09 July 2020
The European Commission recently launched a consultation on possible changes to Europol's mandate, which would give the policing agency greater data-gathering and processing powers. Some of the proposals under consideration would legalise ongoing activities for which there is currently no legal basis, such as the processing of the personal data of innocent people. Statewatch's submission to the consultation called for a much broader discussion on the agency's role and operations.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
8 July 2020
Submission to the European Commission’s consultation on revising Europol’s mandate (also available as a pdf)
Introduction
Statewatch is a non-profit-making voluntary group founded in 1991 comprised of lawyers, academics, journalists, researchers and community activists. Our European network of contributors is drawn from 18 countries. We encourage the publication of investigative journalism and critical research in Europe in the fields of the state, justice and home affairs, civil liberties, accountability and openness.
We have contributed to the submission to this consultation made by European Digital Rights (EDRi). With this submission we wish to reinforce a number of points made in the EDRi contribution, and raise a number of further issues.
Overview
The European Commission’s inception impact assessment (hereafter referred to as “the document”) outlines five issues concerning the possible expansion of Europol’s mandate. We have structured our response around those headings, but also raise a number of further points that must be taken into consideration in any discussion on the agency’s future role.
Given the significant public scrutiny currently directed at the actions of police forces and the role of the police more generally, in the EU and elsewhere in the world, it seems timely for the Commission to be raising the issue of Europol’s mandate. The objective of expanding Europol’s data-processing capabilities and providing the agency with extended operational powers requires a wide-ranging public debate and conversation.
Europol’s work cannot be isolated from the widespread and well-founded accusations of racist and discriminatory policing practices that are being made in the member states of the EU, including the UK, which for the time being remains a member of Europol. The agency’s work rests upon the activities and actions of national law enforcement agencies and the data they gather and, even if its mandate is extended to grant it a more autonomous role, this will remain the case.
We therefore consider that a broader debate on Europol’s tasks and activities is required, looking at how national law enforcement practices and data-gathering affect the analyses and assessments produced by Europol, and how that in turn affects national law enforcement activity. Such a debate should take into account the views of those groups and individuals whose lives are wrongly or unjustifiably affected by law enforcement activities, and their views should be actively sought out.
With this in mind, this submission makes the following key points:
1. Enabling Europol to cooperate effectively with private parties
The document sets out three options regarding Europol’s processing of data originating from private parties. The Commission told Statewatch last year by email that its evaluation carried out in accordance with Article 26(10) of the Europol Regulation found the current practice “to be working quite well.” As a minimum, then, any discussion on extending Europol’s competences in this area requires the publication of the Commission’s evaluation, its supporting documents; all the materials used by the Council to reach its conclusions that call for the expansion of cooperation with private parties;[1] and any further information available, so that a full and transparent discussion on the issue is possible.
The document states that there is no “interface to report complex cross-border cases to law enforcement authorities when there is no clear link with a single jurisdiction of a Member State,” meaning that “private parties often find it difficult to know how and with which authority to share information which might be relevant for investigations.” To resolve this problem, all that seems to be required would be making the existence of Europol better-known to private parties. Under its current rules, it provides an ‘interface’ to which private parties can provide data, which then must be transmitted to the relevant authorities in one or more member states for further evaluation. Option 1 would sufficient to deal with this issue.
Europol’s role, according to the Treaties, is to “support and strengthen action” by the member states. Options 2 and 3, which would give Europol autonomous powers beyond those permitted by the Treaties and the Regulation, have political and legal implications that go beyond the ‘fight against crime’ and which would be unnecessary and disproportionate. This is particularly so with regard to the third option, which aligns with the Council’s aim to allow Europol to “request and receive data directly from private parties.”
Following the course set out by option 3 would remove the current prohibition on requesting data from private parties and the limits whereby for data from private parties to be processed by Europol, it must come from either a Europol national unit, or a third country or international organisation with which Europol has a cooperation agreement or the EU has an adequacy agreement. It may lead to the bypassing of legal requirements for judicial approval of the provision of information to law enforcement authorities. As the document says, “the rules currently in place aim at ensuring that the information is obtained in full respect of the requirements of the applicable criminal procedure law and under the control of national authorities.” The implication is that the proposed changes seek to bypass applicable criminal procedural law and the control of national authorities.
