The dangerous increasing support of Europol in national criminal investigations: An additional layer of complexity

From an intergovernmental body to a key support for national law enforcement authorities

Europol came into being as an international organ under the Europol Convention of 1995, which came into force on 1 October 1998. ⁹ Initially, Member States were reluctant to transfer important powers to this supranational entity, as police cooperation and security remained a sensitive national concern. ¹⁰ They thus preferred the creation of an external body to the EU established under a Convention. ¹¹ This rigid legal basis required unanimity of the Member States to any amendments made. With the increasingly cross-border nature of the security threats in the EU, Member States started grasping the potential of Europol and transformed it into an EU agency (first through a Council Decision in 2009, and then through a Regulation in 2016). ¹²

Even before its establishment, however, Europol was mentioned in the Treaty of Maastricht of 1992 and envisaged as ‘a Union-wide system for exchanging information’ within the Union. ¹³ This emphasized, before its creation, the central position of Europol concerning data processing and exchanges between law enforcement authorities. However, at its inception, Europol was limited in two regards from directly becoming a strong information centre. Firstly, from a practical perspective, there was a reluctance of Member States to share information with Europol, particularly when it came to ongoing criminal investigations. ¹⁴ For some time, Member States preferred to cooperate bilaterally rather than using Europol as they did not fully trust the agency and feared a leakage of data or a compromised investigation. ¹⁵ Secondly, from a formal perspective, the scope of competence of Europol was restricted. Under the Convention, the agency was competent to support law enforcement action “in preventing and combating terrorism, unlawful drug trafficking and other serious forms of international crime”. ¹⁶ The latter category included crimes against life and personal freedom, crimes against property or public goods, and illegal trading or harm to the environment. ¹⁷ Under the Convention, the existence of a criminal organised structure had to exist. This formal restriction was abandoned when Europol was integrated as an EU Agency through the subsequent Council Decision of 2009. ¹⁸ The Council Decision expanded Europol’s competences, as the agency was also competent to support criminal investigations where involvement of organised crime could not be demonstrated from the beginning, or which took place outside of an organised context. ¹⁹ This expansion of scope allowed for a broader sharing of national data. Europol also cooperates with third countries and international organisations, ²⁰ and (albeit more recently) with private parties, ²¹ which further contributes to Europol becoming the criminal EU information hub. Throughout the years, Europol played a key role in national criminal investigations, through its databases, but also its operational support and expertise. With the new amendments in 2022, Europol gained an even stronger role in supporting national criminal investigations. ²²

An enhanced role with the 2022 amendments to Europol Regulation

As noted above, the Europol Regulation was amended in June 2022 as a response to the changing security landscape and increasingly complex security threats, emerging notably from digital transformation, that the EU is facing. ²³ The changes were aimed at strengthening Europol by giving it the necessary tools and capabilities to better support Member States in countering serious crimes. This section considers several key changes.

(i) Information hub for private parties

The new Regulation transforms Europol beyond its classical role of EU criminal information hub by allowing for data exchanges with private parties. Before 2022, Europol was allowed to receive personal data from private parties only indirectly via competent intermediaries and could transfer personal data to private parties only under exceptional circumstances. ²⁴ This was considered insufficient, ²⁵ and has resulted in Europol’s powers being extended to allow for cooperation with private parties, which significantly helps national criminal investigations. ²⁶

This development has occurred in two respects. Firstly, Europol has become the EU contact point for private parties that want to voluntarily share data with national competent authorities. In these situations, Europol then uses this data to determine the competent jurisdiction and assists in the investigation of the relevant crime. ²⁷ Secondly, Europol has taken on the role of EU central hub in cases of online crises and the dissemination of online child sexual abuse material. ²⁸ In this respect, Europol is empowered not only to collect the data but also to process and exchange it with private parties established within the EU, but also (exceptionally) those established in a third country not subject to an adequacy decision or international cooperation agreement. ²⁹ The cooperation with private parties is essential to deal with the contemporary criminal landscape which is marked by a strong digitalisation. Private parties hold an increasing amount of data which is relevant for law enforcement authorities to solve criminal investigations. ³⁰ This can be, for example, IP addresses, traffic data, or content of electronic communications. ³¹ This required an enhanced cooperation between Europol and private parties, to equip it with the tools to continue its support to Member States and its key role as the “nerve centre of the EU’s internal security architecture”. ³²

