10 November 2022
The new rules governing Europol, which came into force at the end of June, massively expand the tasks and powers of the EU’s policing agency whilst reducing external scrutiny of its data processing operations and rights protections for individuals, says a report published today by Statewatch.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Given Europol’s role as a ‘hub’ for information processing and exchange between EU member states and other entities, the new rules thus increase the powers of all police forces and other agencies that cooperate with Europol, argues the report, Empowering the police, removing protections.
New tasks granted to Europol include supporting the EU’s network of police “special intervention units” and managing a cooperation platform for coordinating joint police operations, known as EMPACT. However, it is the rules governing the processing and exchange of data that have seen the most significant changes.
Europol is now allowed to process vast quantities of data transferred to it by member states on people who may be entirely innocent and have no link whatsoever to any criminal activity, a move that legalises a previously-illegal activity for which Europol was admonished by the European Data Protection Supervisor.
The agency can now process “investigative data” which, as long it relates to “a specific criminal investigation”, could cover anyone, anywhere, and has been granted the power to conduct “research and innovation” projects. These will be geared towards the use of big data, machine learning and ‘artificial intelligence’ techniques, for which it can process sensitive data such as genetic data or ethnic background.
Europol can now also use data received from non-EU states to enter “information alerts” in the Schengen Information System database and provide “third-country sourced biometric data” to national police forces, increasing the likelihood of data obtained in violation of human rights being ‘laundered’ in European policing and raising the possibility of third states using Europol as a conduit to harass political opponents and dissidents.
The new rules substantially loosen restrictions on international data transfers, allowing the agency’s management board to authorise transfers of personal data to third states and international organisations without a legal agreement in place – whilst priority states for international cooperation include dictatorships and authoritarian states such as Algeria, Egypt, Turkey and Morocco.
At the same time, independent external oversight of the agency’s data processing has been substantially reduced. The threshold for referring new data processing activities to the European Data Protection Supervisor (EDPS) for external scrutiny has been raised, and if Europol decides that new data processing operations “are particularly urgent and necessary to prevent and combat an immediate threat,” it can simply consult the EDPS and then start processing data without waiting for a response.
The agency is now required to employ a Fundamental Rights Officer (FRO), but the role clearly lacks independence: the FRO will be appointed by the Management Board “upon a proposal of the Executive Director,” and “shall report directly to the Executive Director”.
Chris Jones, Director of Statewatch, said:
“The proposals to increase Europol’s powers were published six months after the Black Lives Matter movement erupted across the world, calling for new ways to ensure public safety that looked beyond the failed, traditional model of policing.
With the new rules agreed in June, the EU has decided to reinforce that model, encouraging Europol and the member states to hoover up vast quantities of data, develop ‘artificial intelligence’ technologies to examine it, and increase cooperation with states with appalling human rights records.”
Yasha Maccanico, a Researcher at Statewatch, said:
“Europol has landed itself in hot water with the European Data Protection Supervisor three times in the last year for breaking data protection rules – yet the EU’s legislators have decided to reduce the EDPS’ supervisory powers. Independent, critical scrutiny and oversight of the EU’s policing agency has never been more needed.”
The report has been published alongside an interactive 'map' of EU agencies and 'interoperable' policing and migration databases, designed to aid understanding and further research on the data architecture in the EU's area of freedom, security and justice.
For further information or comment please contact comms [at] statewatch.org or call (+44) (0) 203 393 8366.
This report examines the new powers granted to EU policing agency Europol by legal amendments approved in June 2022. It finds that while the agency's tasks and powers have been hugely-expanded, in particular with regard to acquiring and processing data, independent data protection oversight of the agency has been substantially reduced.
EU and member state officials have begun discussing a working agreement between Europol and the Israeli authorities. It would allow the exchange of personal data, including sensitive categories of data such as biometrics, racial and ethnic origin, or religious or political beliefs. It also includes derogations that would allow data transferred by Europol to be used in the occupied territories.
The EU’s police agency, Europol, has landed itself in trouble again. Having been formally admonished by the European Data Protection Supervisor (EDPS) late last year for its illegal processing of vast quantities of personal data, and in September for refusing an access request to the personal data of a political activist and trying to cover it up by deleting his data from the system, Statewatch can now reveal that the agency’s management board was in breach of the new rules governing the agency as soon as they came into force in June.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.