Niovi Vavoula and Valsamis Mitsilegas, Queen
Mary University
Introduction
The European Union Agency for Law Enforcement Cooperation (Europol),
the legal basis of which is Regulation
(EU) 2016/794 (Europol Regulation), has a key role in supporting EU Member
States on cross-border police cooperation. Europol is described as the EU’s ‘criminal
information hub’, as it facilitates information exchange between Member
States, Europol, other EU bodies, international organisations and third
countries, and produces criminal intelligence on the basis of information
acquired from various sources, including Member States and its partners.
Amongst its many tasks, Europol also supports and coordinates cooperation on
cross-border police work and produces regular assessments that offer
comprehensive, forward-looking analyses of crime and terrorism in the EU.
On 9 December 2020, the Commission presented a proposal
for a Regulation amending the Europol Regulation, accompanied by a two-part
Impact Assessment, aiming at enhancing the Agency’s mandate in numerous
respects. From the outset, it must be emphasised that the timing of the
proposal is dubious, as the Europol Regulation has not been subject to an
evaluation yet and according to Article 68, such evaluation was due in May
2022. Instead, scarce information is included in the Impact Assessment
accompanying the proposal and some EU documentation, which, however, cannot
replace the lack of a proper evaluation. As a result, the effectiveness and
impact of the agency cannot be fully and properly assessed.
The proposal encompasses widespread reforms to Europol’s tasks,
which may be divided in nine themes, as follows:
(1) Enabling Europol to cooperate effectively with private parties;
(2) Enabling Europol to process large and complex datasets;
(3) Strengthening Europol’s role on research and innovation;
(4) Enabling Europol to enter data into the Schengen Information
System (SIS);
(5) Strengthening Europol’s cooperation with third countries;
(6) Strengthening Europol’s cooperation with the European Public
Prosecutor’s Office (EPPO);
(7) Enabling Europol to request the initiation of an investigation
of a crime affecting a common interest covered by an EU policy;
(8) Strengthening the data protection framework applicable to
Europol; and
(9) Other provisions, including enhancing political accountability
and parliamentary scrutiny.
This blog post aims to provide a snapshot of the proposal and
highlight key privacy and data protection concerns by looking in turn into the
thematic blocks. It is based on a study
commissioned by the LIBE Committee of the European Parliament published on 27th
May 2021, which argues that the proposed Regulation, as it stands, will radically
transform the nature and powers of Europol and its relationship with key
stakeholders without introducing adequate safeguards.
Enabling Europol to
cooperate effectively with private parties
A first set of revisions concerns the enhancement of cooperation
between Europol and private parties in countering criminal offences committed
in abuse of the cross-border services of private parties. Currently, Europol is
allowed to exchange personal data with private parties, but Article 26 of the
Europol Regulation provides a series of restrictions: the traditional way for
the agency to receive personal data from private parties is indirectly via
competent intermediaries and Europol is prohibited from transferring personal
data directly to private parties, unless one of the three exceptions applies. The
proposal aims to establish the agency as a central point of contact in cases of
multi-jurisdictional or non-attributable datasets,. Europol will be enabled to:
(a) receive personal data directly from private parties on a more regular
basis; (b) inform such private parties of missing information; and (c) ask
Member States to request private parties to share further information.
Additionally, Europol will be able to provide its infrastructure for the
exchange of data between national authorities and private parties and support
Member States in preventing large scale dissemination of terrorist content or
violent extremism, on which Regulation
(EU) 2021/784 was recently published.
These changes constitute a considerable paradigm shift for the
agency, which is line with the emergence of the trend in past years, exemplified
by the e-evidence
legislative package, to establish direct channels of communication between
law enforcement and private parties and foster a public/private partnership. Questions
about the ability of private parties to undertake the role of law enforcement authorities
in scrutinising fully and effectively the fundamental rights implications of
transfer of personal data held by them for the purposes of law enforcement emerge,
as Europol will be enabled to forward requests on behalf of Member States and
proactively request information. Private parties do not enjoy equality with public
authorities in terms of cooperation and the same will also apply in the case of
Europol.
Therefore, they may find themselves in a subordinate position, being
‘cornered’ by both Europol and Member States to hand over the personal data
requested. Important safeguards, in particular obtaining prior judicial
authorisation and scrutiny of compliance with fundamental rights, risk being
bypassed. Applying this approach to the case of Europol requires detailed rules
on the duties of Europol, Member States and the private sector, e.g. when the
private parties may refuse to cooperate, as well as provisions on independent
authorisation of transfers and remedies for individuals, which are missing from
the proposal. Even the concept of ‘private parties’ is open-ended and there are
no limitations as to their nature. Whereas certain safeguards are included,
e.g. the requirement for ‘absolute’ or ‘strict’ necessity, there are additional
safeguards that are mentioned in the Impact Assessment, but not explicitly
stated in the proposal. It is further argued that the European Data Protection
Supervisor (EDPS) could be involved before the agency makes such transfers. In
addition, whereas the proposal proscribes systematic, massive or structural
transfers in cases where the private party is outside the EU, this is not
extended to those private parties within the EU. Finally, it must be ensured
that Europol’s role in supporting Member States to prevent the dissemination of
online content related to terrorism and violent extremism conforms with the
Europol’s role as foreseen in Regulation (EU) 2021/784 on preventing the
dissemination of terrorist content online.
