25 April 2024
Hounded by criticism from civil society and EU member states over its new proposal to increase the powers of Europol, the European Commission has belatedly published an “analytical document” in lieu of a formal impact assessment. The new proposal would lead to the storage of vast quantities of information by Europol on human smuggling and trafficking cases, intended to increase investigations and prosecutions. However, the Commission’s document offers a minimal analysis of the potential impact on individual rights, particularly of people in vulnerable situations, and the data protection safeguards at Europol are inadequate for the proposed changes.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
Image: Roel Wijnants, CC BY-NC 2.0
Backpedalling to provide evidence for new police powers
Last November, the European Commission launched a “Global Alliance to Counter Migrant Smuggling” at a glossy event in Brussels, and used the occasion to announce two new pieces of legislation. The first is a revamped Facilitation Directive, to adjust the legal definition of migrant smuggling and increase criminal penalties. The second would boost Europol’s powers, ostensibly in relation to trafficking and smuggling, but in fact for all crimes for which it has competence.
The Europol proposal follows hot on the heels of a new legislative mandate for the agency, and the European Data Protection Supervisor has denounced the Commission’s failure to assess its potential impact on fundamental rights – in particular given that it is primarily non-EU citizens that will feel the effects of the measures. This echoes the concerns of LIBE members that received the proposal with reservations in particular about the “direct and indirect effects on the safety and rights of people on the move.”
Even member states in the Council of the EU gave the proposal a frosty reception, questioning its necessity and proportionality. One common theme in member states’ comments was the lack of an impact assessment. The Commission claimed that it "had little or no choice available, notably due to the urgent operational needs to improve Europol’s support to Member States on countering migrant smuggling.” But it appears that not everyone is feeling the same sense of urgency, and the glacial reception from the two co-legislators has led the Commission to provide “more detailed information on the facts and figures” underpinning its proposal in a staff working document.
It might be observed that providing evidence for a proposal only after publishing it is not really how things are supposed to be done. This is something the Commission should be aware of: the guidance for its “better regulation” agenda, approved in 2021, commits it to “a way of working that allows political decisions to be prepared in an open and transparent manner, informed by the best available evidence.” Doing so “ improves the legitimacy and accountability of EU action,” says the agenda.
Mandatory information-sharing
Europol’s top strategic priority is to “be the EU criminal information hub”, and it clearly has ambitions in this regard. As revealed by Balkan Insight last year, in relation to a proposal on online child sexual abuse, Europol sought unlimited data access: “All data is useful and should be passed on to law enforcement,” one agency official said at a meeting.
Information is currently provided to Europol by member states authorities on a voluntary basis, in relation to specific offences listed in the Europol Regulation, which already covers migrant smuggling and human trafficking. The new proposal would instead make it mandatory for member states to share information on smuggling and trafficking cases with the agency.
The Commission’s working document states that “all efforts taken since 2015 to increase the level of information sharing… including calls at political level, discussions at technical level or technical improvements… have not resulted in the necessary increase in the sharing of information relating to criminal offences on migrant smuggling and trafficking in human beings.”
This is precisely the opposite of what the European Court of Auditors found in an investigation published in 2021. Between 2016 and 2019, the number of new cases dealing with migrant smuggling initiated at Europol more than doubled, and the number of messages received from member states via the Secure Information Exchange Network Application (SIENA) grew from 10.6 million to 16.2 million annually.
The report went on to say:
A number of stakeholders pointed to the need for Member States to supply Europol with more operational information. There are often valid operational or legal reasons for not sharing information with Europol or engaging with other Member States on a bilateral basis… Investigators might not have authorisation from a prosecutor to share sensitive data in the early stages of investigation. Restrictive information-handling policies may be applied to avoid jeopardising an ongoing investigation or protect national security interests. Some information may also be beyond Europol’s mandate.
