According to dataprotection organisation EDRi the efforts of the European data protection watchdog to hold Europol accountable for its illegal data practices are torpedoed by European Parliament and the Council of Member States, read EDRi’s article of 31 January, that starts with:

On 3 January 2022, the European Data Protection Supervisor (EDPS), responsible for overseeing the compliance of European Union (EU) institutions and agencies with data protection law, notified Europol, the EU agency for police cooperation, of an order to delete data it has illegally retained and processed for years. The decision aimed at bringing back Europol’s data practices in line with its mandate currently in force. It revealed “the EU’s very own ‘Snowden Scandal’”, in which Europol plays an increasingly important role in the mass collection of personal data and the use of data mining techniques to analyse these huge amounts of data. Unfortunately, EU policymakers want to remove any remaining legal barriers to this mass surveillance complex.

In recent years, Europol has received large datasets (literally “millions of messages”), from several Member States, that were collected in the course of bulk hacking operations, such as Encrochat. Europol’s role was to cross-check and analyse these datasets with its tools and share the results with the concerned Member States. However, these data transfers from national police forces or third countries’ authorities often contained data of individuals who have no link to any criminal activity – a category of data currently prohibited to be processed by Europol’s current mandate. Under the existing regulation, it is the responsibility of the data providers to extract all data from their datasets that Europol is not allowed to process and only provide data relevant to Europol’s missions. The EDPS therefore gave Europol twelve months to delete all datasets that did not undergo this extraction process, and had set a 6-month deadline for the new incoming data. 

EDRi has not yet commented on the press release of the European Parliament of today, “Europol reform: agreement between EP and Council to boost data analysis and safeguards“. According to EP’s press release Europol has to respect fundamental rights:

Fundamental Rights Officer, EDPS to monitor compliance

During the negotiations, the Parliament’s team ensured that, before engaging in the use of data for research projects, Europol will have to consult a Fundamental Rights Officer and a Data Protection Officer. MEPs also pushed to limit the data provided by private parties to the least sensitive types.

EP negotiators also secured the right for Europol to ask member states to start investigations into crimes related to EU common interests, even if the crimes only concern one member state. Such investigations would be initiated by the Executive Director.

To balance the police agency’s new powers with appropriate oversight, the co-legislators agreed that the EDPS will have oversight over Europol’s personal data processing operations, and work together with the agency’s Data Protection Officer. Citizens will be able to consult personal data related to them by contacting authorities in member states, or Europol directly.

In parallel, technical discussions continue on a proposal that would allow Europol to introduce alerts to the Schengen Information System (SIS). The negotiators agreed in principle that Europol can propose information alerts to be added to the SIS.

EDRi, European Center For Not-for-Profit Law ECNL and other human rights organisations on 26 January published their letter regarding Europol, with the title “Civil society urges European policy-makers to seriously reconsider the expansion of Europol’s data processing capacities“.