Abstract
Vice President for Promoting our European Way of Life Margaritis Schinas, stated at the time of the adoption of Europol’s amendment that “Europol is a true example of where EU action helps protect us all. Today’s agreement will give Europol the right tools and safeguard to support police forces in analysing big data to investigate crime and in developing pioneering methods to tackle cybercrime.” While some characterized the changes as an achievement for the adaptability and operational role of Europol, others argued that it undermines fundamental rights and weakens data protection. This paper analyses the amendments made to the Regulation and explores Europol’s increasing role of in national investigations and the associated dangers of it. The paper starts with a historical analysis of Europol’s legal framework and role in national criminal investigations, before diving into the core of the Regulation. After 2022, Europol supports Member States’ investigations in many ways. First, through the continuous retention of large and complex datasets, which was strongly criticized by NGOs and the EDPS. Second, through the transformation of Europol into the information hub and broker for the exchanges of data with private parties. Third, more indirectly, through Europol’s support of research and innovation projects, for national authorities to use and explore new technologies in their work. However, these amendments are not without dangers. The Regulation of 2022 pushes the boundaries of Europol’s competences further, by circumventing existing limits and questioning the legality of the operations. The stronger role of Europol lacks sufficient safeguards and efficient oversight. This is highly problematic considering the impact Europol may have on national investigations, and as a result on the situation of individuals.
Keywords
Introduction
Europol plays a key role in national criminal investigations as a criminal information hub and by delivering strong operational help to national law enforcement authorities. 1 It is a high-security operational centre, that offers analysis and support to Member States in preventing and combating all forms of serious international and organised crime, cybercrime and terrorism. Indeed, as the European Commissioner for Home Affairs, Ylva Johansson, has stated, “[b]ecause fighting organised crime and terrorism depends on police cooperation at the European level, Europol is irreplaceable in supporting law enforcement authorities in their investigations.” 2 This strong role did not come overnight. Initially, Member States were reluctant to give such a strong position to an EU agency and did not fully trust the agency. 3 Over time, however, Europol has become indispensable, and is used as a tool by Member States to strengthen security in the EU, and several amendments to the Europol Regulation have served to solidify its status. This is particularly evident with the most recent amendments to the Europol Regulation, made in 2022 to deal with increasingly complex security threats (with the digital transformation, the use of new technologies, and an increasingly wide and complex cross-border element). 4 Criminal operations and actions at the national level do not suffice to deal with transnational security threats. As a result, Member States must increasingly rely on Europol’s expertise. 5
With a focus on the protection of personal data, this article explores the 2022 amendments to question the extent to which the expansion of Europol’s powers is detrimental to individuals’ fundamental rights. While the new Regulation allows the agency to better support national criminal investigations, notably with information, analysis, and expertise, it also comes with its challenges. Among others, it circumvents national procedural safeguards, such as the requirement of a warrant when accessing data from private parties, as well as the right to be informed. Furthermore, as the European Data Protection Supervisor (EDPS) stated “[…] the expansion of Europol’s mandate has not been compensated with strong data protection safeguards”. 6
The article starts by retracing the origins of Europol and its route towards becoming the criminal information hub of the EU. It then extensively analyses Europol’s latest amendments, by emphasising the main ways through which Europol can now contribute to national criminal investigations. The article argues that this reinforced mandate did not go hand in hand with strong data protection safeguards. Drawing on the pre-existing fragmentation in legal frameworks in the police cooperation sector, the article highlights the novel and existing challenges that appear for the protection of an individual’s personal data. It then goes beyond the current situation, to address upcoming data protection challenges that may occur if the proposal of Prüm II (automated data exchange for police cooperation) is adopted. 7 Within it, Europol should play a central and key role, and its power over police cooperation in the EU will once again be strengthened.
Tracing the development of Europol: Towards the criminal information hub of the EU
The European Commission, the Council, and Europol itself often refer to the agency as the information hub for law enforcement authorities in the EU. 8 The road towards this central role of Europol has however not been without pitfalls, and Europol was not directly established as a powerful and influential body. After several amendments, Europol gained a more prominent position in the EU security landscape. This position has been further enhanced by the 2022 amendments.
