Europol’s Accountability: Tension Between Secrecy and Supervision

By Elisabeth, Furat, Joseph and Matthew

This blogpost addresses the tension between effective policing and democratic oversight in the context of Europol’s extensive data collection used for ‘predictive policing’. This practice raises questions about the balance between security and individual privacy rights in the digital age. This blogpost provides an overview of Europol’s powers and corresponding accountability, with the goal of asking whether the Joint Parliamentary Scrutiny Group’s (JPSG) supervisory powers are sufficient to ensure robust and effective oversight of Europol’s operations. It’s important to note that while Europol’s role involves information collection and sharing, it’s distinct from predictive policing, a specific approach that relies on information to anticipate criminal activity. Predictive policing is not widely used in many European countries, and its relationship with Europol’s functions is complex.

A Brief Introduction to Europol:

Europol was created by the Treaty of Maastricht, which established a “Union-wide system for exchanging information within a European Police Office.” Initially, Europol’s role was limited to coordinating cross-border drug investigations. Despite its limited powers, the agency faced accountability concerns from the start, falling within the Maastricht treaty’s third pillar concerning police and judicial cooperation. Crucially, this domain was insulated from judicial review, meaning the Court of Justice had no means of ensuring Europol’s (admittedly limited) policing activities complied with fundamental rights.

Europol’s role has gradually expanded throughout the years, becoming a full EU agency in 2010. As an agency, Europol is tasked with additional responsibilities such as the collection and analysis of intelligence. However, with increased responsibility came the need for enhanced accountability.

The Treaty of Lisbon brought an end to the pillar system which had kept Europol ‘at arm’s length’ from the Court’s oversight under Maastricht. For many, Lisbon signaled an end to Europol’s accountability concerns. Article 88 TEU provided the European Parliament with oversight for the first time, and along with it came “increased democratic accountability – at least superficially.” The JPSG is one of the core components of this newfound accountability. The group was established in April 2017 by the EU Speakers Conference, which brings together the national and the European Parliaments. The JPSG, which meets twice a year, is co-chaired by the European Parliament and the country holding the rotating presidency of the Council.

The group’s oversight powers are mostly supervisory. Under Article 51(2) of the Europol Regulation, the JPSG’s purpose is to “politically monitor Europol’s activities.” To facilitate the group’s supervision, Article 51(4) allows the JPSG to request documents from Europol and Article 12 of the Regulation requires Europol’s management board to make the agency’s annual work program available to the JPSG. So, the question is – are these supervisory powers sufficient when Europol oversteps its mandate?

Is Europol headed for ‘1984 reloaded?’ 

Supervising law enforcement agencies is a complex task. Law enforcement, after all, requires a degree of secrecy, which in turn stands in the way of transparency and supervision. In today’s digital society, this tension between secrecy and supervision is manifested in “predictive policing”, a practice which refers to gathering vast datasets and developing algorithms to identify criminals. Europol is no exception to this tension, as data collection and analysis is one of the core components of Europol’s tasks as the EU’s “principal information hub.” While Europol is permitted to collect personal data, Article 28 of the Europol Regulation requires that this data be relevant and necessary for the purposes for which it is processed.

Europol understands the collection of personal data is a touchy subject. In a 2012 publication from the agency, Europol asked “are we headed for ‘1984’ reloaded?”, referencing George Orwell’s novel which depicts a dystopian society of invasive state surveillance. In an effort to put concerns to rest, Europol reaffirmed its commitment to ensuring “the highest standards of data protection.”

Despite this commitment, “serious concerns” have been raised regarding data mining practices at Europol, which saw Europol retaining data related to huge numbers of individuals for indeterminate periods. The sheer scale of Europol’s data mining saw its dataset of 4 petabytes (equivalent to 2 trillion printed pages) compared to a “black hole” and the scandal compared to the mass surveillance program uncovered by Edward Snowden in the U.S. So where was the JPSG amidst this scandal?

What role for the JPSG? 

Under Article 51 of the Europol Regulation, the JPSG is responsible for supervising Europol’s activities which impact fundamental rights. Given that the European Data Protection Supervisor (EDPS) found that Europol’s data mining practices have a “potentially severe impact” on data subjects’ fundamental rights, data mining at Europol would seem to fall squarely within Europol’s supervisory powers.

The problem is the limited extent of the JPSG’s supervisory powers. Europol is only required to report to the JPSG on a yearly basis, and the group has no oversight over the agency’s day-to-day activities. This creates a real gap in the group’s supervisory powers. This gap is demonstrated by the fact that it was Europol itself, not the JPSG, which reported concerns regarding its data handling practices to the EDPS.

