Niovi Vavoula and Valsamis Mitsilegas, Queen Mary University
The European Union Agency for Law Enforcement Cooperation (Europol), the legal basis of which is Regulation (EU) 2016/794 (Europol Regulation), has a key role in supporting EU Member States on cross-border police cooperation. Europol is described as the EU’s ‘criminal information hub’, as it facilitates information exchange between Member States, Europol, other EU bodies, international organisations and third countries, and produces criminal intelligence on the basis of information acquired from various sources, including Member States and its partners. Amongst its many tasks, Europol also supports and coordinates cooperation on cross-border police work and produces regular assessments that offer comprehensive, forward-looking analyses of crime and terrorism in the EU.
On 9 December 2020, the Commission presented a proposal for a Regulation amending the Europol Regulation, accompanied by a two-part Impact Assessment, aiming at enhancing the Agency’s mandate in numerous respects. From the outset, it must be emphasised that the timing of the proposal is dubious, as the Europol Regulation has not been subject to an evaluation yet and according to Article 68, such evaluation was due in May 2022. Instead, scarce information is included in the Impact Assessment accompanying the proposal and some EU documentation, which, however, cannot replace the lack of a proper evaluation. As a result, the effectiveness and impact of the agency cannot be fully and properly assessed.
The proposal encompasses widespread reforms to Europol’s tasks, which may be divided in nine themes, as follows:
(1) Enabling Europol to cooperate effectively with private parties;
(2) Enabling Europol to process large and complex datasets;
(3) Strengthening Europol’s role on research and innovation;
(4) Enabling Europol to enter data into the Schengen Information System (SIS);
(5) Strengthening Europol’s cooperation with third countries;
(6) Strengthening Europol’s cooperation with the European Public Prosecutor’s Office (EPPO);
(7) Enabling Europol to request the initiation of an investigation of a crime affecting a common interest covered by an EU policy;
(8) Strengthening the data protection framework applicable to Europol; and
(9) Other provisions, including enhancing political accountability and parliamentary scrutiny.
This blog post aims to provide a snapshot of the proposal and highlight key privacy and data protection concerns by looking in turn into the thematic blocks. It is based on a study commissioned by the LIBE Committee of the European Parliament published on 27th May 2021, which argues that the proposed Regulation, as it stands, will radically transform the nature and powers of Europol and its relationship with key stakeholders without introducing adequate safeguards.
Enabling Europol to cooperate effectively with private parties
A first set of revisions concerns the enhancement of cooperation between Europol and private parties in countering criminal offences committed in abuse of the cross-border services of private parties. Currently, Europol is allowed to exchange personal data with private parties, but Article 26 of the Europol Regulation provides a series of restrictions: the traditional way for the agency to receive personal data from private parties is indirectly via competent intermediaries and Europol is prohibited from transferring personal data directly to private parties, unless one of the three exceptions applies. The proposal aims to establish the agency as a central point of contact in cases of multi-jurisdictional or non-attributable datasets,. Europol will be enabled to: (a) receive personal data directly from private parties on a more regular basis; (b) inform such private parties of missing information; and (c) ask Member States to request private parties to share further information. Additionally, Europol will be able to provide its infrastructure for the exchange of data between national authorities and private parties and support Member States in preventing large scale dissemination of terrorist content or violent extremism, on which Regulation (EU) 2021/784 was recently published.
These changes constitute a considerable paradigm shift for the agency, which is line with the emergence of the trend in past years, exemplified by the e-evidence legislative package, to establish direct channels of communication between law enforcement and private parties and foster a public/private partnership. Questions about the ability of private parties to undertake the role of law enforcement authorities in scrutinising fully and effectively the fundamental rights implications of transfer of personal data held by them for the purposes of law enforcement emerge, as Europol will be enabled to forward requests on behalf of Member States and proactively request information. Private parties do not enjoy equality with public authorities in terms of cooperation and the same will also apply in the case of Europol.
Therefore, they may find themselves in a subordinate position, being ‘cornered’ by both Europol and Member States to hand over the personal data requested. Important safeguards, in particular obtaining prior judicial authorisation and scrutiny of compliance with fundamental rights, risk being bypassed. Applying this approach to the case of Europol requires detailed rules on the duties of Europol, Member States and the private sector, e.g. when the private parties may refuse to cooperate, as well as provisions on independent authorisation of transfers and remedies for individuals, which are missing from the proposal. Even the concept of ‘private parties’ is open-ended and there are no limitations as to their nature. Whereas certain safeguards are included, e.g. the requirement for ‘absolute’ or ‘strict’ necessity, there are additional safeguards that are mentioned in the Impact Assessment, but not explicitly stated in the proposal. It is further argued that the European Data Protection Supervisor (EDPS) could be involved before the agency makes such transfers. In addition, whereas the proposal proscribes systematic, massive or structural transfers in cases where the private party is outside the EU, this is not extended to those private parties within the EU. Finally, it must be ensured that Europol’s role in supporting Member States to prevent the dissemination of online content related to terrorism and violent extremism conforms with the Europol’s role as foreseen in Regulation (EU) 2021/784 on preventing the dissemination of terrorist content online.