From an intergovernmental body to a key support for national law enforcement authorities
Europol came into being as an international organ under the Europol Convention of 1995, which came into force on 1 October 1998. 9 Initially, Member States were reluctant to transfer important powers to this supranational entity, as police cooperation and security remained a sensitive national concern. 10 They thus preferred the creation of an external body to the EU established under a Convention. 11 This rigid legal basis required unanimity of the Member States to any amendments made. With the increasingly cross-border nature of the security threats in the EU, Member States started grasping the potential of Europol and transformed it into an EU agency (first through a Council Decision in 2009, and then through a Regulation in 2016). 12
Even before its establishment, however, Europol was mentioned in the Treaty of Maastricht of 1992 and envisaged as ‘a Union-wide system for exchanging information’ within the Union. 13 This emphasized, before its creation, the central position of Europol concerning data processing and exchanges between law enforcement authorities. However, at its inception, Europol was limited in two regards from directly becoming a strong information centre. Firstly, from a practical perspective, there was a reluctance of Member States to share information with Europol, particularly when it came to ongoing criminal investigations. 14 For some time, Member States preferred to cooperate bilaterally rather than using Europol as they did not fully trust the agency and feared a leakage of data or a compromised investigation. 15 Secondly, from a formal perspective, the scope of competence of Europol was restricted. Under the Convention, the agency was competent to support law enforcement action “in preventing and combating terrorism, unlawful drug trafficking and other serious forms of international crime”. 16 The latter category included crimes against life and personal freedom, crimes against property or public goods, and illegal trading or harm to the environment. 17 Under the Convention, the existence of a criminal organised structure had to exist. This formal restriction was abandoned when Europol was integrated as an EU Agency through the subsequent Council Decision of 2009. 18 The Council Decision expanded Europol’s competences, as the agency was also competent to support criminal investigations where involvement of organised crime could not be demonstrated from the beginning, or which took place outside of an organised context. 19 This expansion of scope allowed for a broader sharing of national data. Europol also cooperates with third countries and international organisations, 20 and (albeit more recently) with private parties, 21 which further contributes to Europol becoming the criminal EU information hub. Throughout the years, Europol played a key role in national criminal investigations, through its databases, but also its operational support and expertise. With the new amendments in 2022, Europol gained an even stronger role in supporting national criminal investigations. 22
An enhanced role with the 2022 amendments to Europol Regulation
As noted above, the Europol Regulation was amended in June 2022 as a response to the changing security landscape and increasingly complex security threats, emerging notably from digital transformation, that the EU is facing.
23
The changes were aimed at strengthening Europol by giving it the necessary tools and capabilities to better support Member States in countering serious crimes. This section considers several key changes. (i) Information hub for private parties
The new Regulation transforms Europol beyond its classical role of EU criminal information hub by allowing for data exchanges with private parties. Before 2022, Europol was allowed to receive personal data from private parties only indirectly via competent intermediaries and could transfer personal data to private parties only under exceptional circumstances. 24 This was considered insufficient, 25 and has resulted in Europol’s powers being extended to allow for cooperation with private parties, which significantly helps national criminal investigations. 26
This development has occurred in two respects. Firstly, Europol has become the EU contact point for private parties that want to voluntarily share data with national competent authorities. In these situations, Europol then uses this data to determine the competent jurisdiction and assists in the investigation of the relevant crime.
27
Secondly, Europol has taken on the role of EU central hub in cases of online crises and the dissemination of online child sexual abuse material.
28
In this respect, Europol is empowered not only to collect the data but also to process and exchange it with private parties established within the EU, but also (exceptionally) those established in a third country not subject to an adequacy decision or international cooperation agreement.
29
The cooperation with private parties is essential to deal with the contemporary criminal landscape which is marked by a strong digitalisation. Private parties hold an increasing amount of data which is relevant for law enforcement authorities to solve criminal investigations.
30
This can be, for example, IP addresses, traffic data, or content of electronic communications.
31
This required an enhanced cooperation between Europol and private parties, to equip it with the tools to continue its support to Member States and its key role as the “nerve centre of the EU’s internal security architecture”.
32
(ii) Analysis and retention of large and complex datasets
Operational contributions received by Europol in 2021.
Source: Europol's Consolidated Annual Activity Report 2021.