(ii) Analysis and retention of large and complex datasets

The 2022 amendments also brought changes to Europol’s powers to process personal data of individuals. Europol processes a vast amount of personal data as evidenced by its Annual Activity Reports. ³³ This is evidenced in table 1, below, which gathers some of the operational contributions received by Europol in 2021. The table only covers operational contributions received in 2021 and does not cover all the centres, but already shows the vast amount of data that Europol is collecting every year.

OPEN IN VIEWER

Table 1.

Operational contributions received by Europol in 2021.

	Operational and Analysis Centre	European Serious and Organised Crime Centre	European Cybercrime Centre	European Counter Terrorism Centre	European Financial and Economic Crime Centre
Operational contributions received	99,867	40,935	8,887	4,936	15,115

In principle, data collected by Europol must be the object of a data subject categorisation (DSC). This means that Europol’s Executive Director must define and identify the specific categories of personal data and data subjects of the processing operations, for example suspects, potential future criminals, contacts and associates, or victims. ³⁴ Europol, however, also receives large datasets from Member States which, because of their characteristics, format, or size, did not undergo this data classification process. This has been the object of controversy with the EDPS, ³⁵ and was brought to the attention of journalists and NGOs. ³⁶ In April 2019, Europol’s Executive Director informed the EDPS of major issues of compliance with the agency’s processing of large and complex datasets. ³⁷ In recent years, Europol received large datasets, representing millions of messages, from several Member States, including data of individuals that had no clear link to any criminal activity. ³⁸ The Guardian, drawing on internal documents of Europol, even stated that at least four petabytes of data were stored by Europol (amounting to four billion books). ³⁹

Before the 2022 amendments, the agency was not allowed to process the personal data of individuals who had no clear link to a crime or criminal conduct. Europol could only process data on limited categories of data subjects listed in Annex II B. ⁴⁰ These include suspects, potential future criminals, contacts and associates, victims, witnesses, and informants. ⁴¹ Europol could not go beyond that. The EDPS thus started an own-initiative inquiry on the use of Big Data Analytics by Europol. ⁴² According to the EDPS, it is impossible when receiving such large data sets to ensure that the information contained complies with this limitation. As the EDPS stated “[t]he volume of information is so big that its content is often unknown until the moment when the analyst extracts relevant entities for their input into the relevant databases”. ⁴³ This went against the Europol Regulation and increased the risk of data subjects being wrongfully linked to criminal activity. This may then, in turn, cause damage to the personal and family life of an individual, as well as his/her freedom of movement and occupation.

The EDPS ended up first issuing a formal admonishment to Europol in September 2020, ⁴⁴ and then in January 2022, an order to erase data concerning individuals with no established link to criminal activity. ⁴⁵ In this order, the EDPS also required the DSC to be conducted within six months for new datasets and twelve months for the existing ones. The whole ‘Big Data’ saga will be further analysed in the subsequent section of the paper dealing with the dangerous expansion of Europol’s powers.

With the new amendments of 2022, the legislator legalised Europol’s analysis of large datasets. In principle, Europol is allowed to process data that are subject to DSC, including suspects, potential future criminals, contacts and associates, victims, witnesses, and informants. ⁴⁶ With the new amendment, Europol may now process data sets without DSC to support criminal investigations in certain situations. ⁴⁷ Those include investigative data to support an ongoing specific criminal investigation, or data needed to cross-check information. In addition, the new Regulation allows Europol to continue to process large datasets without DSC, which the Member States already shared with Europol before the amendment. ⁴⁸ The possibility for Europol to analyse large datasets is key for national criminal investigations. Europol noted that Member States increasingly share larger volumes of data, which is not limited to targeted data anymore but includes large and complex datasets. ⁴⁹ National law enforcement authorities send the data that they collect in cross-border criminal investigations to Europol and require the agency to provide them with intelligence product. ⁵⁰ Europol’s processing of Big Data offers multiple opportunities for criminal investigations. It allows Europol to increase its profiling, to better detect cross-border links, notably between crimes, and to support Member States that do not have the technological means needed to analyse Big Data. ⁵¹ The potential of this has been seen after the terrorist attacks in France when French authorities sent Europol 16.7 terabytes of data for it to identify linkages to persons formerly unrelated to the terrorist attacks. ⁵²

