[DRAFT] Eurojust to the rescue! The rising principle of legality in parallel cross-border investigations and prosecutions

By Sonia, Shermane and Sandy

Within the EU, Eurojust achieved for the first time an effective attempt to provide for coordination to prevent conflicts of jurisdiction. Conflicts of jurisdiction occur when two or more member states possesses the right to investigate and prosecute the same alleged criminal offence. In 2003, Eurojust issued guidelines to help decide which jurisdiction is most competent to prosecute. In 2005, the Commission launched the Green Paper on conflicts of jurisdiction and the Principle of ne bis in idem in Criminal proceedings. But what about the principle of legality? Nor do the guidelines or the Green Paper tackle the derogation of this principle when an individual is subject to multiple jurisdictions, resulting from parallel cross-border prosecutions. This post shows the limited role of the legality principle is in parallel cross-border investigations, what solutions have been already proposed and how could Eurojust overcome the current shortcomings.

What is the role of the legality principle in parallel cross-border investigations?

Parallel investigations, understood as when two or more states claim criminal jurisdiction to investigate, prosecute and adjudicate suspicious criminal conduct. The Commission included the principle of legality as one of the main principles expressing the core meaning of the rule of law in its communication on a new EU framework to strengthen the rule of law. The principle of legality has also been described as an “umbrella” principle, as it covers multiple other principles. Although the focus of this post is the aspect of foreseeability of laws (legal certainty). This is understood as a requirement of predictability and accessibility of the law, so that a subject of law can reasonably foresee the consequences of its actions. Meaning that an individual must be able to predict which law he/she are subject to and what are its consequences. “Law” requires sufficiently precise formulation to enable the person concerned to foresee the consequences that a given action may entail. In case a crime affects different jurisdictions and triggers different national investigations and prosecutions, as a general rule, each state possesses jurisdiction. Jurisdiction may arise from different origins. It may be territorial (ratione loci), where the state exercises jurisdiction over a certain territory. A state´s jurisdiction may also arise from a personal scope (ratione personae),  whereas the right to prosecute is related to a person. Either the offender (active jurisdiction) or the victim (passive jurisdiction) is a national of the state. Resultantly, the individual faces parallel prosecutions, each following different substantive and procedural rules. Consequently, the violation of the ne bis in idem principle is at risk. Which refers to the notion that a person shall not be punished twice for the same conduct. Furthermore, arbitrariness may appear, ultimately resulting in forum shopping (see graph). Forum shopping in this context is understood as when Member States choose a certain jurisdiction for the case to be heard because it is more likely to provide a favorable outcome. For example, where the conduct is more severely punished.

Eurojust to the rescue? The Competence of Eurojust to enforce the principle of legality in parallel investigations.

Art. 4(1) c and 4(2)b of Regulation (EU) 2018/1727 state that first, Eurojust is competent to assist the competent authorities of the Member States (MS) in ensuring the best possible coordination of investigations and prosecutions. Secondly, Eurojust may issue a written opinion to indicate the MS most competent to prosecute. Hence, Eurojust is more suited to tackle this issue both in the early stages of the investigation through assistance and cooperation and ultimately recommending competent jurisdiction.

The European Law Institute published a Draft Legislative Proposals prevent and resolve conflicts of jurisdiction aiming to avoid uncertainty and lack of foreseeability. The reports include substantive legality as a relevant aspect of Article 47 CFR, which provides inter alia that “everyone is entitled to a fair and public hearing within a reasonable time by an independent and impartial tribunal previously established by law. We consider that the last part “concerning the tribunal established by law”  renders problematic in parallel investigations and prosecutions, because the jurisdiction in which a suspect is to be prosecuted is unclear and may remain undecided for an unacceptably period of time.  Moreover, Article 49 CFR, enshrining the principles of legality and proportionality. Some law academics, as Luchtman already predicted in many articles this shortcoming. He relates the substantive legality principle, foreseeability and choice of forum. He argues that insofar as the specific jurisdiction determines the applicability of different national substantive provisions, a new framework to provide for that choice would support the foreseeability of the law for the individual.

The European Law Institute distinguishes three alternative approaches that would provide the principle of legality the granted role in the CFR in parallel cross-border investigations.

  1. The so-called horizontal mechanism, in which the conflicts of jurisdiction and parallel investigations are solved via mutual trust between MS.
  2. The vertical mechanism is characterized by a binding supranational decision (issued by Eurojust) in cases where coordination between the national criminal justice authorities has failed.
  3. Mechanisms for the allocation of criminal jurisdiction in the AFSJ, defend the establishment of uniform European rules on the allocation of the exercise of criminal jurisdiction in the AFSJ.