In principle, data collected by Europol must be the object of a data subject categorisation (DSC). This means that Europol’s Executive Director must define and identify the specific categories of personal data and data subjects of the processing operations, for example suspects, potential future criminals, contacts and associates, or victims. 34 Europol, however, also receives large datasets from Member States which, because of their characteristics, format, or size, did not undergo this data classification process. This has been the object of controversy with the EDPS, 35 and was brought to the attention of journalists and NGOs. 36 In April 2019, Europol’s Executive Director informed the EDPS of major issues of compliance with the agency’s processing of large and complex datasets. 37 In recent years, Europol received large datasets, representing millions of messages, from several Member States, including data of individuals that had no clear link to any criminal activity. 38 The Guardian, drawing on internal documents of Europol, even stated that at least four petabytes of data were stored by Europol (amounting to four billion books). 39
Before the 2022 amendments, the agency was not allowed to process the personal data of individuals who had no clear link to a crime or criminal conduct. Europol could only process data on limited categories of data subjects listed in Annex II B. 40 These include suspects, potential future criminals, contacts and associates, victims, witnesses, and informants. 41 Europol could not go beyond that. The EDPS thus started an own-initiative inquiry on the use of Big Data Analytics by Europol. 42 According to the EDPS, it is impossible when receiving such large data sets to ensure that the information contained complies with this limitation. As the EDPS stated “[t]he volume of information is so big that its content is often unknown until the moment when the analyst extracts relevant entities for their input into the relevant databases”. 43 This went against the Europol Regulation and increased the risk of data subjects being wrongfully linked to criminal activity. This may then, in turn, cause damage to the personal and family life of an individual, as well as his/her freedom of movement and occupation.
The EDPS ended up first issuing a formal admonishment to Europol in September 2020, 44 and then in January 2022, an order to erase data concerning individuals with no established link to criminal activity. 45 In this order, the EDPS also required the DSC to be conducted within six months for new datasets and twelve months for the existing ones. The whole ‘Big Data’ saga will be further analysed in the subsequent section of the paper dealing with the dangerous expansion of Europol’s powers.
With the new amendments of 2022, the legislator legalised Europol’s analysis of large datasets. In principle, Europol is allowed to process data that are subject to DSC, including suspects, potential future criminals, contacts and associates, victims, witnesses, and informants.
46
With the new amendment, Europol may now process data sets without DSC to support criminal investigations in certain situations.
47
Those include investigative data to support an ongoing specific criminal investigation, or data needed to cross-check information. In addition, the new Regulation allows Europol to continue to process large datasets without DSC, which the Member States already shared with Europol before the amendment.
48
The possibility for Europol to analyse large datasets is key for national criminal investigations. Europol noted that Member States increasingly share larger volumes of data, which is not limited to targeted data anymore but includes large and complex datasets.
49
National law enforcement authorities send the data that they collect in cross-border criminal investigations to Europol and require the agency to provide them with intelligence product.
50
Europol’s processing of Big Data offers multiple opportunities for criminal investigations. It allows Europol to increase its profiling, to better detect cross-border links, notably between crimes, and to support Member States that do not have the technological means needed to analyse Big Data.
51
The potential of this has been seen after the terrorist attacks in France when French authorities sent Europol 16.7 terabytes of data for it to identify linkages to persons formerly unrelated to the terrorist attacks.
52
(iii) Contribution to the Schengen Information System (SIS)
The SIS is one of the EU’s largest information databases, set up in 1990 to maintain public policy and security within the Schengen Area. 53 The system has been amended several times, to include both alphanumerical data and biometrics (namely fingerprints and photographs), and a vast number of alerts. 54 These include among others, alerts on persons wanted for arrest or extradition, alerts on missing persons, alerts on vulnerable persons, and alerts on objects sought for seizure or use as evidence in criminal proceedings. 55 Initially, Europol was not involved in the setting up and functioning of the SIS. However, Europol quickly gained access to the system, and was able to directly access and search data that fell under its mandate. 56 Europol could also request supplementary information from the relevant Member States. In 2018, Europol got full access to all alerts, as well as the right to be informed of any hit linked to a terrorist offence. 57 A hit occurs in the system when information on a person or object exists within the system. 58 Through its access to the alert, Europol did not directly contribute to national criminal investigations. However, this has changed in 2022 through amendments to the Europol Regulation, 59 and also to the SIS II Regulation (and particularly Regulation 2018/1862 on the use of the SIS in the field of police cooperation and judicial cooperation in criminal matters). 60
These two legal instruments mention an expanded role of Europol in the system, with the introduction of a new category of alerts: information alerts.
