CIPP/E Study Guide
Ch 3.5 - LED

Law Enforcement Directive (LED)

Agreed alongside the GDPR, the Law Enforcement Directive (Directive (EU) 2016/680) governs personal data processed by criminal law enforcement authorities, replacing the 2008 Framework Decision. It pursues better cooperation between authorities, better protection of citizens' data (under necessity, proportionality and legality), and clear rules for international data flows. It entered into force 5 May 2016; member states had to transpose it by 6 May 2018.

The Law Enforcement Directive protects the fundamental right to data protection whenever personal data are used by criminal law enforcement authorities. It replaced the 2008 Framework Decision. Unlike the GDPR (a regulation), the LED is a directive, so member states had to transpose it into national law by 6 May 2018.

  • Better cooperation: authorities can exchange information needed for investigations more efficiently
  • Better protection: all law-enforcement processing must meet necessity, proportionality and legality with safeguards, supervised by independent DPAs and effective judicial remedies - covering victims, criminals and witnesses
  • Clear rules for transferring data outside the EU by law-enforcement authorities
GDPR vs LED

The GDPR is the general regime (a regulation). The LED is the criminal-justice regime (a directive), covering processing by competent authorities for preventing, investigating, detecting or prosecuting crime.

Key terms - quick answers

What is “Law Enforcement Directive”?
Directive (EU) 2016/680 protecting personal data processed by competent authorities for criminal-justice purposes.
What is “2008 Framework Decision”?
Council Framework Decision 2008/977/JHA on data in police and judicial cooperation, replaced by the LED.
What is “Necessity, proportionality and legality”?
Core principles all EU law enforcement processing must meet, with safeguards for individuals.