(2) Enabling Europol to process large and complex datasets
This reform aims to address the so-called ‘big data challenge’ following the admonishment of the agency by the EDPS on 17 September 2020. The proposal aims to enable Europol to conduct ‘pre-analyses’ of large and complex datasets received and identify whether these concern individuals whose personal data may be processed by Europol in line with Annex II of the Europol Regulation. Another proposed provision aims to enable the pre-analysis in support of a criminal investigation following transmission of an investigative case file to Europol.
Overall, it is welcome that the prior processing is limited to a maximum period of one year, which can be extended following authorisation by the EDPS. One suggestion is to define the terms ‘large datasets’ and ‘digital forensics’ and explicitly delimit processing when there is an objective necessity, which is not mentioned, so as to ensure that the derogation of Article 18(5a) does not become the rule. Clear criteria to determine that it is justified to extend the maximum period of pre-analysis must be laid down and it could be useful to consider that prior to each pre-analysis the EDPS must be at least informed and that the Europol Data Protection Officer must provide authorisation. The relationship between the new rules and the existing derogation under Article 18(6) of the Europol Regulation must also be clarified, as well as the relationship between the two new provisions foreseen. As these rules constitute an exception, their application must be strict and the existence of a link to an on-going investigation is crucial. In addition, the Regulation should lay down certain conditions and/or thresholds, such as scale, complexity, type or importance of investigations. Finally, the involvement of the EDPS not only in cases where an investigative case file is submitted by a third country, but in general in supervising the processing of large and complex datasets should be maintained and enhanced.
(3) Strengthening Europol’s role on research and innovation
The proposal foresees a greater role for Europol as regards processing of personal data for research and innovation matters for the development of tools, including the use of AI for law enforcement. One must be mindful though that when developing new technologies extensive processing of large quantities of personal data may be required, for example to create and test algorithms or for encryption. Therefore, the potential impact of such processing for research and innovation purposes to the principle of non-discrimination and the rights to respect for private life and protection of personal data must be guaranteed. The processing of personal data for research and innovation should take place only if needed in order to reach the objectives of the project. Furthermore, the processing of synthetic, anonymised or pseudo-anonymised personal data, as opposed to real operational data must be preferred, where possible, and the processing of special categories of personal data must be explicitly excluded or accompanied by additional safeguards. Moreover, principles of data protection law—in particular the principles of data minimisation, data quality and privacy by design and by default—must be taken into account.
(4) Enabling Europol to enter data into the Schengen Information System (SIS)
One of the thorniest aspects of the Europol reform concerns the possibility of enabling the agency to enter alerts into SIS. Currently, Europol has ‘read-only’ access to all types of alerts stored in SIS, both immigration and law enforcement related. The proposal creates a new alert category that Europol can use to enter alerts into SIS following consultation with the Member States and after authorisation by its Executive Director. A detailed process for the issuance of so-called ‘information alerts’ is foreseen in a separate proposal amending Regulation (EU) 2018/1862.
However, whether this power, which to an extent equates Europol with Member States, fits within Europol’s mandate, as laid down in Article 88 TFEU, is doubtful. It is also questionable whether Europol will be able to conduct a proper quality check before issuing alerts into SIS. Importantly, the operational value of such alerts is also questionable, as the alerts will provide significant discretion to national authorities to follow up and wide divergences may arise in practice. The impact on individuals whose personal data will be inserted in SIS is significant and potential liability issues may also arise if the quality of data contained in the alert is not high. In light of the concerns voiced by a number of Member States within the Council, the Portuguese Presidency proposed an alternative to delimit these alerts to those concerning terrorism. However, it is feared that merely opening up Europol to SIS will become the gateway through which in the future Europol may acquire further powers to enter other types of alerts into the system (e.g. on missing persons).
