Automated data exchange in Prüm II: The EU’s securitisation mindset keeps encroaching on our fundamental rights

The agreement on automated data exchange for police cooperation, known as ‘Prüm II aligns with a broader EU trend of laws prioritising national security over human rights. The final text of this regulation has insufficient fundamental rights safeguards and could even encourage more member states to adopt facial recognition technology. The EU Parliament must reject the current Prüm II Regulation in the upcoming plenary vote.

By EDRi · February 6, 2024

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) officially endorsed the agreement on automated data exchange for police cooperation, known as ‘Prüm II,’ on December 4, 2023. Members of the European Parliament are expected to vote on whether or not to accept this deal on February 8,  2024. A critical component of the European Union’s (EU) plan to purportedly enhance security across the continent, the Prüm II regulation will introduce additional categories of sensitive data from national police records and databases to the original Prüm framework. The aim is to facilitate automated processing and exchange of personal data for streamlined cross-border law enforcement within the Schengen area. This is concerning because Prüm II aligns with the broader trend of emphasising security measures that treat individuals as potential criminals, rather than addressing the underlying causes of crime and prioritising less intrusive alternatives.

Legislative trend of national security over human rights

The Prüm framework, established as EU law in 2008, represents an effort to enhance collaboration in law enforcement and security. The objective was to empower law enforcement authorities to participate in cross-border cooperation and facilitate the sharing of information. Prüm II is an outcome of the European Commission and the Council advocating for an improved framework, with the aim of expanding the types of data shared through the system.

Communications from the European Commission and the Council strongly emphasise the imperative embedded within the Prüm II reform not just to punish but also to proactively thwart crimes such as terrorism and organised crime. The underlying principle in Prüm II is clear: considering that criminals can operate freely across the borders of Schengen countries, data related to them must also traverse these boundaries freely.

However, this legislative trend prioritises national security over people’s rights, raising concerns about potential violations of due process, systemic discrimination, and an overarching rule of law crisis in the EU. The latter goes hand in hand with Member states’ resistance to any limitation on their processing of personal data in the name of ‘national security’. This is evident in their willingness to grant carte blanche to law enforcement agencies, permitting the use of spyware and endorsing other state-sanctioned abusive actions. A prevalent misconception, tied to the ever-prevalent securitisation mindset in recent times suggests that sacrificing certain rights is necessary for the sake of living safely. However, the optimal approach to ensuring our safety lies in security services adhering to the rule of law, rather than infringing upon it. Unchecked, the impact of their operations has the potential to cause significant harm, particularly when it comes to marginalised and vulnerable groups.

Prüm II: lacks safeguards, could exacerbate deep-rooted problems

The Prüm II initiative assumes uniform protection for personal data and due process rights across all Schengen law enforcement and judicial agencies. However, EDRi has long argued that the reality on the ground reveals deep-rooted problems in the current system that might be exacerbated by the proposed automation under Prüm II. Commissioner Johansson’s praise for Prüm II as a significant achievement in the fight against organised crime underscores the growing inclination towards a surveillance state, eroding the presumption of innocence. Civil society has repeatedly expressed concerns about the necessity, proportionality, and scope of Prüm’s automated data exchange. While acknowledging the important role of the police in criminal investigations, it is important to maintain stringent safeguards to prevent potential abuses.

Although the version of Prüm II agreed by negotiators includes some fundamental rights safeguards, critical insufficiencies remain. The inclusion of facial images and a low threshold for crimes pose problems against recent Court of Justice of the EU (CJEU) case law: in Tele2 Sverige, the ruling distinguished between the handling of data for the purpose of preventing serious crimes and the prevention of minor offences or the efficient management of non-criminal proceedings.

The final text also fails to comply with jurisprudence requirements by neglecting to distinguish between data subjects. Additionally, negotiators seem to have disregarded the potential consequences of including facial images, a move that could encourage yet more member states to adopt facial recognition technology. Compounding the issue is the provision for very weak manual reviews. In the case of initial matches, human review is purely voluntary, with no mandatory requirement for a human review of a list of potential facial image matches, as long as core data are not subsequently requested. This list of initial matching facial images still holds the potential to prompt measures against the individuals listed, with serious implications for their rights and freedoms.

No security without human rights

The consequences of Prüm II extend beyond privacy and data protection concerns. It risks instrumentalising EU principles to justify expanding policing activities, in line with a deeply alarming trend that EDRi and its partners have warned about. The lack of awareness among EU citizens and residents, not to mention people on the move and other vulnerable communities, regarding the processing of their data further compounds the issue. This limits their ability to proactively protect their rights and seek redress for potential violations. The notion that the surveillance state is the sole paradigm has become more widespread in recent years, with governments and companies engaged in mass data collection and exchange, capitalising on people’s fears amid growing geopolitical instability. However, for a genuine focus on our safety, states should emphasise human rights more, not less, in their security operations.

The European Parliament, as the sole directly-elected EU institution, should give top priority to safeguarding EU citizens and their fundamental rights. The recommendations from organisations like EDRi, which have unfortunately been only minimally heeded, emphasise the urgent need for a thorough reassessment of the Prüm II text. Without substantial revisions, there is a risk that the Regulation may face annulment by the CJEU, jeopardising its stated goal of combating crime while adhering to EU law.

Given these concerns, the upcoming Parliamentary plenary vote, currently expected in February 2024, offers a crucial opportunity for the Parliament to assert its responsibility to EU citizens by reconsidering and potentially rejecting the current Prüm II Regulation. We cannot have security without human rights – something that the EU seems to have forgotten.

Itxaso Domínguez de Olazábal

Itxaso Domínguez de Olazábal

Policy Advisor

Twitter: @itxasdo

Ella Jakubowska

Senior Policy Advisor

Twitter: @ellajakubowska1