61
These target third-country nationals who are suspected of being involved in terrorist offences or other serious crimes, and encompass data on foreign terrorist fighters.
62
Europol plays a key role, as it is the one who proposes to one (or more) Member States to enter such alerts in the system.
63
It can do so on two occasions. On the one hand, where there are factual indications that a person intends to commit or is committing a terrorist offence or serious crime. On the other hand, where a general assessment of a person gives reasons to believe that he/she may commit a terrorist offence or serious crime. While Member States take the final decision, Europol strongly influences national criminal investigations, by sharing information that essentially comes from third countries and international organisations. Data on foreign terrorist fighters entered in the SIS may for example support Member States in national operations on terrorist operations, or extremist groups. (iv) Indirect support through an enhanced role in research and innovation
It is essential for Europol to help Member States develop technological tools to fight serious crime, as Member States must strengthen their capabilities to better investigate criminal offences in the current digitalisation era. 64 Before 2022, however, this was not possible. Originally, Europol did not have the mandate to support Member States by fostering research and innovation. 65 Europol was neither able to implement its innovation projects, nor to process personal data for research and innovation purposes. 66 This lack of legal basis restrained Europol’s potential to, for example, develop AI-based tools for law enforcement. A change was required to complement the national efforts with EU-level support. 67
The latest amendment to the Europol introduced one last function that will serve to increase its ability to support Member States and better protect EU citizens: an enhanced role in research and innovation. 68 Notably, the recent amendments help Member States to use new technologies, explore new tools and approaches, and develop technological solutions, for example in the sphere of artificial intelligence. 69 More concretely, Europol can now develop, train, test and validate algorithms. 70 To do so, Europol can process personal data after authorisation by the Executive Director. 71 However, this new role comes with a significant issue relating to data protection: individuals are not informed that their data is being used to test algorithms.
We have seen that Europol plays undeniably a central role in the EU’s internal security and police cooperation. It transformed from an intergovernmental body, not fully trusted by Member States, to the EU criminal information hub. The recent amendments of Europol Regulation in 2022 further increased its prominent role, regarding the development of technological tools, cooperation with private parties, analysis of large datasets and influence in the SIS. This expansion further pushes the boundaries of Europol’s original mandate and purpose ever further, not only supporting Member States but playing a similar role to national law enforcement authorities. As will be analysed in the section below, this strengthening of powers did not go hand in hand with adequate data protection safeguards.
A strengthening of Europol’s powers without adequate data protection safeguards
Europol strongly supports Member States in national criminal investigations and aims to continue to do so in the future. While one can witness a constant expansion of Europol’s competencies, some issues remain unresolved. The EU police and criminal justice sector is currently still regulated by a mosaic of different legal frameworks, creating fragmentation and uncertainty that undermine the protection of individuals’ personal data. In addition, with the new amendments to the Europol Regulation, new data protection challenges emerge, particularly related to the fact that Europol may be used to circumvent existing national constraints.
The continued fragmentation in the data protection framework in police cooperation
Many rules exist in the police sector. First and foremost, the Law Enforcement Directive (LED) was adopted in 2016 as part of the data protection package. 72 It has often been considered to be the little sister of the GDPR in the field of prevention, investigation and prosecution of criminal offences. It aimed at providing high standards of data protection, but remains an instrument of minimum harmonisation, which means that the Member States must transpose the directive into their national law. 73 The Directive offers broad discretion to the Member States, which already creates divergences in the implementation of the legal framework in the EU. To name a few, differences exist in the definition of what constitutes a criminal offence, the rights given to data subjects and the designation of competent authorities. 74 In some Member States, an authority may be considered administrative, whereas in another it would be a criminal authority. The LED applies to national competent authorities but does not apply to EU bodies.