From the three choices, we consider the second one the most suitable. On one hand, the horizontal mechanism is what MS are doing right now, which has proven non efficient. This is because there is not a uniform procedure that would allow the individual to foresee the consequences of their conduct or which law are they subject to. On the other hand, a complete regulatory mechanism that would force MS to accept which jurisdiction is better suited would render too complex to enforce. This complexity derives from the fact that there are too many factors to assess to decide which jurisdiction is more suitable. As for example, the nationality and current location of the suspect, the place where most evidence is located, the interest and protection of victims and witnesses etc. This factors, which a lot depend on the specific circumstances of the case at hand makes it difficult to merely stablish that one is more important than the other and therefore each case needs a specific assessment.

So, what can be done now?

At current, the legal certainty problems that derive from parallel investigations should be acknowledged, taking as an example Eurojust. Eurojust tackles in its reports the importance of detecting parallel investigations at the earliest possible stage.

There is the need to acknowledge greater the legal certainty problems that derive from parallel investigations and Eurojust should be taken as an example. At current, Eurojust considers that parallel proceedings can be considered beneficial in combating crime if they are performed in a coordinated manner. They assess questions regarding parallel investigations in their plenary meetings and tackle the issue in the yearly coordination meetings. Indeed, this is a positive attempt for these issues to be addressed in coordination meetings and strategic seminars solely for the purpose of tackling parallel investigations and their consequences for individuals as it increases understanding regarding the issues related to legality that may arise in parallel investigations and prosecutions. The gentle mandate of Eurojust to support cooperation and coordination between Member States is without doubt, enhanced in such a way even without the use of punitive sanctions to achieve compliance. To conclude, policy documents as guidelines on coordinated and safeguarded parallel investigations would be a great contribution from Eurojust.

AMLA: Proposal for a happily ever after?       

By Natalia, Magali, Robin & Kristina

Money laundering is one of humanity’s most deceitful crimes. Huge money laundering scandals have occurred in the EU over the past decade. One of the main reasons is the insufficient exchange of suspicious activity/transaction reports (SARs/STRs) between Financial Intelligence Units (FIUs). FIUs form a bridge between the private sector and law enforcement bodies in the information exchange. But depending on their legal status, they may be subject to different rules of data protection regimes. Therefore, FIUs may be restricted in accessing SARs/STRs in cross-border cases. To coordinate the FIUs, the European Commission (Commission) proposed a new specialized Agency: the Authority on Anti-Money Laundering and the Countering of Financing Terrorism (AMLA). AMLA would be authorized to draft binding Implementing Technical Standards (ITS) on the templates of SARs/STRs. This is important because  SARs/STRs’ content vary between Member States (MSs). For example, regarding the activities that are considered to be ‘suspicious’ and the extensiveness of the SARs/STRs. A cause for these differences lie in the fact that the MS uphold diverging thresholds for submitting a SAR/STR.  AMLA would also be empowered to host the server FIU.net. FIU.net is considered to be a good and safe alternative to bilateral requests for SARs/STRs. In this blogpost we aim to show how the AMLA could improve the exchange of information between the different FIUs whilst upholding the EU data protection safeguards.

A Scandalous History      

Money laundering (ML) is a crime with a strong international dimension. It  has been a priority of the EU since the 1990s in response to increased drug trafficking. The EU thus recognized that a highly coordinated response from the EU as a whole is required to tackle AML effectively. This coordinated response is, among others, accomplished through the FIUs. These receive information from the private sector by means of SARs/STRs. The FIUs must forward the reports to national competent authorities and foreign FIUs. Although the SARs/STRs differ across the EU, they are crucial to stop ML. Namely because they can serve as intelligence for the initiation of  a criminal investigation. The picture below illustrates how the aforementioned exchange of information goes.

However, the Commission identified in 2021 that there was an insufficient detection of suspicious transactions and activities by FIUs. A main reason, according to the Commission, is insufficient oversight of how entities subject to AML rules apply them. The insufficient detection limits the FIUs’ capacity to suspend transactions and to quickly send relevant information to competent authorities and other FIUs. Consequently, huge ML scandals have happened in the last decade. For example, the Danske Bank case in 2018 where almost €200 billion of suspicious transactions took place before the Danish authorities intervened.

Partly in light of the foregoing, the Commission proposed a Regulation on establishing the Authority for Anti-Money Laundering (AMLA) and the Countering the Financing of Terrorism (proposal). The AMLA would become the EU coordinator of national authorities to ensure that the private sector applies EU rules effectively. Given that a considerable amount of the MSs requested for EU oversight, establishing another agency seems to be an adequate measure. However, it is also known that the Commission does not always consider better alternatives for setting up a new agency . Hence, the question arises whether the proposal would be an improvement for the coordination of FIUs. Hereafter we elaborate on the problems in exchange of information between FIUs and how AMLA could be a solution.      

Problems in the exchange of information     

Despite the scandalous history, it is not that the private sector does not send SARs/STRs to the FIUs. On the contrary, the German FIU received so many SARs/STRs that it has a huge backlog. Rather, the problem lies with the exchange of the SARs/STRs between the EU FIUs. This might seem odd, considering Article 53 of Directive 2015/849 (AMLD5). FIUs are obliged to forward SARs/STRs to another FIU if they are relevant to that MS.     

