Author: Student posts

By Ana, Natalie and Marceau

Both the Office Européen de Lutte Antifraude (OLAF) and the European Public Prosecutor’s Office (EPPO) share the goal of enforcing the European Union (EU) anti-fraud agenda. Although OLAF is an administrative agency and the EPPO falls more under the field of criminal law, they both act against offences affecting the financial interests of the Union. Hence, the substantive scope covered by the two is in essence the same. However, although the objectives of the two agencies are strikingly close, the approach they use to fight fraud differs. In that sense, one can look at the two as complementing each other at work. While previous research on OLAF and the EPPO focused on the working of the agencies separately (e.g. the issue of the EPPO’s ‘forum shopping’ and OLAF’s accountability), in this blog post we aim to view the two together.

In the following we show both how they may be viewed as complementary to one another as well as what gaps and issues still remain in fighting fraud efficiently with the two enforcement agencies. To fight fraud, two steps have to take place: first, the authorities need to investigate the case, and second, if they find the case fraudulent, the perpetrators need to be prosecuted. Additionally, an effective infrastructure has to be put in place on the EU as well as the Member State’s level to prevent future fraud from occurring in the first place. In the following we discuss those issues in view of the EPPO and OLAF complementarity.

If you are unfamiliar with the roles of OLAF and the EPPO, you can familiarize yourself with their work by watching the above videos.

COMPLEMENTARITY IN INVESTIGATIONS AND GATHERED EVIDENCE

When it comes to investigation, OLAF has strong investigatory powers to gather evidence on cases involving potential fraud. It conducts the so-called ‘internal’ and ‘external’ investigations, overviewing the use (or misuse) of EU funds by the EU as well as its Member States respectively. While in the internal investigations OLAF enjoys a great deal of independence (e.g. it has the right to immediate and unannounced access to information), when investigating potential fraud in the Member State’s context, it is dependent in law and in practice on the Member State concerned. However, Member States are obliged to cooperate with OLAF, ensuring that OLAF has access to relevant information (e.g. databases) under the same conditions as national authorities. In order for OLAF to be effective and efficient in conducting, for example, its ‘on-the-spot’ checks in Member States, such cooperation is essential.

On the other hand, in gathering evidence for prosecution, the EPPO relies on the work of the European Delegated Prosecutors (EDPs) who represent the European Prosecutor of every participating Member State. Upon the instruction by the EPPO’s Permanent Chamber, the relevant EDP may initiate investigations to gather evidence for prosecution. Having the same investigatory powers as their national counterparts, EDPs may, for example, tap phones, search premises and request for information to build up a file. Similarly to OLAF, the EPPO should ALSO be aided by the national authorities when investigating a case

Considering the powers of both agencies, the investigative powers seem to overlap. However, instead of disqualifying one because the other may conduct similar investigations, the two can be viewed as complementing or enhancing the role of one another. With OLAF fighting fraud in the EU for over two decades, the agency has a lot of relevant know-how as well as legitimacy to gather evidence on a case. That evidence may subsequently be used by the EPPO, with OLAF becoming the main investigative body of the EPPO. In fact, such cooperation has recently been put into law, namely by amending the OLAF Regulation. Because of this change, OLAF is obliged to submit its report on any criminal conduct to the EPPO without delay. At the same time, while the EPPO might enhance the role of OLAF by making it its main investigative body, the role of OLAF may be viewed as subdued to that of the EPPO. That is exemplified by the fact that OLAF can no longer continue its investigations once it has handed the file to the EPPO and the EPPO opened its own investigations of the case. On a different note, when the EPPO itself lacks competence to act on a case it considers potentially illegal, it has the duty to report the case to OLAF. In that sense, it is obliged to present OLAF with the information it gathered too, enhancing its role in some cases.

COMPLEMENTARITY IN FURTHER ACTION – RECOMMENDATIONS AND PROSECUTION

While in the investigation phase more overlaps can be found between OLAF and the EPPO, the possible subsequent steps differ. That is so mostly because OLAF is in essence an administrative agency while the EPPO is primarily a prosecution body.

OLAF’s main outputs following an investigation are drawing up a report presenting evidence and issuing recommendations suggesting further action by other EU or Member States’ authorities. However, as the recommendations are not legally binding, the enforcement powers of OLAF in this regard are quite weak. At the same time, recommendations carry political weight which make the authorities take them into account. The actions recommended may vary from disciplinary and administrative actions to financial and judicial ones, aiming to deter the future misuse of EU funds and remedy the ones that already took place.