Therefore, next to the general legal framework on police cooperation (the LED), the EU adopted a data protection Regulation applicable to EU institutions, agencies, bodies, and offices (EUDPR). 75 In principle, Europol being an EU agency, should fall under the scope of the latter Regulation. At the time of the adoption of the Regulation, it was stated that the Regulation would not apply to Europol’s processing of operational personal data until the current Regulation of 2016 was amended. 76 With the changes brought to Europol Regulation in 2022, the EUDPR became applicable to Europol. However, data processing by Europol continued to be subject to a complex legal framework since both the EUDPR (particularly Chapter IX on the processing of operational personal data by EU agencies) and the specific rules of Europol Regulation applied to it. 77 In this way, the Europol Regulation may slightly depart from the core data protection principles of the EUDPR, for example when it comes it to data categorisation and storage limitation rules of large datasets. 78
Article 18a of Europol Regulation of 2022 provides for the possibility to process personal data outside of the DSC, in support of ongoing specific criminal investigations. This prior processing is limited to a period of six months. 79 This has a significant impact on the protection of personal data, as it not only allows for extensive data processing outside of the remit of Annex II (which limits the categories of data subjects about whom Europol may process personal data), but also subsequently allows for an extended storage period. 80 Europol can store the data without DSC for as long as necessary to support the investigation, or even beyond that period to ensure the veracity, reliability, and traceability of the criminal intelligence process. 81 This article, therefore, derogates from the general principles of data minimisation and storage limitation. 82 It should thus only be used in exceptional situations to remain compliant with the EUDPR.
Another example of divergence between the two legal instruments can be seen in the provision on the restriction of processing operations. While the EUDPR provides for only two situations where instead of erasing operational personal data, the controller restricts the processing (to ascertain the accuracy of the data or to use it as evidence), 83 Europol Regulation adds a third situation (the protection of the vital interest of the data subject or another person). 84 These differences reduce data protection safeguards and create further legal fragmentation of data protection in the EU. 85
The cooperation between national authorities and Europol perfectly illustrates this fragmentation and the challenges that data subjects face. If an individual, as has been the case of the Dutch activist Frank van der Linde, wants to obtain access to all the data held on them by the police, many different procedures must be triggered. 86 In principle, the data subject would request access to the data in his/her country of residence (in the case of van der Linde, the Netherlands). According to the LED, the national authority must confirm whether they have personal data on the individual and notify them whether they disclosed such data for example to Europol. 87 This does not suffice, as it is also highly possible that Europol holds data on that individual, that it obtained via other sources. 88 The individual must then use the procedure under the Europol Regulation, which is lengthy, complex, and provides only indirect access through the national authority of the respective Member State. 89 This becomes inherently complicated, particularly since within Europol data can be stored in different systems. This is what occurred with Frank van der Linde, where after the cancellation of a SIENA message on the platform (a secure platform used by law enforcement authorities to communicate) a second item of his personal data was found on another system of Europol. 90
This overall fragmented and asymmetrical application of data protection rules in the police cooperation sector can seriously undermine individuals’ fundamental rights, particularly their right to data protection. This is highly problematic, particularly when the strengthening of Europol’s competencies is already in itself lacking appropriate data protection safeguards.
The dangerous expansion of Europol powers to the detriment of individuals’ protection of personal data
The new amendments made to Europol Regulation have been criticized as they empower the agency but also remove fundamental rights protection.
91
They not only weaken individuals’ protection of personal data but also allow Europol to circumvent (legal) limits that exist at the national level to the detriment of individuals rights. (i) Undermining individuals’ fundamental right to data protection
The weakening of the right to data protection is anchored within the challenges related to Big Data, which was briefly touched upon in the previous section. The issue relates to Europol’s continuous processing of large datasets from Member States, which includes data of individuals that has no clear link to any criminal activity. 92 The EDPS dealt with the matter and issued a formal admonishment to Europol in September 2020 stating that the agency had been unlawfully processing data of individuals with no established link to criminal activity. 93 After several exchanges with Europol, the EDPS ended up ordering Europol to erase the said data and required DSC to be completed within six months for new datasets, and twelve months for existing ones. 94 The response of the legislators was troubling – ignoring the European watchdog’s opinion and retroactively legalising what had been found to be an illegal practice (since the practice was not provided for in the old Regulation). 95 This is problematic on two main levels.