(iii) Contribution to the Schengen Information System (SIS)

The SIS is one of the EU’s largest information databases, set up in 1990 to maintain public policy and security within the Schengen Area. ⁵³ The system has been amended several times, to include both alphanumerical data and biometrics (namely fingerprints and photographs), and a vast number of alerts. ⁵⁴ These include among others, alerts on persons wanted for arrest or extradition, alerts on missing persons, alerts on vulnerable persons, and alerts on objects sought for seizure or use as evidence in criminal proceedings. ⁵⁵ Initially, Europol was not involved in the setting up and functioning of the SIS. However, Europol quickly gained access to the system, and was able to directly access and search data that fell under its mandate. ⁵⁶ Europol could also request supplementary information from the relevant Member States. In 2018, Europol got full access to all alerts, as well as the right to be informed of any hit linked to a terrorist offence. ⁵⁷ A hit occurs in the system when information on a person or object exists within the system. ⁵⁸ Through its access to the alert, Europol did not directly contribute to national criminal investigations. However, this has changed in 2022 through amendments to the Europol Regulation, ⁵⁹ and also to the SIS II Regulation (and particularly Regulation 2018/1862 on the use of the SIS in the field of police cooperation and judicial cooperation in criminal matters). ⁶⁰

These two legal instruments mention an expanded role of Europol in the system, with the introduction of a new category of alerts: information alerts. ⁶¹ These target third-country nationals who are suspected of being involved in terrorist offences or other serious crimes, and encompass data on foreign terrorist fighters. ⁶² Europol plays a key role, as it is the one who proposes to one (or more) Member States to enter such alerts in the system. ⁶³ It can do so on two occasions. On the one hand, where there are factual indications that a person intends to commit or is committing a terrorist offence or serious crime. On the other hand, where a general assessment of a person gives reasons to believe that he/she may commit a terrorist offence or serious crime. While Member States take the final decision, Europol strongly influences national criminal investigations, by sharing information that essentially comes from third countries and international organisations. Data on foreign terrorist fighters entered in the SIS may for example support Member States in national operations on terrorist operations, or extremist groups.

(iv) Indirect support through an enhanced role in research and innovation

It is essential for Europol to help Member States develop technological tools to fight serious crime, as Member States must strengthen their capabilities to better investigate criminal offences in the current digitalisation era. ⁶⁴ Before 2022, however, this was not possible. Originally, Europol did not have the mandate to support Member States by fostering research and innovation. ⁶⁵ Europol was neither able to implement its innovation projects, nor to process personal data for research and innovation purposes. ⁶⁶ This lack of legal basis restrained Europol’s potential to, for example, develop AI-based tools for law enforcement. A change was required to complement the national efforts with EU-level support. ⁶⁷

The latest amendment to the Europol introduced one last function that will serve to increase its ability to support Member States and better protect EU citizens: an enhanced role in research and innovation. ⁶⁸ Notably, the recent amendments help Member States to use new technologies, explore new tools and approaches, and develop technological solutions, for example in the sphere of artificial intelligence. ⁶⁹ More concretely, Europol can now develop, train, test and validate algorithms. ⁷⁰ To do so, Europol can process personal data after authorisation by the Executive Director. ⁷¹ However, this new role comes with a significant issue relating to data protection: individuals are not informed that their data is being used to test algorithms.

We have seen that Europol plays undeniably a central role in the EU’s internal security and police cooperation. It transformed from an intergovernmental body, not fully trusted by Member States, to the EU criminal information hub. The recent amendments of Europol Regulation in 2022 further increased its prominent role, regarding the development of technological tools, cooperation with private parties, analysis of large datasets and influence in the SIS. This expansion further pushes the boundaries of Europol’s original mandate and purpose ever further, not only supporting Member States but playing a similar role to national law enforcement authorities. As will be analysed in the section below, this strengthening of powers did not go hand in hand with adequate data protection safeguards.

