The European Law Blog will be taking a summer recess. We’ll be back in September with new commentaries. Please do send us on your contributions throughout this period and we will get back to you in due course. Happy Holidays to all our readers!
The European Commission plans to considerably expand the data processing powers of Europol, the EU’s law enforcement agency. In December 2020, the Commission published a proposal for a Regulation amending Regulation 2016/794 (Europol Regulation). In view of the Commission, increasingly digital and complex security threats necessitate new powers for Europol so that it can continue to effectively support and strengthen action by national authorities.
The proposed amendments to the Europol Regulation can be divided up into nine thematic blocks:
- Enabling Europol to cooperate effectively with private parties;
- Enabling Europol to process large and complex datasets;
- Strengthening Europol’s role on research and innovation;
- Enabling Europol to enter data into the Schengen Information System;
- Strengthening Europol’s cooperation with third countries;
- Strengthening Europol’s cooperation with the European Public Prosecutor Office;
- Clarifying that Europol may request the initiation of an investigation of a crime affecting a common interest covered by a Union policy;
- Strengthening the data protection framework applicable to Europol;
- Other provisions, such as support for Member States’ high value target investigations, information processing for judicial proceedings, and increased parliamentary scrutiny.
As a preliminary point, it should be stressed that parts of the proposed amendments aim to legalize personal data processing activities which Europol is already conducting, such as the processing of large datasets and the processing of data about individuals who are not linked to any criminal activity. After an inquiry, the EDPS in its decision of September 2020 admonished Europol for these (currently) unlawful data processing activities and urged Europol to mitigate the risks created by these data processing activities. The Commission responded to the EDPS’s admonishment by proposing certain amendments to the Europol Regulation to create a legal basis for Europol’s extensive data processing activities.
This contribution focuses on the new data processing powers of Europol. These data processing powers relate to personal data which Europol receives via national intermediaries and private parties or which Europol collects via publicly available sources. The contribution makes four points. First, there is a tension between Europol’s new proactive data processing powers and its legally mandated supportive role. Second, the proposed amendments follow a problematic logic in which new data processing powers for Europol are justified by the fact that Europol receives large datasets. Third, the new data processing powers are regulated by open norms which are hard to oversee or supervise. Fourth, the proposed amendments incentive voluntary data sharing by private parties to Europol, with which procedural safeguards for fundamental rights are circumvented.