On 19 September 2023, the European Data Protection Board (EDPB) adopted guidelines on the application of Art. 37 of Directive 2016/680 on the protection of personal data processed for law enforcement purposes (dubbed: Data Protection Law Enforcement Directive - LED). Art. 37(1) lit. a) and b) allows the transfer of personal data of natural persons from law enforcement authorities in EU Member States to third countries or international organisations in the absence of an adequacy decision. The provision requires that "appropriate safeguards" with regard to the protection of personal data exist, which must be assessed by the competent authorities in the EU.

Against this background, the EDPB guidelines pursue various objectives:

• Providing clarity on the legal standard for appropriate safeguards;
• Being a reference for EU countries if they conclude legally binding instruments in accordance with Art. 37(1) lit. a) LED;
• Providing guidance to national data protection authorities if they are involved in negotiations on such instruments or are subsequently reviewing their implementation;
• Providing support for the data controller’s accountability obligations according to Art. 37(2) and (3) LED.

The EDPB calls to mind that Art. 37 LED be applied in light of the principle that the level of data protection applicable in the EU must not be undermined by the transfer of personal data to another jurisdiction. Therefore, Art. 37 LED requires an essentially equivalent level of data protection in the recipient third country or international organisation. However, this requirement relates to the specific data transfer or category of transfers at hand and not to the entire existing legislation in the third country or international organisation.

Looking at the legally binding instrument in the meaning of Art. 37(1) lit. a) LED, the guidelines stress that all relevant rules to allow overcoming any shortcomings or limitations of the legislation of the third country or international organisation in terms of data protection should be contained. In addition, Member States should review their international agreements and bring them in line with the requirements of the LED for data transfers, where this is not yet the case.

With regard to Art. 37(1) lit. b) LED, the guidelines point out that this option should only be applied when an assessment on appropriate safeguards is based on a careful analysis of the relevant legal framework and practices in the third country/international organisation. Furthermore, it is necessary that all the details of the circumstances surrounding the data transfer are known and the competent authorities carry out a risk analysis of the information sharing with regard to fundamental rights and freedoms of the data subjects, their legitimate interests and those of other persons concerned. Any other processing operation necessitates that a competent authority be aware of and consider in a granular manner the nature, scope, context and purposes of the transfer.

The EDPB also makes statements on the data controller's accountability obligations if data transfers are based on Art. 37(1) lit. b) LED. These obligations are enhanced pursuant to Art. 37(2) and (3) LED because it is the controller alone who determines, based on its own assessment, whether appropriate safeguards exist. This involves higher risks of inconsistencies, less transparency, and less legal certainty for data subjects in comparison with transfers legally framed by adequacy decisions or legally binding instruments. Hence, competent law enforcement authorities should inform their data protection authorities in regular intervals about the categories of transfers that were carried out under Art. 37(1) lit. b) LED so that an adequate "ex post" control is ensured.

The guidelines had been made subject to public consultation. Comments from national law enforcement authorities and stakeholders may feed into a second version of the guidelines.