(2) Enabling Europol to
process large and complex datasets
This reform aims to address the so-called ‘big data challenge’
following the admonishment
of the agency by the EDPS on 17 September 2020. The proposal aims to enable
Europol to conduct ‘pre-analyses’ of large and complex datasets received and
identify whether these concern individuals whose personal data may be processed
by Europol in line with Annex II of the Europol Regulation. Another proposed
provision aims to enable the pre-analysis in support of a criminal
investigation following transmission of an investigative case file to Europol.
Overall, it is welcome that the prior processing is limited to a
maximum period of one year, which can be extended following authorisation by
the EDPS. One suggestion is to define the terms ‘large datasets’ and ‘digital
forensics’ and explicitly delimit processing when there is an objective
necessity, which is not mentioned, so as to ensure that the derogation of
Article 18(5a) does not become the rule. Clear criteria to determine that it is
justified to extend the maximum period of pre-analysis must be laid down and it
could be useful to consider that prior to each pre-analysis the EDPS must be at
least informed and that the Europol Data Protection Officer must provide
authorisation. The relationship between the new rules and the existing
derogation under Article 18(6) of the Europol Regulation must also be
clarified, as well as the relationship between the two new provisions foreseen.
As these rules constitute an exception, their application must be strict and
the existence of a link to an on-going investigation is crucial. In addition,
the Regulation should lay down certain conditions and/or thresholds, such as
scale, complexity, type or importance of investigations. Finally, the
involvement of the EDPS not only in cases where an investigative case file is
submitted by a third country, but in general in supervising the processing of
large and complex datasets should be maintained and enhanced.
(3) Strengthening
Europol’s role on research and innovation
The proposal foresees a greater role for Europol as regards processing
of personal data for research and innovation matters for the development of
tools, including the use of AI for law enforcement. One must be mindful though
that when developing new technologies extensive processing of large quantities
of personal data may be required, for example to create and test algorithms or
for encryption. Therefore, the potential impact of such processing for research
and innovation purposes to the principle of non-discrimination and the rights
to respect for private life and protection of personal data must be guaranteed.
The processing of personal data for research and innovation should take place
only if needed in order to reach the objectives of the project. Furthermore,
the processing of synthetic, anonymised or pseudo-anonymised personal data, as
opposed to real operational data must be preferred, where possible, and the
processing of special categories of personal data must be explicitly excluded
or accompanied by additional safeguards. Moreover, principles of data
protection law—in particular the principles of data minimisation, data quality
and privacy by design and by default—must be taken into account.
(4) Enabling Europol to
enter data into the Schengen Information System (SIS)
One of the thorniest aspects of the Europol reform concerns the
possibility of enabling the agency to enter alerts into SIS. Currently, Europol
has ‘read-only’ access to all types of alerts stored in SIS, both immigration
and law enforcement related. The proposal creates a new alert category that
Europol can use to enter alerts into SIS following consultation with the Member
States and after authorisation by its Executive Director. A detailed process
for the issuance of so-called ‘information alerts’ is foreseen in a separate proposal
amending Regulation (EU) 2018/1862.
However, whether this power, which to an extent equates Europol with
Member States, fits within Europol’s mandate, as laid down in Article 88 TFEU,
is doubtful. It is also questionable
whether Europol will be able to conduct a proper quality check before issuing
alerts into SIS. Importantly, the operational value of such alerts is also
questionable, as the alerts will provide significant discretion to national
authorities to follow up and wide divergences may arise in practice. The impact
on individuals whose personal data will be inserted in SIS is significant and
potential liability issues may also arise if the quality of data contained in
the alert is not high. In light of the concerns voiced by a number of Member
States within the Council, the Portuguese Presidency proposed an alternative to
delimit these alerts to those concerning terrorism. However, it is feared that
merely opening up Europol to SIS will become the gateway through which in the
future Europol may acquire further powers to enter other types of alerts into
the system (e.g. on missing persons).
(5) Strengthening
Europol’s cooperation with third countries
Another important reform of the proposal concerns cooperation with
third countries. Under the current legal framework, as laid down in Article
25(1) of the Europol Regulation, the agency may receive personal data from
third countries based on: a) adequacy decisions under Directive
(EU) 2016/680; b) international agreements under the current Regulation
concluded in accordance with Article 218 TFEU; and c) cooperation agreements
concluded between Europol and third countries under the previous Europol
Council Decision (for the agreements, see here). Finally,
the Executive Director can authorise the transfer of personal data to third
countries and international organisations on a case-by-case basis for certain
exceptional––but arguably broadly worded––reasons. With no adequacy decisions
adopted and the negotiations for eight international agreements stalled, the
calls for a less cumbersome regime for the exchange of personal data with third
countries have proliferated. To that end, the proposal foresees a (seemingly
minor) change enabling the Executive Director to authorise not only transfers,
but also categories of transfers of personal data to third countries or
international organisations in specific situations and on a case-by-case basis.
