On 25 July 2019, the Commission lodged an infringement action against Greece and Spain before the CJEU for having failed to transpose Directive 2016/680 regarding the protection of personal data by law enforcement authorities (for the Directive, see eucrim 2/2016, p. 78). The deadline for transposing the rules of the Directive into national law ended on 6 May 2018. The Commission also called on the CJEU to impose financial sanctions in the form of a lump sum against the two countries in accordance with Art. 260(3) TFEU.

The Commission stressed that failure to transpose the directive leads not only to problems in the exchange of law enforcement information but also to an unequal treatment of persons as regards the protection of their fundamental rights. To date, Greece and Spain have not notified their laws, regulations, and administrative measures that would comply with Directive 2016/680, as a result of which the two countries breached their obligations under EU law.

On the same day, the Commission started an infringement procedure against Germany for not having completely transposed Directive 2016/680. The Commission observed that only 10 of the 16 federal states (Länder) had adopted measures implementing the Data Protection Law Enforcement Directive by the end of the transposition period on 6 May 2018. The Commission sent a letter of formal notice to Germany, which is the first step in the infringement procedure. Germany now has two months to reply to the arguments raised by the Commission. Otherwise, the Commission may decide to send a reasoned opinion, i.e., to start the second phase of the infringement procedure.

Directive 2016/680 was part of the EU data protection reform along with the General Data Protection Regulation (GDPR). It pursues a twofold aim: better protection of the individual’s personal data processed by law enforcement authorities in the EU Member States (both in purely domestic processing as well as in the cross-border exchanges of data); at the same time, a more efficient and effective exchange of data due to the harmonisation. The directive replaces Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters with effect from 6 May 2018.