2. Strengthening Europol’s tasks to address emerging threats
The inception impact assessment acknowledges that the agency’s activities “are not clearly reflected in the legal basis.” The fact that the agency’s powers have been extended by policy decision rather than legislation is extremely concerning and speaks volumes about the democratic deficits at the heart of EU decision-making. The aim now appears to be to adjust the legal basis to the reality. While this is necessary if Europol’s actions are to meet basic rule of law requirements, it requires thorough consideration of what these new activities and tasks entail. For example, the agency has taken on a significantly increased role in attempting to counter migrant smuggling, whereby persons in a vulnerable situation may be placed at greater risk of having their fundamental rights violated. All the agency’s work should thus be subject to a thorough evaluation, as the Europol Regulation provides for,[2] in order to assess compliance with the tasks current undertaken by Europol and the limits and requirements set out in the Treaties, the Europol Regulation, the Charter of Fundamental Rights and other applicable legislation.
The document states that “the current wording in Europol’s legal basis has given rise to problems of interpretation.” While this is not further explained in the document itself, the reference provided (to the minutes of a Joint Parliamentary Scrutiny Group meeting) indicates that the issue relates to the processing of personal data in the FIU.net system embedded in Secure Information Exchange Network Application (SIENA), and the fact that Europol has no legal mandate to process personal data on non-suspects in this system. In fact, Europol has no legal mandate to process data on non-suspects at all, as made clear by Article 18(2)(a) of the Europol Regulation (emphasis added):
“2. Personal data may be processed only for the purposes of:
(a) cross-checking aimed at identifying connections or other relevant links between information related to:
(i) persons who are suspected of having committed or taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence;
(ii) persons regarding whom there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent;”
According to the minutes of the JPSG meeting, the European Data Protection Supervisor considers that there is a “compliance issue” with the processing of personal data in FIU.net. Taken at face value, this would seem to indicate that the agency is acting outside of the law by developing “criminal intelligence” on individuals, or by processing the data of individuals, who are not in any way suspects. The idea that this practice be legalised is rather shocking; the treatment of innocent individuals as potential suspects for the purposes of generating ‘intelligence’ should instead be halted.
A second issue raised here is the limitations placed upon Europol regarding the use of the Schengen Information System and the possibility of giving the agency a role in the Prüm system, in particular with regards to entering data received from third countries. Data from states that do not ensure a high level of fundamental rights protection should not be entered in EU systems that enable member states to take action on the basis of such data. This would amount to using Europol as a ‘data-laundering’ hub.
In this regard, it should be noted that Europol is already engaging in the exchange of data with operations and bodies with which it appears to have no working agreements. The ‘Information Clearing House’ that sits within the European Migrant Smuggling Centre “pools together military and law enforcement intelligence,” and apparently already receives data from EU naval operations and the European Gendarmerie Force, with whom Europol has neither strategic nor operational agreements; if it does, these should be made public immediately. As of December 2018, future cooperation was foreseen with the European Asylum Support Office, the European Maritime Safety Agency, the International Criminal Court, the EU Satellite Centre, the International Organization for Migration, the UN High Commissioner for Refugees and “possibly Eurojust”.[3] With the exception of Eurojust, Europol has no formal cooperation agreement with any of these bodies. This further underlines the need for a thorough, independent evaluation of Europol’s current operations and activities.
Under this heading, the document also raises the option of giving Europol a role in “ensuring a coordinated approach as regards research, innovation and capacity building”. This presumably refers to the “innovation lab” that is already in the works at Europol. It should be noted that the Regulation provides no legal basis for Europol to have a role in research and innovation activities. This proposal would therefore provide a legal footing for activities that have already begun. Again, a thorough, independent evaluation of those tasks is necessary in order to determine their necessity and proportionality and to permit a broad democratic debate.
3. Streamlining Europol cooperation with third countries
The document refers to “long and complex negotiations” for international agreements hindering the possibilities for cooperation. Particular countries are not named, although it may be presumed that this refers at least in part to current negotiations with MENA states.[4] Amongst those countries are dictatorships whose law enforcement authorities routinely abuse fundamental rights, including through torture and ill-treatment. Many of the countries in question do not have data protection laws. Given that these agreements are intended to provide a legal basis that enables the protection of individual rights in relation to the transfer of personal data (including sensitive personal data) between law enforcement agencies, there is no good argument for watering down the requirements underpinning international cooperation. “Long and complex negotiations” are exactly what should be expected in an attempt to reach an agreement with a dictatorship on the exchange of personal data between police forces.