Differently from OLAF, the task of the EPPO after the investigation is to prosecute. When the EPPO comes to consider that an allegation of an offence is supported by evidence, and when the case falls under its competence, the EPPO can open a trial before a national court. Because the mandates of the two are so different, it is hard to say that the two complement each other’s work directly. However, in the overall picture of fighting the misuse of EU funds, OLAF’s substantiated recommendations (backed up with evidence from the report) and the EPPO’s prosecution powers jointly contribute to two different fields of law addressing the issue of fraud. With the EPPO’s power to prosecute in front of a judicial body, there is also a possibility that the court will recognize the case as criminal also judicially, issuing a decision that is legally binding.  

The fact that both enjoy some powers following-up an investigation phase is important, particularly because the two cover different territories when enforcing their anti-fraud agenda. It is important to note that while the EPPO is established on the basis of enhanced cooperation, meaning that it only applies to the 22 participating Member States, OLAF can act in all 27 Member States of the EU. While the limited scope of the EPPO’s enforcement might be an issue in a territorial sense, the situation can be remedied by the presence of OLAF. Namely, OLAF can step in with its investigations and recommendations where the EPPO has no territorial jurisdiction to do so. In that sense, OLAF and the EPPO may again be viewed as complementary.

At the same time, because the EPPO with more coercive prosecution powers may only operate in certain Member States and not just everywhere, anti-fraud enforcement across the EU may differ in the intensity. This might affect the extent to which fraud is addressed in different Member States, creating differences in policing the use of funds which may lead to abuse (e.g. cross border fraud). While this issue goes beyond the scope of this blog post, it would be a relevant topic for future research.

Lastly, it is important to state that OLAF also functions as an advisory body, developing anti-fraud policies and “fraud proofing” legislation which contributes to the fight against fraud also ex-ante. In that way it contributes to the anti-fraud agenda of the EU in a preventative way.

CONCLUDING REMARKS

In conclusion, we summarize the points made above in the table below. By outlining the different powers held by OLAF and the EPPO, we showed how and why they may be viewed as complementary. Overall, the authors believe that with the current system in place, OLAF and the EPPO can fight fraud and abuse of EU funds effectively together. However, some gaps still remain and could be addressed by strengthening the competences and the scope of both OLAF’s and the EPPO. Who would be hurt by stronger common anti-fraud fighting anyways?

The table shows the complementarity of OLAF and the EPPO in the fight against the misuse of EU funds by the two agencies.

By Lauren, Florentina, Maria and Rei

Enforcing EU environmental law is essential in combatting climate change and protecting the environment. Yet, non-compliance with environmental law is the leading cause of the commencement of infringement actions every year. Since the start of this year alone, the Commission has opened 85 infringement actions against Member States (“MS”) for non-compliance with environmental law. Infringement actions are lengthy and costly. Given the shortcomings of ex post enforcement, the question arises of how environmental enforcement can be improved ex ante. This blog post looks at four ways in which the European Environment Agency (‘EEA’) can help to plug information gaps in environmental enforcement at the national level, thus potentially reducing infringement actions by the Commission and preventing environmental harm.

The EEA is an information-providing agency. Some of its roles listed in its founding regulation include 

• Providing information needed for sound environmental policy to MS and the Commission (DG Environment, in particular);
• Ensuring that the public is properly informed about the state of the environment;
• Assisting the monitoring of environmental measures and recording and assessing data on the environment, ensuring that the data is comparable at a European level.

It has been argued that in the past the agency has acted as more of a ‘loyal lapdog’ to DG Environment, whereas it has the potential to act as more of a ‘barking watchdog’. Given its roles and powers assigned in its founding regulation, we argue that the EEA could improve enforcement of environmental law in the four following scenarios:

(1) First possibility: EEA information gathering on criminal law enforcement by MS

Inspections are crucial in preventing environmental harm. Blanc and Faure (2018) discuss current problems with environmental inspections in MS. The first one is that the Commission may only carry out an inspection on MS soil if the MS gives permission for the Commission to inspect. This problem arises with Directive 2008/99, which obliges MS to enforce criminal law for certain environmental crimes. For example, Article 3 of the Directive requires MS to criminalise the destruction of protected habitats and to criminalise the discharge of potentially deadly materials into the air, soil or water. However, once the Directive is transposed into national law, the MS may enforce the law in a weak manner. Faure (2017) gives the example of how this happened in the case of Sweden’s transposition of the Directive. The Swedish sanctions in place for corporate environmental crime were considered to be too low, and therefore not considered effective, proportionate and dissuasive.