Important to note here though is that AMLD5 leaves discretion to the MSs to decide upon the legal status of their FIUs. Consequently, 4 different models of FIUs have been developed: ‘administrative’ ‘law enforcement’, ‘judicial’ and ‘hybrid’. Due to this diversity, MSs doubt what the applicable data protection rules are when FIUs exchange information. This results in different content of or access to the STRs/SARs. It hinders the efficiency of the FIUs’ coordination and reduces the capacity to detect money laundering effectively. The fact that FIUs must cooperate with one another regardless of their legal status unfortunately did not prevent the current problems (Article 52 AMLD5). 

ITS time

As previously mentioned, the AMLA is to become a central actor to support the cooperation among the FIUs and facilitate their coordination for better detecting the illicit financial flows of a cross-border nature. Considering this focus, the Commission wants AMLA to coordinate the FIUs by drafting binding Implementing Technical Standards (ITS) on the template of SARs/STRs (Article 42 proposal). The AMLA shall submit its draft ITS to the Commission for adoption. At the same time, the AMLA shall send them to the European Parliament and the Council of the European Union for information purposes.          

In any event, the Commission may not alter the content and adopt the ITS before discussing them with the AMLA. Hence, the AMLA would essentially be able to oblige all the EU reporting entities to forward the same type of SARs/STRs to the FIUs. Currently, each FIU uses a different type of SAR/STR. For example, the Dutch FIU receive reports on all ‘unusual transactions’. In comparison, the Sonly receives reports based on a ‘grounded suspicion’. If AMLA were to impose one  template, then it would become easier for FIUs to coordinate their operations. This would also be in line with recommendations of various scholars. Therefore, we are convinced that ITS would improve the coordination of FIUs.

The FIU.net’s revival

Source: Vimeo.com

Under Article 37 of the proposal, AMLA would also be responsible for hosting and managing the FIU.net. This is a secure communication network between FIUs. AMLA would, for instance, ensure the required level of security of the system to address and reduce data protection risks. This is much needed, since FIU.net faces many technical difficulties.     

This provision could definitely solve the confusion about the applicable data protection rules between FIUs. Since FIU.net is a ‘centralised decentralized system’, the 27 FIUs would have to connect their own database to the in-house server of FIU.net. It implies that FIUs cannot access each other’s data without consent. The server ensures a certain level of flexibility to exchange SARs/STRs via a hit/no-hit system. Namely because, the analyses tool ‘Match Three’ matches the SARs/STRs without revealing personal data. Thus before revealing the personal data, the SARs/STRs will first be compared to see whether there is a ‘match’. Because of this safeguard, we believe that FIUs will exchange more data with one another. Especially, since they there is a function that can automatically grant access to the FIUs’ databases.        

Notwithstanding this, one could argue that the Commission clarifies which data protection regime applies in order to improve the communication between FIUs: the General Data Protection Regulation (GDPR) or the Law Enforcement Directive (LED). That is easier said than done though. For the Commission already stated in 2018 that the GDPR applies to FIUs. Yet, not all of the MSs agree with this because they have law enforcement FIUs. They are hence more inclined to apply the LED, which also happens in practice. Besides this, scholars have provided arguments in favour of both the GDPR and for the LED. Therefore, the answer as to which legal instrument applies, is far from easy. Since the discussion has existed for many years, we do not see a determination of the applicable data protection of rules as the quickest nor most adequate solution. Under these circumstances, we think that the revival of FIU.net would be more preferable in the near future.     

Although it is true that few FIUs currently send SARs/STRs via FIU.net, we believe they will do so if another proposal of the Commission is adopted. The other proposal would oblige FIUs to communicate via FIU.net, which is not compulsory today. We thus believe that this proposal is one for a happily ever after. For it would balance the enhanced coordination between FIUs and the data protection rules. 

[DRAFT] Protecting your money: How OLAF and the EPPO can help each other fight the misuse of EU funds

By Ana, Natalie and Marceau

Both the Office Européen de Lutte Antifraude (OLAF) and the European Public Prosecutor’s Office (EPPO) share the goal of enforcing the European Union (EU) anti-fraud agenda. Although OLAF is an administrative agency and the EPPO falls more under the field of criminal law, they both act against offences affecting the financial interests of the Union. Hence, the substantive scope covered by the two is in essence the same. However, although the objectives of the two agencies are strikingly close, the approach they use to fight fraud differs. In that sense, one can look at the two as complementing each other at work. While previous research on OLAF and the EPPO focused on the working of the agencies separately (e.g. the issue of the EPPO’s ‘forum shopping’ and OLAF’s accountability), in this blog post we aim to view the two together.

In the following we show both how they may be viewed as complementary to one another as well as what gaps and issues still remain in fighting fraud efficiently with the two enforcement agencies. To fight fraud, two steps have to take place: first, the authorities need to investigate the case, and second, if they find the case fraudulent, the perpetrators need to be prosecuted. Additionally, an effective infrastructure has to be put in place on the EU as well as the Member State’s level to prevent future fraud from occurring in the first place. In the following we discuss those issues in view of the EPPO and OLAF complementarity.

