(Source: European Data Protection Supervisor)
Following the publication of the amended Europol Regulation in the Official Journal of the EU today, the EDPS expresses its concerns that the amendments, which will enter into force on 28 June 2022, weaken the fundamental right to data protection and do not ensure an appropriate oversight of the European Union Agency for Law Enforcement Cooperation (Europol).
The amended Europol Regulation, Regulation (EU) 2022/991, expands considerably the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets.
Europol is now allowed, in specific cases, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity.
The EDPS regrets that the expansion of Europol’s mandate has not been compensated with strong data protection safeguards that would allow the effective supervision of the Agency’s new powers.
Putting in place strong safeguards is crucial since the impact of the amended Regulation on personal data protection is further aggravated by the fact that EU Member States have the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation. The EDPS has strong doubts as to the legality of this retroactive authorisation.
The processing of these large data sets concerning individuals with no established link to a criminal activity is a matter which the EDPS has already expressed concerns about. Indeed, these are the same large data sets that the EDPS ordered Europol to delete on 3 January 2022. Therefore, with the amended regulation, the EDPS Order to delete these large datasets would become ineffective.
Europol’s Management Board should now further specify the data protection safeguards to put in place to limit effectively the impact of such intrusive data processing activities on individuals, as required by the legislator. To this end, the EDPS expects to be formally consulted on the basis of the amended Europol Regulation concerning relevant decisions of the Management Board.
The EDPS remains committed to supervise closely the compliance of Europol’s data processing operations with the applicable legal framework, and to use its advisory, investigative and corrective powers, when necessary.