Europol management board in breach of new rules as soon as they came into force

The EU’s police agency, Europol, has landed itself in trouble again.

Having been formally admonished by the European Data Protection Supervisor (EDPS) late last year for its illegal processing of vast quantities of personal data, and in September for refusing an access request to the personal data of a political activist and trying to cover it up by deleting his data from the system, Statewatch can now reveal that the agency’s management board was in breach of the new rules governing the agency as soon as they came into force in June.

The affair discussed in this article is obscured by a curtain of verbose bureaucratese. There are few people who would pay attention to a post on the website of the European Data Protection Supervisor (EDPS) entitled ‘Referral to the European Parliament of the EDPS request to Europol to repeal four Management Board Decisions on Articles 18(2), 18(6), 18(6a) and 18a of the amended Europol Regulation.’

However, in the context of the vastly-expanded powers granted to Europol by legal changes that came into force in June, those decisions are in fact of vital importance for the protection of the personal data of innocent people, which may now be hoovered up into the vast data vaults maintained by the EU’s policing agency – yet the management board tried to pass those decisions without obeying the legal requirement to formally consult the EDPS.

Europol hits the headlines

Anyone following the activities of Europol will be aware of the EDPS inquiry, launched last year, on Europol’s processing of large datasets. The executive director of Europol informed the EDPS of “major compliance issues with the Europol Regulation” in relation to the processing of large amounts of personal data – a polite way of saying that the agency was breaking the law.

The subsequent EDPS investigation found that Europol was processing the personal data of vast numbers of individuals not linked to any criminal activity, contrary to its mandate. Until changes to the Europol Regulation introduced in June this year, it could only process data on relatively strict categories of individuals. However, member states had been sending huge quantities of information to the agency, which was then undertaking a process of “data subject categorisation” – that is, working out whether or not it could legally process the data.

The EDPS admonished the agency and ordered it to delete the data unless it could demonstrate, within certain time limits, that it was permitted to process it. However, the Council of the EU and European Parliament, who were debating revisions to the Europol Regulation, then approved new provisions that would allow the practice to continue.

The EDPS expressed concern that under the new rules, “data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.” Announcing that it was taking legal action to have the provisions annulled, the EDPS accused the Council and Parliament of undermining the rule of law by threatening the data protection body’s independence.

Implementing decisions

The agency does not have carte blanche to process these “large datasets” however it likes. The new rules oblige the Europol management board to adopt decisions that specify the conditions for processing of that data.

The management board is the agency’s main governance body, composed of one representative from each EU member state taking part in the Europol Regulation and one representative from the European Commission. Its role is to “ensure Europol’s continued development as a trusted partner that successfully meets the needs and expectations of the European Union law enforcement community.”

Because “these processing operations are particularly intrusive for individuals,” the “implementing measures have to be adopted ‘after consulting the EDPS’ as clearly provided in the above mentioned Articles” said a letter from the EDPS, Wojciech Wiewiórowski, to the chairman of the European Parliament’s civil liberties committee, Juan Lopez Aguilar, sent on 12 September.

“This procedural requirement aims at ensuring that Europol is provided with an independent opinion with regard to the appropriateness of the data protection safeguards devised for the implementation of the above referred articles. The EDPS Opinion is thus meant to inform the content of the MB Decisions before they are formally adopted by Europol.” letter from the EDPS, Wojciech Wiewiórowski, to the chairman of the European Parliament’s civil liberties committee, Juan Lopez Aguilar, sent on 12 September.

However, drafts of the decisions that the management board shared drafts with the EDPS did not integrate the comments of the member states, thus depriving the EDPS of all the information needed, and the management board gave “excessively short deadlines,” of just a week to respond, the EDPS letter to Lopez Aguilar complained.

“Its comments were meant to provide initial feedback on the four Management Board decisions. It constitutes a purely informal advice. The informal consultation by Europol cannot replace the formal consultation of the EDPS that can only take place once the new Europol regulation has entered into force.” Lopez Aguilar, EDPS

Illicit adoption

The management board, however, felt differently about the matter. Despite the new legal requirements, they adopted the decisions without formally consulting the EDPS. The justification: they needed to ensure the decisions were applicable upon entry into force of the amended Regulation.

