The European Data Protection Supervisor has said that the amended Europol Regulation weakens data protection supervision.
The rules for data protection for the EU’s Agency for Law Enforcement Cooperation (Europol), as well as the supervisory tasks of the EDPS, are set out in Regulation (EU) 2016/794 as amended by Regulation 2022/991.
Following the publication of the amended Europol Regulation in the Official Journal of the EU in May, the EDPS is concerned that the amendments weaken the fundamental right to data protection and do not ensure an appropriate oversight of Europol.
The amended Europol Regulation expands Europol’s mandate considerably for exchanges of personal data with private parties, the use of AI, and the processing of large datasets.
Europol is now allowed, in specific cases, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals who have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
The EDPS regrets that the expansion of Europol’s mandate has not been balanced with strong data protection safeguards that would allow the effective supervision of the Agency’s new powers.
Putting in place strong safeguards is crucial because the impact of the amended Regulation on personal data protection is further heightened by the fact that EU member states may retroactively authorise Europol to process large datasets already shared with Europol before the entry into force of the amended Regulation. The EDPS has strong doubts about the legality of this retroactive authorisation.
The processing of these large datasets concerning individuals with no established link to a criminal activity is a matter about which the EDPS has already expressed concerns – it ordered Europol to delete them on 3 January 2022. Therefore, with the amended Regulation, the EDPS Order to delete these large datasets is ineffective.
According to the EDPS, Europol’s Management Board should now further specify the data protection safeguards to put in place to effectively limit the impact of such intrusive data processing activities on individuals, as required by the legislator. To this end, the EDPS expects to be formally consulted based on the amended Europol Regulation concerning relevant decisions of the Management Board.
The EDPS says that it remains committed to supervising closely the compliance of Europol’s data processing operations with the applicable legal framework, and where necessary, to use its advisory, investigative and corrective powers.