International Agreements to fight crime require strong data protection safeguards
The EDPS has issued five Opinions on the European Commission’s Recommendations to open negotiations for International Agreements on the exchange of personal data between Europol, the EU Agency for Law Enforcement, and the competent authorities of five Latin American countries: Ecuador, Brazil, Peru, Bolivia, and Mexico to fight serious crime and terrorism.
The EDPS Opinions aim to provide advice on further developing data protection safeguards in these future International Agreements so that individuals’ personal data is protected according to EU standards.
Wojciech Wiewiórowski, EDPS, said: “I am pleased to see that the Commission has established by now - also on the basis of previous EDPS opinions - a well-structured set of objectives to achieve when negotiating agreements on the exchange of personal data between Europol and third country law enforcement authorities. Particular circumstances of each foreign jurisdiction, such as existence of an independent data protection authority, or the accession to Convention 108 of the Council of Europe, should always be duly taken into account”.
Against this background, the EDPS recommends that the future International Agreements explicitly list the criminal offenses and purposes, for which individuals’ personal data may be exchanged. The International Agreements should also provide for a periodic review of the time during which transferred personal data is stored, and to put in place appropriate measures to ensure that these time periods are respected. The EDPS also notes that additional safeguards are put in place for special categories of data (such as personal data revealing ethnic origin or sexual orientation), as well as in the case of automated processing.
Taking into account the risks associated with transfers of personal data from a country outside the European Union/European Economic Area to Europol, especially in light of Europol’s extension of powers in its updated Regulation, the EDPS recommends that the future International Agreements explicitly exclude transfers of personal data that has been obtained in violation of human rights.
The control by independent authorities in charge of overseeing the transfers of personal data in the context of these International Agreements, equipped with effective powers and efficient tools, is crucial to ensure that individuals’ rights to personal data and data protection are protected. To this end, the EDPS suggests that the parties involved in these International Agreements exchange on a regular basis information on the exercise of individuals’ fundamental rights as well as on the application of the relevant oversight and redress mechanisms, to facilitate the enforcement of appropriate data protection measures.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About the EDPS: The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the protection of personal data and privacy and promoting good practice in the EU institutions and bodies.
He does so by:
- monitoring the EU administration’s processing of personal data;
- monitoring and advising technological developments on policies and legislation that affect privacy and personal data protection;
- carrying out investigations in the form of data protection audits/inspections;
- cooperating with other supervisory authorities to ensure consistency in the protection of personal
EDPS - The EU’s Independent Data Protection Authority