4. Strengthening Europol’s capacity to request the initiation of cross-border investigations
The document refers to recent positive experience in supporting member states’ investigations and argues that because of this, Europol’s mandate should be extended. On the contrary, from the brief explanation offered in the document – that “recent experience has demonstrated the benefit of Europol’s role” – it would appear the current mandate is sufficient. At the very least, a public assessment of all the occasions on which Member States have refused to initiate criminal investigations at Europol’s request, in accordance with Article 6(3) of the Europol Regulation, is required. This would allow a reasoned discussion of when and why Europol’s requests are refused, and should form part of a comprehensive, independent evaluation of the agency and its tasks.
The third option set out in the document is to give Europol the power to initiate criminal investigations that fall within the mandate of the European Public Prosecutor (EPPO). The EPPO Regulation does not foresee any role for Europol in initiating criminal investigations. As highlighted in the document, it contains a mandate for cooperation with Europol. This concerns the provision of information and analytical support, while the initiation of criminal investigations is to be undertaken by European Delegated Prosecutors. Proposing such a role for Europol appears to be little more than political opportunism.
5. Maintaining the highest level of data protection at Europol
If the aim is to increase the level of data protection at Europol, in particular with regard to data subjects’ rights, changes to the data protection regime would be welcome. Any such action should take special consideration of the processing of biometric data by Europol. This is not specifically mentioned in the current Regulation but, as a special category of personal data, requires particular consideration and a higher level of protection than other categories of personal data. The option to “align the data protection regimes of other agencies” seems to suggest legislative intervention in other agencies’ mandates, aside from just Europol’s, which would require a broader debate.
6. Other issues
There is a general need for greater transparency regarding the agency’s activities and operations. Any revision of Europol’s legal basis should provide for the mandatory publication of all decisions taken by the Management Board and Executive Director and all minutes of Management Board meetings. With regard to the agency’s operational activities, the legislation should include requirements for clear, regularly-updated public explanations of what these are, their legal basis and what they practically involve. A more pro-active approach to transparency should be taken, in particular in order to fulfil the requirements of Regulation 1049/2001 and the establishment of a comprehensive public register of the documents produced and held by the agency.
It is particularly concerning that the Council is already working to agree a process by which data sent to the Member States “trusted third countries” may be inserted from the SIS, and that Europol set up the project that helped to define this process.[5] Given the provision of data used to create Article 36 alerts likely involves the activities of intelligence agencies, neither Europol nor any other EU institution, agency or body should be engaged in this work, which is explicitly reserved by the Treaties as a national competence. It is likely this same issue arises in other areas of Europol’s work with regard to ‘foreign terrorist fighters’. The Commission should ensure that this is taken into account in an evaluation of Europol and any potential changes to its mandate.
The Joint Parliamentary Scrutiny Group is a unique institution that provides useful possibilities for democratic scrutiny of Europol’s work. Along with an evaluation of Europol’s tasks and activities, the work of the JPSG should also be evaluated, to see whether it has been able to carry out its tasks effectively and how its role and remit might be extended to ensure more regular and effective democratic scrutiny.
Notes
[1] https://data.consilium.europa.eu/doc/document/ST-14745-2019-INIT/en/pdf
[2] Article 68 – Evaluation and review – 1. By 1 May 2022 and every five years thereafter, the Commission shall ensure that an evaluation assessing, in particular, the impact, effectiveness and efficiency of Europol and of its working practices is carried out.
[3] https://data.consilium.europa.eu/doc/document/ST-15250-2018-INIT/en/pdf
[4] https://www.statewatch.org/news/2018/may/eu-warnings-over-proposed-new-europol-partners-in-middle-east-and-north-africa/
[5] https://www.statewatch.org/news/2020/may/council-of-the-eu-defining-a-process-for-entering-information-from-trusted-third-countries-on-suspected-non-eu-terrorists-in-the-schengen-information-system/
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.