Firstly, it allows Europol to continue to play a key role vis-à-vis Big Data and process data on individuals who do not fall under Annex II of the Regulation, and to hold on to those large datasets received before 2022, for a period of up to three years. 96 This undermines the principle of data minimisation and storage limitation and goes against the advice of the EDPS. One could even go as far as saying that this enables mass surveillance in the EU, through the vast collection of personal data and the use of predictive policing. 97
The second issue is the undermining of any systems of checks and balances, by silencing the opinion of the EDPS. The legislator, by ignoring the EDPS’ order, essentially threatened the body’s independence. As a response, the EDPS brought an action for annulment to the Court of Justice against the new Regulation, to safeguard legal certainty for individuals and ensure the EDPS’ independence. 98 However, this action was declared inadmissible by the General Court. 99 Even after the amendments were adopted, supervision was once again set aside. Despite the legal requirement introduced in the Regulation, Europol’s Management Board adopted the implementing decision specifying the conditions for processing large datasets, without formally consulting the EDPS. 100 While informal conversations took place between Europol and the EDPS, this can in no way replace the formal consultation required by law.
Therefore, alongside the existing fragmentation in the EU police cooperation sector, this disregard for oversight further reduces data subjects’ rights and weakens the power of supervisory authorities, whose precise role is to ensure the agency’s compliance with data protection rules. One may wonder whether new types of oversight mechanisms should be considered, in line with oversight bodies over intelligence agencies.
101
(ii) Circumventing existing national restrictions
Europol, as a supporting agency, has been seen as a potential solution to (alleged) national shortcomings. This became clear in three instances: (1) the analysis and retention of large datasets; (2) the cooperation with private parties; and (3) the contribution to the SIS.
Firstly, the analysis and retention of large datasets refer to the already mentioned Big Data challenge. Indeed, one of the most debated issues concerns the data retention period. Data retention in the EU has had a complex history. In short, the data retention directive was annulled by the Court of Justice in 2014 in the famous Digital Rights Ireland case, 102 followed by several legislative reforms in the Member States and preliminary references by domestic courts. 103 The reactions were clear, the Member States had a commonly shared preference for keeping data retention rules in place to support their fight against crimes. Even though the Court of Justice repeatedly prohibited general and indiscriminate retention of traffic and location data, Member States continuously attempted to circumvent this prohibition. Denmark, for example, proposed a bill maintaining general and indiscriminate data retention. 104 France, reintroduced mass data retention justifying it with the major terrorist threat, and Italy kept a maximum retention period of six years. 105
This common preference of Member States for data retention was also very visible in the discussions on the amendments to Europol Regulation. 106 In general, Member States supported the possibility for Europol to keep large datasets for a longer period, which allows Member States to circumvent their national retention limits. While the EDPS ordered Europol to ensure DSC within six months for new datasets, and twelve months for existing ones, 107 the new amendments provide for it to be kept for a maximum period of three years. 108 Member States can, therefore, now send data to Europol, that they are not legally allowed to retain in their domestic systems.
Secondly, when it comes to cooperation with private parties, there was a clear need for national law enforcement authorities to obtain personal data from private parties to support their criminal investigations. Indeed, a study requested by the European Commission on the exchange of personal data between Europol and private parties, before the 2022 amendments, found that national law enforcement authorities faced serious challenges in trying to obtain personal data from private parties. 109 In practice, they either saw their requests being refused, not answered, or receiving incomplete or delayed data from private parties. 110 Often law enforcement authorities needed judicial authorisation to obtain the said data. Issues arose when they filed a request without judicial authorisation, even though it is formally required by the law. Europol was seen as a potential solution to circumvent the existing national restrictions that prevent national authorities from getting access to the relevant information coming from private parties.