The Commission’s proposal aims to bypass these obstacles. The staff working document states:
Member States would no longer need to determine on a case-by-case basis whether the information related to individual incident [sic] of migrant smuggling or trafficking in human beings is necessary for Europol to fulfil its objectives. Instead, Member States would have to share any information held by its competent authorities and relating to criminal offences on migrant smuggling and trafficking in human beings, since that information would be deemed necessary for Europol to fulfil its objectives
To support this massive change, the Commission proposes giving the agency an extra €50 million and 50 additional staff posts for the current Multiannual Financial Framework period (2021-2027), according to the explanatory memorandum for the proposal . The Commission also argues for further technical resources and legislative clarity for Europol to process biometric data and to “deliver on the obligations set up in the interoperability framework” that has already extended the capacity of the agency to access data in various European information systems. A further objective of the proposal is to increase information exchange with non-EU states.
Fundamental rights impact: nothing to see here
The document provides a very brief analysis of the potential impact on individuals, arguing that the new legislation:
…does not impose a disproportionate and excessive burden on the persons affected by the limitation, namely persons who are related to a criminal offence on migrant smuggling and trafficking in human beings, as Europol’s data protection regime would provide for the necessary safeguards.
There is no consideration that this will also encompass people in a vulnerable situation, who elsewhere in the document are portrayed as victims in need of the new rules (the first sentence states that migrant smuggling “disregards and endangers human lives and strips people of dignity in the pursuit of profit, violating people’s fundamental rights and undermining the migration management objectives of the EU”). The European Data Protection Supervisor opinion on the proposal, meanwhile, warned “vulnerable people might be involved,” and that the impact on fundamental rights cannot be “fully foreseen”.
The lack of analysis offered by the Commission is even more insufficient when considered in light of the impact of anti-smuggling policies in the EU. The fact that people have to cross borders irregularly is precisely what creates the need for migrant smugglers, as EU agencies themselves have pointed out to policymakers. In a 2020 report, Europol, Frontex and the and then-European Asylum Support Office (now the EU Asylum Agency) noted that the “need to bypass reinforced borders several times” means “the demand for facilitation [i.e. smuggling] services in the Western Balkans region is high.”
Meanwhile, a recent report by the Platform for International Cooperation on Undocumented Migrants found that “at least 117 people faced judicial proceedings in the EU for acting in solidarity with migrants” and “at least 76 migrants in Italy, Greece and Spain were criminalised for the sole act of crossing borders irregularly.” Most cases concerned smuggling related offences. The organisation has called for “a paradigm shift on smuggling.” The usual narratives, such as those employed by the Commission, “often refer to the violence that migrants suffer from the hands of smugglers, [while] very little attention is paid to the major harm done by counter-smuggling policies themselves.”
This analysis is also true for the impact of trafficking policies. Revised EU anti-trafficking rules were approved this week by the European Parliament. Irena Ferčíková Konečná of the European Sex Workers Alliance has argued that political debate on the new measures was dominated by calls for an extension of the definition of trafficking to criminalize clients of sex workers, with the aim of “abolishing” sex work. The result, according to the European Council on Refugees and Exiles, is a missed opportunity for EU legislators to adopt a rights-based approach that upholds a “do not harm principle.” Instead, the law is likely to “push sex work further underground, and potentially increase risks and harm for trafficked persons by making them more difficult to reach.” A statement signed by six NGOs in response to the parliamentary vote calls for states to “ensure that the rights of victims are prioritised during the transposition and implementation process.”
Safeguards: real or illusory?
The disastrous effects of smuggling and trafficking policies have been well-documented by NGOs and journalists, yet there is not a word on the topic in the Commission’s staff working paper. The document instead highlights Europol’s data protection framework and the remedies available for individuals – a bold move, considering that this framework has been in the spotlight for its failings.
The Commission presents four existing safeguards at Europol that it says ensure the proportionality of the proposal:
First, Europol is only authorised to process information, including personal data, for the achievement of its objectives, that is, to support Member States in preventing and combating serious crime and terrorism. It is therefore Europol’s obligation to determine whether information received from Member States is relevant to its tasks.
