Spotlight Amended Europol Regulation in Force – Criticism Remains
On 8 June 2022, the European Parliament and the Council signed the controversial amendments to the 2016 Europol Regulation. A compromise on the text was already found at the beginning of February 2022 (for the Commission proposal → eucrim 4/2020, 279). The amendments will mainly strengthen Europol’s cooperation with private parties, allow Europol to process big sets of personal date in support of criminal investigations and define Europol’s role in research and innovation. The respective Regulation (EU) 2022/991 amending Regulation (EU) 2016/794 was published in the Official Journal L 169 of 27 June 2022, p. 1. The amendments entered into force on 28 June 2022. The main changes to Europol’s legal framework are as follows:
- Several additional tasks are conferred to Europol (Art. 4 of the Regulation); new tasks include:
- Supporting investigations against high-risk criminals;
- Issuing proposals for the entry of information alerts into the Schengen Information System (SIS), which is accompanied by a periodic reporting mechanism;
- Contributing to the Schengen evaluation and monitoring mechanism;
- Assisting in EU and Member States activities regarding security research and innovation;
- Supporting the screening of specific cases of foreign direct investments into the EU;
- Providing operational support to the competent national authorities in concrete operations and investigations;
- Supporting, upon their request, Member States’ actions in addressing online crisis situations, in particular by providing private parties with the information necessary to identify relevant online content;
- Supporting Member States’ actions in addressing the online dissemination of online child sexual abuse material;
- Cooperating with Financial Intelligence Units (FIUs), in order to support cross-border investigations into money laundering and terrorist financing.
- Europol’s possibility to request the initiation of criminal investigations is extended (Art. 6 of the Europol Regulation). Now, Europol’s Executive Director can propose to the competent authorities of a Member State that they initiate, conduct or coordinate the investigation of a crime which concerns only that Member State but affects a common interest covered by a Union policy (i.e. a cross-border dimension to ask for the initiation of investigations is not required);
- The purposes for which Europol can process personal data are extended – this includes the possibility for Europol to publish information on the most wanted fugitives, thus legalizing past practice;
- The new rules define situations in which Europol is exempted from its duty to allocate personal data to categories as defined in Annex II of the Europol Regulation. These rules mainly reply to the phenomenon that Europol has increasingly received large and complex data sets where a categorization is hardly feasible (→ eucrim 1/2022, 18). The new rules are accompanied by several procedural safeguards. The situations in which data can be processed without data subject categorisation defined in the amended Regulation include:
- Processing of personal data received for the purposes of research and innovation projects;
- Processing of personal data that support specific criminal investigations and that were submitted by Member States, the EPPO, Eurojust or a third country requesting Europol’s support – in this case, Europol can process the investigative data “for as long as it supports the ongoing specific criminal investigation for which the investigative data were provided” (new Art. 18a(1a));
- Europol’s own assessment finds that cross-checking of information or operational analyses cannot be carried out without processing personal data outside the categories allowed (new Art. 18a(1b)).
- The same rules for the processing of personal data in support of a criminal investigation apply if a third country shared personal data with Europol for operational analysis, which supports a specific criminal investigation in a Member State or Member States. Europol must verify that such data were not obtained through violating fundamental rights and that the amount of personal data is not “manifestly disproportionate” in relation to the investigation in the Member State (new Art. 18a(6)).
- Europol is enabled to carry out pre-analyses of personal data in order to determine whether they relate to one of the categories of data subjects listed in Annex II of the Regulation – the time limit is six months from the receipt of such data (Art. 18(6));
- In addition, Europol has 18 months (extendable up to three years) in order to assess the categorisation of personal data, e.g. if a re-assessment is necessary as a result of new information that became available (for example regarding additional suspects) – new Art. 18(6a);
- The amended Regulation sets out more concretely the relations between Europol and the European Public Prosecutor’s Office (EPPO). The new Art. 20a reaffirms that Europol shall establish and maintain a close relationship with the EPPO on the basis of a working arrangement. Europol must support criminal investigations at the EPPO’s request and notify it immediately of any criminal conduct which falls within its remit. Furthermore, operational support includes the possibility of the EPPO to have indirect access on the basis of a hit/no hit system to Europol data related to offences that fall within the EPPO’s competence;
- Cooperation with OLAF is strengthened, with Europol sending OLAF any information linked to possible illegal activity affecting the EU's financial interests (Art. 21(8));
- The scope of Europol to cooperate with third countries is extended: first, Europol’s Executive Director is allowed to authorize also the transfer of a category of personal data; second, Europol is allowed to exchange personal data with third country authorities ad hoc (i.e. on a case-by-case basis), if appropriate safeguards with regard to the protection of personal data exist. The latter obligation is met if the appropriate safeguards are provided in a legally binding instrument or if Europol itself concludes that those safeguards exist, following an assessment of all the circumstances surrounding the transfer (amended Art. 25(4a));
- Europol will have extended powers to cooperate with private parties. Europol will be enabled to directly receive data from private parties and, in specific cases where necessary and proportionate, exchange personal data with private parties;
- Europol will be a contact point at the Union level for private parties who wish to lawfully and voluntarily share data with competent authorities of the EU Member States;
- Europol will be able to receive data from private parties for the purposes of identifying the competent jurisdiction and to investigate the respective crimes. In doing so, Europol may also send requests to private parties for missing information or send request to national units, in order to obtain personal data held by private parties (which are established or have a legal representative in the territory of the respective Member State) (amended Art. 26);
- Exchanges with private parties that are established in a third country, which is not the subject of an adequacy decision, with which no international cooperation agreement has been concluded or where no appropriate safeguards with regard to the protection of personal data could be established, are possible under the condition of an authorisation by Europol’s Executive Director. He/she needs to determine that the fundamental rights and freedoms of the data subject concerned do not override the public interest that requires the transfer (Art. 26(6));
- It is clarified that transfers or transmissions of personal data with private parties shall not be systematic, massive or structural (Art. 26(6a));
- Europol will be the central hub at Union level and allowed to obtain, process and exchange personal data in cases of “online crisis situations” and the online dissemination of online child sexual abuse material (new Arts. 26a and 26b);
- Europol’s role in security research and innovation is defined: Europol will help Member States use emerging technologies, explore new approaches and develop common technological solutions, including solutions based on artificial intelligence.
