Explanatory Memorandum to COM(2013)173 - EU Agency for Law Enforcement Cooperation and Training (Europol) - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2013)173 - EU Agency for Law Enforcement Cooperation and Training (Europol). |
---|---|
source | COM(2013)173 |
date | 27-03-2013 |
The European Police Office (Europol) started as an intergovernmental body regulated by a Convention concluded between the Member States, which entered into force in 1999. By virtue of a Council Decision adopted in 2009, Europol became an EU agency funded by the EU budget.
Europol’s role is to provide support to national law enforcement services’ action and their mutual cooperation in the prevention of and fight against serious crime and terrorism. Europol facilitates the exchange of information between Member States’ law enforcement authorities and provides criminal analysis to help national police forces carry out cross border investigations.
Article 88 of the Treaty on the Functioning of the European Union stipulates that Europol shall be governed by a regulation to be adopted by the ordinary legislative procedure. It also requires the co-legislators to establish procedures for the scrutiny of Europol’s activities by the European Parliament, together with national Parliaments.
The European Police College (CEPOL) was established as an EU agency in 2005, in charge of activities related to the training of law enforcement officers. It aims to facilitate cooperation between national police forces by organising courses with a European policing dimension. It defines common curricula on specific topics, disseminates relevant research and best practice, coordinates an exchange programme for senior police officers and trainers, and may act as a partner in EU grants for specific projects.
The European Council, in “the Stockholm Programme – An Open and Secure Europe Serving and Protecting Citizens”[1], called on Europol to evolve and “become a hub for information exchange between the law enforcement authorities of the Member States, a service provider and a platform for law enforcement services”, and called for the establishment of European training schemes and exchange programmes for all relevant law enforcement professionals at national and EU level, with CEPOL playing a key role in ensuring the European dimension.
In its Communication ‘The EU Internal Security Strategy in Action: Five steps towards a more secure Europe’[2], the Commission identified key challenges, principles and guidelines for dealing with security issues within the EU, and suggested a number of actions involving Europol and CEPOL to address the risks that serious crime and terrorism pose to security.
Over the last decade, the EU has seen an increase in serious and organised crime as well as more diverse patterns in crime.[3] Europol’s EU Serious and organised crime threat assessment 2013 (SOCTA 2013) found that “serious and organised crime is an increasingly dynamic and complex phenomenon, and remains a significant threat to the safety and prosperity of the EU.”[4] The study also notes that “the effects of globalisation in society and business have also facilitated the emergence of significant new variations in criminal activity, in which criminal networks exploit legislative loopholes, the internet, and conditions associated with the economic crisis to generate illicit profits at low risk.”[5] The internet is used to organise and execute criminal activities, serving as a communication tool, a marketplace, recruiting ground and financial service. It also facilitates new forms of cybercrime, payment card fraud as well as the distribution of child sexual abuse material.[6]
Serious crime offences therefore cause increasingly severe harm to victims, inflict economic damage on a large scale and undermine the sense of security without which persons cannot exercise their freedom and individual rights effectively. Crimes like trafficking in human beings,[7] in illicit drugs,[8] and in firearms,[9] financial crimes like corruption,[10] fraud[11] and money laundering,[12] and cybercrime[13] not only pose a threat to personal and economic safety of people living in Europe, they also generate vast criminal profits which strengthen the power of criminal networks and deprive public authorities of much needed revenues. Terrorism remains a major threat to the EU’s security, as societies in Europe are still vulnerable to terrorist attacks.[14]
Crime is one of the five main concerns of EU citizens.[15] Asked what issues the EU institutions should focus on, the fight against crime was mentioned in fourth place.[16] In a recent survey most EU internet users expressed high levels of concern about cyber security and cybercrime.[17]
In this context, EU agencies are needed to effectively and efficiently support law enforcement cooperation, information sharing and training.
The Common Approach on EU decentralised agencies endorsed by the European Parliament, Council and Commission in July 2012[18] sets out principles for the governance arrangements of agencies such as Europol and CEPOL. The Common Approach also notes that “merging agencies should be considered in cases where their respective tasks are overlapping, where synergies can be contemplated or when agencies would be more efficient if inserted in a bigger structure”.
