Robust data protection considerations can strengthen the credibility of investigations into serious crimes in the EU. This is the message the European Data Protection Supervisor (EDPS) sent in his opinion published today on the Commission proposal for a new legal framework for the EU Agency for Law Enforcement and Training (Europol). The EDPS fully supports the need for innovative and flexible approaches in preventing and combating serious crimes, but also insists on strong safeguards. The validity of a criminal investigation relies on the quality and integrity of the data collected. Respecting data protection principles can help reinforce the reliability of such evidence.
Peter Hustinx, EDPS, said: "A strong framework of data protection is important not only for those under suspicion or involved in an investigation, but also contributes to the success of police and judicial cooperation. As the work of Europol relies on the cooperation with and between law enforcement agencies in Europe, it is important that data protection considerations are fully taken into account: in practice this means that Europol should collate personal information for specific investigations only. It is important that Europol maintains a high level of data protection as the role it plays in combating serious crimes increases. The effective supervision of Europol is needed to ensure that it operates in full compliance with the stringent case law of the EU Court."
In order to support law enforcement agencies throughout Europe to help prevent and combat organised crime, terrorism and other forms of serious crime, Europol's core activities consist of gathering, analysing and disseminating personal information. Given the increasingly cross-border nature of this work, the EDPS says it is imperative that clearly defined criteria are outlined for transfers of information to third countries and international organisations.
While Europol has maintained a good data protection regime in the past, the proposed idea to cross-reference information stored in different databases to check if individuals or groups are suspected of more than one type of crime - drugs and human trafficking for example - could be a cause for concern if data protection safeguards are not put in place. The increased flexibility to cross check information should be balanced, for example, by specifying the purpose and in general by keeping a high level of data protection, at least as high as that which is prescribed in the current data protection framework.
The proposal also outlines that the EDPS is to supervise Europol's compliance with data protection rules. The EDPS welcomes the emphasis placed on a robust supervision of Europol, that an EU Agency should be supervised by the established - and fully independent - European supervisory body. At the same time, it is essential that the supervision of Europol is carried out in close cooperation with national data protection authorities as is the case for the supervision of EU large-scale IT databases such EURODAC, CIS and others.
Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.
EUROPOL: the role of the EU Agency for Law enforcement Cooperation and Training (Europol) is to provide support to national law enforcement authorities and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime affecting two or more Member States. The assistance offered by Europol to national law enforcement authorities involves facilitating exchanges of information, providing criminal analysis, as well as helping and coordinating cross border operations. To achieve these tasks, Europol's core activities consist of gathering, analysing and disseminating personal information.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Purpose limitation: personal information may only be collected for specified, explicit and legitimate purposes. Once it is collected, it may not be further processed in a way that is incompatible with those purposes. The principle is designed to protect individuals by limiting the use of their information to pre-defined purposes.