The European Law Blog will be taking a summer recess. We’ll be back in September with new commentaries. Please do send us on your contributions throughout this period and we will get back to you in due course. Happy Holidays to all our readers!
The European Commission plans to considerably expand the data processing powers of Europol, the EU’s law enforcement agency. In December 2020, the Commission published a proposal for a Regulation amending Regulation 2016/794 (Europol Regulation). In view of the Commission, increasingly digital and complex security threats necessitate new powers for Europol so that it can continue to effectively support and strengthen action by national authorities.
The proposed amendments to the Europol Regulation can be divided up into nine thematic blocks:
- Enabling Europol to cooperate effectively with private parties;
- Enabling Europol to process large and complex datasets;
- Strengthening Europol’s role on research and innovation;
- Enabling Europol to enter data into the Schengen Information System;
- Strengthening Europol’s cooperation with third countries;
- Strengthening Europol’s cooperation with the European Public Prosecutor Office;
- Clarifying that Europol may request the initiation of an investigation of a crime affecting a common interest covered by a Union policy;
- Strengthening the data protection framework applicable to Europol;
- Other provisions, such as support for Member States’ high value target investigations, information processing for judicial proceedings, and increased parliamentary scrutiny.
As a preliminary point, it should be stressed that parts of the proposed amendments aim to legalize personal data processing activities which Europol is already conducting, such as the processing of large datasets and the processing of data about individuals who are not linked to any criminal activity. After an inquiry, the EDPS in its decision of September 2020 admonished Europol for these (currently) unlawful data processing activities and urged Europol to mitigate the risks created by these data processing activities. The Commission responded to the EDPS’s admonishment by proposing certain amendments to the Europol Regulation to create a legal basis for Europol’s extensive data processing activities.
This contribution focuses on the new data processing powers of Europol. These data processing powers relate to personal data which Europol receives via national intermediaries and private parties or which Europol collects via publicly available sources. The contribution makes four points. First, there is a tension between Europol’s new proactive data processing powers and its legally mandated supportive role. Second, the proposed amendments follow a problematic logic in which new data processing powers for Europol are justified by the fact that Europol receives large datasets. Third, the new data processing powers are regulated by open norms which are hard to oversee or supervise. Fourth, the proposed amendments incentive voluntary data sharing by private parties to Europol, with which procedural safeguards for fundamental rights are circumvented.
Tension between Europol’s supportive and proactive role
The proposed amendments to the Europol Regulation foresee a proactive role for Europol. This active role becomes apparent from the provisions which are to be included in the Regulation. Article 4 of the Europol Regulation states the tasks of Europol, to which a new task is added for Europol to ‘proactively monitor and contribute to research and innovation activities’ (Article 4(1)(t) as proposed). In addition to this new task, Europol is empowered to receive personal data directly from private parties and then forward these personal data to the national authorities concerned (Article 26(2) as proposed). In connection with this new power, Europol may transmit or transfer personal data to private parties in specific cases (Article 26(5) as proposed) and Europol may request Member States, via their national authorities, to obtain personal data from private parties (Article 26(6a) as proposed). However, as Vavoula and Mitsilegas remark in their study for the European Parliament (p. 30), ‘[m]agnifying Europol’s role towards the direction of proactivity somewhat sits at odds with Article 88(1) TFEU, according to which Europol has a supportive role and its tasks are heavily relied on Member States’ willingness to cooperate’.
Technological reality becomes normative reality
The Explanatory Memorandum to the proposal for a Regulation explains that Europol obtains new data processing powers because it is receiving larger and more complex datasets from Member States. Broadly speaking, the Explanatory Memorandum identifies three reasons why Member States submit these datasets to Europol (p. 6): national authorities sometimes get hold of datasets which span multiple jurisdictions or cannot yet be attributed to a specific jurisdiction; national authorities cannot identify cross-border links in the datasets; and, national authorities may lack the digital tools to analyse such datasets.
