On 10 January 2022 the EDPS, concluding an inquiry started in April 2019 in regard to Europol’s data processing activities, found that the law enforcement agency was going beyond its mandate and breaching its data protection rules.
stating it has a year to organise what could be lawfully kept.
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation,” said EDPS supervisor Wojciech Wiewiórowski.
The challenge to its authority places the EU data protection watchdog up against a large security agency which is being positioned to become the centre of machine learning and AI in policing.
On 8 December 2021 the European Commission proposed new around the automated sharing of biometric data-- all of which is to be done through a new central interface, to which national databases can connect to.
This will increase Europol’s role within EU law enforcement, providing it with the ability to participate in the sharing of biometric data.
The European Commission says the legal concerns highlighted by the EDPS raise “a serious challenge” to Europol’s ability to fulfil its duties.
The EU home affairs commissioner, also defended Europol, “Law enforcement authorities need the tools, resources and the time to analyse data that is lawfully transmitted to them,” Ylva Johansson said. “In Europe, Europol is the platform that supports national police authorities with this herculean task.”
When asked in a parliamentary question on 18 February if Luxembourg shares the position of the European Supervisor, minister of internal security, Henri Kox said: “Luxembourg had taken note of the decision of the EDPS.”
On 31 of January 23 civil society organisations from across Europe and beyond to European policy-makers in reaction to the EDPS ruling and an investigative report by British newspaper, The Guardian, supported by a grant from the IJ4EU fund and in collaboration with Lighthouse Reports. “We are greatly alarmed that the ongoing Europol reform ignores the risks of fundamental rights violations highlighted by these two investigations,” the letter states.
1 February the European Commission announced a , stating “Europol will be able to cooperate effectively with private parties.”
Eric Topfer, a surveillance expert at the German Institute for Human Rights, who studied the said he believes the agency will pull in data directly from banks, airlines, private companies and emails, “then we are moving closer to having an NSA-like agency.”
In a parliamentary hearing on the same day in February, director-general of the EU home affairs service Olivier Onidi, stated that the European Commission intended to provide legal clarity. Yet, some in the hearing felt the executive body was retroactively legalising the amassing of potentially sensitive data that had been found to be unlawful by the very watchdog it had installed.
It is estimated there are 4 petabytes – equivalent to 3m CD-Roms of data information.
In a further parliamentary question, Kox was asked if Luxembourg forwarded such data to Europol. “The data transmitted by the Grand-Ducal Police to Europol complies with the legal reference provided for by Europol's current mandate,” he replied.
Following the European hearing, major political groups in an internal meeting put forth by the French presidency of the council of the EU agreed to significantly downsize the role of the EDPS.
And when asked what the government's position was in the face of Europol's criticism, Kox said that “Europol is an essential tool for police work and [provides] important support in some surveys.” The minster however, did concede “that it was fundamental to find the right balance between the operational imperatives and the rights fundamentals and the protection of personal data.”