If you are unfamiliar with the roles of OLAF and the EPPO, you can familiarize yourself with their work by watching the above videos.

COMPLEMENTARITY IN INVESTIGATIONS AND GATHERED EVIDENCE

When it comes to investigation, OLAF has strong investigatory powers to gather evidence on cases involving potential fraud. It conducts the so-called ‘internal’ and ‘external’ investigations, overviewing the use (or misuse) of EU funds by the EU as well as its Member States respectively. While in the internal investigations OLAF enjoys a great deal of independence (e.g. it has the right to immediate and unannounced access to information), when investigating potential fraud in the Member State’s context, it is dependent in law and in practice on the Member State concerned. However, Member States are obliged to cooperate with OLAF, ensuring that OLAF has access to relevant information (e.g. databases) under the same conditions as national authorities. In order for OLAF to be effective and efficient in conducting, for example, its ‘on-the-spot’ checks in Member States, such cooperation is essential.

On the other hand, in gathering evidence for prosecution, the EPPO relies on the work of the European Delegated Prosecutors (EDPs) who represent the European Prosecutor of every participating Member State. Upon the instruction by the EPPO’s Permanent Chamber, the relevant EDP may initiate investigations to gather evidence for prosecution. Having the same investigatory powers as their national counterparts, EDPs may, for example, tap phones, search premises and request for information to build up a file. Similarly to OLAF, the EPPO should ALSO be aided by the national authorities when investigating a case

Considering the powers of both agencies, the investigative powers seem to overlap. However, instead of disqualifying one because the other may conduct similar investigations, the two can be viewed as complementing or enhancing the role of one another. With OLAF fighting fraud in the EU for over two decades, the agency has a lot of relevant know-how as well as legitimacy to gather evidence on a case. That evidence may subsequently be used by the EPPO, with OLAF becoming the main investigative body of the EPPO. In fact, such cooperation has recently been put into law, namely by amending the OLAF Regulation. Because of this change, OLAF is obliged to submit its report on any criminal conduct to the EPPO without delay. At the same time, while the EPPO might enhance the role of OLAF by making it its main investigative body, the role of OLAF may be viewed as subdued to that of the EPPO. That is exemplified by the fact that OLAF can no longer continue its investigations once it has handed the file to the EPPO and the EPPO opened its own investigations of the case. On a different note, when the EPPO itself lacks competence to act on a case it considers potentially illegal, it has the duty to report the case to OLAF. In that sense, it is obliged to present OLAF with the information it gathered too, enhancing its role in some cases.

COMPLEMENTARITY IN FURTHER ACTION – RECOMMENDATIONS AND PROSECUTION

While in the investigation phase more overlaps can be found between OLAF and the EPPO, the possible subsequent steps differ. That is so mostly because OLAF is in essence an administrative agency while the EPPO is primarily a prosecution body.

OLAF’s main outputs following an investigation are drawing up a report presenting evidence and issuing recommendations suggesting further action by other EU or Member States’ authorities. However, as the recommendations are not legally binding, the enforcement powers of OLAF in this regard are quite weak. At the same time, recommendations carry political weight which make the authorities take them into account. The actions recommended may vary from disciplinary and administrative actions to financial and judicial ones, aiming to deter the future misuse of EU funds and remedy the ones that already took place.

Differently from OLAF, the task of the EPPO after the investigation is to prosecute. When the EPPO comes to consider that an allegation of an offence is supported by evidence, and when the case falls under its competence, the EPPO can open a trial before a national court. Because the mandates of the two are so different, it is hard to say that the two complement each other’s work directly. However, in the overall picture of fighting the misuse of EU funds, OLAF’s substantiated recommendations (backed up with evidence from the report) and the EPPO’s prosecution powers jointly contribute to two different fields of law addressing the issue of fraud. With the EPPO’s power to prosecute in front of a judicial body, there is also a possibility that the court will recognize the case as criminal also judicially, issuing a decision that is legally binding.  

The fact that both enjoy some powers following-up an investigation phase is important, particularly because the two cover different territories when enforcing their anti-fraud agenda. It is important to note that while the EPPO is established on the basis of enhanced cooperation, meaning that it only applies to the 22 participating Member States, OLAF can act in all 27 Member States of the EU. While the limited scope of the EPPO’s enforcement might be an issue in a territorial sense, the situation can be remedied by the presence of OLAF. Namely, OLAF can step in with its investigations and recommendations where the EPPO has no territorial jurisdiction to do so. In that sense, OLAF and the EPPO may again be viewed as complementary.

At the same time, because the EPPO with more coercive prosecution powers may only operate in certain Member States and not just everywhere, anti-fraud enforcement across the EU may differ in the intensity. This might affect the extent to which fraud is addressed in different Member States, creating differences in policing the use of funds which may lead to abuse (e.g. cross border fraud). While this issue goes beyond the scope of this blog post, it would be a relevant topic for future research.