Merging Europol and CEPOL into a single agency, situated at the current headquarters of Europol in The Hague would create important synergies and efficiency gains. Combining the operational police cooperation know-how of Europol with the training and education expertise of CEPOL would strengthen the links and create synergies between the two fields. Contacts between the operational and the training staff working within a single agency would help identify training needs, thus increasing the relevance and focus of EU training, to the benefit of EU police cooperation overall. Duplication of support functions in the two agencies would be avoided, and resulting savings could be redeployed and invested in core operational and training functions. This is particularly important in an economic context, where national and EU resources are scarce and where resources to strengthen EU law enforcement training might not otherwise be available.
This proposal for a regulation therefore provides for a legal framework for a new Europol which succeeds and replaces Europol as established by the Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol), and CEPOL as established by Council Decision 2005/681/JHA establishing the European Police College (CEPOL).
The proposal is in line with the requirements of the Lisbon Treaty, the expectations of the Stockholm Programme, the priorities set out in the Internal Security Strategy in Action, and the Common Approach to EU decentralised agencies.
Contents
- RESULTS OF CONSULTATIONS WITH THE INTERESTED PARTIES AND IMPACT ASSESSMENTS
- LEGAL ELEMENTS OF THE PROPOSAL
- BUDGETARY IMPLICATION
- Objective and content of the legislative proposal
- 1. Aligning Europol with the requirements of the Treaty of Lisbon, increasing its accountability
- 2. Europol as a hub for information exchange between law enforcement authorities in the Member States
- 3. New responsibilities: training and developing EU centres to fight specific crimes
- 4. Robust data protection regime
- 5. Improved governance
Dialogues on the preparation of the reform of Europol, CEPOL and of EU law enforcement training took place in 2010 and 2011 between the Commission and representatives of the European Parliament, the Council of the European Union and the Management Board of Europol and Governing Body of CEPOL, as well as with representatives of national Parliaments.
In line with its “Better Regulation” policy, the Commission conducted two impact assessments of policy alternatives concerning Europol and CEPOL.[19]
The impact assessment on Europol was based on the two policy objectives of increasing provision of information to Europol by Member States and of setting a data processing environment that allows Europol to fully assist Member States in preventing and combating serious crime and terrorism. As regards the former objective, two policy options were assessed: (i) clarifying a legal obligation of Member States to provide data to Europol, providing for incentives and a reporting mechanism on the performance of individual Member States, and (ii) granting Europol access to relevant national law enforcement databases on a hit-/no hit basis. As regards the policy objective on a data processing environment, two policy options were assessed: (i) merging the two existing Analyses Work Files into one and (ii) new processing environment setting up procedural safeguards to implement data protection principles with particular emphasis on ‘privacy by design’.
The impact assessment on CEPOL was based on the two policy objectives of (i) ensuring better quality, more joined-up and more consistent training for a wider range of law enforcement officers in cross-border crime issues and (ii) establishing a framework to achieve this in line with the Common Approach on EU decentralised agencies. In the context of the Commission presenting a Law Enforcement Training Scheme, for the implementation of which additional resources will be needed, the Commission examined different options including strengthening and streamlining CEPOL as a separate agency and merging, partially or fully, the functions of CEPOL and Europol into a new Europol agency.
According to the Commission’s established methodology, each policy option was assessed, with the help of an inter-service steering group, against its impact on security, on the costs (including on the budget of the EU institutions) and impact on fundamental rights.
The analysis of the overall impact led to the development of the preferred policy option which is incorporated in the present proposal. According to the assessment, its implementation will lead to further effectiveness of Europol as an agency providing comprehensive support for law enforcement officers in the European Union.
Article 88 and Article 87(2)(b) of the Treaty on the Functioning of the European Union are the legal bases for the proposal.
This proposal aims to:
· Align Europol with the requirements of the Treaty of Lisbon by setting up the legislative framework of Europol in the regulation and by introducing a mechanism for control of Europol’s activities by the European Parliament, together with national Parliaments. In this way democratic legitimacy and accountability of Europol to the European citizen would be enhanced.
· Meet the goals of the Stockholm Programme by making Europol “a hub for information exchange between the law enforcement authorities of the Member States” and establishing European training schemes and exchange programmes for all relevant law enforcement professionals at national and EU level.
· Grant Europol new responsibilities so that it may provide a more comprehensive support for law enforcement authorities in the Member States. This includes Europol taking over the current tasks of CEPOL in the area of training of law enforcement officers and developing a Law Enforcement Training Scheme. This also involves a possibility for Europol to develop the EU centres of specialized expertise for combating certain types of crime falling under Europol’s objectives, in particular the European Cybercrime Centre.
· Ensure a robust data protection regime for Europol, in particular to guarantee that the data protection supervisor of Europol has full independence, can act effectively and has sufficient powers of intervention.
