EU: Study demands new ways for Europol to access personal data from private parties

Current rules are "perceived to be insufficient by both Europol and the OSPs [online service providers]."


Statewatch is publishing the executive summary of a report produced by Milieu Consulting for the European Commission. The study concerns the direct exchange of personal data between Europol and private parties, in particular online service providers.

See: Study on the practice of direct exchanges of personal data between Europol and private parties (September 2020, pdf)

The study was completed in September this year but has not yet been made public. The executive summary - which is only being made public here - states that it:

"aims to provide a comprehensive overview of the current practice of direct exchanges of personal data between Europol and private parties. The study also provides an overview of how the practice of indirect exchanges of personal data between Europol and private parties works."

With the Commission planning to publish a proposal to revise Europol's founding Regulation in the coming months, expanding the agency's ability to exchange personal data with private parties is a key aim of the Council, the Commission and Europol itself.

More personal data

The study apparently confirms the "growing need for LEAs [law enforcement authorities] to access private data" - which is hardly surprising, given that most of the interviewees appear to have been drawn from law enforcement agencies and home affairs institutions.

Interestingly, it also highlights that national law enforcement agencies are happy to sidestep legal requirements when requesting personal data from private parties, althought this is not necessarily succesful:

"LEAs face difficulties in obtaining personal data from private parties… these issues mainly arise in the context of cross-border cases. In the national context, the issues arise when the LEAs request personal data from the private parties ‘non-officially’, e.g. when despite being required to by law, requests are being filed without the necessary judicial authorisation or similar."

One proposed way around this would be to use Europol as a permanent platform for requests that do not have judicial authorisation (emphasis in original):

"A number of stakeholders saw a need for a change of the current system. Most stakeholders recommended channelling of the requests and the responses through a dedicated platform, and many stakeholders suggested Europol in that regard. Some others were doubtful… These stakeholders reiterated the importance of receiving official requests."

According to the current Europol Regulation, there are three ways Europol can exchange data with private parties, as explained in the study:

"...Europol, as a general rule, is prohibited from transferring personal data directly to private parties. It is allowed to do so in three cases, one of which concerns the subject matter of the study, the so-called 'system of referrals'. Europol is allowed to transfer personal data directly to private parties if the transfer concerns publicly available personal data, and if it is necessary for preventing and combatting internet-facilitated crimes.

Under the Europol Regulation, Europol may only exceptionally receive personal data directly from private parties. This is allowed under the 'system of responding to referrals', under which private parties may decide to transfer personal data to Europol in response to a prior referral."

The third method is via an intermediary (emphasis in original):

"Europol receiving personal data from private parties through an intermediary constitutes the most 'traditional way' of personal data exchange between the private parties and Europol. Under this system, private parties share personal data with national LEAs, typically because they are subject to the regulatory obligation to d o so (e.g. legal obligation to respond to requests received in the context of investigations). Whilst generally, no statistical data are collected on the matter, it seems that large volumes of personal data are shared by private parties with national LEAs. Also, it seems that data sharing is relatively fast. However, compared to the actual physical transfer of the data, more time is needed for the preparation thereof.

National LEAs may transfer these data further to the ENUs, which may then pass the personal data on to Europol. Whilst no precise statistical data exist on the matter, it seems that only a fraction of the personal data shared by the private parties are transferred further from the LEAs to the ENUs. Also, only a fraction of these original datasets reaches Europol in the end..."

Proposed "solutions to the current challenges" include:

"• Amending the Europol Regulation reinforcing Europol's capacity to exchange personal data directly with private parties and to subsequently process these datasets for analytical purposes;
• Amending the national and EU regulatory frameworks, allowing private parties to share personal data with national LEAs on more grounds and/or with an extended group of national competent authorities;
• Establishing a platform for private parties operating in the same sector to exchange personal data among themselves; and for private parties and national LEAs to intensify dialogues leading to the more targeted use of the current system;
• Designating a person within the private parties to coordinate the exchanges of personal data with national LEAs;
• Raising awareness of stakeholders regarding the current system, thereby reinforcing its use."

The Milieu Consulting study follows on from an internal evaluation conducted by the European Commission of Europol's exchange of personal data with private parties. Questioned by Statewatch about that study last May, the Commission refused to release the evaluation itself but said that "the current practice appears to be working quite well."

Nevertheless, the intention was to contract an external study:

"In view of the current changing operational and legal environment – including the entry into application of the General Data Protection Regulation – the Commission plans to launch a more detailed study into the operational needs of all stakeholders of the current practice."

Those "operational needs" point - as ever - in the direction of greater gathering and processing of personal data. The full version of the study remains under lock and key but, with a revision of Europol's legal basis in the offing, public scrutiny of its findings is necessary.

See: Study on the practice of direct exchanges of personal data between Europol and private parties (September 2020, pdf)

Further reading

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error