On 16 September 2022, the EDPS requested that the Court of Justice of the European Union (CJEU) annuls two provisions of the newly amended Europol Regulation, which came into force on 28 June 2022. The two provisions have an impact on personal data operations carried out in the past by Europol. In doing so, the provisions seriously undermine legal certainty for individuals’ personal data and threaten the independence of the EDPS – the data protection supervisory authority of EU institutions, bodies, offices and agencies.
These new provisions, articles 74a and 74b, have the effect of legalising retroactively Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. This type of personal data processing is something that the EDPS found to be in breach of the Europol Regulation, which it made clear in its Order issued on 3 January 2022 requesting Europol to delete concerned datasets within a predefined and clear time limit.
The EDPS notes that the co-legislators have decided to retroactively make this type of data processing legal, therefore overriding the EDPS Order.
Wojciech Wiewiórowski, EDPS, said: “The contested provisions of the amended Europol Regulation retroactively legalise processing operations that were found to be in violation of the 2016 Europol Regulation. In doing so, they retroactively deprive individuals of the safeguards that the EDPS enforced. The EDPS had to apply for an annulment of Articles 74a and 74b of the amended Europol Regulation for two reasons. Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement where the processing of personal data implies severe risks for data subjects. Secondly, to make sure that the EU legislator cannot unduly ‘move the goalposts’ in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority’s enforcement powers requires legal certainty of the rules being enforced.”
When data was collected under the previous Europol Regulation, individuals could expect that if their personal data was transmitted to Europol, Europol would be obliged to check within six months whether there was a link to criminal activity. Otherwise, as instructed by the EDPS, this data was supposed to be erased at the very latest by 4 January 2023. The new provisions of the Europol Regulation allow Europol to continue processing the data that has not yet been erased, despite the EDPS Order.
The co-legislators’ choice to introduce such amendments undermines the independent exercise of powers by supervisory authorities. The contested provisions establish a worrying precedent with the risk of authorities anticipating possible counter-reactions of the legislator aimed at overriding their supervision activities, depending on political will. Data protection supervisory authorities, in this case the EDPS, could be compelled to consider political preferences or may be subject to undue political pressure in a manner that undermines their independence as enshrined in the EU Charter of Fundamental Rights.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy, and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council on to serve a five-year term, beginning on 6 December 2019.
Action for annulment of an EU act: An action for annulment is a legal procedure before the Court of Justice that guarantees the conformity of EU legislative acts, regulatory acts and individual acts with the superior rules of the EU legal order. An action can be brought within specific deadlines depending on whether the acts is individually notified or published in the Official Journal. If the Court finds the action well founded, it declares the nullity of the contested act, which, in principle, is considered null from the moment of its adoption. The EDPS lodged its action under Article 263 TFEU for the annulment of Articles 74a and 74b of Regulation 2016/794 as amended by Regulation 2022/991 by the European Union’s co-legislators i.e. the Council of Ministers of the European Union and the European Parliament.
Europol: The rules for data protection applicable to the EU’s Agency for Law Enforcement Cooperation (Europol), as well as the supervisory tasks of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2016/794 (Europol Regulation) as amended by Regulation 2022/991. The powers of the EDPS over Europol are laid down in Article 43 of Regulation (EU) 2016/794.
EDPS Order of 3 January 2022: The EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data lacking ‘Subject Categorisation’). Datasets older than 6 months that have not undergone this Data Subject Categorisation, or being categorised as not belonging to suspects or other specific relevant categories (witnesses, victims…), must be erased. The Order entails that Europol, before the amendments, was no longer permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
The amended Europol Regulation and Articles 74a and 74b: The amended Europol Regulation (EU) 2022/991 entered into force on 28 June 2022. It expands the mandate of Europol with regard to exchanges of personal data with private parties, the use of artificial intelligence, and the processing of large datasets. Europol is now authorised, in specific cases, to process large datasets, leading to a substantial increase in the volume of individuals’ personal data processed and stored by the Agency. Consequently, data relating to individuals that have no established link to a criminal activity will be treated in the same way as the personal data of individuals with a link to a criminal activity. Furthermore, Articles 74a and 74b of Regulation (EU) 2022/991 confer on Member States the possibility to retroactively authorise Europol to process large data sets already shared with Europol prior to the entry into force of the amended Regulation.
On 27 June 2022, following the publication of the amended Europol Regulation in the Official Journal of the EU, the EDPS expressed its concerns regarding the impact of the amendments on the fundamental right to data protection and on the need to preserve independent supervision from undue political influence.
Questions can be directed to firstname.lastname@example.org