· To improve the governance of Europol by seeking increased efficiency and aligning it with the principles laid down in the Common Approach on EU decentralised agencies.
The proposal achieves these aims in the following way:
The regulation ensures that Europol’s activities are subject to scrutiny by the democratically elected representatives of the EU citizens. The proposed rules are in line with the Commission’s 2010 Communication on the procedures for the scrutiny of Europol’s activities by the European Parliament, together with national Parliaments.[20]
In particular, the European Parliament and national Parliaments:
· receive information through annual activity reports and final accounts each year;
· receive for information threat assessments, strategic analyses and general situation reports relating to Europol’s objective as well as the results of studies and evaluations commissioned by Europol, and working arrangements agreed with authorities of third countries to implement international agreements concluded by the European Union with this third country;
· receive for information the multi-annual and annual work programme as adopted;
· receive reports on quantity and quality of information provided to Europol by each Member State and on the performance of its National Unit;
· may discuss with the Executive Director and the Chairperson of the Management Board matters relating to Europol- taking into account the obligations of discretion and confidentiality.
In addition, the European Parliament:
· fulfils its functions of the budgetary authority, in particular: receives the statement of estimates, receives the report on the budgetary and financial management for that financial year, may ask for any information required for the discharge procedure and gives a discharge to the Executive Director in respect of the implementation of the budget;
· is consulted on the multi-annual work programme of Europol;
· receives for information the annual work programme of Europol;
· may invite the candidate for the Executive Director of Europol or a Deputy Executive Director selected by the Management Board for a hearing before the competent parliamentary committee;
· may invite the Executive Director to reply to its questions on his/her performance.
In order to allow the European Parliament to exercise the scrutiny but at the same time to guarantee confidentiality of operational information, Europol and the European Parliament need to conclude working arrangement on the access to European Union Classified Information and sensitive non-classified information processed by or through Europol.
2. Europol as a hub for information exchange between law enforcement authorities in the Member States
In order to improve Europol’s intelligence picture, so that it can better support Member States and better inform EU policy setting, the proposal seeks to enhance the supply of information by Member States to Europol. This is done by strengthening the obligation for Member States to provide Europol with relevant data. An incentive is offered by extending the possibility for law enforcement services to receive financial support to cross border investigations in areas other than euro counterfeiting. A reporting mechanism to monitor Member States’ contribution of data to Europol is introduced.
To enable Europol to better establish links between data already in its possession and subsequently analysing them, the agency’s processing architecture is re-designed. It no longer pre-defines data bases or systems but instead adopts a ‘privacy by design’ approach and full transparency towards the Data Protection Officer at Europol and the European Data Protection Supervisor, the EDPS. High data protection and data security standards are achieved by means of procedural safeguards that apply to any specific type of information. The regulation sets out in detail the purposes of data processing activities (cross-checking, strategic analyses or other general nature, operational analyses in specific cases), the sources of information and who may access data. It also lists categories of personal data and data subjects whose data may be collected for each specific information processing activity. This would enable Europol to adapt its IT architecture to future challenges and the needs of the law enforcement authorities in the EU. Once in place, it would allow Europol to link and make analyses of relevant data, reduce delays in identifying trends and patterns and reduce multiple storage of data. At the same time, high data protection standards would be guaranteed. Observance of those standards will be supervised by the European Data Protection Supervisor.
In this way Europol analysts would gain a broader picture on serious criminality and terrorism in the EU. They would be able to quickly identify trends and patterns across all criminal areas and build more comprehensive and relevant intelligence reports to support Member States’ law enforcement authorities.
To ensure synergies in EU support for policing, and to allow full implementation of the EU Law Enforcement Training Scheme proposed in parallel with this regulation,[21] Europol will take over and build on the tasks formerly carried out by CEPOL. Closer links between training and operational work will lead to more targeted and relevant training for law enforcement officers.
Europol, through a new department known as the Europol Academy will assume responsibility for supporting, developing, delivering and coordinating training for law enforcement officers at the strategic level, and not only (as is the case under the current CEPOL Decision) senior police officers. These activities will address needs for awareness and knowledge of international and Union instruments, encouragement of cross-border cooperation, specialized knowledge in specific criminal or policing thematic areas and preparation for participation in EU civilian police missions in third countries. It will be responsible for developing and evaluating educational tools, linked to requirements identified in regular training needs assessments. It will contribute to research and seek to establish partnerships with Union bodies and private academic institutions as appropriate.