Real tension between secrecy and supervision is also evident with regard to the JPSG’s requests for documents. Different rules apply to requests for sensitive documents, which Europol, as a law enforcement agency, handles in large numbers. This tension came into play when the JPSG requested access to correspondence between Europol and the EDPS relating to Europol’s data collection software, to which Europol provided only a limited reply, indicating only the types of software used.

Moreover, adherence to the Law Enforcement Directive (LED) reinforces accountability by mandating strict data protection standards for law enforcement authorities, including Europol. The EDPS’s oversight ensures Europol’s predictive policing complies with these standards, highlighting the critical need for enhanced supervisory mechanisms to protect personal privacy and uphold fundamental rights in the era of data-driven law enforcement.

The JPSG’s limited supervisory powers have been harshly criticised. Some have even said that the group’s limited role gives the agency a “blank cheque” to self-regulate. What then can be done to improve the JPSG’s supervisory role? One solution could be allowing the JPSG more access to Europol’s management board meetings. As it stands, under Article 14 of the Regulation, the JPSG is only required to be invited to two board meetings per year. If the board addressed the JPSG’s summary conclusions and the group’s representatives participated more actively, it would greatly enhance both transparency and effectiveness as the JPSG would have a better grasp on Europol’s day-to-day activities. Such improvements are essential for the JPSG to execute its oversight responsibilities more effectively. 

 

 

 

 

Do crises affect enforcement of EU Law?

In 2018, EU Commission president Jean-Claude Juncker stated that the EU “had been sleepwalking from one crisis to another without waking up.” These crises have no doubt had a range of detrimental effects on the EU, and I argue that crises make it harder for the Commission to enforce EU law. Why? Crises require resources, including time. Time is a fixed and finite resource, and if the Commission is spending time on a crisis, there is less time for enforcement. However, crises do not inevitably lead to lax enforcement. Other actors, including the European Parliament and EU citizens, can help overcome the constraints of time.


[REPOST] EPPO – First ruling of the ECJ: a Solomon’s judgement on cross-border investigations

This month, we have the pleasure of re-posting a contribution by Clémence van Muylder, Senior Associate at Loyens&Loeff, Brussels. Have a pleasant read!

In its Grand Chamber judgment of 21 December 2023, the Court of Justice of the European Union rendered its very first decision on the functioning of the European Public Prosecutor’s Office (EPPO). The decision provides valuable guidance on the conditions for cross-border acquisition of evidence by the EPPO.


Second edition of the book “De Algemene verordening gegevensbescherming in Europees en Nederlands perspectief”

The second edition of the book “De Algemene verordening gegevensbescherming in Europees en Nederlands perspectief” was published in early April. It is an updated version of the first edition, which appeared around the time that the General Data Protection Regulation (the “AVG”, also known by its English abbreviation “GDPR”) became applicable.


The Fundamental Rights Officer: Just what the EUAA needed  

By Elaine, Gersi, Joris and Leonoor


The Asylum Crisis 

Granted a new mandate following the adoption of Regulation (EU) 2021/2303 on 19 January 2022, the European Union Agency for Asylum (EUAA) has transitioned into a full-fledged agency. Its goal is to improve the functioning of the Common European Asylum System (CEAS). As the successor of the European Asylum Support Office (EASO), the EUAA is tasked with upholding and promoting respect for fundamental rights within the European Union’s (EU) asylum system.

Fundamental rights are particularly relevant in the CEAS. This is especially so given that migrants and asylum seekers often find themselves in a vulnerable position. This can be due to, for example, their lack of resources and poor living and material conditions. Following the mass influx of refugees on the EU’s shores leading to the asylum crisis of 2015, a reform of the CEAS was needed to create ‘a more humane, fair, and efficient European asylum policy’. In light of this, the EUAA has implemented a more robust fundamental rights strategy. This strategy contains several safeguards.

One of these safeguards is the new Fundamental Rights Officer (FRO). The FRO represents the enforcement of, and adherence to, fundamental rights within the EUAA. In this blog post it will be argued that, as follows from the 2022 Ombudsman initiative, the FRO adds value to the workings of the EUAA. This is because the FRO aids the Agency in several ways within the field of fundamental rights.

François Deleu: the man for the job 

Following the new fundamental rights strategy, Article 49 Regulation 2021/2303 requires the Management Board of the Agency to install a FRO. The FRO is appointed to design a new Fundamental Rights Strategy, manage a new complaints mechanism, and contribute to the Agency’s Monitoring Mechanism. Appointed in May 2023, François Deleu is the first to take on this task.

