Assessing the Commission's Proposal to Enhance Europol's Authority: A Review of the Amendment to Regulation (EU) 2016/784 (Europol Regulation)

Niovi Vavoula and Valsamis Mitsilegas, Queen Mary University

Introduction

The European Union Agency for Law Enforcement Cooperation (Europol) plays a crucial role in supporting EU Member States’ cross-border police cooperation, as defined by Regulation (EU) 2016/794 (Europol Regulation). Referred to as the EU’s ‘criminal information hub,’ Europol facilitates information exchange between Member States, Europol itself, other EU bodies, international organizations, and third countries. It also generates criminal intelligence using information from various sources, including Member States and partners. Beyond information exchange, Europol supports and coordinates cross-border police work and produces regular assessments that provide comprehensive, future-oriented analyses of crime and terrorism within the EU.

On December 9, 2020, the Commission presented a proposal for a Regulation amending the Europol Regulation, accompanied by a two-part Impact Assessment. The proposal aims to strengthen Europol’s mandate in several ways. However, the proposal’s timing is questionable, as a proper evaluation of the Europol Regulation, due in May 2022 according to Article 68, has not yet been conducted. The limited information within the Impact Assessment and other EU documentation cannot substitute for a thorough evaluation. Consequently, a complete and accurate assessment of the agency’s effectiveness and impact is not possible.

This proposal encompasses extensive reforms to Europol’s tasks, categorized into nine themes:

  1. Enabling Europol to cooperate effectively with private parties
  2. Enabling Europol to process large and complex datasets
  3. Strengthening Europol’s role in research and innovation
  4. Enabling Europol to enter data into the Schengen Information System (SIS)
  5. Strengthening Europol’s cooperation with third countries
  6. Strengthening Europol’s cooperation with the European Public Prosecutor’s Office (EPPO)
  7. Enabling Europol to request the initiation of an investigation of a crime affecting a common interest covered by an EU policy
  8. Strengthening the data protection framework applicable to Europol
  9. Other provisions, including enhancing political accountability and parliamentary scrutiny

This blog post aims to provide an overview of the proposal and emphasize key privacy and data protection concerns by examining each thematic block. It is based on a study commissioned by the LIBE Committee of the European Parliament, published on May 27, 2021. This study argues that the proposed Regulation, in its current form, would drastically change the nature and powers of Europol and its relationships with key stakeholders without implementing adequate safeguards.

Enabling Europol to Cooperate Effectively with Private Parties

The first set of revisions focuses on enhancing cooperation between Europol and private parties in combatting criminal offenses that involve the misuse of cross-border services provided by private entities. Currently, Europol can exchange personal data with private parties. However, Article 26 of the Europol Regulation outlines several restrictions: the agency typically receives personal data from private parties indirectly through competent intermediaries, and direct transfers of personal data from Europol to private parties are prohibited unless one of three exceptions applies. The proposal aims to establish the agency as a central point of contact for cases involving multi-jurisdictional or non-attributable datasets. This would allow Europol to: (a) receive personal data directly from private parties more routinely; (b) inform such private parties about missing information; and (c) request that Member States ask private parties to share additional information. Additionally, Europol could provide its infrastructure for data exchange between national authorities and private parties and support Member States in preventing the large-scale dissemination of terrorist content or violent extremism, as recently addressed in Regulation (EU) 2021/784.

These changes represent a significant shift for the agency, aligning with the emerging trend of establishing direct communication channels between law enforcement and private parties, as seen in initiatives like the e-evidence legislative package. This fosters a public/private partnership, but it raises concerns about the ability of private parties to fully and effectively scrutinize the fundamental rights implications of transferring personal data they hold for law enforcement purposes, particularly as Europol would be able to forward requests on behalf of Member States and proactively request information.

Private parties are not equal to public authorities in terms of cooperation, and this difference would persist in interactions with Europol. This power imbalance could put private parties in a difficult position, compelled to hand over requested personal data to both Europol and Member States. Important safeguards, such as obtaining prior judicial authorization and scrutinizing compliance with fundamental rights, risk being circumvented. Applying this approach to Europol requires detailed rules on the responsibilities of Europol, Member States, and the private sector. This includes circumstances where private parties can refuse cooperation, provisions for independent authorization of transfers, and remedies for individuals, none of which are present in the proposal.