The composition, functions and procedures of the Management Board reflect Europol’s new responsibilities for law enforcement training, as well as the best practice set out in the Common Approach on EU decentralised agencies.
A Scientific Committee for Training will advise the Management Board in order to guarantee and guide the scientific quality of Europol’s training activities.
To enhance the EU’s capacity to confront specific crime phenomena, which particularly call for a common effort, Europol is given a possibility to develop centres to fight specific forms of crime, for example the European Cybercrime Centre.
Such EU centres integrating various approaches towards fighting the specific form of crime would add value to the Member States actions. They could, for instance, be information focal points, pool expertise to support Member States in capacity building, support Member States’ investigations or become the collective voice of the European investigators across law enforcement in the specific area.
The proposal reinforces the data protection regime applicable to Europol’s activities. In particular, the following measures are taken:
· The existing autonomous Europol data protection regime is further strengthened by drawing to a large extent on the principles underpinning Regulation (EC) No 45/2001 on the protection of individual with regard to processing of personal data by the Community institutions and bodies and on the free movement of such data.[22] As Declaration 21 attached to the Treaty recognizes the specificity of personal data processing in the law enforcement context, the data protection rules of Europol have however been aligned with other data protection instruments applicable in the area of police and judicial cooperation. These are in particular the Convention No. 108[23] and Recommendation No R i of the Council of Europe[24] and Council Framework Decision 2008/977 on the protection of personal data processed in the framework of police and judicial cooperation.[25] This will ensure a high level of protection of individuals with regard to processing of personal data, while taking into due account the specificity of law enforcement.
· Access by Member States to personal data held by Europol and relating to operational analyses, is made indirect based on a hit/no hit system: an automated comparison produces an anonymous ‘hit’ if the data held by the requesting Member State match data held by Europol. The related personal or case data are only provided in response to a separate follow-up request.
· The processing of personal data on victims, witnesses, persons different from suspects, and minors is prohibited unless strictly necessary. This limitation also applies to data revealing racial or ethnic origin, political opinions, religions or beliefs, trade-union membership and of data concerning health or sex life (sensitive personal data). Furthermore, sensitive personal data can only be processed where they supplement other personal data already processed by Europol. Europol is obliged to provide every six months an overview of all sensitive personal data to the EDPS. Finally, no decision which produces legal effects concerning a data subject can be taken solely on the basis of automated processing of sensitive personal data, unless it is authorised by EU or national law or by the EDPS.
· To increase transparency, individuals’ right of access to personal data held by Europol is reinforced. The information that Europol must provide to an individual requesting access to his/her data is listed in the Regulation.
· The proposal sets clear rules on the division of responsibility in data protection matters, in particular it makes Europol responsible for reviewing the continued need to store personal data at regular intervals.
· The obligation of logging and documentation is extended from covering access to a wider range of data processing activities: collection, alteration, access, disclosure, combination and erasure. To ensure better control over the use of data and clarity on who has been processing it, the regulation prohibits modification of the logs.
· Any individual can turn to Europol for compensation for unlawful data processing or an action incompatible with the provisions of this Regulation. In such a case Europol and a Member State in which damage has occurred are jointly and severally liable (Europol on the basis of Article 340 of the Treaty and the Member State on the basis of its national law).
· The role of Europol’s external data protection supervisory authority is strengthened. The European Data Protection Supervisor will be competent for the supervision of processing of personal data by Europol. This ensures full compliance with the criteria of independence established in the case-law of the Court of Justice and, due to the EDPS’ enforcement powers, effectiveness of data protection supervision.
· The national data protection authorities remain however competent for supervision of input, the retrieval and any communication to Europol of personal data by the Member State concerned. They also remain responsible for examining whether such input, retrieval or communication violates the rights of the data subject.
· The Regulation introduces elements of “joint supervision” on data transferred to and processed at Europol. In specific issues requiring national involvement and in order to ensure coherent application of this regulation throughout the European Union, the European Data Protection Supervisor and national supervisory authorities, each acting within its competences, should co-operate with each other.
The proposal improves the governance of Europol by seeking efficiency gains, streamlining procedures, notably with respect to the Management Board and the Executive Director, and by aligning Europol with the principles laid down in the Common Approach on EU decentralised agencies.
