Europol’s ‘Big Data Challenge’

The EDPS submits that a stronger mandate of Europol should always come with stronger oversight. I therefore note with surprise that the extension of powers of Europol does not go hand in hand with strengthened scrutiny of the Agency’s actions.

EDPS Wojciech Wiewiórowski, Remarks at the LIBE Committee on Europol, 1 February 2022

On the 1^st of February 2022, the Council’s presidency and the European Parliament reached a provisional agreement on a new mandate for the European Police Office (Europol). While the Commissioner for Home Affairs welcomes it as “good news for the fight against organised crime and terrorism in the European Union”, it also represents a defeat in the battle for fundamental rights and the system of checks and balances. To understand the issues underlying this agreement, it is essential to start from the beginning of the story. 

1. The Large and Complex Datasets saga within Europol

In April 2019, Europol’s Executive Director informed the European Data Protection Supervisor (EDPS) of significant compliance issues in processing of large and complex datasets by the agency. In the past years, Europol continuously received and processed large datasets from several EU Member States, including data of individuals without a clear link to any criminal activity. Under the current Regulation, the agency is not allowed to process the personal data of individuals who have not been linked to a crime or a criminal conduct. 

The EDPS played its first move by deciding to open an own initiative inquiry on the use of Big Data Analytics by Europol. Following this, a ping-pong game of ‘Big Data challenge’ started between Europol and the EDPS (the European watchdog). The EDPS informed Europol of its preliminary findings and requested further information, notably on scenarios where Europol is processing large datasets, and more particularly of individuals not linked to any criminal activity. It also asked for a list of current or planned development to process big, automated datasets. In November 2019, Europol replied by providing further clarifications to the European watchdog. At the end of the year, the EDPS issued recommendations in its annual inspection report (not publicly available), that were sent back to Europol’s Executive Director. 

The game went on in 2020. The EDPS and Europol met several times to discuss additional points. A first attack was made by the EDPS in September 2020, with the issuance of a formal admonishment to Europol. It stated that Europol had been unlawfully processing a vast number of personal data of people with no established link to a criminal activity and has been for several years. These actions are not compliant with data minimisation and storage limitation principles. The admonishment does not require Europol to stop using the techniques to process large datasets, but to develop an Action plan within two months to remedy the situation. With this move, the EDPS scored a point but did not win the game. 

As requested, Europol presented an Action Plan in November 2020 stating that it would use flagging, labelling, and other measures to better review and monitor large datasets’ processing. This Plan resulted in a back and forth of comments from both players, discussions and further clarifications on the actions taken by the agency.  These exchanges lasted for more than a year because the EDPS remained concerned on several points, notably on the data retention period. While progress was made on several data protection risks identified, no concrete actions were taken to address the core issue of storing the personal data of people with no clear link to a criminal conduct.  

Consequently, in January 2022, the EDPS decided to use its corrective power over Europol for the first time ever. The European watchdog published an order for Europol to erase data concerning individuals with no established link to a criminal activity. Its decision ordered data subject categorisation for new datasets to be completed within six months and for existing datasets within twelve months. The datasets must undergo a process of filtering and extraction to be categorised.  

While this move from the EDPS should have ended the game, the EU institutions decided otherwise. The European Council’s Presidency and the European Parliament adopted an agreement for amending Europol’s current Regulation, overturning the EDPS’ order. 

2. The EU institutions shut the EDPS down 

The provisional agreement on the new amendment for Europol was reached on the 1^st of February 2022. As feared by some members of the European Parliament and the EDPS, the agreement circumvents the order issued by the European watchdog and retroactively legalises what was until now an illegal practice. The French Presidency included Article 74a in the agreement, which expressly allows Europol to hold on to large and complex datasets received before the new Regulation enters into force and analyse them for a period of up to three years. This concerns datasets obtained by EU Member States, the European Public Prosecutor’s Office, Eurojust, and even third countries that may have questionable data protection safeguards. Through this agreement, the EU institutions nullified the EDPS order in two ways. First, by authorising the agency to keep the large and complex datasets previously illegally obtained. Second, by extending the retention period from six months to up to three years.  