Thirdly, Europol’s contribution to the current SIS with the novel introduction of information alerts was also seen as a solution to (alleged) national shortcomings. 111 With the changes introduced in 2022, Europol can propose to one (or more) Member States to enter information alerts on third-country nationals in the interests of the EU. 112 This essentially encompasses data on third-country nationals, suspected of being involved in terrorist offences or other serious crimes (e.g., foreign terrorist fighters). 113 The amendments were triggered by an existing information gap in the system. Data from third countries and international organisations on individuals suspected or convicted of terrorist offences (or other crimes), were only rarely inserted into the system. 114 This was either because the information was not shared with Member States, or because it was shared but Member States were not allowed to enter the alert under their national law. 115 Europol has wider access to such data, as it has strong cooperation relations with third countries and international organisations. 116 Approximately 1,000 foreign terrorist fighters are inserted into Europol’s information system, but not into the SIS. 117 Alerts are essential for front-line officers and national criminal investigations. Thus, Europol once again is seen as a solution to the limitations that exist at the national level.
These three examples show the potential for Europol to be used as a tool to circumvent national limitations. However, this comes with challenges for individuals’ right to data protection, as national limitations and rules are put in place for a reason. Issues emerge concerning data minimisation, storage limitation, and risk of misuse of the SIS, for example, to persecute their nationals and, more specifically, political opponents. 118
Beyond data protection safeguards – a need for procedural safeguards?
While the focus of this paper has been the protection of personal data, the expansion of Europol’s competence also questions the need to go beyond a mere fundamental rights approach and focus on the introduction of criminal procedural safeguards. As seen previously, Europol significantly contributes to national criminal investigation and allows the circumventing of national constraints. This also applies to procedural safeguards.
The new Regulation brought significant change in the way Europol can cooperate with private parties. 119 Europol can receive personal data directly from private parties for purposes of identification of the relevant national unit, 120 and shall become the EU central hub in cases of online crises and the dissemination of online child sexual abuse material. 121 This means that in these situations, it can receive personal data directly from private parties, process this data and transfer it on a case-by-case basis. Exceptionally, Europol may also exchange personal data with private parties that are established in a third country not subject to an adequacy decision or international cooperation agreement. 122 This new role of Europol is not supported by sufficient procedural safeguards.
When Europol processes personal data received by a Member State or third country, it can only do so when the initial data has been obtained in accordance with the procedural requirements. 123 No such requirements exist when data is received from a private party. This means that there is no assurance that procedural requirements, such as prior review by an independent court or administrative body, 124 have been conducted when Europol directly receives personal data from private parties. 125 Similarly, no procedural safeguard is established when Europol decides to transfer personal data to private parties (e.g., public prosecutor, or investigating judge). Thus, the new Regulation allows for the sidestepping of crucial national criminal procedural safeguards. This is highly problematic since Europol is increasingly resembling a national law enforcement authority, in terms of powers and role.
No happy ending? Future worrying developments
The situation as it stands is already fragmented and does not offer adequate data protection to individuals. This is meant to become even more complicated with the planned new role for Europol in Prüm II. Currently, a modernisation of the Prüm framework is in the pipeline. 126
The Prüm regime was set up in 2005, by Belgium, France, Germany, the Netherlands, Spain, Luxembourg, and Austria, to exchange information to combat terrorism, cross-border crime, and illegal migration. 127 The members could exchange DNA, fingerprints, and vehicle registration data. In practice, Member States have reciprocal access to national databases containing the above-mentioned data and can conduct searches in an automated way. 128 When a hit or a match occurs, Member States obtain the personal information associated with the hit. Initially, the Prüm framework was on a voluntary participation basis, but in 2008, it was incorporated into the EU police and judicial cooperation provisions through a Council Decision, 129 making it applicable to all EU Member States. Prüm has been successful in fighting crime and terrorism in the EU, but still has some loopholes that Prüm II intends to overcome.