“I will develop and uphold a robust Fundamental Rights Strategy that will build on what is already in place, ensuring that the respect for fundamental rights is central to all the Agency’s growing activities” ~ François Deleu

While the FRO works independently, Deleu collaborates with the Agency’s Consultative Forum of Civil Society Organisation to create the new Fundamental Rights Strategy. The Consultative Forum has an advisory function: it is established to exchange information with relevant civil society organisations and bodies operating in the field of asylum. This includes the European Union Agency for Fundamental Rights and the European Border and Coast Guard Agency (Article 50 Regulation 2021/2303). Together, the FRO and Consultative Forum aim to ensure that the Fundamental Rights Strategy is properly reflected in the Agency’s workings. They also work towards preventing breaches of the Charter of Fundamental Rights of the European Union (Charter).

The FRO is designed as a response to the 2019 Ombudsman decision on maladministration in the practice of the EASO. The FRO therefore manages a complaints mechanism created for individuals who may have suffered a violation of their fundamental rights by an expert employed by the EUAA. The FRO moreover contributes to the Agency’s Monitoring Mechanism of Member States’ asylum systems. The FRO does so by ensuring that this mechanism takes fundamental rights concerns into account.  


Organisational structure of the EUAA 

A Slow Start… 

Following the 2021 revamping of the EUAA framework, the European Ombudsman opened a new strategic initiative. In this initiative, the Ombudsman posed 16 questions to the Agency. This included questions on how the EUAA complies with its fundamental rights obligations and how it ensures accountability for potential violations. These questions related to the renewed protection offered by the 2021 Regulation. It therefore raised attention to the FRO. What followed was a back-and-forth correspondence between the Agency and the Ombudsman.  

It should be mentioned here that the Ombudsman does not issue legally binding decisions. However, its reports are valuable in assessing the Agency’s compliance with its fundamental rights obligations. This follows from its mandate of investigating ‘instances of maladministration in the activities of the Union institutions, bodies, offices or agencies’ (Article 228(1) TFEU).  

At the time of the investigation, Deleu had not yet been appointed. One of the questions therefore rested on when the Agency anticipated this position to become operational. In the Agency’s initial reply of 11 July 2022, it walked through the appointment procedure for the FRO. The reply highlighted that certain steps like kick-starting the selection process were taking longer than expected. This could be owed to the “extensive consultations” held with all involved stakeholders. These consultations were needed to ensure that the necessary attention to detail was afforded in the selection of candidates. 

The Ombudsman later expressed disappointment in February of 2023 that the position remained vacant more than a year after the 2021 Regulation came into force. It urged the Agency to fill this position as “a matter of urgency”, because of the need to operationalise the Agency’s other fundamental rights mechanisms. In this way, the FRO can be seen as the catalyst for all EUAA fundamental rights mechanisms.  

 …But a Promising Future 

As mentioned, the FRO position was eventually filled in 2023. At the time of writing, Deleu has held office for nearly a year. So, what can be said for this new development?

At the end of June 2023, the Agency replied to the Ombudsman’s observations. In the reply, the Ombudsman was informed of this long-anticipated appointment. It was also stated that the fundamental rights strategy was expected to be adopted in March/April 2024. At the time of writing, it can therefore be expected any day.

Additionally, the response addressed recommendations for the FRO to review all operational plans signed between the Agency and EU Member States. It highlighted that Deleu had already reviewed plans with Spain, Bulgaria and Lithuania since entering office. Here, the value of the FRO can be seen through its direct involvement in scrutinising Member State plans. 

In July of 2023, the EUAA also published its Annual Report about asylum in the EU. In the Annual Report, it discusses its newly developed escalation process. This process is outlined under Article 18(6)(c) of the 2021 Regulation. It stipulates that the Agency’s Executive Director can suspend or terminate asylum support teams in a Member State that is violating fundamental rights or international protection obligations. This is done after consultation with the FRO. 


An overview of the EUAA's timeline (made by the authors of this post)
  

A Well-Rounded Appointment 

As a final note, the recruitment process’s emphasis on maintaining the FRO’s independence from the Executive Director should be highlighted. This is important due to the weight placed on independence in the FRO’s mandate. The selection committee for the post therefore included external stakeholders, like the European Commission Directorate-General for Migration and Home Affairs. So, while the position is appointed internally, individuals from outside the Agency have a say in deciding the next FRO. Based on the selection procedure, a list of candidates is sent to the Management Board, which takes the final decision. Ultimately, it is therefore an internal decision with external input.

The importance attributed to the FRO in the Ombudsman initiative has now been shown. The office’s essential role in upholding the new framework’s mechanisms is also evident. Hence, the FRO can be seen to hold great added value for the Agency, with further untapped potential.

 

The Role of Frontex in Enforcing ETIAS

By Ariana, Beatrice and Elsa

Due to increasing global mobility and security challenges, Europe has reinforced its border management strategies. The European Border and Coast Guard Agency, commonly known as Frontex, is essential to this policy. Frontex is in charge of assisting the Member States in managing the European Union’s external borders. On this subject, a new system will be implemented: the European Travel Information and Authorization System (ETIAS). This new system contributes to fortifying the external European borders, and Frontex has a significant role in its implementation.


Photo: European Travel to Become Payable: EU Introduces ETIAS. Source: Collage The Gaze

The European Travel Information and Authorization System (ETIAS): a brief explanation 

What is ETIAS?  

ETIAS was introduced by Regulation 2018/1240. This new European travel authorization system will be implemented in 2025. It will be completed via an online application that will cost €7 for people aged 18 to 70.  

This travel authorization will oblige travelers to provide personal data, including their level of education, occupation, the address of the first intended stay, and prior convictions for criminal or terrorist offenses. This data will be used to assess the risk of the threats above and to create an ETIAS watchlist of people at risk of committing, or having committed, a terrorist offense.

This new electronic authorization system is intended to apply to visa-exempt visitors from third countries traveling to a Member State of the European Union or the Schengen area (except Ireland) for less than 90 days.  



European Travel Information and Authorisation System (ETIAS): In a nutshell

What is the goal of implementing ETIAS?

The European Commission aims to strengthen controls at the external borders to preserve freedom of movement within the internal market and, more generally, the Schengen area.  

The establishment of ETIAS answers several objectives. This system has been designed to reinforce security at the borders, especially against terrorism and irregular immigration. By conducting security risk assessments of visitors before their arrival at the border, the goal is to prevent potential threats, even potential epidemic threats, from entering the Schengen area.

Moreover, this system aims to support the objectives of the Schengen Information System (SIS), the platform Schengen area members utilize to exchange real-time data on individuals and objects of interest. ETIAS will contribute to preventing, detecting, and investigating terrorist offenses and serious criminal activities.

Finally, the other purpose of ETIAS is to streamline border management to facilitate legitimate travel.   

How will ETIAS work?

ETIAS is an automated IT system: it performs tasks or processes without continuous human intervention. ETIAS will use artificial intelligence (AI) to analyze applications from third-country nationals wishing to stay in the Schengen area for less than 90 days. Nationals from the 60 countries covered by ETIAS will have their applications automatically checked against various European databases, such as those of Frontex or Europol, to ensure they do not constitute a threat. Applicants will mostly receive an answer in less than an hour, but it could take up to a month. Frontex has stated that, on average, 97% of applications would receive rapid authorization. The remaining 3% of applications will be reviewed manually by the ETIAS Central Unit. Frontex is responsible for setting up and operating this Central Unit.

ETIAS, THE ELECTRONIC TRAVEL AUTHORISATION FOR EUROPE

 The Role of Frontex…

Frontex, created in 2004, is one of the most critical European agencies. Its relevance has grown over the years and, with a budget of over 845 million euros in 2023, it plays a crucial role in enforcing EU border policy. This European agency provides support to Member States in their efforts to control and secure the external borders of the Schengen area. Therefore, it is logical that Frontex plays a pivotal role in enforcing ETIAS.

…in enforcing ETIAS

According to Article 7 of the ETIAS Regulation, Frontex is responsible for setting up and operating the ETIAS Central Unit. This Unit is within Frontex’s organization and manages ETIAS.






First, consider the online application submitted by travelers. During the processing of the data sent by the applicant, if there is a hit, the ETIAS Central Unit is responsible for cross-checking the information of the person in question against the information contained in the Central System. The information contained in the Central System includes data from other EU information systems, Europol, and Interpol. This will allow the Central Unit to determine whether the applicant is welcome in the Schengen area.

Frontex is further tasked with performing audits of the processing of applications to safeguard fundamental rights in this process. In doing this, Frontex agents will have to examine how the Central Unit handles fundamental rights, such as the right to privacy and non-discrimination, when managing online applications. The ETIAS Central Unit must respect these rights throughout the data analysis process and subsequently in the storage of the data.

Frontex officials are responsible for ensuring the data entered in application files is up to date. The Central Unit is tasked with publishing an annual activity report containing statistical data on ETIAS’s functioning and general information on its activities and concerns. The report is made to the European Parliament, the Council, and the Commission.

One of the most critical tasks of Frontex is defining, revising, deleting, and assessing risk indicators to ensure the security of Europe’s borders, according to Article 33 of the ETIAS Regulation. These risk indicators are listed in Recital 27 of the ETIAS regulation and relate to threats regarding security, irregular immigration, or high epidemic risks. The risk indicators are based on the factors provided by the ETIAS online application, which include nationality, residence, education, and employment status. Those criteria have been chosen to avoid discrimination. Applications will be automatically checked against this list of risk indicators. If a hit is triggered, the Central Unit cross-checks the hit or hits against other databases and, depending on the result, either issues a travel authorization or refers the case to a competent Member State authority, which will manually process the information and either grant or refuse the travel authorization. This meticulous process ensures that ETIAS balances security concerns with respect for individual rights and non-discrimination principles.

User Influencing and a Pragmatic Role for Competition Authorities

Over the past decade, user influencing practices have gained prominence in academic and digital policy debates in Europe. These practices include dark patterns, dark nudges, sludge, and highly personalised processes such as hypernudging. In essence, they rely on manipulating users’ cognitive and environmental constraints to steer their behaviour in a predictable manner. Growing empirical evidence of harms has triggered regulatory responses in the recent Digital Services Act, Digital Markets Act, Artificial Intelligence Act, and Data Act. In addition, the enforcement guidance documents were updated to sharpen the application of EU data protection and consumer laws to capture these practices. In this blog post, I focus on European competition law as an alternative instrument that has so far been largely overlooked in user influencing debates. As user influencing may lead to distortion of competition and consumer harm, competition authorities should take a more active, yet pragmatic, role in addressing these challenges.


Google – a natural monopoly?

I. Introduction

In the vast landscape of technology, Google stands out as a global giant, operating the world’s largest search engine, Google Search. The sheer influence and market power of this tech behemoth has sparked debates over whether Google qualifies as a natural monopoly, which would mean that it could be subjected to ex-ante, utility-like regulation combined with separation. This contribution delves into the ongoing discourse surrounding Google’s classification as a natural monopoly, analyzing contrasting perspectives, exploring potential regulatory approaches, and analyzing their impact on enforcement. The argument built below leans on an in-depth literature review to offer insights into the complex realm of regulating a tech giant like Google. Finally, for its analysis, this contribution focusses on Google Search as it is Google’s main service and the debate on the classification of Google as a natural monopoly has been related to this service specifically.


Preparing the European Union for a Geoengineering Future: Exploring the Interplay of EU and International Law in Geoengineering

Introduction

Geo-Engineering (GE) is an attempt to intervene in the Earth’s climate system. It refers to “the deliberate large-scale intervention in the Earth’s climate system to counteract man-made climate change”. Solar Radiation Management (henceforth GE) aims to mitigate global warming by reducing the solar radiation reaching the Earth’s surface through techniques such as stratospheric aerosol injection, which cool the planet by reflecting a portion of incoming sunlight. This could carry significant risks for the global climate system, natural ecosystems, weather patterns, biodiversity and human rights, and therefore has heterogeneous externalities. So far, only the legally binding London Convention / London Protocol (LC/LP) and the Convention on Biological Diversity (CBD) regulate the fertilization of oceans to promote CO2-binding algae, another type of GE. Other regulation on GE is lacking. In June 2023 the European Commission (EC) published its intention to “support international efforts to comprehensively assess the risks and uncertainties of such climate interventions and promote discussions on a potential international framework for their governance, including research into related aspects”.

This blogpost highlights the EU’s potential leading role in the evolving landscape around GE regulation and gives recommendations on how the EU can leverage existing mechanisms to address the complexities that possible GE regulation entails.


Effectiveness and Procedural Protection in Cross-Border GDPR Enforcement

Enforcement of the General Data Protection Regulation (Regulation 2016/679 or GDPR) is organized mainly alongside decentralized procedures, where national supervisory authorities (SAs) are responsible for monitoring and supervising the diverse market of small and large data controllers and processors. Since processing often has a transnational character, enforcement becomes a transnational affair too. Therefore, the GDPR lays down a (complex) cooperation mechanism according to which national SAs in different Member States shall coordinate the outcome of enforcement procedures, in order to address violations together – potentially with involvement of the European Data Protection Board (EDPB) too. While this procedure was, from the outset, infamous for its complexity, concerns regarding under-enforcement of cross-border cases now seem to materialize in practice. This blogpost highlights a number of recommendations that aim to increase the effectiveness of cross-border GDPR enforcement and the protection of data subjects within these procedures. 