The continued fragmentation in the data protection framework in police cooperation

Many rules exist in the police sector. First and foremost, the Law Enforcement Directive (LED) was adopted in 2016 as part of the data protection package. ⁷² It has often been considered to be the little sister of the GDPR in the field of prevention, investigation and prosecution of criminal offences. It aimed at providing high standards of data protection, but remains an instrument of minimum harmonisation, which means that the Member States must transpose the directive into their national law. ⁷³ The Directive offers broad discretion to the Member States, which already creates divergences in the implementation of the legal framework in the EU. To name a few, differences exist in the definition of what constitutes a criminal offence, the rights given to data subjects and the designation of competent authorities. ⁷⁴ In some Member States, an authority may be considered administrative, whereas in another it would be a criminal authority. The LED applies to national competent authorities but does not apply to EU bodies.

Therefore, next to the general legal framework on police cooperation (the LED), the EU adopted a data protection Regulation applicable to EU institutions, agencies, bodies, and offices (EUDPR). ⁷⁵ In principle, Europol being an EU agency, should fall under the scope of the latter Regulation. At the time of the adoption of the Regulation, it was stated that the Regulation would not apply to Europol’s processing of operational personal data until the current Regulation of 2016 was amended. ⁷⁶ With the changes brought to Europol Regulation in 2022, the EUDPR became applicable to Europol. However, data processing by Europol continued to be subject to a complex legal framework since both the EUDPR (particularly Chapter IX on the processing of operational personal data by EU agencies) and the specific rules of Europol Regulation applied to it. ⁷⁷ In this way, the Europol Regulation may slightly depart from the core data protection principles of the EUDPR, for example when it comes it to data categorisation and storage limitation rules of large datasets. ⁷⁸

Article 18a of Europol Regulation of 2022 provides for the possibility to process personal data outside of the DSC, in support of ongoing specific criminal investigations. This prior processing is limited to a period of six months. ⁷⁹ This has a significant impact on the protection of personal data, as it not only allows for extensive data processing outside of the remit of Annex II (which limits the categories of data subjects about whom Europol may process personal data), but also subsequently allows for an extended storage period. ⁸⁰ Europol can store the data without DSC for as long as necessary to support the investigation, or even beyond that period to ensure the veracity, reliability, and traceability of the criminal intelligence process. ⁸¹ This article, therefore, derogates from the general principles of data minimisation and storage limitation. ⁸² It should thus only be used in exceptional situations to remain compliant with the EUDPR.

Another example of divergence between the two legal instruments can be seen in the provision on the restriction of processing operations. While the EUDPR provides for only two situations where instead of erasing operational personal data, the controller restricts the processing (to ascertain the accuracy of the data or to use it as evidence), ⁸³ Europol Regulation adds a third situation (the protection of the vital interest of the data subject or another person). ⁸⁴ These differences reduce data protection safeguards and create further legal fragmentation of data protection in the EU. ⁸⁵

The cooperation between national authorities and Europol perfectly illustrates this fragmentation and the challenges that data subjects face. If an individual, as has been the case of the Dutch activist Frank van der Linde, wants to obtain access to all the data held on them by the police, many different procedures must be triggered. ⁸⁶ In principle, the data subject would request access to the data in his/her country of residence (in the case of van der Linde, the Netherlands). According to the LED, the national authority must confirm whether they have personal data on the individual and notify them whether they disclosed such data for example to Europol. ⁸⁷ This does not suffice, as it is also highly possible that Europol holds data on that individual, that it obtained via other sources. ⁸⁸ The individual must then use the procedure under the Europol Regulation, which is lengthy, complex, and provides only indirect access through the national authority of the respective Member State. ⁸⁹ This becomes inherently complicated, particularly since within Europol data can be stored in different systems. This is what occurred with Frank van der Linde, where after the cancellation of a SIENA message on the platform (a secure platform used by law enforcement authorities to communicate) a second item of his personal data was found on another system of Europol. ⁹⁰

This overall fragmented and asymmetrical application of data protection rules in the police cooperation sector can seriously undermine individuals’ fundamental rights, particularly their right to data protection. This is highly problematic, particularly when the strengthening of Europol’s competencies is already in itself lacking appropriate data protection safeguards.