Lastly, it is important to state that OLAF also functions as an advisory body, developing anti-fraud policies and “fraud proofing” legislation which contributes to the fight against fraud also ex-ante. In that way it contributes to the anti-fraud agenda of the EU in a preventative way.

CONCLUDING REMARKS

In conclusion, we summarize the points made above in the table below. By outlining the different powers held by OLAF and the EPPO, we showed how and why they may be viewed as complementary. Overall, the authors believe that with the current system in place, OLAF and the EPPO can fight fraud and abuse of EU funds effectively together. However, some gaps still remain and could be addressed by strengthening the competences and the scope of both OLAF’s and the EPPO. Who would be hurt by stronger common anti-fraud fighting anyways?

The table shows the complementarity of OLAF and the EPPO in the fight against the misuse of EU funds by the two agencies.

[DRAFT] 4 ways the EEA can help plug information gaps in environmental enforcement

By Lauren, Florentina, Maria and Rei

Enforcing EU environmental law is essential in combatting climate change and protecting the environment. Yet, environmental law is the number one reason why the Commission opens so many infringement actions every year. Since the start of this year alone, the Commission has opened 85 infringement actions against Member States (“MS”) for non-compliance with environmental law. The reasons include failure to implement regulations and lack of transposition of directives. Infringement actions are lengthy and costly. Further, remedial action implies that damage has already been done to the environment. Given the shortcomings of ex post enforcement, the question arises of how environmental enforcement can be improved ex ante. This blog post looks at four ways in which the European Environment Agency (‘EEA’) can help to plug information gaps in environmental enforcement at the national level, thus potentially reducing infringement actions by the Commission and preventing environmental harm.

The EEA is an information-providing agency. Some of its roles listed in its founding regulation include 

  • Providing information needed for sound environmental policy to MS and the Commission (DG Environment, in particular);
  • Ensuring that the public is properly informed about the state of the environment;
  • Assisting the monitoring of environmental measures and recording and assessing data on the environment, ensuring that the data is comparable at a European level.

It has been argued that in the past the agency has acted as more of a ‘loyal lapdog’ to DG Environment, whereas it has the potential to act as more of a ‘barking watchdog’. Given its roles and powers assigned in its founding regulation, we argue that the EEA could improve enforcement of environmental law in the four following scenarios:

(1) First possibility: EEA information gathering on criminal law enforcement by MS

Inspections are crucial in preventing environmental harm. Blanc and Faure (2018) discuss current problems with environmental inspections in MS. The first one is that the Commission may only carry out an inspection on MS soil if the MS gives permission for the Commission to inspect. This problem arises with Directive 2008/99, which obliges MS to enforce criminal law for certain environmental crimes. For example, Article 3 of the Directive requires MS to criminalise the destruction of protected habitats and to criminalise the discharge of potentially deadly materials into the air, soil or water. However, once the Directive is transposed into national law, the MS may enforce the law in a weak manner. Faure (2017) gives the example of how this happened in the case of Sweden transposing the Directive. The core enforcement problem with the Directive is that the Commission lacks information with respect to penalties imposed by MS. In particular, Blanc and Faure note that the Commission lacks information with regard to the capacity of environmental inspectorates and prosecutors, and on prosecutions and sanctions at the national level. A recommendation was made for the Commission to introduce legally binding minimum criteria and guidelines for inspections carried out by MS to ensure better enforcement of environmental law. This remained, however, a recommendation, as the Commission refused to make the minimum criteria and guidelines legally binding. This is where the EEA could step in, given that the agency already collects data from the national level to present at the EU level. The EEA manages the EIONET network, a forum whereby MS share environmental information and set common data reporting standards. One could imagine a scenario wherein MS report data on environmental criminal sanctions via this forum, with minimum reporting standards. However, a potential drawback for this is that the EEA has no powers to oblige MS to deliver up the necessary information. 

(2)Second Possibility: The information-gathering role can be enhanced

Figure 1: Infringement cases opened January 2022 – April 2022, per legislative instrument breach

As mentioned, a high number of infringement cases on environmental law exist. The main causes of these infringements will be investigated, based on which Directives are breached. Further, it will be assessed whether EEA, if given more powers, could have prevented these infringements from happening.

Almost 21% of infringement cases concern Regulation 1143/2014 on the spreading prevention of invasive alien species (IAS). It requires MS to manage the pathways by which IAS are introduced and spread. However, MS  have failed to establish an action plan under the Regulation. Most of the infringements in this sector are due to a lack of knowledge. Since the EEA is an information-gathering agency, it could have informed the MS about all IAS, how to identify which IAS are dangerous and how to deal with them. The list in the regulation ‘accounts for just 3% of all IAS’. Thus, updated annexes by EEA to the Regulation can mitigate this problem and avoid future infringements.

Directive 2019/904 EU promotes circular approaches that give priority to sustainable products. Many MS did not transpose this Directive by missing the deadline and leading to 20% of infringement cases. Why is there such a high number of infringement cases?

