Amended Europol Regulation weakens data protection supervision
Following the publication of the amended Europol Regulation in the Official Journal of the EU today, the EDPS expresses its concerns that the amendments, which will enter into force on 28 June 2022, weaken the fundamental right to data protection and do not ensure an appropriate oversight of the European Union Agency for Law Enforcement Cooperation (Europol).
The amended Europol Regulation, Regulation (EU) 2022/991, expands considerably the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets.
Europol is now allowed, in specific cases, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
The EDPS regrets that the expansion of Europol’s mandate has not been compensated with strong data protection safeguards that would allow the effective supervision of the Agency’s new powers.
Putting in place strong safeguards is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. The EDPS has strong doubts as to the legality of this retroactive authorisation.
The processing of these large data sets concerning individuals with no established link to a criminal activity is a matter which the EDPS has already expressed concerns about. Indeed, these are the same large data sets that the EDPS ordered Europol to delete on 3 January 2022. Therefore, with the amended regulation, the EDPS Order to delete these large datasets would become ineffective.
Europol’s Management Board should now further specify the data protection safeguards to put in place to limit effectively the impact of such intrusive data processing activities on individuals, as required by the legislator. To this end, the EDPS expects to be formally consulted on the basis of the amended Europol Regulation concerning relevant decisions of the Management Board.
The EDPS remains committed to supervise closely the compliance of Europol’s data processing operations with the applicable legal framework, and to use its advisory, investigative and corrective powers, when necessary.
Background information
About Europol: The rules for data protection applicable to the EU’s Agency for Law Enforcement Cooperation (Europol), as well as the supervisory tasks of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2016/794 (Europol Regulation) as amended by Regulation 2022/991. The powers of the EDPS over Europol are laid down in Article 43 Regulation (EU) 2016/794.
About the EDPS Order to Europol: On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.