These considerations in the Explanatory Memorandum show that the Commission takes it as a given that national authorities have large and complex datasets, which they cannot effectively analyse themselves. The proposal for a Regulation suggests that because of these circumstances, Europol should have new data processing powers. With this, a technological reality (there are large datasets) becomes a normative reality (Europol should be able to process these datasets).
It is to be expected that a similar logic will be followed regarding Europol’s research and innovation activities. The proposed amendments task Europol to monitor and contribute to research and innovation activities, ‘including the development, training, testing and validation of algorithms’ (Article 4(1)(t) as proposed). Once Europol has developed new and powerful algorithms which can be used to analyse large datasets, the argument will likely be made that Europol or national authorities should be able to use these algorithms simply because the algorithms are available.
Open norms for analysis of personal data outside Annex II
The EDPS’s inquiry found (para. 1.1) that Europol regularly obtains large and complex datasets. When Europol acquires such a large dataset, it is presented with a problem. According to Article 18(5) of the Europol Regulation, the Agency may collect and process only personal data which are listed in Annex II to the Regulation. Such data includes, for instance, data relating to persons who are suspected of having committed a criminal offence or who are a contact or associate of suspected persons. However, when Europol receives a large dataset, it does not know what data is contained within that dataset and whether it is allowed to process all the data. To find that out, Europol needs to process the entire dataset, which may involve the processing of personal data which is not in Annex II.
The EDPS’s inquiry showed that Europol regularly processes large datasets which contain personal data which are not listed in Annex II. In other words, Europol processes personal data relating to individuals who are not linked to any criminal activity. Under the current rules, such data processing activities are unlawful. The Commission aims to legalize this practice by empowering Europol to temporarily process all types of personal data for the purpose of determining whether or not such data are listed in Annex II of the Europol Regulation (Article 18(5a) as proposed). This ‘pre-analysis’ of data includes checking the data against all data which Europol already processes in accordance with the law (Article 18(5a) as proposed). In that connection, the proposed amendments also introduce a new Article 18a which empowers Europol to process personal data outside the data listed In Annex II where necessary for the support of a specific criminal investigation (Article 18a(1) as proposed).
The pre-analysis of data and the processing of data in support of a specific criminal investigation are regulated by open norms which are difficult to oversee or supervise by external bodies such as the European Parliament or EDPS. For both data processing activities, the Management Board of Europol will further specify the conditions relating to the processing of such data (Article 18(5a) and Article 18a(2) as proposed). In other words, when Europol (very likely) processes personal data relating to persons who are not linked in any capacity to a crime, then Europol itself can determine the rules for such data processing. The proposed amendments require that for both data processing activities, Europol consults the EDPS. However, it will be difficult for the EDPS to evaluate the conditions that the Management Board specifies if the new Europol Regulation does not contain any criteria or guidelines for these conditions.
Specific criteria are also missing for the duration of the pre-analysis of data. The proposed amendments state that Europol may conduct a pre-analysis of data for a maximum period of one year, or in ‘justified cases’ for a longer period with the prior authorisation of the EDPS (Article 18(5a) as proposed). The proposal does not indicate what are justified cases and how the EDPS should assess if the case for longer processing is justified. In its Opinion on the proposed amendments (para. 25), the EDPS warns that ‘[g]iven the lack of specific criteria or at least general indication what should be considered as “justified cases”, the prior authorisation of the prolongation by the EDPS could actually turn into ‘rubber-stamping’ of the requests by the Agency’. Regardless of the fact that it is remarkable that the EDPS questions its own diligence here, without specific criteria there is indeed a risk that the EDPS can only do a marginal review.