This Directive is addressed to market players who need to change their behavior. Here, MS act more as ‘supervisors’. Therefore, little time given to MS, and the lack of a clear strategy on how to switch to sustainable products are among the causes of non-compliance. Thus, if the EEA could have helped industry actors with an action plan on how to make this change, some infringement cases could have been prevented.

(3) Third Possibility: Promoting the collection of timely information

National authorities have not been able to sufficiently obtain timely information for effective enforcement. The following bar chart indicates the reporting performance of each country in EIONET in 2021.

Figure 2: Reporting Performance by each EU country in EIONET, 2021. Source: Eionet core data flows 2021

This chart indicates how often there was timely and high-quality data sharing from each country, with 100% being the best possible result. According to this chart, many countries achieved a high percentage in sharing timely data, however, in some countries such as Germany, the rate was only about 60%, a large gap compared to countries like Poland. This gap could generate a risk of ineffective enforcement in some countries because of insufficient timely information to address environmental challenges and this can affect the total quality of enforcement in the EU.

EEA can take measures to reduce the risk of the gap in some ways. One way is to improve the technical aspect of EIONET itself. This information portal site has an enormous amount of data, thus specific data may not be picked up immediately. The development of this database would increase the quality of information sharing to users. Also, the EEA can recommend authorities who have not offered much data compared to other countries to provide data regarding the enforcement situation of EU environmental law to EU institutions. This can put pressure on countries in cases where authorities in the EU have to address problems rapidly. Moreover, the process of sharing data can be improved. EIONET has an infrastructure called Reportnet, and it has a reporting process in 10 steps, but there are no limited periods in each step and this can lead to less timely information sharing. A new version developed in 2018 makes the process without external systems, but a specific period in each step should be also set.

(4) Fourth Possibility: Self-monitoring Scheme

Environmental competences are shared between MS and the EU. The EEA already has important information gathering powers. Objectives delegated to EEA could be enhanced by strengthening cooperation between the EEA and national environmental authorities. 

It is possible to achieve the aforementioned target, by establishing a self-monitoring scheme. Based on this scheme, the EEA cooperates with national authorities for the purpose of monitoring compliance and gathering information regarding EU Environmental Law infringements. Main polluters of each MS by sector are obliged to provide information regarding compliance with EU environmental law to national authorities. The latter are responsible for referring this information to the EEA. Due to the fact that higher fines would not result in higher compliance, since companies would adjust their budgetary strategies accordingly, enterprises which cooperate would benefit with a reduction on the fine imposed for non-compliance. 

By reducing fines imposed, enterprises would have a greater incentive not only to cooperate with the authorities and the Agency, but also to comply with EU environmental law. Consequently, the risk is reduced, considering that they bear certain rather than uncertain sanctions in case of non-compliance.  

Through this Scheme it is not only enterprises who benefit, but the national authorities and the European Commission as well since it would result in saving enforcement resources. Those who report their harmful act, no longer require detection. 

Such schemes already exist in many MS, though there is nothing as such at EU-level. Our proposal is for an obligatory self-monitoring scheme for main polluters at national level with a further obligation for national authorities to cooperate with the EEA. 

Converting the European Data Protection Board into a European Data Protection Agency: red pill or blue pill?

By Giorgia, Lisa-Marie, Shivani, and Emilia

You take the blue pill—the story ends, you wake up in your bed and data protection enforcement stays the same. You take the red pill—we make a new agency, and I show you what it could look like.

(Lana Wachowski and Lilly Wachowski, The Matrix, 1999)

In ‘The Matrix’, when the reality of Thomas Anderson begins to fall apart, he is presented with a choice: to take the blue pill which allows him to continue living in contended ignorance, or to take the red pill to learn about reality and express his full potential by becoming his alter ego Neo. It is a risky option which yields challenges, yet ultimately beneficial consequences. Similarly, whilst leaving the status-quo of the enforcement system of the General Data Protection Regulation (‘GDPR’) provides a comforting yet ineffective blue pill, taking the red pill and converting the European Data Protection Board (‘EDPB’) into a European Data Protection Agency (‘EDPA’) could disrupt yet enhance enforcement of data protection law in the European Union (‘EU’).

In today’s digital economy, companies process a significant amount of personal data. Individuals can benefit from this, for instance by receiving more targeted and relevant information. However, there are also inherent risks to data protection, a fundamental right of every EU citizen. For example, in cases of a data breach, individuals can be harmed by identity theft or fraud (Bergkamp, Hunton, and Williams, 2002). The GDPR, therefore, imposes certain limitations on personal data processing. These are enforced through a hybrid system composed of the EDPB and national supervisory authorities (‘SAs’). The SAs investigate and enforce companies’ compliance with the GDPR in their respective Member States, while the EDPB functions as a dispute resolution body in cases of conflicts between SAs, but has no investigative or corrective powers itself. Yet, the EDPB does enjoy corrective powers to a certain extent: It can impose duties on the SAs that require the implementation of EDPB’s decisions, including the adoption of corrective measures. Furthermore, the EDPB can adopt legally binding decisions.