The core enforcement problem with the Directive is that the Commission lacks information with respect to penalties imposed by MS. In particular, Blanc and Faure note that the Commission lacks information with regard to the capacity of environmental inspectorates and prosecutors, and on prosecutions and sanctions at the national level. A recommendation was made for the Commission to introduce legally binding minimum criteria and guidelines for inspections carried out by MS to ensure better enforcement of environmental law. This remained, however, a recommendation, as the Commission refused to make the minimum criteria and guidelines legally binding. This is where the EEA could step in, given that the agency already collects data from the national level to present at the EU level. The EEA manages the EIONET network, a forum whereby MS share environmental information and set common data reporting standards. One could imagine a scenario wherein MS report data on environmental criminal sanctions via this forum, with minimum reporting standards. However, a potential drawback for this is that the EEA has no powers to oblige MS to deliver up the necessary information. 

(2)Second Possibility: The information-gathering role can be enhanced

Figure 1: Infringement cases opened January 2022 – April 2022, per legislative instrument breach

When discussing which powers EEA has and which problems it encounters, the first thought that comes to mind is to give it more powers. However, this section investigates if the current powers that it has can solve, at least partially, the underenforcement problem.

As mentioned, a high number of infringement cases on environmental law exist. Adopting  a qualitative legal research method, the main causes of these infringements will be investigated, based on which Directives are breached. Further, it will be assessed whether EEA, if given more powers, could have prevented, at least partially, these infringements from happening.

It was determined that from the beginning of 2022, more than 80% of infringements were with regard to four directives and three major problems: noise pollution, failure to prevent the spread of invasive alien species (IAS), and failure to comply with sustainability measures.

Almost 21% of infringement cases concern Regulation 1143/2014 on the spreading prevention of invasive alien species (IAS). It requires MS to manage the pathways by which IAS are introduced and spread. However, MS  have failed to establish an action plan under the Regulation. Most of the infringements in this sector are due to a lack of knowledge. Since the EEA is an information-gathering agency, it could have informed the MS about all IAS, how to identify which IAS are dangerous and how to deal with them. The list in the regulation ‘accounts for just 3% of all IAS’. Thus, updated annexes by EEA to the Regulation can mitigate this problem and avoid future infringements.

Directive 2019/904 EU promotes circular approaches that give priority to sustainable products. Many MS failed to transpose this Directive by missing the deadline, leading to 20% of infringement cases. Why is there such a high number infringement cases? This Directive is addressed to market players who need to change their behavior. MS act more as ‘supervisors’. After a substantial scrutiny of all these cases and their context, it was identified that  little time given to MS, and the lack of a clear strategy on how to switch to sustainable products are among the causes of non-compliance. Thus, if the EEA could have helped industry actors with an action plan on how to make this change, some infringement cases could have been prevented.

Either way, when such important legislative acts are enacted, governments and market players should be assisted by a European agency to make sure the legislative goal is attained. The first objective of the Lisbon Action Plan is to achieve effective transposition. The EEA has enough information and expertise to be able to assist Member States to comply with environmental law. Even though it is acknowledged that now, it may be difficult to give EEA supervisory or enforcement powers, if it could mitigate information asymmetry problems more efficiently, it would have already been a success.

(3) Third Possibility: Promoting the collection of timely information

National authorities have not been able to sufficiently obtain timely information for effective enforcement. The following bar chart indicates the reporting performance of each country in EIONET in 2021.

Figure 2: Reporting Performance by each EU country in EIONET, 2021. Source: Eionet core data flows 2021

This chart indicates how often there was timely and high-quality data sharing from each country, with 100% being the best possible result. According to this chart, many countries achieved a high percentage in sharing timely data, however, in some countries such as Germany, the rate was only about 60%, a large gap compared to countries like Poland. This gap could generate a risk of ineffective enforcement in some countries because of insufficient timely information to address environmental challenges and this can affect the total quality of enforcement in the EU.

EEA can take measures to reduce the risk of the gap in some ways. One way is to improve the technical aspect of EIONET itself. This information portal site has an enormous amount of data, thus specific data may not be picked up immediately. The development of this database would increase the quality of information sharing to users. Also, the EEA can recommend authorities who have not offered much data compared to other countries to provide data regarding the enforcement situation of EU environmental law to EU institutions. This can put pressure on countries in cases where authorities in the EU have to address problems rapidly. Moreover, the process of sharing data can be improved. EIONET has an infrastructure called Reportnet, and it has a reporting process in 10 steps, but there are no limited periods in each step and this can lead to less timely information sharing. A new version developed in 2018 makes the process without external systems, but a specific period in each step should be also set.