Voluntary data transfer circumvents procedural requirements
The proposed amendments set up a system which relies on and incentivizes voluntary data sharing by private parties to Europol. Under the current rules, Europol is allowed to process personal data received from private parties in three cases. First, Europol is allowed to process personal data received from private parties if those data are transferred to Europol by a national intermediary. These intermediaries include national units which form the liaison link between national authorities in the EU and Europol, and contact points or authorities of third countries and international organisations with which Europol may exchange personal data based on a specific legal arrangement. Second, if Europol receives personal data directly from private parties it is allowed to process those personal data solely for the purpose of identifying the relevant national intermediary (‘proactive sharing’). Third, following the transfer of personal data by Europol to a private party for the purpose of preventing and combatting internet-facilitated crimes (a ‘referral’), Europol may in connection therewith receive personal data directly from a private party if the private party declares it is legally allowed to transmit the data in accordance with the applicable law (a ‘response to a referral’).
A Study on the practice of direct exchanges of personal data between Europol and private parties conducted by Milieu Consulting for the European Commission identified several limitations to the system of indirect and direct personal data exchange between private parties and Europol. Nonetheless, the study (p. 34) also observed an increasing willingness of online service providers to take the initiative to share personal data with Europol outside of the system of referrals.
To resolve these difficulties and capitalize on private parties’ willingness to share data, the Commission proposes to establish Europol as a single point of contact for private parties. Recital 26 of the proposal notes that ‘[a]s a result from (sic) the increased use of online services by criminals, private parties hold increasing amounts of personal data that may be relevant for criminal investigations’. The Commission wants to increase the disclosure of data by making it easier for private parties to voluntarily share such data directly with Europol.
As EDRI has pointed out in its Recommendations on the revision of Europol’s mandate (p. 10-11), a system of voluntary data transfer by private parties to Europol ‘takes place without the procedural safeguards which apply to [national] authorities when seeking access to personal data in accordance with national or Union law, e.g. prior review by a court or an independent administrative body’. The study by Milieu Consulting explains (p. 39) that in the case of indirect transfer of data via an intermediary, the initial transfer to the intermediary generally happens because private parties receive a request from a national law enforcement authority in the context of criminal investigations or because private parties are under a legal obligation to report data to the national law enforcement authority. These two routes are regulated by procedural requirements such as judicial authorisation of an information request and strict requirements regarding the forwarding of data via the intermediaries to Europol. When Europol is empowered to process personal data directly received from private parties, these procedural and other legal requirements are circumvented.
The proposed amendments to the Europol Regulation will further establish Europol as the EU’s ‘criminal information hub‘ and ‘platform for European policing solutions‘. But the realization of these ambitions of Europol, including the new tasks and data processing powers which Europol will receive, is in tension with Europol’s legally mandated supportive role.
The Explanatory Memorandum to the proposal for a Regulation also shows a logic in which the idea of what should be the case follows from an observation of what is the case. The technological reality that Europol receives large and complex datasets from national authorities thereby turns into the norm that Europol should be able to process these datasets. We should be attentive to such kind of reasoning, as it will likely be used to justify the use newly developed algorithms as well: as soon as Europol has powerful algorithms, certain stakeholders will argue that therefore, law enforcement authorities should be able to deploy these algorithms.
Another issue is that the new data processing powers proposed for Europol come with open norms which will be difficult to control or oversee by the European Parliament or EDPS. Strict criteria are necessary to prevent that these data processing powers, which are an exception to the rule that Europol may process only personal data as listed in Annex II to the Europol Regulation, become the rule.
A final point is that the use of voluntary schemes to incentivize the transfer of data from private parties to Europol purposefully circumvents procedural safeguards which protect individual rights when law enforcement authorities access personal data from private parties. Such voluntary mechanisms are also used in the context of the removal of terrorist content, where the EU Internet Referral Unit refers content to online platforms who are then kindly asked but not obliged to remove the content. These voluntary systems weaken the rule of law.
As the European Data Protection Supervisor (‘EDPS’) stressed in a decision regarding Europol (para. 4.10), without proper safeguards and strict adherence to the data minimisation principle, ‘data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails’. Seeing that the Council has agreed on a negotiating mandate which is very similar to the Commission’s proposal and by no means tries to trim down the proposed powers of Europol, it is to be hoped that the European Parliament can provide pushback, resist the current logic of the proposal, and table appropriate safeguards for individual rights.