EU: Data protection authorities condemn Commission's Europol proposal

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

13.06.2013 - The data protection provisions of the European Commission's most recent law enforcement proposal have been condemned by European data protection authorities, with the Joint Supervisory Board of Europol saying that they are a "a clear retrograde step" that "would result in a much weaker Europol data protection regime."

At the end of March, the Commission published a proposal for a Regulation that would establish a European Union Agency for Law Enforcement Cooperation and Training, merging Europol (whose name the new agency would retain) and the European Police College, CEPOL. At the beginning of May both agencies rejected the proposal, arguing that their "core mandates do not overlap though they co-operate on some training issues relevant to serious crime." [1]

Serious criticism by data protection authorities has followed. In mid-May, the spring Conference of European Data Protection Authorities in Lisbon issued a short resolution stating that "under no circumstances would it be acceptable if the new legal basis lowered the existing level of data protection," and warned that "this is precisely what has to be feared - if the proposal submitted by the Commission is taken as a basis." [2]

Europol's key task is the collection and analysis of large amounts of data submitted to it by member states' and third countries' law enforcement agencies, and collected from open sources. According to the Joint Supervisory Board of Europol, it has a "robust data protection regime, safeguarded by strict, tailor-made rules and effective supervision arrangements." [3]

The current legal basis, a 2009 Council Decision, lays out the information processing systems that should be used and provides strict safeguards. The proposal, in its current form, permits computer systems to be established in whatever form the agency sees fit. It also offers new possibilities to transfer data outside the EU, amongst other things. The conference statement accuses the Commission of trying to "limit existing procedural safeguards and to lift current restrictions on the data transfer to third countries and third bodies."

Two weeks later, at the beginning of June, the European Data Protection Supervisor (EDPS), Peter Hustinx, issued an opinion that called for the Parliament and the Council to introduce a host of new provisions and clarifications during negotiations on the new proposal to ensure - amongst other things - strict purpose limitation, joint European and national oversight of data protection issues, and limitations on transfer to third countries and other bodies. [4]

Hustinx highlighted Article 24 of the Commission's proposal which "could be a cause for concern if data protection safeguards are not put in place," because it would give Europol the ability "to cross-reference information stored in different databases to check if individuals or groups are suspected of more than one type of crime." [5] As it stands, vast swathes of data on suspects, witnesses, victims and others could be collated for "cross-checking aimed at identifying connections between information"; "analyses of a strategic or thematic nature"; and "operational analyses in specific cases". [6]

The most recent criticism of the Commission's proposal has come from the Joint Supervisory Body of Europol (JSB), which is made up of two representatives of the data protection authorities of each member state.

In an opinion issued on 10 June, the JSB noted their agreement with the statement issued by the Conference of European Data Protection Authorities, saying that "Europol's legal basis must contain specific provisions for data processing and responsibilities in relation to each task and each data processing facility. The regulation falls short of this." [7]

The JSB's opinion criticises the proposal on a number of issues. It notes that the Regulation, as it stands, contains "no rules applicable to specific data processing activities to be chosen by Europol that guarantee tailor made implementation of the general [data protection] principles," and that instead the Commission has provided vague references to the use of "privacy-by-design" in the development of new technology. In this case, that technology would be enhanced databases allowing cross-checking and cross-referencing of information on a vast scale - at the end of the 2011 financial year, the Europol Information System contained 200,000 "objects". [8] The Commission's arguments for the proposed changes are, according to the JSB, "unconvincing".

The JSB also criticised the Commission for moving away from "the definition of serious crime that has been practice for the last decade," based on the list of crimes covered by the European Arrest Warrant. The regulation introduces the concept of "forms of crime which affect a common interest covered by a Union policy," but the JSB says it is "unclear" why the previous definition has not been maintained.

The JSB also echoes comments made by the EDPS in criticising the proposal to abolish the role of national data protection authorities in ensuring that Europol abides by its data protection framework, saying that "the involvement of the national DPAs [data protection authorities] is essential because the vast majority of data collected and processed by Europol originates from the member states and is sent back to the member states." The Board therefore suggests "the creation of an independent and effective joint supervision structure with equal participation of each national DPA and the EDPS."