The Commission and the Member States are represented on the Management Board of Europol in order to effectively control its workings. In order to reflect the dual mandate of the new Agency – operational support and training for law enforcement – the full members of the Management Board are appointed on the basis of their knowledge of law enforcement cooperation, whereas alternate members are appointed on the basis of their knowledge of training for law enforcement officers. The alternate members will act as full members whenever training is discussed or decided. The Management Board will be advised by a scientific committee on technical training issues (Scientific Committee for Training).
The Management Board is given the necessary powers, in particular to establish the budget, verify its execution, adopt the appropriate financial rules and planning documents, establish transparent working procedures for decision-making by the Executive Director of Europol, adopt the annual activity report, and appoint an Executive Director.
To streamline the decision making process, the Management Board may also decide to establish an Executive Board. Such a small-sized Executive Board, with the presence of a Commission representative, could be more closely involved in the monitoring of Europol’s activities with a view to reinforcing supervision of administrative and budgetary management, in particular on audit matters.
In order to ensure efficient day-to-day functioning of Europol, the Executive Director is its legal representative and manager. The Executive Director is completely independent in the performance of his/her tasks and ensures that Europol carries out the tasks foreseen in this Regulation. In particular, the Executive Director is responsible for preparing budgetary and planning documents submitted for the decision of the Management Board, implementing the annual and multiannual work programmes of Europol and other planning documents.
The full merger of CEPOL and EUROPOL will lead to synergies and efficiency gains. The savings achieved are assessed at the level of €17.2 million over the period 2015-2020 and 14 full time staff equivalent (FTE).
Although this proposal will take advantage of these savings and build on existing resources, additional resources will be required for Europol to implement the new tasks related to training of law enforcement officials, and to process and analyse the expected increase in information flows, including through the European Cybercrime Centre. The operation and further development of the European Cybercrime Centre has by far the most significant impact on resources. In parallel to these needs for new resources, CEPOL and Europol also participate in the current 5% reduction in staff numbers across all EU agencies, as well as contributing staff posts to a pool for redeployment in EU agencies in favour of new tasks and start-up phase agencies.
An additional 12 FTE will be needed to implement the new tasks related to training of law enforcement officials, i.e. the activities needed to implement the European Law Enforcement Training Scheme proposed in parallel with this Regulation. The human resources for the new training activities will be obtained as a result of the merger of CEPOL into Europol, which will result in savings amounting to 14 posts, representing €10.1m over the period 2015-2020. By discontinuing 14 posts, CEPOL should comply with the request to cut staff by 5% and to contribute to the redeployment pool. In addition, an estimated €7.1m will be saved as a result of lower costs of building, equipment and management board expenses over the same period. The relocation of around 40 staff from CEPOL’s current site in Bramshill, UK, to the Europol site in The Hague, the Netherlands, is expected to result in limited one-off costs, estimated at €30 000. However, the UK has announced its intention to close the Bramshill site, CEPOL will therefore in any event have to be relocated.
An additional 3 FTE will be needed for increased information processing requirements that will result from the expected rise in the quantity of information supplied to Europol as a result of this proposal (which combines a strengthened obligation upon Member States to provide relevant data to Europol, financial support to individual investigations and monitoring reports). These will be gradually recruited between 2015 and 2017 resulting in an estimated €1.8m in staffing costs over the period 2015-2020. However, approximately two thirds of these costs will be offset by the savings resulting from the merger of CEPOL: two FTE will be secured from the remaining 2 posts out of the 14 saved as a result of the CEPOL merger.
For the European Cybercrime Centre, an additional 41 FTE will be recruited over the period 2015-2020. The tasks for which that staff is needed are identified in an accompanying Commission Staff Working Document. The non–staff costs for the European Cybercrime Centre have been estimated at €16.6m over the same period. In 2013, 44 FTE had already been assigned to the European Cybercrime Centre through internal redeployment within Europol and an additional 17 FTE were requested by Europol as a part of the Draft Budget 2014.
In order to comply with the request to cut staff by 5% and to contribute to the redeployment pool, 34 FTE should be discontinued within Europol between 2015 and 2018 on top of the 12 FTE to be discontinued already in 2014.
Finally, this proposal will require additional resources for the European Data Protection Supervisor estimated at the equivalent of 1 FTE. The change in data protection supervision arrangements will create savings of €3m for Europol between 2015 and 2020, no longer needing to provide support to the current Joint Supervisory Body, and additional costs of €1.5m for EDPS over the same period.
In total, therefore, the budgetary impact of the legislative proposal amounts to €623m for the merged agency over the period 2015-2020, as well as the €1.5m needed for the EDPS.[26]