On 25 July 2022, the Commission presented the first report on the evaluation and review of Directive 2016/680. The Directive lays down rules on the protection of personal data if it comes to their processing by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (→ eucrim 2/2016, 78). This is why the Directive is also briefly called the “Data Protection Law Enforcement Directive” (LED). The evaluation report is foreseen by Art. 62(1) of the Directive.

It examines the level of transposition of the LED in the EU Member States, e.g. with regard to the scope of the LED, the governance and powers of data protection supervisory authorities, remedies and data subject rights, draws first lessons from the application and functioning of the LED, and looks into international data transfers pursuant to the various transfer tools provided by the LED. Lastly, the report outlines the way forward.

It is stated that the LED has generally been transposed in a satisfactory manner, but a number of issues have been identified. In this context, the Commission points out to a number of infringement procedures that had to be launched; additionally, several references for preliminary rulings are pending before the CJEU. Nonetheless, the LED has significantly contributed to a more harmonised and higher level of protection of individuals’ rights and a more coherent legal framework for competent authorities. Furthermore, the LED has resulted in a higher level of awareness and attention on data protection by national competent authorities, especially with regard to the security of processing.

Looking at the way forward, the report, inter alia, calls on the Member States to ensure full and correct transposition of the LED. Another focus should be laid on data protection supervisory authorities. They should be provided with sufficient resources to perform their LED tasks, must have the powers set out in the LED, and be better consulted on draft legislation and administrative measures. Member States should also continue efforts to provide training on data protection requirements to competent authorities, including in relation to new technologies.

With regard to international data transfers, the Commission intends to take the following actions:

• Actively promote possible new adequacy decisions with key international partners;
• Negotiate new cooperation agreements between Europol and Eurojust, on the one hand, and third countries, on the other hand;
• Engage in negotiations with Japan with a view to amend the existing EU-Japan Mutual Legal Assistance Agreement to ensure appropriate data protection safeguards;
• Pursue and conclude the negotiation of a bilateral agreement with the United States on cross-border access to electronic evidence for judicial cooperation in criminal matters, including by complementing the data protection safeguards guaranteed by the EU-US Umbrella Agreement;
• Explore the possibility of concluding data protection framework agreements for data processing in the area of criminal law enforcement with important criminal law enforcement partners, building on the example of the EU-US Umbrella Agreement.