The dangerous expansion of Europol powers to the detriment of individuals’ protection of personal data

The new amendments made to Europol Regulation have been criticized as they empower the agency but also remove fundamental rights protection. ⁹¹ They not only weaken individuals’ protection of personal data but also allow Europol to circumvent (legal) limits that exist at the national level to the detriment of individuals rights.

(i) Undermining individuals’ fundamental right to data protection

The weakening of the right to data protection is anchored within the challenges related to Big Data, which was briefly touched upon in the previous section. The issue relates to Europol’s continuous processing of large datasets from Member States, which includes data of individuals that has no clear link to any criminal activity. ⁹² The EDPS dealt with the matter and issued a formal admonishment to Europol in September 2020 stating that the agency had been unlawfully processing data of individuals with no established link to criminal activity. ⁹³ After several exchanges with Europol, the EDPS ended up ordering Europol to erase the said data and required DSC to be completed within six months for new datasets, and twelve months for existing ones. ⁹⁴ The response of the legislators was troubling – ignoring the European watchdog’s opinion and retroactively legalising what had been found to be an illegal practice (since the practice was not provided for in the old Regulation). ⁹⁵ This is problematic on two main levels.

Firstly, it allows Europol to continue to play a key role vis-à-vis Big Data and process data on individuals who do not fall under Annex II of the Regulation, and to hold on to those large datasets received before 2022, for a period of up to three years. ⁹⁶ This undermines the principle of data minimisation and storage limitation and goes against the advice of the EDPS. One could even go as far as saying that this enables mass surveillance in the EU, through the vast collection of personal data and the use of predictive policing. ⁹⁷

The second issue is the undermining of any systems of checks and balances, by silencing the opinion of the EDPS. The legislator, by ignoring the EDPS’ order, essentially threatened the body’s independence. As a response, the EDPS brought an action for annulment to the Court of Justice against the new Regulation, to safeguard legal certainty for individuals and ensure the EDPS’ independence. ⁹⁸ However, this action was declared inadmissible by the General Court. ⁹⁹ Even after the amendments were adopted, supervision was once again set aside. Despite the legal requirement introduced in the Regulation, Europol’s Management Board adopted the implementing decision specifying the conditions for processing large datasets, without formally consulting the EDPS. ¹⁰⁰ While informal conversations took place between Europol and the EDPS, this can in no way replace the formal consultation required by law.

Therefore, alongside the existing fragmentation in the EU police cooperation sector, this disregard for oversight further reduces data subjects’ rights and weakens the power of supervisory authorities, whose precise role is to ensure the agency’s compliance with data protection rules. One may wonder whether new types of oversight mechanisms should be considered, in line with oversight bodies over intelligence agencies. ¹⁰¹

(ii) Circumventing existing national restrictions

Europol, as a supporting agency, has been seen as a potential solution to (alleged) national shortcomings. This became clear in three instances: (1) the analysis and retention of large datasets; (2) the cooperation with private parties; and (3) the contribution to the SIS.

Firstly, the analysis and retention of large datasets refer to the already mentioned Big Data challenge. Indeed, one of the most debated issues concerns the data retention period. Data retention in the EU has had a complex history. In short, the data retention directive was annulled by the Court of Justice in 2014 in the famous Digital Rights Ireland case, ¹⁰² followed by several legislative reforms in the Member States and preliminary references by domestic courts. ¹⁰³ The reactions were clear, the Member States had a commonly shared preference for keeping data retention rules in place to support their fight against crimes. Even though the Court of Justice repeatedly prohibited general and indiscriminate retention of traffic and location data, Member States continuously attempted to circumvent this prohibition. Denmark, for example, proposed a bill maintaining general and indiscriminate data retention. ¹⁰⁴ France, reintroduced mass data retention justifying it with the major terrorist threat, and Italy kept a maximum retention period of six years. ¹⁰⁵

This common preference of Member States for data retention was also very visible in the discussions on the amendments to Europol Regulation. ¹⁰⁶ In general, Member States supported the possibility for Europol to keep large datasets for a longer period, which allows Member States to circumvent their national retention limits. While the EDPS ordered Europol to ensure DSC within six months for new datasets, and twelve months for existing ones, ¹⁰⁷ the new amendments provide for it to be kept for a maximum period of three years. ¹⁰⁸ Member States can, therefore, now send data to Europol, that they are not legally allowed to retain in their domestic systems.