Nevertheless, the GDPR’s enforcement, particularly in cross-border cases, has been criticized for being too complex, slow, and ineffective, leading to its underenforcement. For this reason, the Commission Vice President Věra Jourová announced that the GDPR enforcement system might be reformed, moving towards a more centralized enforcement. This blog post investigates whether converting the existing EDPB into a EDPA modeled after the Single Supervisory Mechanism (‘SSM’) could solve the current enforcement deficits.

Blue pill: The Gordian knot of the current GDPR cross-border enforcement

In situations where companies control and process personal data across several Member States, the one-stop-shop mechanism applies: the SA in the Member State of the companies’ main establishment takes the lead but must cooperate with SAs of other affected Member States through information exchanges, in order to reach consensus in the investigation and sanctioning. However, this cooperation mechanism exhibits major deficits, in particular in cases where companies, such as Google, Facebook, and Twitter, process data from individuals across the EU.

There are two major drawbacks to the current system:

  1. The one-stop-shop mechanism places an unproportionate burden on SAs of Member States where many big companies are located (e.g., Ireland) which, combined with a lack of resources and possible political unwillingness to investigate violations sufficiently, leads to enforcement bottlenecks;
  2. The EDPB and concerned SAs are highly dependent on the lead SA to investigate sufficiently and share its information. If this is not done in goodwill, then the EDPB does not possess enough evidence to decide disputes between SAs (see Decision 01/2020, paras 132-133).

Together, these deficits contribute to the underenforcement of the GDPR (Mustert and Bledoeg, 2021). Could the transformation of the EDPB, empowered with direct enforcement powers, be the bold step necessary to solve this Gordian knot?

Red pill: Creating an EDPA modeled after the SSM?

EU agencies play a crucial role in the shared administration of the EU by executing information-gathering, regulatory, and direct enforcement tasks (Scholten, Strauss, and Brenninkmeijer, 2021). There are pros and cons of a centralized agency that enjoys investigative and legally-binding enforcement powers overruling national authorities (Scholten and Ottow, 2014). Most importantly, a centralized EDPA could increase harmonization and reduce the risks of enforcement bottlenecks, ensuring a cohesive observance of the GDPR throughout the EU. However, optimal results will still only be achieved when national SAs are incentivized to cooperate with a centralized EDPA. This could be achieved if the EDPA is modeled following the role that the European Central Bank (‘ECB’) undertakes in the SSM.

The Regulations governing the SSM ensure the soundness of the European banking system. This mechanism confers specific tasks on the ECB regarding policies on the prudential supervision of banks and credit institutions. It functions through a centralized system of enforcement between the ECB and SAs, with the former being ultimately responsible for the effective functioning of the SSM. Although the ECB and SAs enjoy similar powers, the ECB is exclusively competent for supervising and investigating significant banks, whilst SAs are entrusted with the monitoring and investigation of less-significant banks. The significant status is decided by the ECB based on banks’ sizes, their economic importance, their cross-border activities, and whether they have requested direct public support. The ECB must cooperate through a system of shared enforcement which permits the ECB to take over institutions overseen by SAs at any time (Karagianni and Scholten, 2018).

The solution of an EDPA and SSM model of enforcement

In light of the considerations on centralizing the GDPR enforcement, the EDPB could be transformed into the EDPA by firstly adopting a regulation on the basis of the fundamental right to data protection, and secondly by endowing it with similar supervisory and investigative powers as the ECB has within the SSM for ‘significant’ banks. Accordingly, the EDPA will have direct enforcement powers regarding large data processing companies. The legal basis allows for ensuring the GDPR compliance of companies harvesting personal data of EU citizens, while the SSM-like powers allow to share the task of overseeing the personal data processing companies with the supervisory authorities and supervise the overall system. Otherwise, allocating the entire supervision to the EDPA might prove detrimental, especially when comparing the large number of companies controlling and processing personal data in the EU with the few significant banks supervised by the ECB. While the criteria of significance in the data-processing field cannot be directly transposed from what is used to determine significant banks, new considerations in terms of the quantity and quality of data a company processes (i.e. strategic importance) will prove pivotal to determining which entities are supervised by the EDPA.

[DRAFT] A new Europol Regulation is on the way! Three ways in which its legal framework might change

By Anna, Bart, Francesca and Natália

With new technologies on the rise and the ensuing evolution of many transnational crimes, the importance of the European Union Agency for Law Enforcement Cooperation (Europol) in preventing and countering serious crime has become even more apparent. For example, in January 2021, Europol helped to disrupt one of the world’s most dangerous and longer lasting cybercrime services. It did so by supporting, among others, the Dutch, German and French law enforcement authorities with its technical capabilities and by setting up joint investigation teams.