The very concept of ‘private parties’ is open-ended, lacking limitations on the nature of these entities. While some safeguards exist, such as the requirement for ‘absolute’ or ‘strict’ necessity, additional safeguards mentioned in the Impact Assessment are not explicitly included in the proposal. One suggestion is to involve the European Data Protection Supervisor (EDPS) before the agency makes such transfers. Furthermore, while the proposal prohibits systematic, massive, or structural transfers to private parties outside the EU, it does not extend this prohibition to private parties within the EU. Finally, it is crucial to ensure that Europol’s role in assisting Member States in preventing the spread of online content related to terrorism and violent extremism aligns with the agency’s role as defined in Regulation (EU) 2021/784 on preventing the dissemination of terrorist content online.

(2) Enabling Europol to Process Large and Complex Datasets

This reform aims to address the ‘big data challenge,’ following the EDPS’s reprimand of the agency on September 17, 2020. The proposal would allow Europol to conduct ‘pre-analyses’ of large and complex datasets received to determine whether they involve individuals whose personal data Europol can process according to Annex II of the Europol Regulation. Another proposed provision enables pre-analysis to support criminal investigations after an investigative case file is transmitted to Europol.

Limiting pre-processing to a maximum of one year, extendable with EDPS authorization, is a positive step. However, defining the terms ’large datasets’ and ‘digital forensics’ and explicitly limiting processing to situations with objective necessity, which is not currently mentioned, are crucial to prevent the derogation of Article 18(5a) from becoming the norm.

Clear criteria for extending the pre-analysis period are necessary. It may also be beneficial to require at least informing the EDPS before each pre-analysis and mandating authorization from the Europol Data Protection Officer. The proposal must also clarify the relationship between these new rules and the existing derogation under Article 18(6) of the Europol Regulation, as well as the relationship between the two new provisions.

As these rules are exceptions, they must be applied strictly, and a clear link to an ongoing investigation is essential. Furthermore, the Regulation should establish conditions and/or thresholds, such as the scale, complexity, type, or importance of investigations. Finally, the EDPS’s involvement should be maintained and strengthened, not only in cases involving investigative case files submitted by third countries but also in overseeing the processing of large and complex datasets.

(3) Strengthening Europol’s Role in Research and Innovation

The proposal envisions a more prominent role for Europol in processing personal data for research and innovation, particularly in developing tools, including AI, for law enforcement. However, developing new technologies may require extensive processing of large amounts of personal data, for instance, to create and test algorithms or for encryption purposes.

Therefore, the potential impact of such processing for research and innovation on the principle of non-discrimination and the rights to privacy and data protection must be guaranteed. Processing personal data for research and innovation should only occur when necessary to achieve the project’s objectives.

Furthermore, processing synthetic, anonymized, or pseudonymized personal data, as opposed to real operational data, should be prioritized whenever possible. Processing special categories of personal data must be explicitly excluded or subject to additional safeguards. Additionally, data protection law principles, particularly data minimization, data quality, and privacy by design and default, must be considered.

(4) Enabling Europol to Enter Data into the Schengen Information System (SIS)

One of the most contentious aspects of the Europol reform is the potential for the agency to enter alerts into SIS. Currently, Europol has ‘read-only’ access to all alerts stored in SIS, both immigration and law enforcement related. The proposal creates a new alert category that Europol can use to enter alerts into SIS after consulting with Member States and obtaining authorization from its Executive Director. A separate proposal amending Regulation (EU) 2018/1862 outlines a detailed process for issuing these ‘information alerts.’

However, it is debatable whether this power, which effectively equates Europol with Member States, aligns with Europol’s mandate as defined in Article 88 TFEU. Additionally, it is unclear whether Europol can conduct adequate quality checks before issuing alerts into SIS. The operational value of such alerts is also questionable, as they would give national authorities significant discretion in follow-up, potentially leading to inconsistencies in practice.

The impact on individuals whose personal data would be entered into SIS is significant, and potential liability issues arise if the quality of data in the alert is poor. Given concerns from several Member States within the Council, the Portuguese Presidency proposed an alternative to restrict these alerts to terrorism-related cases. However, there are concerns that granting Europol any access to enter data into SIS will pave the way for the agency to acquire further powers to enter other alert types, such as those concerning missing persons.

(5) Strengthening Europol’s Cooperation with Third Countries

Another significant reform concerns cooperation with third countries. The current legal framework, as defined in Article 25(1) of the Europol Regulation, allows the agency to receive personal data from third countries based on: a) adequacy decisions under Directive (EU) 2016/680; b) international agreements concluded under the current Regulation in accordance with Article 218 TFEU; and c) cooperation agreements established between Europol and third countries under the previous Europol Council Decision (for these agreements, see here).

Lastly, the Executive Director can authorize the transfer of personal data to third countries and international organizations on a case-by-case basis for specific, but arguably broadly defined, reasons. With no adequacy decisions adopted and negotiations for eight international agreements stalled, calls for a less cumbersome system for exchanging personal data with third countries have increased.

