The European co-legislators agreed on a new mandate for Europol, closing a controversy over the agency’s data processing practices.
The recast mandate adopted on Tuesday (1 February) gives the law enforcement agency a legal basis for storing and processing vast amounts of personal data, practices already in place that were at the centre of an inquiry of the European Data Protection Supervisor (EDPS).
Europol supports cross-border criminal investigations related to terrorism and organised crime by making data available to law enforcement agencies. However, national authorities started transferring more and more data to Europol over the years, no longer limited to people with an established link to criminal activities.
In 2019, the agency’s executive director Catherine De Bolle asked the EDPS for advice on potential data compliance issues related to its ‘big data challenge’. In September 2020, the Supervisor concluded that Europol’s activities were going beyond its mandate, breaching the principles of data minimisation and storage limitation.
In response, the European Commission presented a proposal enhancing the mandate of Europol, with this legitimising its data processing practices. In a parliamentary hearing on Tuesday, the deputy director-general of the EU home affair service Olivier Onidi stated that the Commission intended to provide legal clarity.
By contrast, centre-to-left MEPs criticised the Commission’s proposal for legitimising practices in breach of EU data protection rules, setting a dangerous precedent.
“What is the Commission doing instead of addressing the elephant in the room and closing this gap to prohibit unlawful amassing of potentially sensitive data? It is retroactively legalising something that was found unlawful by the very watchdog she installed,” said social-democrat lawmaker Brigit Sippel at the same hearing.
However, following the hearing, major political groups agreed in an internal meeting to the proposals put forth by the French Presidency, which significantly downsized the role of the EDPS. One of them would require Europol to only inform the Supervisor of new operational data processing once the support to the investigation is over, which might take several years.
The new mandate does not include any limit for transferring large data sets to Europol, including from countries where fundamental rights might not be guaranteed.
Initially, the Commission proposed to allow the EDPS to rule whether the dataset was “disproportionate or collected in violation of fundamental rights.” However, in the final text, the EU data watchdog is only informed about the data transfer, and Europol will assess it.
On Monday, 22 civil society organisations sent a letter to the negotiators voicing concerns regarding the recast mandate’s potential impact on fundamental rights. According to a Lighthouse investigation, Europol conducted a mass screening of asylum seekers in Italy and Greece to pursue foreign fighters and terrorists.
Moreover, Europol’s data-driven activities fuel predictive policing, AI-powered tools designed to identify suspicious behaviour and persons of interest. For the NGO Fair Trials, these practices could be discriminatory based on race, socio-economic status and nationality and would go against the presumption of innocence.
“There is a huge gap between what has been said by the coordinators this morning and what is accepted by their shadows in the meeting,” Green MEP Saskia Bricmont told EURACTIV.
For Bricmont, the new mandate gives Europol increased power without proportionate safeguards. She makes an example of the Fundamental Right Officer, a new position obtained by the Parliament but whose independence will not be ensured as it will be nominated by Europol’s executive director among the staff members.
“The expansion of powers of Europol does not go hand in hand with strengthened scrutiny of the agency actions,” echoed EDPS Wojciech Wiewiórowski, who during the hearing referred to provisions included in the proposal as a “direct threat” to the role of the supervisory authority.
In January, the EU data watchdog concluded its probe by mandating Europol to conduct a data subject categorisation within one year, in other words, to assess whether the data it possessed was criminally relevant or had to be deleted. However, based on a new measure (Art. 74a) included in the final compromise, Europol will maintain such data.
Additionally, the EDPS established that Europol would have six months for new datasets to complete this categorisation, whereas the new mandate prolongs that to three years.
“We are talking about data that was contributed to Europol by law enforcement agencies in a lawful way,” said Europol’s deputy executive director Jürgen Ebner, stressing that the sheer size of the datasets means more time is needed to categorise the data.
Ebner pointed out that complex criminal investigations usually last longer than six months and that since the scope of Europol is to support the national authorities, it should be able to do so “as long as it is necessary for the investigation.”
The Europol representative added that there is “nearly no risk” that a data subject is miscategorised.
By contrast, Wiewiórowski said that law enforcement authorities across the EU could use Europol as a “clearing house”, transferring there data they would no longer be able to retain due to national legislation.