However, it is not clear what exactly is meant by ‘categories of transfers’ and
this reform may broaden the remit of such transfers from criminal
investigations on specific suspects to surveillance activities in general, thus
changing Europol’s powers.
That said, within the Council Member States have expressed their wish
to further expand Europol’s capabilities to exchange personal data with third
countries by transplanting the wording of Directive (EU) 2016/680 (Law
Enforcement Directive) and Regulation
(EU) 2018/1727 (Eurojust Regulation) to the Europol legal framework, and creating
a new legal ground for exchanges of personal data on the basis of appropriate
safeguards outside the three already prescribed grounds. This reform poses
significant legal challenges as it bypasses existing institutional safeguards
and undermines the importance of an adequacy decision, the procedure for
assessing the data protection framework of a third country as adequate in
violation of the constitutional limits placed by the Court of Justice of the EU
(CJEU) in Schrems, as
well as the institutional framework for adopting international agreements. The
possibility of using bilateral agreements as the legal basis for such exchanges
may result in divergences and different standards applied.
(6) Strengthening Europol’s
cooperation with the European Public Prosecutor’s Office (EPPO)
This reform concerns the reinforcement of Europol’s cooperation with
the EPPO in the aftermath of the adoption of Regulation (EU) 2017/1939 (EPPO
Regulation) on the establishment of the EPPO. However, the proposal is not
fully aligned with the rules of the EPPO Regulation and minor modifications to
the text are necessary.
(7) Enabling Europol to
request the initiation of an investigation of a crime affecting a common
interest covered by an EU policy
The proposal aims to enable Europol to request competent authorities
of a Member State to initiate, conduct or coordinate an investigation of a
crime which affects a common interest covered by an EU policy regardless of the
cross-border nature of the crime, for example in high profile sensitive cases
such as the murder of Daphne Caruana Galizia in Malta. However, the necessity
of this reform has not been substantiated and effectively removes control from
judicial authorities over the opening of their investigations in cases
affecting one Member State only.
(8) Strengthening the data
protection framework applicable to Europol
A positive development of the proposal is the enhancement of
Europol’s data protection framework by extending the reach of Article 3 and
Chapter IX of Regulation
(EU) 2018/1725 concerning the data protection framework applicable to the
processing of personal data by EU institutions, bodies and agencies, to the
work of Europol and explicitly adding biometric data within special categories
of personal data, which was not the case. Whereas this is a welcomed reform,
further alignment is necessary, not least because the EDPS’s general powers are
still not aligned with the prescriptions of Article 58 of Regulation (EU)
2018/1725.
(9) Other provisions,
including enhancing political accountability and parliamentary scrutiny
In addition to other minor reforms further expanding and clarifying
Europol’s tasks, the proposal aims to enhance political accountability and
parliamentary scrutiny by enabling the Joint Parliamentary Scrutiny Group
(JPSG) to receive information regarding the matters falling under themes
(1)-(4), as discussed above. Whereas this is a welcome development the proposal
is a missed opportunity to further enhance political accountability and
parliamentary scrutiny. Despite the establishment of the JPSG and the proposed
amendments, parliamentary scrutiny and oversight remain weak. Shortcomings
concern the structure and work of the JPSG, including the weak powers of the
Group in the participation to and appointment of Europol’s Management Board.
With the addition of new tasks to Europol, the need to ensure a better
framework for parliamentary oversight and political scrutiny must be emphasised
and therefore there is significant scope for improving the proposal in that
respect.
Concluding remarks
The analysis above aimed to highlight that the proposal entails
widespread reforms to Europol’s mandate, which transform the nature of the
agency and its relationship with the Member States. The large majority of these
reforms that enhance the data processing capacities of the agency have been met
positively by the Council, which refined some provisions when it agreed
its position on the proposal in June 2021. This massive expansion of
Europol’s powers is explained; Europol’s ability to bring about results is
tightly related to Member States’ input and participation and research shows the
reluctance of national authorities that were, and are, sometimes not very keen
to share their data with the agency. As a result, the proposal wishes to bypass
such reluctance, by enabling the agency to directly ‘deal the cards’ and
centralise information processing. At the same time, certain operational reforms,
particularly the SIS-related ones, have been met with greater scepticism,
albeit without an outright dismissal. At the time of writing, the Council is
still scrutinising the proposal but a significant amount of work has already
been conducted. It remains to be seen whether the Parliament will success in
adding further safeguards to circumscribe these additional powers and enhance
its own role.
Barnard & Peers: chapter 25
Photo credit: OSeveno, via Wikimedia
Commons
No comments:
Post a Comment