On 2 and 7 March 2022, the EDPS published two Opinions on the Commission’s Proposal for the Regulation on automated data exchange for police cooperation (“Prüm II”) and on the Proposal for a Directive on information exchange between law enforcement authorities of Member States. Both Proposals are part of the “EU Police Cooperation Code” package.
The objective of the proposed Police Cooperation Code is to enhance law enforcement cooperation and, in particular, the information exchange between the competent authorities responsible for the prevention, detection, and investigation of criminal offences. To this end, the Proposal for the “Prüm II” Regulation lays down the conditions and procedures for the automated searching of DNA profiles, dactyloscopic data (fingerprints), facial images, police records, and vehicle registration data, while the Proposal for the Directive on information exchange aims to facilitate the access by law enforcement authorities to information held in another Member State.
Wojciech Wiewiórowski, EDPS, said: “Police cooperation, including exchange of relevant information between law enforcement authorities, is an important element of a well-functioning Area of Freedom, Security and Justice. At the same time, the increase in data sharing and the reinforcing of Europol’s role as the EU’s “criminal information hub” should comply with the principle of proportionality and should not lead as a side effect to the creation of new large centralised databases."
Given the risks associated with the processing of individuals’ personal data in criminal matters, the necessity and proportionality of the envisaged measures should be clearly demonstrated, so that the level of protection for individuals guaranteed by EU law is not undermined. Against this background, the EDPS makes a series of recommendations in his Opinions.
Regarding the Proposal for the “Prüm II Regulation”, the EDPS stresses that the proposed new framework lacks essential elements related to its material and personal scope, such as the types of crimes, which may justify a query, and the categories of data subjects affected by the automatic exchange of data. In particular, the automated searching of DNA profiles and facial images should only be possible in the context of individual investigations of serious crimes, and not of any criminal offence, as provided for in the Proposal. Furthermore, the EDPS is not convinced about the necessity of the proposed automated searching and exchange of data from police records and underlines the need for strong safeguards to address the related data quality risks. The Opinion also comments on the inclusion of Europol within the Prüm framework, recalling the position of the EDPS on the processing by Europol of the so-called ‘big data’, i.e. large and complex datasets.
Regarding the Proposal for the Directive on information exchange, the EDPS highlights the need to clearly define the personal scope of the measure, and in any event, to limit the categories of personal data about witnesses and victims that may be exchanged. He also expresses concerns about the length of the storage of personal data in the case management systems of the Single Points of Contacts, as well as on the role of Europol in the exchanges of personal data between national law enforcement authorities. In particular, the EDPS considers that the Member States should be required to assess on a case-by-case basis whether Europol should receive a copy of the information exchanged by the competent national authorities, and with a clearly indicated purpose. Otherwise, the Directive might result in creating a vast database of back-up copies of exchanged information to be managed by Europol, for new purposes set by the Agency.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
Wojciech Wiewiórowski (EDPS), was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.
Personal data: see EDPS Glossary
Processing personal data: see EDPS Glossary
Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).