Secondly, when it comes to cooperation with private parties, there was a clear need for national law enforcement authorities to obtain personal data from private parties to support their criminal investigations. Indeed, a study requested by the European Commission on the exchange of personal data between Europol and private parties, before the 2022 amendments, found that national law enforcement authorities faced serious challenges in trying to obtain personal data from private parties. ¹⁰⁹ In practice, they either saw their requests being refused, not answered, or receiving incomplete or delayed data from private parties. ¹¹⁰ Often law enforcement authorities needed judicial authorisation to obtain the said data. Issues arose when they filed a request without judicial authorisation, even though it is formally required by the law. Europol was seen as a potential solution to circumvent the existing national restrictions that prevent national authorities from getting access to the relevant information coming from private parties.

Thirdly, Europol’s contribution to the current SIS with the novel introduction of information alerts was also seen as a solution to (alleged) national shortcomings. ¹¹¹ With the changes introduced in 2022, Europol can propose to one (or more) Member States to enter information alerts on third-country nationals in the interests of the EU. ¹¹² This essentially encompasses data on third-country nationals, suspected of being involved in terrorist offences or other serious crimes (e.g., foreign terrorist fighters). ¹¹³ The amendments were triggered by an existing information gap in the system. Data from third countries and international organisations on individuals suspected or convicted of terrorist offences (or other crimes), were only rarely inserted into the system. ¹¹⁴ This was either because the information was not shared with Member States, or because it was shared but Member States were not allowed to enter the alert under their national law. ¹¹⁵ Europol has wider access to such data, as it has strong cooperation relations with third countries and international organisations. ¹¹⁶ Approximately 1,000 foreign terrorist fighters are inserted into Europol’s information system, but not into the SIS. ¹¹⁷ Alerts are essential for front-line officers and national criminal investigations. Thus, Europol once again is seen as a solution to the limitations that exist at the national level.

These three examples show the potential for Europol to be used as a tool to circumvent national limitations. However, this comes with challenges for individuals’ right to data protection, as national limitations and rules are put in place for a reason. Issues emerge concerning data minimisation, storage limitation, and risk of misuse of the SIS, for example, to persecute their nationals and, more specifically, political opponents. ¹¹⁸

Beyond data protection safeguards – a need for procedural safeguards?

While the focus of this paper has been the protection of personal data, the expansion of Europol’s competence also questions the need to go beyond a mere fundamental rights approach and focus on the introduction of criminal procedural safeguards. As seen previously, Europol significantly contributes to national criminal investigation and allows the circumventing of national constraints. This also applies to procedural safeguards.

The new Regulation brought significant change in the way Europol can cooperate with private parties. ¹¹⁹ Europol can receive personal data directly from private parties for purposes of identification of the relevant national unit, ¹²⁰ and shall become the EU central hub in cases of online crises and the dissemination of online child sexual abuse material. ¹²¹ This means that in these situations, it can receive personal data directly from private parties, process this data and transfer it on a case-by-case basis. Exceptionally, Europol may also exchange personal data with private parties that are established in a third country not subject to an adequacy decision or international cooperation agreement. ¹²² This new role of Europol is not supported by sufficient procedural safeguards.

When Europol processes personal data received by a Member State or third country, it can only do so when the initial data has been obtained in accordance with the procedural requirements. ¹²³ No such requirements exist when data is received from a private party. This means that there is no assurance that procedural requirements, such as prior review by an independent court or administrative body, ¹²⁴ have been conducted when Europol directly receives personal data from private parties. ¹²⁵ Similarly, no procedural safeguard is established when Europol decides to transfer personal data to private parties (e.g., public prosecutor, or investigating judge). Thus, the new Regulation allows for the sidestepping of crucial national criminal procedural safeguards. This is highly problematic since Europol is increasingly resembling a national law enforcement authority, in terms of powers and role.