Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities

22 Pages Posted: 10 Dec 2018 Last revised: 11 Dec 2021

See all articles by Juraj Sajfert

Juraj Sajfert

Vrije Universiteit Brussel (VUB) - LSTS, Interdisciplinary Research Group on Law Science Technology & Society

Teresa Quintel

European Centre on Privacy and Cybersecurity ; Universite du Luxembourg; Uppsala University

Date Written: December 1, 2017


In May 2018, the EU Data Protection Reform became applicable. In particular the General Data Protection Regulation (EU) 2016/679 (GDPR), which repealed Directive 95/46/EC on 25 May 2018 attracted much attention, albeit resembling its predecessor.

Alongside the GDPR, the Reform encompassed a Directive (EU) 2016/680 establishing rules for the protection of individuals with regard to the processing of personal data by competent authorities for purposes of law enforcement (LED). The LED put forth great achievements in areas that had previously not been regulated by EU law. Therefore, the LED constitutes a major step forward in establishing a comprehensive EU data protection regime, as the first horizontal and legally binding instrument laying down the rules for national and cross-border processing of personal data in the area of law enforcement.

Although the LED received way less attention than the GDPR, two main objectives of the Directive are too important to be neglected: the increased level of fundamental rights protection in the area of police and criminal justice, and the improved sharing of personal data between the Member States, as they will be able to rely on uniform data protection rules.

The LED is a modern instrument, designed for the processing of personal data by Law Enforcement Authorities (LEAs) in the Digital Age, which is why there is no doubt that instruments such as the Directive are rapidly gaining in importance and visibility: firstly, an increased number of criminal acts is being committed online or with the help of online tools. Perpetrators of crime leave digital traces that may support LEAs in their tasks of crime prevention, detection, investigation and prosecution.

Secondly, as perpetrators are becoming more tech-savvy, LEAs turned to new investigative techniques, including big data analytics. The term big data police technologies may include predictive systems that identify people or places suspected of crime, surveillance systems to monitor at-risk areas and search systems to mine data for investigative clues or to develop intelligence nets of helpful data for groups or across communities.

Thirdly, EU rules on the processing of personal data by LEAs are undergoing consolidation, with the LED acting as a locomotive.

The rules of the LED, which had to be transposed into the national laws of all 28 Member States and the four Schengen Area States (Norway, Iceland, Switzerland and Lichtenstein) by 6 May 2018, benefited from the attention given to the GDPR, as some of the Regulation’s solutions could simply be taken over. However, a number of provisions were developed specifically for the LED.

This Article will give a general overview of the LED structure, its scope and briefly present the ten chapters. The second part of the Article will address four distinct features enshrined in the LED, focussing on automated individual decision-making (Article 11), the indirect exercise of data subject rights (Article 17), the obligation for competent authorities to keep logs (Article 25) and the provisions on international transfers (Articles 35-39). It will thereby critically assess the articles and point to both similarities and differences with regard to the GDPR.

Keywords: Directive (EU)2016/680, data protection, LED, big data policing, predictive policing, profiling, international transfers of personal data, cybercrime, indirect access, logs

Suggested Citation

Sajfert, Juraj and Quintel, Teresa, Data Protection Directive (EU) 2016/680 for Police and Criminal Justice Authorities (December 1, 2017). Available at SSRN: or

Juraj Sajfert

Vrije Universiteit Brussel (VUB) - LSTS, Interdisciplinary Research Group on Law Science Technology & Society ( email )


Teresa Quintel (Contact Author)

European Centre on Privacy and Cybersecurity ( email )


Universite du Luxembourg ( email )

L-1511 Luxembourg

Uppsala University ( email )


Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics