[DRAFT] A new Europol Regulation is on the way! Three ways in which its legal framework might change

By Anna, Bart, Francesca and Natália

With new technologies on the rise and the ensuing evolution of many transnational crimes, the importance of the European Union Agency for Law Enforcement Cooperation (Europol) in preventing and countering serious crime has become even more apparent. For example, in January 2021, Europol helped to disrupt one of the world’s most dangerous and longer lasting cybercrime services. It did so by supporting, among others, the Dutch, German and French law enforcement authorities with its technical capabilities and by setting up joint investigation teams.

Europol’s assistance to the Member States is crucial as, today more than ever, criminal information is found in the hands of private companies. This is evident from recent cases where Europol assisted in busting criminal networks specialised in the distribution of counterfeit documents via instant messaging apps such as the one in France, Spain and other Member States. Although Europol can already receive data from private service providers, this is only on exceptional bases and most notably through the intermediary of a national unit or contact point. Hence, extending Europol’s powers in this field could help law enforcement authorities to combat these crimes more effectively. This may become true, should the 2020 Proposal for a new Europol Regulation be adopted. Europol is now one step closer to gaining such power since the European Parliament and the Council have reached a preliminary agreement on the matter on 1st February 2022. In light of this recent development, we aim to shed more light on the Commission’s Proposal and ensure you do not miss out on the three main changes it may bring about. Specifically, these include: (1) the cooperation with private parties; (2) the big data challenge; and (3) Europol´s role in research and innovation. Naturally, no reforms are ever fully welcomed and thus we also aim to highlight some of the concerns raised by different stakeholders with respect to the proposed changes.

Time for a Change

Shortly after the entry into force of Europol’s current Regulation, the Council and Parliament had already called for strengthening of the agency’s mandate. In December 2020, this led to the new Proposal. If enacted, it would further enhance Europol’s powers. The three main changes mentioned above will now be addressed in turn.

1.     Cooperation with private parties

Currently, Europol may only process personal data obtained from private parties indirectly, via the intermediary of a national unit or a third country´s contact point (Article 26(1) Regulation 2016/794). Additionally, the agency cannot address private parties to retrieve (additional) personal data (Article 26(9)). However, this would change with the Proposal´s adoption. Europol would be in fact able to receive personal data directly from private parties while also being allowed to contact them for any potential missing information (proposed Article 26(2) and (5)(d)). In this connection, Europol could also request Member States to obtain data from private parties that are established on their territory on its behalf. Finally, the agency’s technical infrastructures could also be used by competent national authorities and private parties for personal data exchanges (proposed Article 26(6a) and (6b)). In this way, Europol would be able to interact with private parties more regularly, both directly and indirectly.

2.     Big data challenge

Article 18 of the current Regulation stipulates that Europol may process personal data for a number of specific purposes and only in relation to certain categories of data subjects falling within Annex II. Over the past years, however, Europol started receiving large, complex, and unfiltered datasets from national law enforcement authorities. For example, Europol’s analytical and technical support turned out to be crucial for the French and Dutch law enforcement authorities in the dismantling of EncroChat, an “encrypted phone network”, used by criminals for violent crimes and drug transports. However, as the European Data Protection Supervisor (EDPS) observed, these extensive processing activities ultimately led to compliance issues. Therefore, to address the agency’s “big data challenge”, Europol would eventually be able to pre-analyse the data received to determine whether the information may indeed be lawfully processed (proposed Article 18(5a)).

3.     A role in research and innovation

Europol does not currently have a legal mandate to foster innovation and research activities in support of Member States’ law enforcement efforts. This is problematic as not all Member States have the necessary resources and skills to fight crimes carried out through new technological means, such as encrypted mobile devices or artificial intelligence (AI) tools. Therefore, under the new Regulation, Europol would not only be involved in the drafting of the Union framework programs for emerging technologies, but it would also be able to support Member States in the development of AI projects (proposed Article 4(4a) and 1(t)).

The following figure sums up the three issues and how the new Proposal would tackle them.

The half-empty glass?

The strengthening of Europol´s mandate seems to be widely supported, yet, the Proposal has not escaped criticism from some of its stakeholders. The most voiced criticism entails the Proposal´s timing, which some referred to as dubious, premature and hasty. This is because it came almost one-and-a-half years before the planned Europol´s evaluation as required under Article 68 of its current Regulation. Without such evaluation, there is limited information to really assess Europol´s effectiveness and impact.

Furthermore, some stakeholders like Statewatch, argued there is ´no need to expand Europol´s mandate to increase its engagement with private parties´. Others, including scholars like Mitsilegas, questioned the private entities´s ability to effectively assess the fundamental rights implications of their personal data transfers to Europol. Concerns also exist about the risk of such transfers occurring without a prior judicial authorization. Additionally, 26 civil society organisations addressed an open letter to the European Parliament members, calling them to not support the proposal due to various fundamental issues. These range from insufficient democratic oversight and lack of defence rights guarantees to potential invalidation of the reform by the European Court of Justice since Article 88 TFEU does not entail the proposed powers.

The EDPS has also expressed concerns about the current exceptions to data protection rules potentially becoming ´reality in practice´. Hence it called for a better definition of the circumstances in which Europol may apply the proposed derogations to processing large and complex data sets. It further criticised that additional safeguards only apply to data transfers with private parties located outside the EU. According to it, the special safeguards should apply irrespective of the private parties´ location within or outside the EU. Lastly, the EDPS pointed out the scope of Europol´s research and innovation activities is currently defined too broadly. To prevent any potential breaches of the rights to privacy and data protection, the scope shall have to be further clarified.

All in all, you can see that the Proposal, while necessary, may have come a little too early, certainly with the evaluation so close around the corner. There is still room for improvement before the co-legislators come to a final decision on the Proposal. We shall have to wait for the new developments.

Author: Student posts

This blog post is written by Master students at Utrecht University.

Leave a Reply

Your email address will not be published.