Second, Member States are only authorised to supply Europol with information necessary for the Agency to fulfil its objectives. The specific obligation provided for in the Commission proposal would not apply to any information that is not relating to criminal offences on migrant smuggling and trafficking in human beings.
Third, the Europol Regulation provides for effective rights of the data subjects, including the right of access and the right to rectification, erasure and restriction.
Fourth, Europol is subject to effective data protection supervision by the European Data Protection Supervisor.
The proposal would turn the logic that currently underpins the first safeguard on its head. Currently, member states determine which information to share with Europol. If the proposed changes were introduced, they would be obliged to send all information on smuggling and trafficking cases to Europol, which would then decide whether or not it was relevant.
Whether Europol is the best judge of this may be called into question. A September 2023 audit by the EDPS found multiple cases in which data on children should not have been transferred to the agency because it concerned “relatively minor infractions, such as pickpocketing (at least two cases) or shoplifting,” but was nevertheless stored under the heading “organised crime group”. In these cases, the data was transferred by a non-EU state; the audit found that Europol did not apply any extra safeguards to its assessment of data received from abroad. The fact that one of the aims of the proposal is to increase data exchanges with non-EU states should be a cause for concern.
It is also open to question whether the safeguards offered to individuals are effective in practice. Individuals who know or believe their data is held by Europol have right to access the data stored about them, as explained in a guide published last year by European Digital Rights. If that request is denied or otherwise responded to insufficiently, appeals can be filed with the European Data Protection Supervisor (EDPS). In 2023 the EDPS dealt with three complaints regarding Europol’s handling of personal data – but despite this low number, the process is extremely slow, judging by one case that is publicly-known.
Frank van der Linde is a Dutch peace activist who has been labelled as a terrorist by the Dutch police. They then transferred his personal information to Europol – calling into question the second safeguard listed by the Commission, which suggests that member states would not transfer unnecessary or irrelevant information – who refused van der Linde access to his file. He contested the decision, and after two years of investigation the EDPS ordered Europol to forward his file. Europol, however, requested a review of the decision, claiming that access to the data had not been agreed by the Dutch police, and should be decided at the national level. The EDPS thus wait for a Dutch judge to take a decision on van der Linde’s right of access.
On 8 February 2024, it appeared that Europol had had second thoughts about leaving the Dutch authorities to decide whether or not to grant access to the data. In a letter to the court the Dutch police claimed that “after consultation with Europol, it has been revealed that Europol does not wish for individual member states to answer questions about the Siena messages system and is not allowed to provide access to Siena messages.”
It has been four years since van der Linde appealed against Europol’s decision. He is still waiting.
Not an impact assessment but a political pitch
The working document appears to be an ill-fated attempt by the Commission, prior to the European Parliament elections, not to lose face. The working document does not offer a serious assessment of the necessity and proportionality of the regulation. It completely ignores the harmful impact anti-smuggling and trafficking policies have, despite warnings from the EDPS and MEPs at the European parliament. At a minimum, before seeking to expand Europol’s data collection, the Commission should make a serious inquiry into whether the agency and its supervisory authority are able to monitor the current flow of personal data from member states and provide effective remedies for individuals. Instead, the document is little more than an attempt to keep an unnecessary proposal afloat.
Romain Lanneau
A new proposal to enhance the powers of Europol and to strengthen its cooperation with Frontex in the name of fighting migrant smuggling falls short of respecting data protection and fundamental rights standards, according to the European Data Protection Supervisor (EDPS).
At the end of November the Commission proposed expanding Europol’s powers, in the name of fighting migrant smuggling. Member states have started discussing the proposal in the Council. Written comments obtained by Statewatch suggest that the plans have not been well-received in national capitals.
At the end of November, the European Commission announced two new laws to fight migrant smuggling. One seeks to make the legal framework more punitive. The other aims “to reinforce Europol’s role in the fight against migrant smuggling and trafficking in human beings,” but would in fact expand Europol’s powers in relation to all crimes for which it has competence, and let the agency conduct “non-coercive investigative measures” during joint operations with national police forces. Its staff are currently prohibited from conducting any kind of investigative measure.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.