Europol, the EU’s law enforcement cooperation agency, is approaching the finishing line to get a broader mandate, legitimising data processing practices that spurred controversy last year.
The adoption of the new mandate on Tuesday (12 October) by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) is one of the final steps for Europol to broaden its competencies.
“Digital is the new reality. The Europol mandate had to be updated to face these challenges that threaten the security of the Europeans,” said Javier Zarzalejos, the MEP leading on the file.
Europol’s main task consists in collecting data on cross-border crime and make it available to national authorities for their investigations, but the EU agency has also developed an expertise in analysing very large datasets with the objective of identifying criminal profiles.
An investigation of the European Data Protection Supervisor (EDPS) from last year found these data processing practices went beyond the agency’s mandate – an assessment that the broadened scope would make redundant.
The EDPS ‘admonished’ the EU agency in September 2020 for collecting personal data of individuals who had no relations with criminal activities.
In its action plan to address the supervisor’s concern, Europol pointed in particular to the revision of its legal basis that would enable it to continue with its data processing practices, in derogation of the EU’s general data protection rules.
However, in its opinion on the reformed mandate, the EDPS warned that “the exceptions from the current data protection rules, applicable to Europol, could become in reality the rule”, a concern also shared by others.
“This reform is meant to legalise current practices that went beyond scope, how do we know it won’t be the case again in the future?” Green MEP Saskia Bricmont told EURACTIV.
A key part of the proposal consists in giving Europol the capacity to process data from any kind of private entities, including internet companies, and third countries that voluntarily choose to provide it.
Data protection concerns note there is little Europol can do to verify the origin of such data, which might also come from non-EU countries that do not meet Europe’s privacy standards.
Liberal MEP Dragoș Tudorache argued that “the new mandate sets strict rules that determine the limited scope and duration for such processing of data, specifying that this processing can take place for the sole purpose of determining if such data falls within the remit and mandate of Europol”.
Big Data and AI
The new mandate will formalise Europol as a processor of massive quantities of data to continue training algorithms and developing new tools for law enforcement purposes. To this end, Europol is being given a broad mandate on research and innovation that will let the EU agency identify the relevant themes for EU research programmes.
“Europol’s increasing use and development of AI and data analytics are deeply concerning, and may engage and infringe fundamental rights, including the right to a fair trial, to privacy and data protection rights,” Laure Baudrihaye-Gérard, legal director at Fair Trials, told EURACTIV.
The potentially discriminatory effects of AI and machine learning are a recurring topic, as these technologies tend to reproduce biases intrinsic to the datasets, disproportionally impacting marginalised groups.
For Chloé Berthélémy, a policy adviser at European Digital Rights (EDRi), an international advocacy group, the recast mandate contradicts a resolution the European Parliament adopted last week, which opposes the use of predictive modelling for law enforcement.
However, rapporteur Zarzalejos argued that the two reports are not in contradiction. “The capacity of police to process large sets of personal data, including for profiling purposes, is essential to fight crime,” the lawmaker said.
Proportionality and safeguards
The parliamentary text introduces some safeguards on Europol’s research activities, notably in terms of transparency, accountability and impact assessments on data protection issues. An independent audit will also be required before a new technology is deployed.
Nonetheless, Green MEPs voted against the proposal as they consider that safeguards and scrutiny still do not match the increase in the EU agency’s power.
“It should not be Europol’s role to conduct research and innovation on this field, as the agency will essentially be mandating its own role in the future,” MEP Bricmont added.
The EU crime experts will be able to request data whenever deemed relevant for an investigation with no ex-ante authorisation. National authorities will no longer need judicial authorisation to access Europol’s data, as the agency will be able to make its own entries in EU databases.
Europol’s democratic accountability is ensured by the Joint Parliamentary Scrutiny Group (JPSG). The Parliament’s text proposes including two JPSG representatives in the agency’s management board, with observatory status.
EU lawmakers also suggest the addition of a consultative forum on the model of border agency Frontex and the introduction of a fundamental rights officer.
The text is now expected to go through a plenary vote during next week’s plenary session.
[Edited by Zoran Radosavljevic]