The weakness of the European data protection rules is clearly shown in the case of the European Data Protection Supervisor (EDPS) against Europol. According to the General Court of the Court of Justice of the European Union (presse release case T-578/22), EDPS was inadmissable in an action against the amended Europol regulation.

From the release:

On 8 June 2022, the European Parliament and the Council amended the Europol regulation, inserting two transitional provisions. Those provisions lay down the conditions in which Europol is to proceed, within a specified period, to the categorisation of the data in its possession at the time of entry into force of the amended regulation. Furthermore, the transitional provisions specify the conditions and procedures according to which the processing of personal data, not relating to certain categories of data subjects (listed in Annex II to the amended Europol regulation) and which were transferred to Europol before 28 June 2022, is to be authorised in support of an ongoing criminal investigation.

The EDPS takes the view that those transitional provisions infringe his independence and his powers as a supervisory authority. In his view, those provisions retroactively legalise Europol’s contested data retention practices and de facto annul his decision of 3 January 2022. Thus, the EDPS sought the annulment of those transitional provisions before the General Court. He submits that his standing to bring an action is justified by the need to be able to have a judicial remedy in order to defend his institutional prerogatives and, in particular, his independence as a supervisory authority.

By order of 6 September 2023, the General Court dismisses the action as inadmissible, thereby upholding the objection of inadmissibility raised by the Council.

It shows the need to give EDPS the power to request annulment of a provision of an EU act.