Europol’s assistance to the Member States is crucial as, today more than ever, criminal information is found in the hands of private companies. This is evident from recent cases where Europol assisted in busting criminal networks specialised in the distribution of counterfeit documents via instant messaging apps such as the one in France, Spain and other Member States. Although Europol can already receive data from private service providers, this is only on exceptional bases and most notably through the intermediary of a national unit or contact point. Hence, extending Europol’s powers in this field could help law enforcement authorities to combat these crimes more effectively. This may become true, should the 2020 Proposal for a new Europol Regulation be adopted. Europol is now one step closer to gaining such power since the European Parliament and the Council have reached a preliminary agreement on the matter on 1st February 2022. In light of this recent development, we aim to shed more light on the Commission’s Proposal and ensure you do not miss out on the three main changes it may bring about. Specifically, these include: (1) the cooperation with private parties; (2) the big data challenge; and (3) Europol´s role in research and innovation. Naturally, no reforms are ever fully welcomed and thus we also aim to highlight some of the concerns raised by different stakeholders with respect to the proposed changes.

Time for a Change

Shortly after the entry into force of Europol’s current Regulation, the Council and Parliament had already called for strengthening of the agency’s mandate. In December 2020, this led to the new Proposal. If enacted, it would further enhance Europol’s powers. The three main changes mentioned above will now be addressed in turn.

1.     Cooperation with private parties

Currently, Europol may only process personal data obtained from private parties indirectly, via the intermediary of a national unit or a third country´s contact point (Article 26(1) Regulation 2016/794). Additionally, the agency cannot address private parties to retrieve (additional) personal data (Article 26(9)). However, this would change with the Proposal´s adoption. Europol would be in fact able to receive personal data directly from private parties while also being allowed to contact them for any potential missing information (proposed Article 26(2) and (5)(d)). In this connection, Europol could also request Member States to obtain data from private parties that are established on their territory on its behalf. Finally, the agency’s technical infrastructures could also be used by competent national authorities and private parties for personal data exchanges (proposed Article 26(6a) and (6b)). In this way, Europol would be able to interact with private parties more regularly, both directly and indirectly.

2.     Big data challenge

Article 18 of the current Regulation stipulates that Europol may process personal data for a number of specific purposes and only in relation to certain categories of data subjects falling within Annex II. Over the past years, however, Europol started receiving large, complex, and unfiltered datasets from national law enforcement authorities. For example, Europol’s analytical and technical support turned out to be crucial for the French and Dutch law enforcement authorities in the dismantling of EncroChat, an “encrypted phone network”, used by criminals for violent crimes and drug transports. However, as the European Data Protection Supervisor (EDPS) observed, these extensive processing activities ultimately led to compliance issues. Therefore, to address the agency’s “big data challenge”, Europol would eventually be able to pre-analyse the data received to determine whether the information may indeed be lawfully processed (proposed Article 18(5a)).

3.     A role in research and innovation

Europol does not currently have a legal mandate to foster innovation and research activities in support of Member States’ law enforcement efforts. This is problematic as not all Member States have the necessary resources and skills to fight crimes carried out through new technological means, such as encrypted mobile devices or artificial intelligence (AI) tools. Therefore, under the new Regulation, Europol would not only be involved in the drafting of the Union framework programs for emerging technologies, but it would also be able to support Member States in the development of AI projects (proposed Article 4(4a) and 1(t)).

The following figure sums up the three issues and how the new Proposal would tackle them.

The half-empty glass?

The strengthening of Europol´s mandate seems to be widely supported, yet, the Proposal has not escaped criticism from some of its stakeholders. The most voiced criticism entails the Proposal´s timing, which some referred to as dubious, premature and hasty. This is because it came almost one-and-a-half years before the planned Europol´s evaluation as required under Article 68 of its current Regulation. Without such evaluation, there is limited information to really assess Europol´s effectiveness and impact.

Furthermore, some stakeholders like Statewatch, argued there is ´no need to expand Europol´s mandate to increase its engagement with private parties´. Others, including scholars like Mitsilegas, questioned the private entities´s ability to effectively assess the fundamental rights implications of their personal data transfers to Europol. Concerns also exist about the risk of such transfers occurring without a prior judicial authorization. Additionally, 26 civil society organisations addressed an open letter to the European Parliament members, calling them to not support the proposal due to various fundamental issues. These range from insufficient democratic oversight and lack of defence rights guarantees to potential invalidation of the reform by the European Court of Justice since Article 88 TFEU does not entail the proposed powers.

The EDPS has also expressed concerns about the current exceptions to data protection rules potentially becoming ´reality in practice´. Hence it called for a better definition of the circumstances in which Europol may apply the proposed derogations to processing large and complex data sets. It further criticised that additional safeguards only apply to data transfers with private parties located outside the EU. According to it, the special safeguards should apply irrespective of the private parties´ location within or outside the EU. Lastly, the EDPS pointed out the scope of Europol´s research and innovation activities is currently defined too broadly. To prevent any potential breaches of the rights to privacy and data protection, the scope shall have to be further clarified.

All in all, you can see that the Proposal, while necessary, may have come a little too early, certainly with the evaluation so close around the corner. There is still room for improvement before the co-legislators come to a final decision on the Proposal. We shall have to wait for the new developments.