The new Europol proposal was discussed by the Justice and Home Affairs Council at its meeting on 7 June, and a background paper from the end of May perhaps provides some clues as to how that discussion went. [9] It made no mention of data protection or fundamental rights, but the proposal faced hostility from member states with "a number of delegations" commenting on the Commission's "unconvincing argument to justify the merger and also on the lack of detailed calculations to the support the view that the merger would result in costs savings."

Furthermore, "a majority of delegations expressed the view that the merger would negatively affect both the training and the operational activities for EU law enforcement," and a number of member states are apparently unsure about plans to significantly increase the supply of data to the agency, expressing "concerns that a significant increase in the volume of information supplied to Europol may overburden it."

Enmity towards the Commission's plans for Europol appears to be long-standing. Records of discussions held in the Council long before the publication of the new proposal show that not all member states are happy with the new proposal. In March last year suggestions on the possible future of Europol made by the Commission to the Standing Committee on operational cooperation on internal security (COSI, a Council working party) received a rather lukewarm reception. [10]

Delegations wanted information flow to Europol to be improved in "a pragmatic and realistic manner", a proposal for a binding obligation to provide certain information to Europol was opposed "by some delegations", some member states "voiced concerns regarding the transmission of personal data" to Europol by private sector organisations, and while redesigning Europol's information systems and its "data management concept" was welcomed by some member states, they "asked for cautiousness and advocated that this should not lead to a decrease in either the operational effectiveness or on the high data protection level." [11]

Meanwhile, the Parliament is yet to debate the proposal. Four committees - Budgets, Budgetary Control, Constitutional Affairs and Civil Liberties, Justice and Home Affairs - will discuss the new Regulation, but it is the LIBE committee's discussions that will attract the most attention. Its recent record on data protection affairs is mixed: it rejected the proposed EU Passenger Name Record proposal that would have permitted Europe-wide surveillance and profiling of air passengers by law enforcement agencies, [12] but agreed to a highly controversial proposal to give those same bodies the power to search Eurodac, the European database of asylum seekers' and irregular migrants fingerprints. [13]

It remains to be seen what the LIBE committee will make of the Commission's Europol proposal. The JSB concluded that "the regulation, as it is currently formulated, would result in a weaker data protection regime at Europol… The JSB urges the European Parliament and the Council to ensure a legal framework containing a level of data protection appropriate for Europol and sufficient to protect individuals' rights."

[1] Nikolaj Nielsen, EU police agencies reject cost-cutting merger, EUobserver, 7 May 2013
[2] Conference of European Data Protection Authorities, Resolution on ensuring adequate level of data protection at Europol, Lisbon, 16-17 May 2013
[3] Joint Supervisory Body of Europol, Opinion of the Joint Supervisory Body of Europol (Opinion 13/31) with respect to the proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol), 10 June 2013
[4] European Data Protection Supervisor, Opinion on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA, 31 May 2013; Nikolaj Nielsen, EU data chief urges limits on joint police powers, EUobserver, 3 June 2013
[5] European Data Protection Supervisor, Strong data protection to improve EU approach to serious crimes, 3 June 2013
[6] European Commission, Opinion on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA, 27 March 2013
[7] Ibid. at [3]
[8] European Court of Auditors, Report on the annual accounts of the European Police Office for the financial year 2011, together with the Office's replies, Official Journal of the European Union, 15 December 2012
[9] NOTE from: Presidency to: Council, Proposal for a Regulation on the European Union Agency for Law Enforcement Cooperation and Training (Europol) - Discussion paper, 10213/13, 29 May 2013
[10] NOTE from: Commission services to: Standing Committee on operational cooperation on internal security, Revision of Europol's legal basis, 8261/12, 29 March 2012
[11] NOTE from Presidency to: Standing Committee on operational cooperation on internal security, Summary of the COSI debate on the revision of Europol's legal basis, 9104/12, 23 May 2012
[12] European Parliament, Civil Liberties Committee rejects EU Passenger Name Record proposal, 24 April 2013
[13] European Parliament's Civil Liberties Committee adopts proposal giving law enforcement authorities and Europol access to Eurodac, Statewatch News Online, December 2012; Ska Keller, Asylum seeker database plan shows EU's hypocrisy on human rights, Public Service Europe, 29 April 2013

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error