02 February 2024
A new proposal to enhance the powers of Europol and to strengthen its cooperation with Frontex in the name of fighting migrant smuggling falls short of respecting data protection and fundamental rights standards, according to the European Data Protection Supervisor (EDPS).
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Move along, nothing to see here
Last November, the Commission announced a Global Alliance to Counter Migrant Smuggling and a strengthened EU legal framework, made up of a new Directive on the criminalisation of migrant smuggling that replaces a 2002 law, and a new Regulation on police cooperation and Europol.
In June 2022, the new Europol Regulation was adopted, significantly increasing the agency’s powers and data collection framework. Despite revelations about the agency’s mass data collection practices, the law that was passed by the Council and Parliament sidelined concerns and legalised previously unlawful practices.
The Commission wants the additional powers adopted as swiftly as possible, claiming that “urgent operational needs” have prevented it from conducting an impact assessment, contradicting its own “better regulation” guidelines.
In an opinion on the proposed new powers for Europol (pdf), the EDPS heavily criticises this approach, “given the nature of the personal data at stake and that vulnerable people may be involved.” The terms of the proposal are “too vague”, says the supervisory body, making it impossible to foresee its impact on fundamental rights.
Mass collection with no new safeguards
The EDPS considers that the new measures will “inevitably” result in a substantial expansion in the processing of biometric data, including the use of facial recognition, by Europol.
The supervisory authority “recommends the establishment of mitigation mechanisms for the data protection risks caused by biometric data processing.” These “should include the adoption of clear binding rules providing for appropriate safeguards, especially with regard to the strict necessity and proportionality of the processing of biometric data by Europol, and the quality of the data”.
In the explanatory memorandum for the proposal, the Commission estimates that the agency will need around 50 new staff and an additional budget of around €50 million. There is no parallel increase in budget or staff planned for the EDPS, which is the external supervisory authority for data protection at the agency.
This is representative of the trend to give data protection authorities new tasks without any corresponding resources. A September 2022 report found that eighty per cent of the EU’s data protection bodies were underfunded, with some unable to fulfil their legal duties.
The report, by the EDPS and the European Data Protection Board (EDPB), said that supervisors continue to receive new tasks from EU legislators for the supervision large-scale information systems and EU agencies, while facing financial and staff shortages.
Frontex is not a police force
In the summer of 2022, an investigation exposed Frontex’s attempts to collect “intrusive” personal data from migrants and asylum seekers during “debriefing” interviews, and forward it to Europol for storage and analysis as part of its work on migrant smuggling.
Frontex should only “process operational personal data collected only in the context of a specific and lawful purpose, within its mandate, namely - in respect of debriefing interviews - for migration management purposes,” said the EDPS report. “In addition, the EDPS considers that Frontex may not systematically, proactively and on its own, collect any kind of information about suspects of any cross-border crimes.”
The lack of monitoring in the collection of data and its transfer has previously led to the transfer, at least six times, of information about NGOs from Frontex to Europol.
This has taken place in the context of an increasing criminalization of NGOs assisting migrants in the EU and at its external borders. The EDPS called on the Commission to clarify the role of the border guard agency “in order to avoid Frontex being turned de facto into a law enforcement agency.”
Derogations should remain exceptions
The transfer of personal data to third countries and international organisations should be guaranteed by an adequacy decision or an international agreement. These provide guarantees that, upon transfer, essentially equivalent data protection safeguards to those in the EU will be applied.
However, the 2022 amendments to the Europol Regulation introduced a derogation from the general rule, allowing the executive director to authorise transfers of personal data to third countries “in the absence of an adequacy decision or of adequate or appropriate data protection safeguards.” The new proposal would give Europol’s European Migrant Smuggling Centre the task of identifying cases in which such transfers should be authorised.
In a report published last year, Statewatch highlighted how the 2022 legal changes had loosened the rules noting that: "Priority states for cooperation… include dictatorships, authoritarian and repressive regimes, such as Algeria, Egypt, Turkey and Morocco."
Following a September 2023 audit of Europol’s information system, the EDPS ordered the agency to monitor the proportionality and lawfulness of data transferred from third countries and international organisations concerning minors under the age of 15.
The audit found multiple cases in which data should not have been transferred to the agency because it concerned “relatively minor infractions, such as pickpocketing (at least two cases) or shoplifting,” but was nevertheless transferred under the heading “organised crime group”.
Commenting on the new smuggling proposal, the EDPS “stresses” that it “should not be interpreted as promoting or recommending regular and systemic use of derogations for transfer of data to third countries,” calling for changes to the text to reflect this.
Joint responsibility or no responsibility?
The new measures would let Europol staff carry out “non-coercive investigative measures,” including data processing, in support of member state investigations. Currently, the agency is prohibited from undertaking any form of investigative measure, as this is considered a competence of national police forces.
The EDPS notes in its comment on the smuggling proposal that this proposal comes in the light of other new joint working methods, such as “joint operational analysis,” introduced by the 2022 changes, which is “part of a more general trend identified in the recent years where more actors participate in a specific processing operation,” increasing the risks to data protection standards.
Wojciech Wiewiórowski, the head of the EDPS, has also warned that member states could use Europol in that context to get around their national data protection rules, for example with regard to storage limitation. The issue of joint responsibility for data processing between Europol and member states has been raised at the Court of Justice, but the facts of the case in question mean judges could not rule on it.
The EDPS recommends that the new rules on Europol make clear “the allocation of responsibility as regards the processing of personal data, in accordance with the relevant provisions of Europol Regulation, the [Regulation on data protection in EU institutions] and the Law Enforcement Directive.”
At the end of November, the European Commission announced two new laws to fight migrant smuggling. One seeks to make the legal framework more punitive. The other aims “to reinforce Europol’s role in the fight against migrant smuggling and trafficking in human beings,” but would in fact expand Europol’s powers in relation to all crimes for which it has competence, and let the agency conduct “non-coercive investigative measures” during joint operations with national police forces. Its staff are currently prohibited from conducting any kind of investigative measure.
The European Commission wants to agree “new anti-smuggling operational partnerships” with Tunisia and Egypt before the end of the year, despite longstanding reports of abuse against migrants and refugees in Egypt and recent racist violence endorsed by the Tunisian state. Material and financial support is already being stepped up to the two North African countries, along with support for Libya.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.