“For the sake of legal certainty, thus also in the interest of the data subjects, the MB endeavoured to ensure that the implementing conditions for the prompt application of the referred provisions be applicable upon the entry into force of the amended Regulation” said a letter to the European Parliament sent on 15 September by Jérôme Bonet, chairman of the Europol management board and head of the French police judiciaire.

However, this appears to be an interpretation of the management board rather than an explicit requirement laid down in the Europol Regulation. During the informal consultation process, the EDPS continually requested a formal consultation after the entry into force of the amended Europol Regulation. The management board ignored that request, whilst maintaining that their actions were intended to ensure protections for individuals – a strange way of showing concern.

On 19 July the EDPS thus invoked, for the first time, its corrective power under Article 43(3)(g) of the Europol Regulation, which allows the supervisory body to “refer a matter to Europol and, if necessary, to the European Parliament, the Council and the Commission.” Four days previously, Wiewiórowski had requested that the management board repeal the adopted decisions by 26 August, or face legal action at the Court of Justice.

Talking it out

Three days prior to the 26 August deadline, Bonet wrote to Wiewiórowski asking for a meeting “to explore any possible avenue to overcome the current situation and avert the occurrence of a judicial procedure.” On 2 September a meeting was held between the two officials, along with Ylva Johannson – the EU’s Commissioner for Migration and Home Affairs.

Statewatch has requested documents relating to that meeting from Europol, the EDPS and the European Commission, with the Commission so far the only one to provide a response. It was not particularly informative.

The extensive redactions were justified on the grounds that they would “seriously undermine the institution’s decision-making process.” However, this does not apply where there is an “overriding public interest in disclosure.” The Commission considers this not to be the case.

Statewatch has appealed on the grounds that there is an overriding public interest in knowing how the European Commission interprets the requirement to consult the EDPS. Indeed, Jérôme Bonet affirmed in his letter to the European Parliament that, following a “dedicated written procedure” initiated after the initial adoption, approval of the contested decisions “was unanimously upheld” by the management board.

After the 2 September meeting, the EDPS wrote to the management board with a proposal “for a last attempt at avoiding litigation,” and the board complied. On 15 September, Bonet to wrote the European Parliament and the EDPS to inform them that a settlement had been reached, and that the board had submitted four new draft decisions for formal consultation.

While those involved may be pleased to have avoided legal action, a judgment from the CJEU could have clarified the consultation requirement, providing jurisprudence that could not be ignored by the management board in the future. As Bonet put it in his 15 September letter, the management board only repealed the implementing decisions “to avert legal proceedings, and notwithstanding its position on the correctness of the procedure.” The implication is that the management board still thinks it was right.

Statewatch asked Europol how the management board considered that the initial process ensured legal certainty and upheld data subjects’ rights, and how it interpreted the requirement to “consult” the EDPS. At the time of publication, Europol had not responded.

“The authority of the EDPS as the supervisory body of Europol has been challenged by the careless position of the management board on the consultation requirement. The board unanimously decided that the procedure they followed was justified and that it was the EDPS that was wrong to demand a formal consultation procedure, aside from the advice given at staff level.
While the CJEU did not have the possibility to decide on the matter, the EDPS’ role as a supervisory authority for Europol will be at stake in the legal action for annulment brought by the EDPS against two provisions of the newly amended Europol Regulation, which retroactively legalise the ‘big data’ practices that the EDPS found unlawful. The EDPS has said that the legal action aims to defend its ‘very ability… to fulfil its role. The implementing decisions debacle suggests that the Management Board also lacks respect for the role of the EDPS. Given that the agency now has massively-increased powers to gather and process personal data, it sets a concerning precedent.” Romain Lanneau, Consultant Researcher at Statewatch.

The article was first published by Statewatch here.

Contribution by: EDRi member, Statewatch