Law enforcement, EU institutions, ePrivacy and E-Commerce
Article 2(2)(d) exempts processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences (and the safeguarding of public security); that gap is filled by the Law Enforcement Directive (LED). A competent authority can be subject to both the GDPR and the LED for the same data processed for different purposes; if it processes for non-LED purposes, or transfers to a body not covered by the LED, the GDPR applies. Schrems II confirmed that a commercial transfer is not removed from the GDPR just because the data might later be processed for national security. EU institutions sit under Regulation 2018/1725 (Article 2(3)). The GDPR also interacts with the ePrivacy Directive (which 'particularises' the GDPR and takes precedence on the specific matters it governs) and the E-Commerce Directive (intermediary liability).
Article 2(2)(d) exempts processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security. That gap is filled by the Law Enforcement Directive (LED, Directive 2016/680), implemented in the UK by Part 3 of the Data Protection Act 2018. Competent authorities include the police, prosecution authorities, courts and offender support services.
| Situation | Which law applies |
|---|---|
| Competent authority processes for LED (criminal-law) purposes | LED |
| Competent authority processes for purposes other than the LED's | GDPR (unless it is a national-security/outside-EU-law activity) |
| Competent authority transfers data to a body not covered by the LED | GDPR |
| Competent authority transfers to another competent authority but for non-LED purposes | GDPR |
| Same data, processed for different purposes | Both GDPR and LED can apply |
In Schrems II, the CJEU held a commercial transfer between two economic operators is not removed from the GDPR merely because the data might later undergo processing for public security, defence or State security by authorities of the third country.
EU institutions (Article 2(3)). EU institutions, bodies, offices and agencies are not covered by the GDPR; Regulation 2018/1725 applies instead.
ePrivacy (Article 95). The GDPR imposes no additional obligations on providers of publicly available electronic communications services where matters are already covered by specific obligations with the same objective in the ePrivacy Directive (2002/58/EC). The ePrivacy Directive particularises and complements the GDPR: where it sets a 'special rule' (e.g. traffic data, or storing information on or accessing information already stored in a user's device), that rule takes precedence over the GDPR's general provisions. But because ePrivacy defines consent by reference to the old Data Protection Directive, and Article 94(2) GDPR reads such references as references to the GDPR, ePrivacy now borrows the GDPR's stricter consent standard (so direct-marketing consent must meet GDPR requirements). Anything not specifically governed by ePrivacy remains under the GDPR.
E-Commerce Directive (Article 2(4)). The GDPR is 'without prejudice' to the E-Commerce Directive (2000/31/EC), in particular the liability limits in Articles 12 to 15 for intermediary service providers who merely host, cache or act as a 'mere conduit'. The relationship is not straightforward: an intermediary's liability for content supplied by its users follows the E-Commerce Directive, but the intermediary's own uses of personal data, and its obligations to erase or rectify data it holds, follow the GDPR.