
EU Member States Are Still Getting Police Data Protection Wrong Eight Years Later

By Tech Writer and Security Investigator Dominykas Zukas
Last updated: 21 May, 2026

Key Takeaways

  • EDRi commissioned a shadow evaluation of the Law Enforcement Directive's implementation across Bulgaria, France, Germany, Greece, and Slovenia.
  • In all five member states, data subject rights face overly broad restrictions, giving authorities wide discretion to refuse access requests.
  • All five states have transposed Article 10 on sensitive data into national law, but practical application of the strict necessity requirement consistently falls short of EU court standards.
  • Bulgaria continues to collect biometric data in violation of two Court of Justice rulings, with no legal amendment proposed as of May 2026.
  • All five states lack a sufficiently detailed legal basis for big data and predictive policing practices and remain opaque about how those systems actually work.

The Directive the EU Forgot to Follow Up On

The Law Enforcement Directive, adopted in 2016 alongside the GDPR, sets minimum standards for how police and judicial authorities process personal data across the EU. Often called the GDPR's "little sister," it covers data subject rights, conditions for processing sensitive data, and the legal basis required for any data collection by law enforcement.

European Digital Rights (EDRi) commissioned a shadow evaluation of the LED across five member states (Bulgaria, France, Germany, Greece, and Slovenia) to feed into the Commission's second official evaluation, due this May. The report's central finding is blunt: eight years after the directive took effect, implementation is highly fragmented and, in large parts, still insufficient.

Your Rights on Paper, Denied in Practice

According to the research findings, in all five member states, national laws implementing data subject rights contain elements that are either overly broad or add restriction grounds beyond what the LED allows, giving police wide discretionary power to refuse access requests.

Bulgaria and Greece are the clearest offenders. Bulgarian law omits necessity and proportionality requirements entirely and adds "public order," undefined, as a restriction ground. Greece allows rights to be restricted whenever it would "enable" authorities to perform their duties, a standard loose enough to justify almost anything. Both impose blanket restrictions with no individual examination, which the Court of Justice has found incompatible with the directive.

France fares better structurally, but in October 2024 the CNIL ruled that the TAJ criminal records database had committed severe violations of data protection rights, finding that many data subjects are not even aware their data is processed there. The CNIL then ordered compliance by October 2026, two full years later, for obligations that have been in force since 2018.

This pattern will be familiar to anyone who has followed how EU member states treat implementation deadlines as suggestions rather than law.

Biometrics Collected First, Questions Asked Never

All five member states have faithfully copied Article 10's strict necessity language into national law. Yet the practical application consistently falls short of what the Court of Justice has required.

In two rulings, C-205/21 and C-80/23, the CJEU found that Bulgaria's systematic collection of fingerprints and facial images from anyone accused of an intentional criminal offense is precluded by Article 10. An accusation alone cannot make collection strictly necessary, and authorities must assess each case individually. As of May 2026, Bulgaria has proposed no amendment. Thus, the collection continues.

France's reading of "strict necessity" is, if anything, more creative. The Conseil d'État ruled that running facial recognition across millions of TAJ database images was strictly necessary because the database was too large to search manually.

I find this reasoning genuinely remarkable: a database so vast it can only be searched by algorithm has thereby justified its own algorithmic searching. The EU's track record on building surveillance tools and calling them safety features continues to hold.

Big Data, Zero Accountability

All five member states lack a sufficiently detailed legal basis for big data processing and algorithmic policing, and all remain opaque about what those systems do. Germany's Federal Constitutional Court declared predictive policing provisions in Hamburg and Hesse unconstitutional in February 2023, finding that police laws set no sufficiently high threshold for automated analysis (but I guess building a biometric dragnet instead is completely fine).

Greece deployed facial recognition and fingerprint identification devices during identity checks without a Data Protection Impact Assessment or legal basis. Bulgaria, naturally, won't say what systems the Ministry of the Interior runs at all.

The EU is simultaneously expanding cross-border police data sharing under the Prüm II framework on the explicit premise that member states comply with the LED. This report documents, across five countries and four thematic areas, that this premise does not currently hold. The Commission's second LED evaluation is due this month, and it cannot arrive at a comfortable conclusion and do its job honestly.

A VPN will not fix broken law or stop police from collecting biometric data they are not entitled to collect. But a significant portion of what this report describes, including social media monitoring, web data mining, and opaque algorithmic surveillance, operates at the network level, and limiting what gets exposed through that infrastructure is still within your control. If you want to reduce your footprint while the legal framework catches up, Mysterium VPN (currently at 82% off) is a good place to start. And the time to start is right now.