To address this, the proposal includes a seemingly minor change that would allow the Executive Director to authorize not only transfers but also categories of personal data transfers to third countries or international organizations in specific situations on a case-by-case basis. However, the meaning of ‘categories of transfers’ is unclear, and this reform could expand the scope of such transfers from criminal investigations focused on specific suspects to broader surveillance activities, thus altering Europol’s powers.

Within the Council, Member States have expressed a desire to further expand Europol’s ability to exchange personal data with third countries. They propose incorporating the language of Directive (EU) 2016/680 (Law Enforcement Directive) and Regulation (EU) 2018/1727 (Eurojust Regulation) into the Europol legal framework and establishing a new legal basis for personal data exchanges based on appropriate safeguards outside the three currently prescribed grounds.

This reform raises significant legal concerns, as it bypasses existing institutional safeguards and diminishes the importance of an adequacy decision, the procedure for assessing the adequacy of a third country’s data protection framework. This approach contradicts the constitutional limits established by the Court of Justice of the European Union (CJEU) in Schrems and undermines the institutional framework for adopting international agreements. Using bilateral agreements as the legal basis for such exchanges may lead to inconsistencies and varying standards.

(6) Strengthening Europol’s Cooperation with the European Public Prosecutor’s Office (EPPO)

This reform focuses on enhancing Europol’s cooperation with the EPPO following the adoption of Regulation (EU) 2017/1939 (EPPO Regulation), which established the EPPO. However, the proposal is not fully aligned with the EPPO Regulation, and minor textual modifications are required.

(7) Enabling Europol to Request the Initiation of an Investigation of a Crime Affecting a Common Interest Covered by an EU Policy

The proposal would allow Europol to request that competent authorities in a Member State initiate, conduct, or coordinate an investigation into a crime that impacts a common interest covered by an EU policy, even if the crime is not cross-border in nature. This could apply to high-profile, sensitive cases like the murder of Daphne Caruana Galizia in Malta. However, the need for this reform is not substantiated, and it effectively removes judicial authorities’ control over initiating investigations in cases that only affect one Member State.

(8) Strengthening the Data Protection Framework Applicable to Europol

One positive aspect of the proposal is the enhancement of Europol’s data protection framework. It extends the scope of Article 3 and Chapter IX of Regulation (EU) 2018/1725, concerning the data protection framework for processing personal data by EU institutions, bodies, and agencies, to include Europol’s work. It also explicitly adds biometric data to the special categories of personal data, which was not previously the case. While this is a welcome reform, further alignment is needed, particularly since the EDPS’s general powers do not yet align with Article 58 of Regulation (EU) 2018/1725.

(9) Other Provisions, Including Enhancing Political Accountability and Parliamentary Scrutiny

In addition to other minor reforms that expand and clarify Europol’s tasks, the proposal aims to strengthen political accountability and parliamentary scrutiny. It would allow the Joint Parliamentary Scrutiny Group (JPSG) to receive information on the matters covered in themes (1)-(4), as discussed above.

While this is a positive step, the proposal misses an opportunity to further enhance political accountability and parliamentary scrutiny. Despite establishing the JPSG and the proposed amendments, parliamentary scrutiny and oversight remain inadequate. Weaknesses include the structure and operation of the JPSG, including the Group’s limited powers in participating in and appointing Europol’s Management Board.

As Europol takes on new tasks, the need for a stronger framework for parliamentary oversight and political scrutiny becomes even more critical. Therefore, there is significant room for improvement in this area.

Concluding Remarks

This analysis highlighted the proposal’s extensive reforms to Europol’s mandate, transforming the agency’s nature and its relationship with Member States. The Council has generally welcomed the majority of these reforms, which enhance the agency’s data processing capabilities. It refined some provisions when agreeing on its position on the proposal in June 2021.

This substantial expansion of Europol’s powers is understandable. Europol’s effectiveness is closely tied to Member States’ input and participation, and research reveals a reluctance among national authorities to share data with the agency, both in the past and present. Therefore, the proposal seeks to overcome this reluctance by enabling the agency to ’take charge’ and centralize information processing.

At the same time, certain operational reforms, especially those related to SIS, have been met with more skepticism, though not outright rejection. As of this writing, the Council is still reviewing the proposal, but significant progress has been made. It remains to be seen whether the Parliament will successfully add further safeguards to limit these additional powers and strengthen its role.

Barnard & Peers: chapter 25

Photo credit: OSeveno, via Wikimedia Commons

Licensed under CC BY-NC-SA 4.0