Beside these essential amendments to Europol’s tasks and powers, Regulation 2022/991 entails changes to Europol’s data protection regime as well as its control mechanisms. The first important change concerns the applicability of Regulation 2018/1725 that sets out the rules on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies. In particular, Chapter IX of that Regulation becomes now applicable to Europol, in which the rules for the processing of operational data by EU law enforcement bodies/agencies are laid down. This is complemented by specific data protection provisions in the Europol Regulation taking into account specific processing operations that Europol performs. The legal change notably means that the supervisory powers of the European Data Protection Supervisor (EDPS) are reinforced. To that end, the EDPS will not only be able to order Europol to bring processing operations into compliance with the Regulation or to order suspension of data flows to the recipient in a Member State or third country, but also to impose an administrative fine if Europol is not compliant with EU data protection law. In addition, the Regulation sets out the cases in which the EDPS must be consulted or informed.
The amended Regulation establishes a Fundamental Rights Officer within Europol. He/She will be responsible for supporting Europol in safeguarding the respect of fundamental rights in all its activities and tasks, in particular Europol’s research and innovation projects and the exchange of personal data with private parties. The Fundamental Rights Officer will be designated by the Europol Management Board following a proposal from the Executive Director. The position can be filled by a member of Europol’s existing staff.
Democratic oversight and accountability are slightly reinforced. The amendments inter alia oblige Europol to provide the Joint Parliamentary Scrutiny Group (JPSG) with detailed annual information on the development, use and effectiveness of additional tools and capabilities as provided in the amended Regulation. Moreover, two representatives of the JPSG must be invited to at least two ordinary Management Board meetings per year to address the Management Board on behalf of the JPSG and to participate in certain discussions. Nonetheless, the JPSG representatives will not have voting rights in the Management Board. Lastly, the JPSG will be enabled to establish a consultative forum to assist it, upon request, by providing it with independent advice in fundamental rights matters.
Statements: The negotiators of the EU institutions, Europol, and the Management Board welcomed the new legal framework.
Europol's Executive Director, Catherine De Bolle, said: “It is the role of law enforcement to implement and protect the rule of law. I am concerned by the impact of serious and organised crime on the daily lives of Europeans, our economy, and the resilience of our state institutions. I therefore welcome the amended Regulation as it will considerably improve the efficiency of Europol's support to the law enforcement authorities of the European Union in fighting serious and organised crime and terrorism.”
Ylva Johansson, the European Commissioner for Home Affairs, told the press: “Because fighting organised crime and terrorism depends on police cooperation at European level, Europol is irreplaceable in supporting the law enforcement authorities in their investigations. With its stronger mandate, Europol will be able to step up its expertise and operational capabilities to become the EU information hub on criminal activities and a cornerstone of EU’s internal security architecture.”
Criticism: Nonetheless, the amendments to the 2016 Europol Regulation still trigger criticism (for the criticism to the Commission proposal → past eucrim issues). The German Bar Association (DAV) criticised that the agreed amendments fall short of the level of fundamental rights protection, respect for privacy and data protection, as requested by stakeholders.
In a press release of 27 June 2022, the EDPS, Wojciech Wiewiórowski, expressed his concerns that the amendments weaken the fundamental right to data protection and do not ensure an appropriate oversight of Europol. He considers data protection safeguards insufficient, in particular if it comes to Europol’s expanded powers to process large datasets where data related to individuals who have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity. The EDPS also criticises that Regulation 2022/991 retroactively authorises Europol to process large data sets (without data subject categorisation), which Member State authorities already shared with Europol prior to the entry into force of the amended Regulation (cf. Art. 74a of the amended Regulation). Indeed, these cases were subject to the EDPS order of 3 January 2022 (→ eucrim 1/2022, 18), which requested the deletion of these large data sets concerning individuals with no established link to a criminal activity. Therefore, the EDPS believes that the transitional arrangement in the amended Europol Regulation renders the order ineffective. He calls on the Europol Management board to soon put in place the data protection safeguards in order to limit effectively the impact of such intrusive data processing activities on individuals, as required by the legislator.