(5) Strengthening Europol’s cooperation with third countries
Another important reform of the proposal concerns cooperation with third countries. Under the current legal framework, as laid down in Article 25(1) of the Europol Regulation, the agency may receive personal data from third countries based on: a) adequacy decisions under Directive (EU) 2016/680; b) international agreements under the current Regulation concluded in accordance with Article 218 TFEU; and c) cooperation agreements concluded between Europol and third countries under the previous Europol Council Decision (for the agreements, see here). Finally, the Executive Director can authorise the transfer of personal data to third countries and international organisations on a case-by-case basis for certain exceptional––but arguably broadly worded––reasons. With no adequacy decisions adopted and the negotiations for eight international agreements stalled, the calls for a less cumbersome regime for the exchange of personal data with third countries have proliferated. To that end, the proposal foresees a (seemingly minor) change enabling the Executive Director to authorise not only transfers, but also categories of transfers of personal data to third countries or international organisations in specific situations and on a case-by-case basis. However, it is not clear what exactly is meant by ‘categories of transfers’ and this reform may broaden the remit of such transfers from criminal investigations on specific suspects to surveillance activities in general, thus changing Europol’s powers.
That said, within the Council Member States have expressed their wish to further expand Europol’s capabilities to exchange personal data with third countries by transplanting the wording of Directive (EU) 2016/680 (Law Enforcement Directive) and Regulation (EU) 2018/1727 (Eurojust Regulation) to the Europol legal framework, and creating a new legal ground for exchanges of personal data on the basis of appropriate safeguards outside the three already prescribed grounds. This reform poses significant legal challenges as it bypasses existing institutional safeguards and undermines the importance of an adequacy decision, the procedure for assessing the data protection framework of a third country as adequate in violation of the constitutional limits placed by the Court of Justice of the EU (CJEU) in Schrems, as well as the institutional framework for adopting international agreements. The possibility of using bilateral agreements as the legal basis for such exchanges may result in divergences and different standards applied.
(6) Strengthening Europol’s cooperation with the European Public Prosecutor’s Office (EPPO)
This reform concerns the reinforcement of Europol’s cooperation with the EPPO in the aftermath of the adoption of Regulation (EU) 2017/1939 (EPPO Regulation) on the establishment of the EPPO. However, the proposal is not fully aligned with the rules of the EPPO Regulation and minor modifications to the text are necessary.
(7) Enabling Europol to request the initiation of an investigation of a crime affecting a common interest covered by an EU policy
The proposal aims to enable Europol to request competent authorities of a Member State to initiate, conduct or coordinate an investigation of a crime which affects a common interest covered by an EU policy regardless of the cross-border nature of the crime, for example in high profile sensitive cases such as the murder of Daphne Caruana Galizia in Malta. However, the necessity of this reform has not been substantiated and effectively removes control from judicial authorities over the opening of their investigations in cases affecting one Member State only.
(8) Strengthening the data protection framework applicable to Europol
A positive development of the proposal is the enhancement of Europol’s data protection framework by extending the reach of Article 3 and Chapter IX of Regulation (EU) 2018/1725 concerning the data protection framework applicable to the processing of personal data by EU institutions, bodies and agencies, to the work of Europol and explicitly adding biometric data within special categories of personal data, which was not the case. Whereas this is a welcomed reform, further alignment is necessary, not least because the EDPS’s general powers are still not aligned with the prescriptions of Article 58 of Regulation (EU) 2018/1725.
(9) Other provisions, including enhancing political accountability and parliamentary scrutiny
In addition to other minor reforms further expanding and clarifying Europol’s tasks, the proposal aims to enhance political accountability and parliamentary scrutiny by enabling the Joint Parliamentary Scrutiny Group (JPSG) to receive information regarding the matters falling under themes (1)-(4), as discussed above. Whereas this is a welcome development the proposal is a missed opportunity to further enhance political accountability and parliamentary scrutiny. Despite the establishment of the JPSG and the proposed amendments, parliamentary scrutiny and oversight remain weak. Shortcomings concern the structure and work of the JPSG, including the weak powers of the Group in the participation to and appointment of Europol’s Management Board. With the addition of new tasks to Europol, the need to ensure a better framework for parliamentary oversight and political scrutiny must be emphasised and therefore there is significant scope for improving the proposal in that respect.
The analysis above aimed to highlight that the proposal entails widespread reforms to Europol’s mandate, which transform the nature of the agency and its relationship with the Member States. The large majority of these reforms that enhance the data processing capacities of the agency have been met positively by the Council, which refined some provisions when it agreed its position on the proposal in June 2021. This massive expansion of Europol’s powers is explained; Europol’s ability to bring about results is tightly related to Member States’ input and participation and research shows the reluctance of national authorities that were, and are, sometimes not very keen to share their data with the agency. As a result, the proposal wishes to bypass such reluctance, by enabling the agency to directly ‘deal the cards’ and centralise information processing. At the same time, certain operational reforms, particularly the SIS-related ones, have been met with greater scepticism, albeit without an outright dismissal. At the time of writing, the Council is still scrutinising the proposal but a significant amount of work has already been conducted. It remains to be seen whether the Parliament will success in adding further safeguards to circumscribe these additional powers and enhance its own role.
Barnard & Peers: chapter 25
Photo credit: OSeveno, via Wikimedia Commons