Law enforcement access to personal data originally collected by private parties: Missing data subjects’ safeguards in Directive 2016/680?

Jasserand, C., Feb-2018, In : Computer Law & Security Review. 34, 1, p. 154-165

Research output: Contribution to journalArticleAcademicpeer-review

Copy link to clipboard


  • Law enforcement access to personal data

    Final publisher's version, 416 KB, PDF document

    Request copy


  • Catherine Jasserand
Access by law enforcement authorities to personal data initially collected by private parties for commercial or operational purposes is very common, as shown by the transparency reports of new technology companies on law enforcement requests. From a data protection perspective, the scenario of law enforcement access is not necessarily well taken into account. The adoption of the new data protection framework offers the opportunity to assess whether the new ‘police’ Directive, which regulates the processing of personal data for law enforcement purposes, offers sufficient safeguards to individuals. To make this assessment, provisions contained in Directive 2016/680 are tested against the standards established by the ECJ in Digital Rights Ireland and Tele2 Sverige on the retention of data and their further access and use by police authorities. The analysis reveals that Directive 2016/680 does not contain the safeguards identified in the case law. The paper further assesses the role and efficiency of the principle of purpose limitation as a safeguard against repurposing in a law enforcement context. Last, solutions to overcome the shortcomings of Directive 2016/680 are examined in conclusion.
Original languageEnglish
Pages (from-to)154-165
JournalComputer Law & Security Review
Issue number1
Early online date15-Sep-2017
Publication statusPublished - Feb-2018


  • data protection, law enforcement access, Directive 2016/680, Digital Rights Ireland case, Tele2 Sverige case

ID: 48408806