The EDPS, Europol, data protection and security

The European Union places itself as a major data protection actor worldwide, notably through the General Data Protection Regulation (GDPR). Nonetheless, Europol, its law enforcement agency, seems to run counter to the flow as the European Data Protection Supervisor (EDPS) recently unveiled shocking news of the agency overstepping its mandate of data harvesting.

Europol and the EDPS

What is Europol? The European Union Agency for Law Enforcement Cooperation presents itself as “the European Union’s law enforcement agency”. It describes its main goal as “to achieve a safer Europe for the benefit of all the EU citizens”. The body was founded to enhance collaboration between the law enforcement agencies of the EU Member States, which coordinate for the EU’s national police forces to fight international crime, from cybercrime to human trafficking and terrorism. To that end, Europol also works with third-country partners and international organisations.

The agency, which is headquartered in The Hague, saw its influence boosted in the wake of the Paris terrorist attacks of 2015, when it was identified by several member states as a potential solution to the war on terrorism. Thus, Europol is now encouraged to collect data on several fronts. With a thousand employees and 220 liaison officers around the world, it claims to assist more than 40,000 international investigations per year.

On the other hand, the EDPS is the EU data protection “watchdog”. The European Data Protection Supervisor is an independent data protection authority under the framework of the European Union. It presents itself as an “increasingly influential independent supervisory authority, currently headed by a Supervisor and supported by an office (secretariat) of experienced lawyers, IT specialists and administrators”. The indepence of this body is central for the EDPS, and was marked as a requirement by the European legislator. The Court of Justice of the European Union indeed underlined the importance of the “control by an independent authority” as “an essential component of the right to data protection […] which implies a decision-making power independent of any direct or indirect external influence”.

Since May 2017, following the 2016 Europol Regulation, the EDPS holds the task of supervising the lawfulness of personal data processing by Europol. In this context, supervising means carrying out inspections and consultations, hearing and investigating complaints, and also conducting inquiries to ensure compliance with its prerogatives. The EDPS wants to ensure that “the right balance is found between data protection rights and the key public interest of security”.

Europol: towards a NSA-like agency

In 2013, through the leaks of Edward Snowden, The Guardian revealed a big surveillance network of data harvesting in the United States. As an ex-agent of the National Security Agency (NSA), Snowden highlighted the mass surveillance apparatus of the American body, which provoked a mediatic outbreak and severely undermined the legitimacy of the NSA. The EU’s GDPR was launched in the aftermath of the scandal.

Since 2015, with the demand for security increasing following the wave of terrorist attack in Europe, Europol’s influence has never ceased to grow wider. The agency has even developed some kind of impunity. In the framework of its prerogatives, Europol is meant to harvest relevant data to counter terrorism. However, the full scale of data held by Europol is currently unknown.

Several complaints arose from people who found their personal data held by the agency. Indeed, according to the EPDS, “the Europol Regulation provides any individual with the right to obtain information (Art. 36) on whether or not personal data relating to him or her are processed by Europol, to ask for rectification, erasure and restriction (Art. 37) of such data and, more in general, that his or her data are processed in accordance with data protection principles (Art. 28), notably in a fair and lawful way”. Nevertheless, several examples show that this obligation was not met by Europol.

Moreover, since 2016, Europol runs mass surveillance programmes in southern Europe’s refugee camps, monitoring data from tens of thousands of asylum seekers in the search for alleged foreign fighters and terrorists. The Guardian inquiry states that this screening “may have resulted in migrants’ personal data being stored on a criminal database regardless of any links being found to crime or terrorism”.

Following citizens’ complaints and concerns from MEPs, the European Union tasked the EDPS to open an inquiry on Europol data processing in 2019. The EDPS’ conclusions were then submitted In January 2022.

The EDPS’ report: a frightening overview calling for sanctions

The EDPS’ inquiry unveiled a mass surveillance apparatus. Europol has been illegally amassing tons of data, the total amount being equal to four petabytes (one petabyte would equal one billion books). In those quadrillion bytes, there are of course sensitive data on terrorists and crime syndicates but also on possible suspects and innocent people. Europol has accumulated this mass of data from criminal investigations of national policies authorities over the past six years. It concerns data transmitted by EU member states on individuals suspected of criminal activities.

The EDPS accuses Europol of having violated its own regulations by keeping certain data for “longer than necessary”. Thus, the supervisor ordered Europol to erase data held for more than six months: if within this timeframe a link to criminal activity cannot be proven, the data may not be retained. Europol has been given a year to delete problematic data that had not been eradicated and “to sort out what could be lawfully kept”. The EDPS Supervisor, Wojciech Wiewiórowski, explained that “a 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms”.

For Europol, the EDPS decision is likely to hamper its activities: “This will have an impact on our ability to analyse large and complex datasets at the request of law enforcement,” the agency reacted in a statement on January 11. “[The] Europol regulation was not intended by the legislator as a requirement which is impossible to be met by the data controller [ie Europol] in practice” since Europol’s intervention “frequently covers periods of more than six months”, the agency argued.

To continue on the parallelisms with the NSA, Wiewiórowski draw a comparison between this statement and “what the NSA said to Europeans after the Prism scandal […] that they are not processing the data, they are just collecting it and they will process it only in case it is necessary for the investigation they are doing”. “This is something that doesn’t comply with the European approach to processing personal data”, the supervisor added.

The European Commission welcomed this period offered “by way of derogation” by the EDPS, believing that it will give Europol “sufficient time” to comply with the decision. It is then up to the European Parliament and the Council of the European Union to “provide an appropriate solution and legal clarity on the processing of big data by Europol”, the European executive also noted in a statement.

IA, security and the endangerment of democracy

This episode marks the peak of the confrontation between the EU data protection bulwark and a powerful security entity who might one day become the centre of machine learning and AI in policing. Since 2020, Europol has been developing its own machine learning and AI programmes to process the unquantifiable amount of data stored. Despite the EDPS’ reluctance, Europol continued with this project and even started a recruitment round for experts to help with the development of AI and data mining.

Saskia Bricmont, Green MEP, stated that “in the name of the fight against criminality and terrorism we have an evolution of an agency, which performs very important missions, but they are not executed in the right manner. This will lead to problems”.

This ruling highlights the deep political divisions among European policymakers over the compromise between security and privacy. More “security” means more control over citizens’ lives, which could underline a deficiency in democracy. The consequences of the clash between those two institutions might hold the future of privacy and data protection in the European Union and beyond.

[This article was first published in the issue 36 of the magazine]