(4) Fourth Possibility: Self-monitoring Scheme

Environmental competences are shared between MS and the EU. The EEA already has important information gathering powers. Objectives delegated to EEA could be enhanced by strengthening cooperation between the EEA and national environmental authorities. 

It is possible to achieve the aforementioned target, by establishing a self-monitoring scheme. Based on this scheme, the EEA cooperates with national authorities for the purpose of monitoring compliance and gathering information regarding EU Environmental Law infringements. Main polluters of each MS by sector are obliged to provide information regarding compliance with EU environmental law to national authorities. The latter are responsible for referring this information to the EEA. Due to the fact that higher fines would not result in higher compliance, since companies would adjust their budgetary strategies accordingly, enterprises which cooperate would benefit with a reduction on the fine imposed for non-compliance. 

By reducing fines imposed, enterprises would have a greater incentive not only to cooperate with the authorities and the Agency, but also to comply with EU environmental law. Consequently, the risk is reduced, considering that they bear certain rather than uncertain sanctions in case of non-compliance.  

Through this Scheme it is not only enterprises who benefit, but the national authorities and the European Commission as well since it would result in saving enforcement resources. Those who report their harmful act, no longer require detection. 

Such schemes already exist in many MS, though there is nothing as such at EU-level. Our proposal is for an obligatory self-monitoring scheme for main polluters at national level with a further obligation for national authorities to cooperate with the EEA. 

By Giorgia, Lisa-Marie, Shivani, and Emilia

You take the blue pill—the story ends, you wake up in your bed and data protection enforcement stays the same. You take the red pill—we make a new agency, and I show you what it could look like.

(Lana Wachowski and Lilly Wachowski, The Matrix, 1999)

In ‘The Matrix’, when the reality of Thomas Anderson begins to fall apart, he is presented with a choice: to take the blue pill which allows him to continue living in contended ignorance, or to take the red pill to learn about reality and express his full potential by becoming his alter ego Neo. It is a risky option which yields challenges, yet ultimately beneficial consequences. Similarly, whilst leaving the status-quo of the enforcement system of the General Data Protection Regulation (‘GDPR’) provides a comforting yet ineffective blue pill, taking the red pill and converting the European Data Protection Board (‘EDPB’) into a European Data Protection Agency (‘EDPA’) could disrupt yet enhance enforcement of data protection law in the European Union (‘EU’).

In today’s digital economy, companies process a significant amount of personal data. Individuals can benefit from this, for instance by receiving more targeted and relevant information. However, there are also inherent risks to data protection, a fundamental right of every EU citizen. For example, in cases of a data breach, individuals can be harmed by identity theft or fraud (Bergkamp, Hunton, and Williams, 2002). The GDPR, therefore, imposes certain limitations on personal data processing. These are enforced through a hybrid system composed of the EDPB and national supervisory authorities (‘SAs’). The SAs investigate and enforce companies’ compliance with the GDPR in their respective Member States, while the EDPB functions as a dispute resolution body in cases of conflicts between SAs, but has no investigative or corrective powers itself. Yet, the EDPB does enjoy corrective powers to a certain extent: It can impose duties on the SAs that require the implementation of EDPB’s decisions, including the adoption of corrective measures. Furthermore, the EDPB can adopt legally binding decisions.

Nevertheless, the GDPR’s enforcement, particularly in cross-border cases, has been criticized for being too complex, slow, and ineffective, leading to its underenforcement. For this reason, the Commission Vice President Věra Jourová announced that the GDPR enforcement system might be reformed, moving towards a more centralized enforcement. This blog post investigates whether converting the existing EDPB into a EDPA modeled after the Single Supervisory Mechanism (‘SSM’) could solve the current enforcement deficits.

Blue pill: The Gordian knot of the current GDPR cross-border enforcement

In situations where companies control and process personal data across several Member States, the one-stop-shop mechanism applies: the SA in the Member State of the companies’ main establishment takes the lead but must cooperate with SAs of other affected Member States through information exchanges, in order to reach consensus in the investigation and sanctioning. However, this cooperation mechanism exhibits major deficits, in particular in cases where companies, such as Google, Facebook, and Twitter, process data from individuals across the EU.

