The European Data Protection Supervisor (EDPS) published an Opinion on the proposed Regulation to enhance police cooperation to prevent, detect, and investigate the smuggling of migrants and the trafficking of human beings, and to reinforce the role of the EU Agency for Law Enforcement Cooperation (Europol) in preventing and combating these crimes.

The Commission made the proposal on 28 November 2023 (→ eucrim 3/2023, 257-258); it aims to strengthen Europol’s role in the fight against migrant smuggling and human trafficking by bolstering the European Centre Against Migrant Smuggling at Europol. It is part of a broader effort by the EU to modernize its approach to combating these crimes, given their growing complexity and cross-border nature.

However, while the EDPS acknowledges that the fight against migrant smuggling and trafficking in human beings represents significant public interest and justifies certain limitations on individual rights, it emphasizes that the necessity and proportionality of the proposed measures must be rigorously assessed.

The EDPS' key concerns:

• Processing of biometric data and facial recognition: The proposal includes provisions for Europol to support Member States in the effective processing of biometric data, including facial recognition technologies. The EDPS raises concerns about the expanded use of such sensitive data, particularly in terms of ensuring the strict necessity and proportionality of their use. Biometric data, by its nature, poses a high risk to privacy and personal security, and the EDPS underscores the need for clear, binding safeguards to prevent misuse. This includes mechanisms to ensure the quality of biometric data, especially when processed using automated systems like facial recognition, which may involve significant risks of error and bias.
• Role of Frontex: The proposal seeks to strengthen cooperation between Europol and the European Border and Coast Guard Agency (Frontex), particularly in operations against migrant smuggling. The EDPS cautions against blurring the lines between Frontex’s core tasks of border management and law enforcement activities. There is concern that, without clearer boundaries, Frontex could effectively become a law enforcement agency, a role for which it is not designed.
• Data transfers to third countries: The proposal allows Europol to transfer personal data to third countries under certain conditions, even in the absence of an adequacy decision or appropriate safeguards, using derogations. The EDPS is particularly concerned about the risk of regular or systemic use of such derogations, which could undermine the protection of personal data when shared with countries that do not have equivalent data protection standards.
• Investigative non-coercive measures: The proposal introduces new provisions that would allow Europol to carry out investigative non-coercive measures related to data processing, particularly when providing operational support to Member States. The EDPS stresses the importance of defining clear data processing responsibilities between Europol and the concerned Member States.
• Absence of an impact assessment: One of the EDPS’s primary concerns is the lack of an impact assessment accompanying the proposal. Given the sensitive nature of the data involved, particularly biometric data, and the vulnerability of the individuals affected (e.g., migrants and victims of trafficking), the absence of such an assessment is problematic. The EDPS highlights that this omission makes it difficult to fully evaluate the necessity and proportionality of the proposed measures.
• Potential impact on fundamental rights: The EDPS notes that the proposal remains vague on the actual impact that the new provisions may have on fundamental rights, particularly the right to privacy and data protection. Although the proposal aims to combat serious crimes like human trafficking and migrant smuggling, it is essential that any measures taken do not disproportionately infringe upon the rights and freedoms of individuals.

Recommendations for mitigating data protection risks:

The EDPS offers several recommendations to address the data protection risks posed by the proposal:

• Adopt clear, binding rules for biometric data processing: Mechanisms must be established to mitigate the risks associated with processing biometric data. These should include strict rules governing the necessity, proportionality, and quality of the data being processed, particularly by Europol.
• Clarify Frontex’s role: The EDPS urges that Frontex’s role in supporting Europol and Member States in combating migrant smuggling be clearly defined to prevent mission creep and ensure that Frontex does not become a law enforcement body.
• Limit the use of derogations for data transfers: The EDPS recommends modifying the proposal to prevent the systemic use of derogations for data transfers to third countries, ensuring that such measures remain the exception.
• Define responsibilities for data processing: Europol and Member States must clearly define their respective responsibilities when Europol is involved in operational support, ensuring accountability in data protection matters.
• Conduct an impact assessment: The EDPS strongly advises that an impact assessment be carried out to properly evaluate the potential effects of the proposal on fundamental rights, particularly given the sensitive nature of the data at stake.

While the EDPS acknowledges the importance of reinforcing Europol’s role in combating migrant smuggling and human trafficking, it emphasizes that any expansion of powers must be balanced with adequate protections for the fundamental rights of individuals. The necessity and proportionality of new measures, particularly those involving biometric data processing and cross-border data transfers, must be carefully considered. By implementing the recommendations provided, the EU can ensure that its efforts to combat serious crime do not come at the expense of personal privacy and data protection.