Related legislation: LED & ePrivacy
Alongside the GDPR, the EU adopted the Law Enforcement Directive (LED) for processing by criminal-law authorities - in force 5 May 2016, with transposition due by 6 May 2018. The ePrivacy Directive governs processing across public communications networks (confidentiality, traffic data, spam, cookies). The GDPR is not meant to add obligations on top of ePrivacy, and a proposed ePrivacy Regulation remains under review.
The Law Enforcement Directive protects data processed by competent authorities for prevention, investigation, detection or prosecution of criminal offences or execution of criminal penalties. It entered into force 5 May 2016, with member states required to transpose it by 6 May 2018. It harmonises rules but does not prevent member states providing higher safeguards. Note it is a directive, so it must be transposed - unlike the GDPR.
The ePrivacy Directive sets rules for processing across public communications networks, dealing with confidentiality, traffic data, spam and cookies. The GDPR is not intended to impose additional obligations on top of the ePrivacy Directive, which therefore needs review. A proposed ePrivacy Regulation is under review; despite a narrower scope than the GDPR, its lengthy adoption reflects the complexity of electronic-communications policy.
| Feature | Law Enforcement Directive | ePrivacy Directive |
|---|---|---|
| Subject matter | Processing by criminal-law authorities | Processing across public communications networks |
| Instrument type | Directive (must be transposed) | Directive |
| In force | 5 May 2016 (transpose by 6 May 2018) | 2002/58/EC |
| Relationship to GDPR | Separate companion to the GDPR | GDPR adds no obligations on top of it |