The EU institutions also took a strong stance against any potential role of the EDPS in this ‘Big Data saga’, by downsizing its power, notably vis-à-vis personal data received from a third country. The initial proposal from the Commission provided for the EDPS to be kept informed of any provision of investigative case files to Europol (in its Article 18a). It also gave the power to the EDPS to rule whether the datasets are disproportionated or collected in violation of fundamental rights. The provisional agreement removes the EDPS from the equation by dismissing both options. The EDPS may merely be notified by Europol’s Data Protection Officer, where relevant, about the data transfer. Europol is the sole authority competent for assessing its proportionality and fundamental rights compliance.    

The institutions took a strong stance against supervision and preferred to retroactively legalise illegal practices, undermining thereby the rule of law, the fundamental right to data protection, and the system of checks and balances. Consequently, with the provisional agreement, the EU institutions completely neutralise the EDPS’s previous and future powers on complex and large datasets. By authorising the processing of data of individuals with no clear link to a criminal activity, EU institutions indirectly agree to mass surveillance and the use of predictive policing in European law enforcement. What example do EU institutions set by overruling the EDPS first use of corrective power vis-à-vis Europol? Supervision seems to be accepted only when the supervisor sees eye to eye with Europol. As soon as a conflict emerges, and corrective powers are exercised, the supervisors’ decision is ignored. Thus, EU institutions want supervision to be kept to discussions and advice, confining it to use only soft powers.   

3. An uneven balance: more power for less supervision

A stronger mandate of Europol must come with a more robust oversight of the agency. The provisional agreement adopted extends Europol’s power, by allowing the development of new technological solutions, the processing of large and complex datasets, and the direct cooperation with private parties. Europol can even suggest opening national investigations into non-cross-border crimes that affect a common EU interest. Indeed, the EU institutions reinforced the critical role Europol plays in the fight against organised crime and terrorism, but they failed to offer the same reinforcement to the EDPS. As discussed above, they dismissed the EDPS’ use of corrective powers and any substantial role it might have in the ‘Big Data’ debate. The weakening of the European watchdog went further than the large and complex datasets saga. 

Within the provisional agreement, other examples illustrate the uneven balance between power and supervision, and the reduced role of the EDPS. First, the prior consultation mechanisms, added in Recital 36b, provides that the EDPS is not to be consulted for all new types of processing operations. It shall be consulted only for using new IT systems, but not for operational analysis projects. Europol may, in any case, exceptionally initiate new data processing without the written advice by the EDPS, if Europol deems it sufficiently urgent. Second, the provision on the EDPS power still does not match the EDPS demands. The EDPS in its Opinion 4/2021 on the Proposal for the new Europol Regulation, requested a full harmonisation of its supervisory power over Europol, with its general powers under Regulation (EU) 2018/1725. For now, the EDPS has less control over Europol than over the other EU institutions, bodies, offices, and agencies. It cannot order Europol to bring processing operations into compliance with data protection. It cannot impose an administrative fine or order the suspension of data flows. While these three corrective powers are included in the provisional agreement, the agreement still does not apply the Regulation mutatis mutandis. Instead, it offers an exhaustive list of power that the EDPS may perform. The EDPS can still not order Europol to communicate a personal data breach to the data subject. Thus, the EU institutions increased the EDPS general competencies but did not yet go as far as full harmonisation. Third, while suggestions were made to add a prior authorisation of the EDPS as a requirement for the extension of the data processing period of 18 months, the French Presidency suggested merely informing the EDPS of an extension. Finally, even though the cooperation of Europol with private parties is deemed controversial, the EDPS does not get a specifically stronger role over these exchanges. It can merely be informed of their existence.
What can be observed is that the EU institutions went all the way in to strengthen Europol to continue its work efficiently. However, they did so at the expense of the EDPS, effective supervision, protection of fundamental rights, and disregarding the system of checks and balances. By adopting this provisional agreement, EU institutions favoured Europol and the operational requirements that the agency needed to support Member States, but left aside data protection, rendering the balance uneven. They knowingly dismissed the EDPS order and showed that supervision is only a ‘cover-up’ concept and a box to tick on a checklist without further impact. They displayed their superiority over the European watchdog and further opened the door for Europol to become an ‘uncontrollable centre of arbitrary power’.