Prüms II intends to further support national criminal investigations, by adding the automated searching of digital facial images held in national police databases to the DNA profiles and fingerprint data, and by adding Europol and its databases to the regime. Initially, Europol was not involved in Prüm. However, with the new proposal, the Commission intends to offer a central role to Europol. 130 The participation of Europol would enable Member States to check biometric data shared with Europol by third countries, and Europol to check the same data received from these third countries against national databases. This will help criminal investigations, as it will ensure that no gaps occur in data on serious crime and terrorism received by third countries. It also comes with similar fears to those related to the SIS, namely of Europol being used as a “data-laundering hub” for data received in breach of national law, and as a conduit for harassing political opponents of third countries. 131
This potential future expansion does not come without its data protection challenges. While the proposal for Prüm II falls under the LED, the current Prüm regime lays down specific data protection safeguards in its Council Decision. 132 It thus falls under a specialised data protection framework. It has been argued that although a coherent data protection regime for all EU police and criminal justice measures may be appealing, it is not always achievable in practice. 133 It may be challenging, for example, to represent the specific purpose limitation Prüm requirements in the general data protection rules applicable throughout the field. The current Council Decision under Article 26 on purpose limitation distinguishes two situations. Firstly, in a general manner, processing of personal data by the receiving Member State is permitted only for the purposes of the Decision, or exceptionally, with prior authorisation of the concerned Member States. 134 This entails essentially the prevention of criminal offences and the maintenance of public order and security for major events. 135 Secondly, and more specifically, processing of data by automated search or comparison of DNA profiles or dactyloscopic data, is only allowed under specific circumstances (to establish whether the DNA profiles or dactyloscopic data match; to prepare a police or judicial request for legal assistance if the data match; and to perform logs and records). 136 In contrast, the LED provides for the possibility to process personal data for “the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties […]”. 137 It remains very general and fails to take the specificities of the Prüm regime into account, particularly when it comes to the automated nature of the operations.
In addition, fragmentation exists in the data inclusion retention criteria of forensic databases. It was already pointed out that after the adoption of the Council decision, that there are differences between EU Member States when it comes to the inclusion and retention of the profiles of children and innocent people in forensic DNA databases. 138 Whereas Sweden includes personal data in the DNA database only if the person was convicted of a crime and sentenced for over two years, the Netherlands adds any person who has committed any crime (except if the penalty is only paying a fine). 139 This is only one example of the overall fragmentation in the existing national rules. This causes concern, as some Member States may be processing and retaining personal data which should in principle legally not be on their system. If the different data protection regime applicable to Europol is added to this situation, the result is a complex mosaic and mismatch of legal frameworks and regimes that renders it ever more complicated for data subjects to safeguard their rights, let alone to understand them. It is highly probable, that when the Regulation of Prüm II is adopted, Europol will end up receiving more information than it is legally entitled to process according to its Regulation. 140
Conclusion
This article offered a detailed analysis of the new amendments to the Europol Regulation and of Europol’s increasing support for national criminal investigations. From its very origins, Europol was set up to support national law enforcement authorities in the fight against crimes in the EU. With the increase of cross-border criminality, and digitalisation, Europol has become an indispensable ally for national authorities, to the point of being considered the EU criminal information hub. The amendments of 2022 have enabled Europol to reach a new milestone in its evolution, by strengthening its cooperation with private parties, its analysis of Big Data, its role in the SIS, and by allowing it to contribute to research and innovation projects, putting it as a forerunner in the development of artificial intelligence tools for law enforcement authorities. While this expansion of the agency’s competencies strongly supports national criminal investigations, it fails to provide appropriate safeguards for individuals’ data protection.
This article specifically dealt with the challenges that Europol’s amendments bring when it comes to individuals’ fundamental rights, particularly their right to the protection of personal data. It also briefly linked this issue to the sidestepping of national procedural law. The expansion of Europol’s powers is grounded in an already fragmented and asymmetrical application of data protection rules in the police cooperation sector. Instead of addressing this fragmentation, the new Europol Regulation embraces them and adds to them by deviating from the general data protection provisions. The Regulation puts in question compliance with several principles of data protection (data minimisation, storage limitation) and dangerously undermines the role of the EDPS and its independence. This may diminish individuals’ right to data protection, and Europol’s overall compliance with data protection provisions. This article has also emphasised how Europol is frequently used as a tool to circumvent existing national constraints, as has been seen with the SIS. The safeguards put in place by Member States are overlooked in favour of stronger security in the EU. This again undermines individuals’ fundamental rights, as national law enforcement authorities simply use Europol to do their “dirty work” with insufficient safeguards.
These existing challenges and fragmentation will further be accentuated in the future, notably with the adoption of Prüm II as well as the Artificial Intelligence Act. New specific data protection legal frameworks will be added to the already existing complex mosaic of legal instruments, making it even more complicated for data subjects to defend their rights.
Footnotes
Author's note
Sarah Tas is now Assistant Professor of Administrative Law, Maastricht University
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
