On 25 June 2026, the European Commission published a proposal to amend Regulation (EU) 2018/1725 (EUDPR) to harmonise data protection rules for operational personal data processed by EU Justice and Home Affairs agencies, including Europol, Eurojust, the European Public Prosecutor's Office (EPPO), and Frontex. The proposal aims to reduce fragmentation and legal uncertainty by consolidating the rules and integrating the EPPO into the framework.

The proposal extends Articles 43-45, Chapters VII and VIII of the EUDPR to all Union bodies processing operational data, and deletes Article 2(3) to apply the regulation to the EPPO while allowing specific rules in the EPPO Regulation to remain. It introduces technical adjustments to Article 45 to ensure Data Protection Officer tasks cover operational data, and empowers the European Data Protection Supervisor (EDPS) to impose administrative fines under Article 66 for operational data processing. Automated decisions on operational data are permitted under specific conditions, aligned with the Digital Omnibus. The right of access under Article 78 is clarified to allow refusal of manifestly unfounded requests, such as those made for non-data-protection purposes.

New record-keeping requirements under Article 87a align with the Law Enforcement Directive (LED), and additional logging safeguards are added in Article 88. Breach notification deadlines are extended from 72 to 96 hours under Article 92, with notification required only if there is high risk to rights. International transfers under new Articles 92a-92b are aligned with the LED, allowing transfers with adequacy decisions, appropriate safeguards, or specific derogations, and permitting transfers to non-competent authorities in third countries under strict conditions. EDPS powers are streamlined for operational data across all relevant bodies, following the 2022 Europol model.

Policy orientations and trade-offs

The proposal balances stronger data protection oversight with operational efficiency for law enforcement agencies. Extending EDPS fines and oversight to operational data increases accountability but may impose administrative burdens on agencies. The extended breach notification deadline (96 hours) gives agencies more time to respond but reduces the speed of alerting affected individuals. Allowing automated decisions under specific conditions supports efficiency but raises concerns about fairness and transparency. Clarifying manifestly unfounded access requests protects agencies from abuse but may limit individuals' rights.

Impact on stakeholders

- EU Justice and Home Affairs agencies (Europol, Eurojust, EPPO, Frontex): Benefit from harmonised rules reducing legal uncertainty, but face new compliance costs for record-keeping, logging, and breach notification. The extension of EDPS fines creates financial risk for non-compliance.
- EDPS: Gains expanded powers to oversee and fine operational data processing, increasing its regulatory role and resource demands.
- Data subjects (individuals): See stronger protections through uniform rules and EDPS oversight, but may experience slower breach notifications (96 hours) and restricted access rights for manifestly unfounded requests.
- Third-country authorities: Face stricter conditions for data transfers, requiring adequacy decisions or safeguards, which may complicate international cooperation.

Expected institutional follow-up

The proposal will be examined by the European Parliament and the Council under the ordinary legislative procedure. The Council is scheduled to discuss the proposal on 6 July 2026. The European Data Protection Board may issue an opinion. Once adopted, the regulation will enter into force on the date specified in Article 2.