There are two major drawbacks to the current system:

1. The one-stop-shop mechanism places an unproportionate burden on SAs of Member States where many big companies are located (e.g., Ireland) which, combined with a lack of resources and possible political unwillingness to investigate violations sufficiently, leads to enforcement bottlenecks;
2. The EDPB and concerned SAs are highly dependent on the lead SA to investigate sufficiently and share its information. If this is not done in goodwill, then the EDPB does not possess enough evidence to decide disputes between SAs (see Decision 01/2020, paras 132-133).

Together, these deficits contribute to the underenforcement of the GDPR (Mustert and Bledoeg, 2021). Could the transformation of the EDPB, empowered with direct enforcement powers, be the bold step necessary to solve this Gordian knot?

Red pill: Creating an EDPA modeled after the SSM?

EU agencies play a crucial role in the shared administration of the EU by executing information-gathering, regulatory, and direct enforcement tasks (Scholten, Strauss, and Brenninkmeijer, 2021). There are pros and cons of a centralized agency that enjoys investigative and legally-binding enforcement powers overruling national authorities (Scholten and Ottow, 2014). Most importantly, a centralized EDPA could increase harmonization and reduce the risks of enforcement bottlenecks, ensuring a cohesive observance of the GDPR throughout the EU. However, optimal results will still only be achieved when national SAs are incentivized to cooperate with a centralized EDPA. This could be achieved if the EDPA is modeled following the role that the European Central Bank (‘ECB’) undertakes in the SSM.

The Regulations governing the SSM ensure the soundness of the European banking system. This mechanism confers specific tasks on the ECB regarding policies on the prudential supervision of banks and credit institutions. It functions through a centralized system of enforcement between the ECB and SAs, with the former being ultimately responsible for the effective functioning of the SSM. Although the ECB and SAs enjoy similar powers, the ECB is exclusively competent for supervising and investigating significant banks, whilst SAs are entrusted with the monitoring and investigation of less-significant banks. The significant status is decided by the ECB based on banks’ sizes, their economic importance, their cross-border activities, and whether they have requested direct public support. The ECB must cooperate through a system of shared enforcement which permits the ECB to take over institutions overseen by SAs at any time (Karagianni and Scholten, 2018).

The solution of an EDPA and SSM model of enforcement

In light of the considerations on centralizing the GDPR enforcement, the EDPB could be transformed into the EDPA by firstly adopting a regulation on the basis of the fundamental right to data protection, and secondly by endowing it with similar supervisory and investigative powers as the ECB has within the SSM for ‘significant’ banks. Accordingly, the EDPA will have direct enforcement powers regarding large data processing companies. The legal basis allows for ensuring the GDPR compliance of companies harvesting personal data of EU citizens, while the SSM-like powers allow to share the task of overseeing the personal data processing companies with the supervisory authorities and supervise the overall system. Otherwise, allocating the entire supervision to the EDPA might prove detrimental, especially when comparing the large number of companies controlling and processing personal data in the EU with the few significant banks supervised by the ECB. While the criteria of significance in the data-processing field cannot be directly transposed from what is used to determine significant banks, new considerations in terms of the quantity and quality of data a company processes (i.e. strategic importance) will prove pivotal to determining which entities are supervised by the EDPA.

By Anna, Bart, Francesca and Natália

With new technologies on the rise and the ensuing evolution of many transnational crimes, the importance of the European Union Agency for Law Enforcement Cooperation (Europol) in preventing and countering serious crime has become even more apparent. For example, in January 2021, Europol helped to disrupt one of the world’s most dangerous and longer lasting cybercrime services. It did so by supporting, among others, the Dutch, German and French law enforcement authorities with its technical capabilities and by setting up joint investigation teams.

Europol’s assistance to the Member States is crucial as, today more than ever, criminal information is found in the hands of private companies. This is evident from recent cases where Europol assisted in busting criminal networks specialised in the distribution of counterfeit documents via instant messaging apps such as the one in France, Spain and other Member States. Although Europol can already receive data from private service providers, this is only on exceptional bases and most notably through the intermediary of a national unit or contact point. Hence, extending Europol’s powers in this field could help law enforcement authorities to combat these crimes more effectively. This may become true, should the 2020 Proposal for a new Europol Regulation be adopted. Europol is now one step closer to gaining such power since the European Parliament and the Council have reached a preliminary agreement on the matter on 1st February 2022. In light of this recent development, we aim to shed more light on the Commission’s Proposal and ensure you do not miss out on the three main changes it may bring about. Specifically, these include: (1) the cooperation with private parties; (2) the big data challenge; and (3) Europol´s role in research and innovation. Naturally, no reforms are ever fully welcomed and thus we also aim to highlight some of the concerns raised by different stakeholders with respect to the proposed changes.

