By Elisabeth, Furat, Joseph and Matthew
Europol’s Accountability: Tension Between Secrecy and Supervision
This blogpost addresses the tension between effective policing and democratic oversight in the context of Europol’s extensive data collection used for ‘predictive policing’. This practice raises questions about the balance between security and individual privacy rights in the digital age. This blogpost provides an oversight of Europol’s powers and corresponding accountability, with the goal in mind of asking whether the Joint Parliamentary Scrutiny Group’s (JPSG) supervisory powers are sufficient to ensure robust and effective oversight of Europol’s operations. It’s important to note that while Europol’s role involves information collection and sharing, it’s distinct from predictive policing, a specific approach that relies on information to anticipate criminal activity. Predictive policing is not widely used in many European countries, and its relationship with Europol’s functions is complex.
A Brief Introduction to Europol:
Europol was created by the Treaty of Maastricht, which established a “Union-wide system for exchanging information within a European Police Office.” Initially, Europol’s role was limited to coordinating cross-border drug investigations. Despite its limited powers, the agency faced accountability concerns from the start, falling within the Maastricht treaty’s third pillar concerning police and judicial cooperation. Crucially, this domain was insulated from judicial review, meaning the Court of Justice had no means of ensuring Europol’s (admittedly limited) policing activities complied with fundamental rights.
Europol’s role has gradually expanded throughout the years, becoming a full EU agency in 2010. As an agency, Europol is tasked with additional responsibilities such as the collection and analysis of intelligence. However, with increased responsibility came the need for enhanced accountability.
The Treaty of Lisbon, brought an end to the pillar system which had kept Europol ‘at arm’s length’ from the Court’s oversight under Maastricht. For many, Lisbon signaled an end to Europol’s accountability concerns. Article 88 TEU provided the European Parliament with oversight for the first time, and along with it came “increased democratic accountability – at least superficially.” The JPSG is one of the core components of this newfound accountability. The group was established in April 2017 by the EU Speakers Conference, which brings together the national and the European Parliaments. The JPSG, which meets twice a year, is co-chaired by the European Parliament and the country holding the rotating presidency of the Council.
The group’s oversight powers are mostly supervisory. Under Article 51(2) of the Europol Regulation, the JPSG’s purpose is to “politically monitor Europol’s activities.” To facilitate the group’s supervision, Article 51(4) allows the JPSG to request documents from Europol and Article 12 of the Regulation requires Europol’s management board to make the agency’s annual work program available to the JPSG. So, the question is – are these supervisory powers sufficient when Europol oversteps its mandate?
Is Europol headed for ‘1984 reloaded?’
Supervising law enforcement agencies is a complex task. Law enforcement, after all, requires a degree of secrecy, which in turn stands in the way of transparency and supervision. In today’s digital society, this tension between secrecy and supervision is manifested in “predictive policing”, a practice which refers to gathering vast datasets and developing algorithms to identify criminals. Europol is no exception to this tension, as data collection and analysis is one of the core components of Europol’s tasks as the EU’s “principle information hub.” While Europol is permitted to collect personal data, Article 28 of the Europol Regulation requires that this data be relevant and necessary for the purposes for which it is processed.
Europol understands the collection of personal data is a touchy subject. In a 2012 publication from the agency, Europol asked “are we headed for ‘1984’ reloaded?”, referencing George Orwell’s novel which depicts a dystopian society of invasive state surveillance. In an effort to put concerns to rest, Europol reaffirmed its commitment to ensuring “the highest standards of data protection.”
Despite this commitment, “serious concerns” have been raised regarding data mining practices at Europol, which saw Europol retaining data related to huge numbers of individuals for indeterminate periods. The sheer scale of Europol’s data mining saw its dataset of 4 petabytes (equivalent to 2 trillion printed pages) compared to a “black hole” and the scandal compared to the mass surveillance program uncovered by Edward Snowden in the U.S. So where was the JPSG amidst this scandal?
What role for the JPSG?
Under Article 51 of the Europol Regulation, the JPSG is responsible for supervising Europol’s activities which impact fundamental rights. Given that the European Data Protection Supervisor (EDPS) found that Europol’s data mining practices have a “potentially severe impact” on data subjects’ fundamental rights, data mining at Europol would seem to fall squarely within Europol’s supervisory powers.
The problem is the limited extent of the JPSG’s supervisory powers. Europol is only required to report to the JPSG on a yearly basis and has no oversight over the agency’s day-to-day activities. This creates a real gap in the group’s supervisory powers. This gap is demonstrated by the fact that it was Europol itself, not the JPSG, which reported concerns regarding its data handling practices to the EDPS.
Real tension between secrecy and supervision is also evident with regards to the JPSG’s requests for documents. Different rules apply to requests for sensitive documents, which Europol handles a lot of as a law enforcement agency. This tension came into play when the JPSG requested access to correspondence between Europol and the EDPS relating to Europol’s data collection software, to which Europol provided only a limited reply, indicating only the types of software used.
Moreover, adherence to the Law Enforcement Directive (LED) reinforces accountability by mandating strict data protection standards for law enforcement authorities, including Europol. The EDPS’s oversight ensures Europol’s predictive policing complies with these standards, highlighting the critical need for enhanced supervisory mechanisms to protect personal privacy and uphold fundamental rights in the era of data-driven law enforcement.
The JPSG’s limited supervisory powers have been harshly criticised. Some have even said that the group’s limited role gives the agency a “blank cheque” to self-regulate. What then can be done to improve the JPSG’s supervisory role? One solution could be allowing the JPSG more access to Europol’s management board meetings. As it stands, under Article 14 of the Regulation, the JPSG is only required to be invited to two board meetings per year. If the board addressed the JPSG’s summary conclusions and the group’s representatives participated more actively, it would greatly enhance both transparency and effectiveness as the JPSG would have a better grasp on Europol’s day-to-day activities. Such improvements are essential for the JPSG to execute its oversight responsibilities more effectively.