During its latest plenary, the European Data Protection Board adopted a report to support the European Commission’s evaluation of the Law Enforcement Directive (LED).
The Commission must submit its report on the evaluation and review of the LED to the European Parliament and to the Council by 6 May 2026. It consulted with the European data protection authorities (DPAs) on the application and functioning of the LED.
The EDPB facilitates cooperation and coordination between DPAs when supervising law-enforcement processing. The EDPB Secretariat also provides the Secretariat of the Coordinated Supervision Committee (CSC) which aims to make sure that there is coordinated supervision of large-scale IT systems and EU bodies and agencies in the areas of law enforcement and criminal justice.
In its report, the EDPB highlights the key role of the LED in protecting personal data in the law enforcement context. DPAs have increasingly advised competent national authorities on mitigating data breaches, while many DPAs have also carried out awareness-raising activities and issued guidance.
The EDPB takes note of the request from DPAs to get more clarity on the scope of the LED, in particular, in relation to the GDPR, and to address more thoroughly the challenges posed by the growing use of new technologies, such as AI, in the law enforcement context. The EDPB highlights the need for law enforcement authorities to use these tools in strict compliance with the LED, ensuring that their use is necessary, proportionate, and subject to adequate safeguards.
According to the EDPB, due to case law that has developed since the last evaluation of the Directive, it is essential to further strengthen the national implementation of the LED across the EU. In addition, the role of Data Protection Officers should be reinforced to ensure the effective and consistent application of data protection rules in law enforcement activities.
The report also points to the need for improved cooperation, both among competent authorities responsible for the LED and among law enforcement authorities more broadly.
Finally, the EDPB emphasises that DPAs and the EDPB need additional financial and human resources, to carry out new tasks arising from new laws, including responsibilities linked to the CSC, whose activities now also include the supervision of systems such as the Visa Information System (VIS), Prüm II, and the Entry-Exit System (EES).
BCRs
The EDPB also adopted recommendations on the application for approval and on the elements and principles to be found in Processor Binding Corporate Rules (BCR-P).These recommendations form an update of the existing BCR-P referential, which contains the criteria for BCR-P approval, and merge it with the standard application form for BCR-P.
BCR-Ps are a transfer tool that can be used by a group of undertakings or enterprises to transfer personal data outside the EEA to processors within the same group. BCRs create enforceable rights and set out commitments to establish a level of data protection essentially equivalent to the GDPR.
The new recommendations build on the agreements reached and the experience gained by DPAs about BCR-P applications since the GDPR came into force, as well as on the work carried out in the context of the updated Recommendations on Controller Binding Corporate Rules (BCR-C).
The recommendations provide clear criteria and explanations to help to make sure that BCR-P developed by groups of undertakings or enterprises are compliant with the GDPR. The recommendations clarify when BCR-P can be used, ie only for intra-group transfers between processors, when the controller is not part of the group.
In addition, the recommendations clarify that the BCR-P are designed to meet the requirements of Article 28(4) GDPR. This means that any processor within the Group using BCR-P does not need to sign a separate sub-processing agreement with each sub-processor in the Group.
The consultation on the recommendations ends on 2 March 2026.
Opinion on the Digital Omnibus
The EDPB members discussed the upcoming joint opinion on the Digital Omnibus, which is scheduled for adoption at the February plenary meeting.
