Wojciech Rafał Wiewiórowski, the European Data Protection Supervisor (EDPS), on 23 September sent a letter to the attendants of the meeting of the Joint Parliamentary Scrutiny Group on Europol (JPSG). In that letter he informed the readers that Europol does not respect the fundamental rights and freedoms of European citizens. One of the breaches is that Europol is collecting and keeping data of people that are not involved in or suspected of crime.
Wiewiórowski points out there are three areas that deserve attention:
The first area relates to the fact that, under the Europol Regulation, Europol can only process information about certain categories of individuals, namely suspects, contacts and associates, victims, witnesses or informants, and certain categories of data. National law enforcement authorities do not have such constraints under Directive (EU) 2016/680  (the “Law Enforcement Directive”). The problem is that the volume of information Europol receives in some cases is so considerable that its content is often unknown until the moment when analysts extract the relevant entities for entry into the corresponding database. These datasets are further stored throughout the criminal investigation or criminal intelligence operation in order to investigate new leads.
At the meeting requested by Europol in April 2019 between Executive Director Catherine de Bolle and the European Data Protection Supervisor, Giovanni Buttarelli, Europol informed the EDPS about this problem. The EDPS has investigated this matter for one year and concluded that it is highly likely that Europol stores personal data on individuals for whom it is not allowed to do so and retains categories of personal data that go beyond the restrictive list provided in the Europol Regulation.
In the course of this investigation, Europol has addressed many of the data protection concerns identified at the beginning of my inquiry but structural issues remain. Thus, the EDPS has decided to admonish Europol. Admonishments are meant to signal data processing activities that are not in line with the applicable data protection framework and to urge the agency to adjust its practices.
We now expect Europol, as responsible data controller, to devise effective mitigation measures that will both reduce the risks for data subjects, in line with the provisions of the Europol Regulation and secure Europol’s operational capabilities. I have asked Europol to provide an action plan within two months and to inform me of the measures put in place to address the issue within six months. We understand that this problem might also be of interest for the EU lawmaker in the context of future legal framework.
The second area relates to the processing of operational data for data science purposes. I have started an inquiry on this matter when I discovered that while Europol had put in place strict policies with regard the processing of operational data for testing purposes, in line with the EDPS position, Europol was considering using operational data for the testing, development and training of algorithms. This initiative reflects the current trend – present also at national level – towards using automated processing techniques and algorithms in the law enforcement context. Taking also into account that the operational data of Europol originate from national law enforcement authorities, the EDPS wants to get a clear understanding of the data processing activities taking place in that regard at Europol and to verify that they rely on an appropriate legal basis.
Finally, the third matter relates to the involvement of national criminal analysts in personal data processing activities taking place in Europol systems. In some fields, Europol receives, from its operational partners, substantial amounts of personal data of which it should further share with competent national authorities. In order to tackle this issue, Europol is looking towards closer involvement of Member States’ investigators to determine national priority criteria according to operational usefulness. However, the Europol Regulation does not provide a clear legal basis that supports an analysis role for national investigators at Europol, even for thematic analysis purposes. Thus, there are also no clear data protection safeguards in place to regulate such new data processing operations by Member States. These questions were discussed with Europol in the context of a prior consultation submitted under Article 39 of the Europol Regulation.
 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
It shows the necessity of strict supervision of enforcement activities.
- Letter by EDPS, 23rd September 2020.
- Page of the European LIBE committee on the seventh meeting of the Joint Parliamentary Scrutiny Group (JPSG) on Europol, 28 September 2020.
- Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol).
- A previous article on this blog: Inspecting Europol’s processing of AML and CFT-data | EDPS, 10 October 2019.