June 23, 2025

 Thomas Fox

compliance legal operations information governance

If you want to succeed in complying with governmental regulations, it’s not enough to set up and execute a process. You must also plan ahead before new regulations come into effect. Otherwise, you’re guaranteed to run afoul of them.

A case in point is law enforcement data requests (LEDRs). Companies are drowning in requests – it isn’t whether there’s a backlog, it’s how long the backlog is. And it’s about to get worse.

Not only are the volume and complexity of requests increasing exponentially, but the LEDR response process requires constant adjustment to address changing requirements and new jurisdictions.

The Current Framework: ELDD + GDPR + MLATs

Since 2016, the European Law Enforcement Data Directive (ELDD) has regulated the use of personal data by law enforcement in criminal investigations to ensure only lawful and fair processing.

For companies, the ELDD has operated in parallel with the requirements of the General Data Protection Regulation (GDPR) to establish an EU-wide framework that governs whether, what, and when they can share personal data with law enforcement. Companies must also respond to requests from non-EU countries if required by any Mutual Legal Assistance Treaties (MLATs).

These overlapping requirements have proven to be a major operational challenge that few companies have solved. Even at its simplest, the process is time-consuming and it takes a highly dedicated team to maintain accuracy. At a minimum, requests have to be valid, set out a clear date range for the data, contain proper legal grounds for the disclosure, and the disclosure must be necessary and proportionate for the stated purpose. And if complying with the request means transferring data outside of the European Economic Area (EEA), the request must pass through additional jurisdiction-specific MLAT scrutiny.

But Wait, There’s More

If all that weren’t enough, starting in August 2026, companies hosting user data in the EU must comply with a new set of regulations. The e-Evidence Package means that regardless of where the data is, judicial authorities can issue cross-border production and preservation orders to service providers in other member states. Along with crimes such as terrorism or non-cash payment investment fraud, serious criminal proceedings include those with a potential custodial sentence of over three years, which would include assault.

The new rules also expand the in-scope data types beyond subscriber information and IP data to include content, geo-location, and transactional metadata.

And there are mandatory response deadlines for production orders – companies must produce the data within ten days (eight hours for urgent requests). For many companies, this will mean reducing their turnaround time from over a year to less than two weeks.

The Time Is Now

How this works in practice when user data is stored in non-EU countries, particularly where there are conflicting local privacy protections, is anyone’s guess. There’s a long and likely painful path ahead while these questions are resolved. But two points are clear. First, the clock is ticking and second, companies need to arrive at this new regulatory environment with a clear desk. This makes it crucial for companies to move swiftly to eliminate their existing backlog of LEDRs. If such a backlog exists, then it’s obvious that more resources are required, and fast. Rather than building out and staffing the existing internal compliance organisation, companies should seek out service providers with turnkey, scalable compliance solutions. These organisations bring not only the necessary legal and compliance expertise, but also operational know-how, optimised processes, and economies of scale that no company can achieve on its own.

The sooner an organisation moves decisively to clear its backlog of LEDRs, the sooner it can put in place all that is needed as 2026 approaches. If you haven’t done so already, what are you waiting for?