Time for a Change

Shortly after the entry into force of Europol’s current Regulation, the Council and Parliament had already called for strengthening of the agency’s mandate. In December 2020, this led to the new Proposal. If enacted, it would further enhance Europol’s powers. The three main changes mentioned above will now be addressed in turn.

1.     Cooperation with private parties

Currently, Europol may only process personal data obtained from private parties indirectly, via the intermediary of a national unit or a third country´s contact point (Article 26(1) Regulation 2016/794). Additionally, the agency cannot address private parties to retrieve (additional) personal data (Article 26(9)). However, this would change with the Proposal´s adoption. Europol would be in fact able to receive personal data directly from private parties while also being allowed to contact them for any potential missing information (proposed Article 26(2) and (5)(d)). In this connection, Europol could also request Member States to obtain data from private parties that are established on their territory on its behalf. Finally, the agency’s technical infrastructures could also be used by competent national authorities and private parties for personal data exchanges (proposed Article 26(6a) and (6b)). In this way, Europol would be able to interact with private parties more regularly, both directly and indirectly.

2.     Big data challenge

Article 18 of the current Regulation stipulates that Europol may process personal data for a number of specific purposes and only in relation to certain categories of data subjects falling within Annex II. Over the past years, however, Europol started receiving large, complex, and unfiltered datasets from national law enforcement authorities. For example, Europol’s analytical and technical support turned out to be crucial for the French and Dutch law enforcement authorities in the dismantling of EncroChat, an “encrypted phone network”, used by criminals for violent crimes and drug transports. However, as the European Data Protection Supervisor (EDPS) observed, these extensive processing activities ultimately led to compliance issues. Therefore, to address the agency’s “big data challenge”, Europol would eventually be able to pre-analyse the data received to determine whether the information may indeed be lawfully processed (proposed Article 18(5a)).

3.     A role in research and innovation

Europol does not currently have a legal mandate to foster innovation and research activities in support of Member States’ law enforcement efforts. This is problematic as not all Member States have the necessary resources and skills to fight crimes carried out through new technological means, such as encrypted mobile devices or artificial intelligence (AI) tools. Therefore, under the new Regulation, Europol would not only be involved in the drafting of the Union framework programs for emerging technologies, but it would also be able to support Member States in the development of AI projects (proposed Article 4(4a) and 1(t)).

The following figure sums up the three issues and how the new Proposal would tackle them.

The half-empty glass?

The strengthening of Europol´s mandate seems to be widely supported, yet, the Proposal has not escaped criticism from some of its stakeholders. The most voiced criticism entails the Proposal´s timing, which some referred to as dubious, premature and hasty. This is because it came almost one-and-a-half years before the planned Europol´s evaluation as required under Article 68 of its current Regulation. Without such evaluation, there is limited information to really assess Europol´s effectiveness and impact.

Furthermore, some stakeholders like Statewatch, argued there is ´no need to expand Europol´s mandate to increase its engagement with private parties´. Others, including scholars like Mitsilegas, questioned the private entities´s ability to effectively assess the fundamental rights implications of their personal data transfers to Europol. Concerns also exist about the risk of such transfers occurring without a prior judicial authorization. Additionally, 26 civil society organisations addressed an open letter to the European Parliament members, calling them to not support the proposal due to various fundamental issues. These range from insufficient democratic oversight and lack of defence rights guarantees to potential invalidation of the reform by the European Court of Justice since Article 88 TFEU does not entail the proposed powers.

The EDPS has also expressed concerns about the current exceptions to data protection rules potentially becoming ´reality in practice´. Hence it called for a better definition of the circumstances in which Europol may apply the proposed derogations to processing large and complex data sets. It further criticised that additional safeguards only apply to data transfers with private parties located outside the EU. According to it, the special safeguards should apply irrespective of the private parties´ location within or outside the EU. Lastly, the EDPS pointed out the scope of Europol´s research and innovation activities is currently defined too broadly. To prevent any potential breaches of the rights to privacy and data protection, the scope shall have to be further clarified.

All in all, you can see that the Proposal, while necessary, may have come a little too early, certainly with the evaluation so close around the corner. There is still room for improvement before the co-legislators come to a final decision on the Proposal. We shall have to wait for the new developments.