Europol inches closer to increasing its powers despite lacking accountability

On 9 December 2020, the European Commission released its proposal to reform the mandate of Europol, the EU agency for police cooperation. Among other objectives, the revision seeks to 

1. deepen the “cooperation” with private parties, notably internet companies, to hoover up even more personal data, 
2. allow Europol to analyse big datasets transferred by Member States’ law enforcement authorities by using data mining techniques, even though that implies analysing personal data that it must in principle not process, 
3. increase Europol’s role in setting EU research priorities in the field of law enforcement and make full use of the data stored in its systems to develop and train algorithms in order to equip EU police forces with AI-based policing tools,
4. create additional derogations to rules regulating the transfers of data to non-EU states,
5. enter alerts on non-EU citizens in the Schengen Information System (SIS), a European police database for wanted and missing persons as well as lost objects.

Today, EDRi and its members have published an analysis of what the reform entails for fundamental rights and democracy as well as a set of recommendations addressed at EU legislators, the European Parliament and the Council.

The shady origins of the reform

Europol was set up in 1998 to facilitate the cooperation between police forces in Europe and became a fully-fledged EU agency in 2009. It has no executive powers, which means that Europol’s staff are not entitled to arrest anyone or take initiatives on its own. All its operations must be directed to solely support Member States’ law enforcement authorities, mostly by serving as a centre for the exchange of data, intelligence and for providing expertise.

In April 2019, Europol informed the EDPS of “serious compliance issues” concerning its data practices and invited the European Data Protection Supervisor (EDPS), which ensures EU institutions respect data protection rules, to look deeper into the matter. A year later, the EDPS released the results of its investigation, warning that Europol was processing personal data which mainly referred to individuals not linked in any capacity to any criminal activity and therefore, data categories that go far beyond what Europol is allowed to process and store under its current mandate. 

These findings motivated the Commission to fix this “structural legal problem” as Europol complained that these legal limitations were affecting its operational capabilities and thus its support to certain criminal investigations that involved the “analysis of large and complex datasets”. The Member States avidly backed the idea calling for “any possible action [to] be taken to minimise the impact of the EDPS decision”. As a result, the Commission proposed new provisions that would simply allow Europol to “exceptionally” circumvent its own rules on data processing as well as a series of other measures expanding the agency’s operational powers. 

The rationale and timing of the Commission’s proposal are equally problematic. Europol was caught breaking the law and developing new initiatives without any proper legal basis (e.g. Europol’s innovation lab). Many proposed changes to Europol’s mandate show an attempt to legalise the agency’s unlawful activities. In addition, this revision is happening even before the first implementation evaluation of Europol’s Regulation, planned for 2022, has been carried out. Without this evaluation, it is impossible to assess whether the current rules impede the fulfilment of the Agency’s missions and whether its working practices respect fundamental rights. 

Stronger operational powers, featherweight oversight

The main problem of the proposal, besides legalising what has been unlawful until now for good reasons, is that it significantly expands Europol’s operational capacities without the corresponding reinforcement of oversight mechanisms. In every area of the reform, the Agency is given greater capacity to take initiatives and its own decisions without being accountable for it. Some of these measures dangerously flirt with the limits of its competencies as defined by the EU treaties. For example, Europol would be allowed to directly approach private parties with information requests, thus bypassing the necessary judicial review that would generally be required to check the legality of such requests. Its operational powers would also be extended beyond what is permitted when entering data into the SIS, setting the conditions for the arrest of concerned third-country nationals. Europol does not have the mandate to make such a decision because it is not a law enforcement authority.

The proposed strengthening of Europol’s mandate won’t improve the democratic deficit the Agency is suffering from nowadays. It took months for Members of the European Parliament, who are members of the Joint Parliamentary Scrutiny Group, to realise that Europol is using the software of the US big data analytics firm Palantir  -a company which has been involved in data scandals; and criticised for its assistance of the US Immigration and Customs Enforcement- for “the operational analysis of all counter-terrorism related data“ –. MEPs are forced to pro-actively request this type of information as their scrutiny abilities do not include the review of Europol’s daily investigative techniques and how they function. Moreover, the fact that the Agency itself had to take the initiative to raise the issue of its unlawful data processing activities highlights the weak capacity of its watchdogs – the EDPS and the JPSG – to effectively oversee its day-to-day work. 

 Shaping future policing practices and strategies in Europe

A future role foreseen for Europol is to support the Commission in identifying research priorities in the field of law enforcement and security and to carry out “research and innovation” projects by training, testing and developing algorithms with operational data stored in its own databases.

The selection of law enforcement-related research projects to be funded by the EU has the potential to dramatically affect future policing practices with severe consequences on the lives and rights of persons subject to them. The risks are manifold: the projects’ outcomes could lead to the deployment of unlawful biometric mass surveillance systems or to the use of ‘predictive’ algorithmic systems by national and local police officers that codify racialised assumptions and other systematic discrimination and violence. Similarly, the algorithms trained by Europol will likely perpetuate pre-existing police biases and thus, social inequalities as the Agency would use its operational data that it has hoovered up from the Member States and third countries, carrying the legacy of their discriminatory policing practices. 

EDRi will closely follow the development of the reform in the upcoming period and work to ensure that Europol can fulfil its missions without overstepping legal boundaries, violating rights or enabling collective harms.

(Contribution by:)