly the challenges posed by the growing use of new technologies, such as AI, in the law enforcement context. The EDPB highlights the need for law enforcement authorities to use these tools in strict compliance with the LED, ensuring that their use is necessary, proportionate, and subject to adequate safeguards. 

According to the EDPB, in the context of the case law that developed since the last evaluation of the directive, it is essential to further strengthen the national implementation of the LED across the European Union. In addition, the role of Data Protection Officers (DPOs) should be reinforced to ensure the effective and consistent application of data protection rules in law enforcement activities.

The report also points to the need for improved cooperation, both among competent authorities responsible for the LED and among law enforcement authorities more broadly.

Finally, the EDPB underlines that both DPAs and the EDPB need additional financial and human resources, to carry out new tasks arising from recent legal acts, including responsibilities linked to the CSC, whose activities now also include the supervision of systems such as the Visa Information System (VIS), Prüm II, and the Entry Exist System (EES). 

Next, the EDPB adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).

These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P. 

BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the European Economic Area to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the one provided by the GDPR. 

The new recommendations build upon the agreements reached and the experience gained by DPAs in the course of approval procedures on concrete BCR-P applications since the entry into application of the GDPR, as well as upon the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C). 

The recommendations provide clear criteria and explanations to ensure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, namely only for intra-group transfers between processors, when the controller is not part of the group. 

In addition, the recommendations clarify that the BCR-P are designed to meet the requirements of Article 28(4) GDPR. This means that any processor within the Group using BCR-P does not need to sign a separate sub-processing agreement with each sub-processor in the Group.  

The recommendations will be open to public consultation until 2 March 2026. 

The EDPB members also held an exchange of views on the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.

Note to editors
*The legal basis for the Commission’s action is Art. 62 of Directive (EU) 2016/680 (Law Enforcement Directive), which requires the Commission to evaluate and report on the application of the Directive.

**See also the European Commission Report on the application of the Law Enforcement Directive, COM(2022) 364 final, to which the EDPB contributed.