10 November 2022
This report examines the new powers granted to EU policing agency Europol by legal amendments approved in June 2022. It finds that while the agency's tasks and powers have been hugely-expanded, in particular with regard to acquiring and processing data, independent data protection oversight of the agency has been substantially reduced.
In 2022 the legal basis of the European Union Agency for Law Enforcement Cooperation, better known as Europol, was revised. Changes were needed, argued the European Commission, because “Europe faces a security landscape in flux, with evolving and increasingly complex security threats.” This created “pressing operational needs,” and reforms to the 2016 Regulation governing the agency were agreed by the Council of the EU and the European Parliament in early June, coming into force 20 days later.
The changes make the agency responsible for a vast number of new tasks and massively expand the scale and scope of the agency’s ability to access and process data. Given Europol’s role as a ‘hub’ for information processing and exchange between EU member states and other entities, the new rules thus increase the powers of all police forces and other agencies that cooperate with Europol. However, despite this increase in data powers, the new rules significantly lower the data protection requirements governing the agency.
This report aims to provide an overview of the powers and problems introduced by the revised legal basis, so that civil society, elected officials, and anyone with an interest in the matter is able to understand the role of the agency better. It is based on an analysis of Europol’s legal basis, other relevant legislation, and publicly-available documentation.
This report was produced as part of the project 'Building the biometric state - EU agencies and interoperable databases', supported by Privacy International.
The 2022 amendments give the executive director of Europol the power to request that an investigation be opened into a crime involving just one member state, where it “affects a common interest covered by a Union policy,” rather than where it falls within Europol’s objectives. Previously, a crime had to affect two or more member states. There is still no obligation for the member state(s) to comply with such a request, but there is a requirement for Europol to inform the European Public Prosecutor’s Office and Eurojust of these requests and the replies received, which appears to be a way to put pressure on national authorities.
The tasks the agency must undertake have been vastly expanded by the 2022 amendments and now include supporting national “special intervention units”, supporting the identification of and investigation into suspects that present “a high risk for security”, managing the EMPACT cooperation platform for joint police operations, and assisting in setting “research and innovation” priorities for the EU’s security research programme.
While the law continues to include relatively tightly defined categories of persons on whom Europol may process data, how the police define terms such as “suspect,” “contact” or “associate” is open to interpretation – as demonstrated by a case that has come to light recently, in which a peaceful activist was branded a terrorist by the Dutch police and had his data shared with Europol.
Europol is now allowed to process vast quantities of data transferred to it by member states on people who may be entirely innocent and have no link whatsoever to any criminal activity. This legalises an activity that was previously illegal, and for which Europol was admonished by the European Data Protection Supervisor.
The agency can now process “investigative data” which, as long it relates to “a specific criminal investigation”, does not have to relate to any of the data subject categories set out in the Europol Regulation – that is to say, it could cover anyone, anywhere (“investigative data” can be received from member states, EU bodies, international organisations and non-EU states).
Europol has been granted the power to conduct “research and innovation” projects, which will likely be geared towards the use of big data, machine learning and ‘artificial intelligence’ techniques. For those projects, it may process special categories of personal data (such as genetic data or ethnic background) and may use any data it receives from member states, EU bodies, international organisations, third states or private parties in those projects, without requesting permission.
The scale of Europol’s data processing has increased substantially in recent years, and the recent legal reforms are intended to increase this further: the number of objects stored in the Europol Information System (EIS) at end of 2021 was more than 1.5 million, an increase of more than 280% since 2016; and the number of searches in the EIS increased by 753% between 2016 and 2021, when there were more than 12 million searches.
A proposal to revise the rules on information exchange between national law enforcement authorities will further increase the amount of data transmitted to Europol, by making it mandatory to copy the agency into messages sent via SIENA (Secure Information Exchange Network Application)
New powers for Europol to enter “information alerts” in the Schengen Information System, based on information received from third states, and proposals for it to provide “third country-sourced biometric data” for the Prüm network raise the possibility of Europol being used as a data-laundering hub for information obtained in breach of the law, and for third states to use Europol as a conduit for harassing political opponents and dissidents.
The 2022 amendments to the Europol Regulation substantially loosen restrictions on international data transfers, empowering the management board to authorise transfers of personal data to third states and international organisations without a legal agreement in place.
Priority states for cooperation with Europol include dictatorships, authoritarian and repressive regimes, such as Algeria, Egypt, Turkey and Morocco.
There is no longer a requirement for the agency to “publish on its website and keep up to date a list of adequacy decisions, agreements, administrative arrangements and other instruments relating to the transfer of personal data”.
Europol can now contact private parties to retrieve personal data (via national units, which must request the data in accordance with their national law), but the member state through which Europol makes the request does not have to have jurisdiction over the crime in question.
In an “online crisis situation” or in cases involving the online dissemination of child sexual abuse material, Europol can receive personal data directly from private parties.
Europol can now receive personal data obtained from private parties via third countries or international organisations, and when the agency receives personal data from a private party established in a third country, it can forward the data and “the results of its analysis and verification” on the basis of a Management Board decision, without a legal agreement in place.
Europol may now receive and process information “originating from private persons”, if received via a national unit, a third country contact point, or a third country or international organisation authority, but cannot contact private persons to obtain data.
Europol now has access to all six of the EU’s centralised justice and home affairs databases, and legal reforms under negotiation may see it obtain access to the ‘Prüm’ network of national police databases, which currently cover DNA, fingerprints and vehicle registration data, and will likely come to include facial images and police records.
Within the interoperability architecture, Europol has a key role in the “watchlisting” and profiling of individuals wishing to travel to the EU, and is developing a ‘European Travel Intelligence Centre’ to ensure the comprehensive profiling and surveillance of international travellers.
Europol’s Data Protection Officer has been given an expanded set of tasks and powers, but the possibilities for independent external oversight by the European Data Protection Supervisor have been substantially limited.
The Management Board breached the new Regulation as soon as it came into force, by failing to consult the EDPS on implementing decisions setting out how Europol would process large datasets in order to provide “data subject categorisation”.
The threshold for referring new data processing activities to the European Data Protection Supervisor (EDPS) for external scrutiny has been raised, and the EDPS has raised concerns over “recurrent issues” with the “risk assessment methodology” Europol uses to determine whether or not to refer a new data processing activity to the EDPS.
If Europol determines that the new processing operations “are particularly urgent and necessary to prevent and combat an immediate threat,” it can simply consult the EDPS and then start processing data without waiting for a response.
The agency is now required to employ a Fundamental Rights Officer, although the rules provide less independence for this official than their counterpart at Frontex. Europol’s FRO is appointed by the Management Board “upon a proposal of the Executive Director,” and “shall report directly to the Executive Director”.
The Joint Parliamentary Scrutiny Group, made up of national and European parliamentarians and responsible for political supervision of Europol’s work, has received some new powers (mainly with regard to information that must be shared with it by Europol) and must be consulted on Europol’s multiannual work programme. However, its conclusions and recommendations remain non-binding upon the agency.
The JPSG is also mandated to set up a “a consultative forum” to provide “independent advice in fundamental rights matters,” which is similar to a requirement that applies to Frontex. However, unlike Frontex’s consultative forum, the JPSG’s is not granted any particular powers by the new rules aside from being able to give advice.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.