Widening the net: massive expansion of Europol’s data-gathering powers proposed


EU policing agency Europol could have the scope of its data-gathering powers expanded massively under new proposals tabled by the European Commission in December. Current limits on the categories of people the agency can gather data on – such as convicts, suspects, witnesses and victims – would be circumvented, to allow Europol to process “big data dumps” transferred by national police forces, as well as data transferred by non-EU states.

Support our work: become a Friend of Statewatch from as little as £1/€1 per month.

Statewatch recently reported on plans to give Europol a role in developing new policing algorithms, making use of the vast quantities of data available to the agency – but this is not the only change to the rules that was put forward by the European Commission at the end of last year. It is also proposing to widen the scope of Europol’s data-gathering powers, potentially placing vast numbers of innocent people into the agency’s databases.

Europol is currently allowed to process personal data on criminal suspects, convicts, ‘potential’ criminals (providing there are “factual indications or reasonable grounds” to do so), witnesses, victims, “contacts and associates” and “persons who can provide information on the criminal offences under consideration.” These categories are set out in Annex II to the current Europol Regulation. The new proposal would circumvent current limitations in two different ways.

The “big data challenge”: legalise it

Firstly, the proposal seeks to address what has become known as Europol’s “big data challenge”. Although national authorities should only send to Europol personal data that it has legal permission to process, the agency frequently receives vast amounts of information from the member states. According to its 2019 annual report, “big data dumps of multiple terabytes per investigation” are becoming “the standard procedure.” [2]

An investigation by the European Data Protection Supervisor, launched following a request by the agency itself, found “a high likelihood that Europol continually processes personal data on individuals for whom it is not allowed to do so and retain categories of personal data that go beyond the restrictive list provided in… the Europol Regulation.”

What this means, said the EDPS, is that people may be “wrongfully linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails.”

In response to this challenge, the European Commission has proposed legalising the existing practice, a stance backed by the member states and Europol itself. New legal provisions proposed in December would allow the “temporary” processing of these “large data dumps” to establish whether any of it relates to the categories covered by the Annex II list.

The proposal foresees this temporary period lasting “a maximum period of one year, or in justified cases for a longer period,” which may require prior authorization by the European Data Protection Supervisor.

Supporting “a specific criminal investigation”

This change is accompanied by provisions that would make it possible for Europol to process, “in support of a specific criminal investigation,” personal data that does not fall within one of the Annex II categories.

This would be possible when a member state, the European Public Prosecutors Office (EPPO) or a non-EU state provides Europol with “an investigative case file… for the purpose of operational analysis,” and Europol considers that such analysis would not be possible without processing data that falls outside the bounds of Annex II.

Under the proposals, this data could be stored and further processed for years at a time. It could be retained for as long as Europol supports the investigation to which the data is related, or – if requested by the relevant member state or the EPPO – for as long as any related judicial proceedings are ongoing in any member state.

Some further safeguards apply to data provided by non-EU states, such as ensuring that information obtained in the case file has not been obtained “in manifest violation of fundamental rights.”

There is no indication of how the agency or the European Data Protection Supervisor might establish whether this is the case, but officials at the data protection body may have a busy time ahead of them – the European Commission is currently negotiating agreements that would allow data exchanges between Europol and states with abysmal human rights records such as Algeria, Egypt and Turkey, and under the new proposals it would become far easier for the agency to exchange data with non-EU states.

Up for discussion

The Europol proposal will be discussed for the first time by the European Parliament’s civil liberties committee this Wednesday, 24 February. As ever, there is likely to be significant enthusiasm for expanding police powers from many of those present, and member states are keen to pass the proposals quickly.

It remains to be seen whether the scale and scope of the debate will match the proposed expansion of Europol’s powers. MEPs should be aware that when the EDPS concluded it is likely that “Europol continually processes personal data on individuals for whom it is not allowed to do so,” it was highlighting a problem, not making a recommendation.

Find out more about the new Europol proposals in the Statewatch Database

Image: KamiPhuc, CC BY 2.0

Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error