Secret negotiations about Europol: the big rule of law scandal

In negotiations held behind closed doors, the Council of Member States and the European Parliament are about to torpedo all the efforts of the European data protection watchdog’s to hold Europol accountable for its illegal data practices.

By EDRi · January 31, 2022

On 3 January 2022, the European Data Protection Supervisor (EDPS), responsible for overseeing the compliance of European Union (EU) institutions and agencies with data protection law, notified Europol, the EU agency for police cooperation, of an order to delete data it has illegally retained and processed for years. The decision aimed at bringing back Europol’s data practices in line with its mandate currently in force. It revealed “the EU’s very own ‘Snowden Scandal’”, in which Europol plays an increasingly important role in the mass collection of personal data and the use of data mining techniques to analyse these huge amounts of data. Unfortunately, EU policymakers want to remove any remaining legal barriers to this mass surveillance complex.

In recent years, Europol has received large datasets (literally “millions of messages”), from several Member States, that were collected in the course of bulk hacking operations, such as Encrochat. Europol’s role was to cross-check and analyse these datasets with its tools and share the results with the concerned Member States. However, these data transfers from national police forces or third countries’ authorities often contained data of individuals who have no link to any criminal activity – a category of data currently prohibited to be processed by Europol’s current mandate. Under the existing regulation, it is the responsibility of the data providers to extract all data from their datasets that Europol is not allowed to process and only provide data relevant to Europol’s missions. The EDPS therefore gave Europol twelve months to delete all datasets that did not undergo this extraction process, and had set a 6-month deadline for the new incoming data. 

The EDPS’ corrective measures came in the middle of secret negotiations (also called “trilogues”) between the Council of the EU and the European Parliament over new legislation defining the missions and capacities of Europol. The main controversy (among many others) of the proposed regulation comes down to allowing the agency to circumvent its own rules when it ‘needs’ to process data categories outside of its somewhat restricted white list. Put simply, the new regulation would legalise data practices that were so far prohibited and confirm the use of predictive policing in European law enforcement. Europol would no longer be required to delete datasets containing data of innocent people it receives from national investigative authorities – to the contrary, it would be encouraged to exploit them.

But that’s not all. On 24 January, the French Presidency of the Council, which is in charge of the negotiations on behalf of the Member States, proposed an additional provision that would completely cancel the effects of the EDPS’ order if accepted by the European Parliament. Article 74a would permit Europol to keep the datasets it received before the entry into force of the new Europol regulation and to analyse them for a period of three years. 

In practice, it would means that illegal data processing is retroactively legalised – nothing less than a big blow to the rule of law and to the rights of affected people. It also severely undermines the EDPS legitimacy as the data protection law enforcer. If Europol can simply be exempted by legislators every time it is caught red-handed, the system of checks and balance is inherently impaired. 

EDRi and 22 other civil society organisations are thus urging EU policymakers to radically change plans regarding the reform of the Europol regulation. In a letter addressed to the Council and the European Parliament representatives, they recommend to:

  • Renounce giving Europol more operational powers by way of receiving and analysing data its current rules forbid to process;
  • Reinforce data protection safeguards, notably by increasing the involvement of the EDPS before any new data processing operation;
  • Abandon any attempt to cancel the effects of the EDPS’ Decision;
  • Guarantee a genuine independence of Europol’s oversight bodies in charge of monitoring the agency’s respect of fundamental rights.

Find the open letter here.

(Contribution by:)

Chloé Berthélémy

Chloé Berthélémy

Policy Advisor

Twitter: @ChloBemy

Explore EDRi’s work on Europol 2020 reform