Abstract
This article explores the evolving legal framework governing Europol’s processing of non-data subject categorised (non-DSC) data, with a focus on the interplay between autonomy, discretion, accountability, responsibility and transparency. It analyses the progressive development of Europol’s frameworks under the 1995 Europol Convention, the 2009 Europol Council Decision, the 2016 Europol Regulation and the 2022 amending Regulation. The article demonstrates how Europol moved from a position of legal uncertainty and heavy reliance on Member States towards a more structured and centralised framework. Particular attention is given to the legal bases for non-DSC data processing, internal data management architectures and the agency’s evolving responsibilities. While formal legislative reforms only modestly increased Europol’s autonomy and discretion, the agency expanded its operational scope in practice, especially on the basis of the increasing volumes of data Member States send to Europol. In response, accountability and transparency mechanisms were reinforced, especially the European Data Protection Supervisor and the Europol Data Protection Officer. The article concludes that Europol’s capacity to process non-DSC data has grown steadily, but this expansion has been accompanied by stricter legal safeguards and accountability, resulting in a calibrated balance between operational effectiveness and institutional accountability.
