EU: Europol: "Significant progress" on legalising illegal data practices

There has been "significant progress" in negotiations on new powers for EU police agency Europol, according to a document circulated by the Slovenian Presidency of the Council in December. The police agency was recently ordered to delete vast amounts of personal data that it was processing illegally - but the new rules would allow those practices to continue. Member states may be hoping to approve the new rules before the agency has to implement the deletion order.

"Significant progress"

In December 2020, the European Commission published a proposal seeking to significantly expand Europol's powers, a move that Statewatch and other organisations warned was unjustified and threatened fundamental rights. By October 2021, both the Parliament and Council had adopted their negotiating positions and entered into secret "trilogue" negotiations on the text.

As its term in the Council Presidency drew to a close at the end of last year, the Slovenian delegation circulated a note to Council delegations (pdf) declaring that:

"Significant progress has been achieved under the Slovenian Presidency in a number of key areas of the proposal where operational needs are the strongest: handling of big datasets, cooperation with private parties and Europol’s role in research and innovation are nearly finalised..."

Legalising the illegal

Earlier this week, the European Data Protection Supervisor (EDPS) ordered Europol to delete vast quantities of data that it had no legal basis to store (pdf). Europol is only permitted to process data on individuals with a link to criminal activity - convicted persons, suspects, witnesses, contacts, and associates - but for several years, has been receiving vast quantities of data from member states, and holding onto it without determining whether it is permitted to process it or not.

The EDPS thus ordered the agency to delete any such data received after 4 January 2022 after six months unless, following the "Data Subject Categorisation" process, it was legal to retain it. For data received by the agency prior to that date, it has 12 months to carry out an assessment: any data it has not assessed by the beginning of 2023 will have to be deleted. However, Europol is still able to challenge the EDPS decision in court.

Beyond a legal challenge, Europol's supporters in the Council and Parliament may be hoping that approval of the new rules will avoid the need to delete the vast troves of data gathered by the agency. In particular, Article 18a of the proposed rules (pdf) would provide numerous grounds for Europol to hold on to large datasets that it would not otherwise be legally allowed to process - which is precisely why, as detailed in the EDPS Decision, Europol argued that the EDPS should refrain from taking a decision in its investigation until the new rules enter into force.

Whether this would work is another matter. As Niovi Vavoula, a legal scholar, told The Guardian:

“The new legislation is actually an effort to game the system. Europol and the commission have been attempting an ex-post rectification of illegally retaining data for years. But putting new rules in place does not legally resolve previously illegal conduct. This is not how the rule of law works.”

Data from third countries

The provisions on large datasets do not only concern information sent to the agency by EU member states, but also from "third countries". The proposal aims to make it simpler for Europol to process data transmitted by third countries, including dictatorships and authoritarian states with abysmal human rights records.

In a consultation document, the European Commission bemoaned the need for "long and complex negotiations" with non-EU states in order to establish a legal basis for data exchange with Europol. Its proposal therefore sought to make such exchanges simpler. Amongst other things, it said:

"Where a third country provides an investigative case file to Europol, the EDPS shall be informed. Europol shall verify that the amount of personal data is not manifestly disproportionate in relation to the specific investigation in a Member State that Europol supports, and that there are no objective elements indicating that the case file has been obtained by the third country in manifest violation of fundamental rights. Where Europol, or the EDPS, reaches the conclusion that there are preliminary indications that such data is disproportionate or collected in violation of fundamental rights, Europol shall not process it. "

Now, those already-limited safeguards have been watered down. The text as it currently stands, agreed in secret trilogues between the Council, Parliament and Commission (pdf), says:

"Where a third country provides an investigative data case file to Europol, the EDPS shall be informed. Europol shall verify that the amount of personal data is not manifestly disproportionate in relation to the specific investigation in a Member State that Europol supports.  Where Europol, or the EDPS, reaches the conclusion that there are preliminary is an indications that such data is manifestly disproportionate or was collected in obvious violation of fundamental rights, Europol shall not process it and delete the data."

The text in italics is still "under discussion at technical level", but the direction of travel is clear: no oversight role for the EDPS, and a ban on processing will only be required if there has been an "obvious" human rights violation.

The Slovenian Presidency boasted in its progress report that it had acquired "the deletion of the requirement for Europol to assess whether data originating in third countries has been obtained in compliance with fundamental rights" - apparently, this is something to be proud of.


Further reading

Image: KamiPhuc, CC BY 2.0


Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error