Explanatory Memorandum to COM(2020)796 - Amendment of the regulation on Europol’s cooperation with private parties, their processing of personal data in support of criminal investigations, and research and innovation - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
dossier | COM(2020)796 - Amendment of the regulation on Europol’s cooperation with private parties, their processing of personal data in support of ... |
---|---|
source | COM(2020)796 |
date | 09-12-2020 |
1. CONTEXTOFTHE PROPOSAL
• Reasons for and objectives of the proposal
Europe faces a security landscape in flux, with evolving and increasingly complex security threats. Criminals exploit the advantages that the digital transformation, new technologies1, globalisation and mobility bring about, including the inter-connectivity and blurring of the boundaries between the physical and digital world.2 Recent events3 have once again shown that terrorism remains a significant threat to the freedom and way of life of the European Union and its citizens. The COVID-19 crisis adds to this, as criminals have quickly seized opportunities to exploit the crisis by adapting their modes of operation or developing new criminal activities.4 Although the full impact of the COVID-19 crisis on security is not yet apparent, it is expected to shape the landscape of serious and organised crime in the EU in
mid- and long-term.5
These evolving security threats call for effective EU level support to the work of national law enforcement authorities. These threats spread across borders, cut across a variety of crimes that they facilitate, and manifest themselves in poly-criminal organised crime groups6 that engage in a wide range of criminal activities. As action at national level alone does not suffice to address these transnational security challenges, Member States’ law enforcement authorities have increasingly made use of the support and expertise that Europol, the EU agency for law enforcement cooperation, offers to counter serious crime and terrorism. Europol is the centrepiece for EU-level support to Member States in countering serious crime and terrorism. The agency offers support and expertise to national law enforcement authorities in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy. Since the entry into application of the 2016 Europol Regulation7, the operational importance of the agency’s tasks has changed substantially. For example, the operational support provided by Europol’s European Counter-Terrorism Centre has increased fivefold over recent years (from 127 operational cases supported in 2016 to 632 cases in 2019). The Centre is now part of almost every major counter-terrorism investigation in the EU.
1
This includes developments such as 5G mobile networks, artificial intelligence, the internet of things, drones, anonymisation and encryption, 3D printing and biotechnology. For example, in July 2020, French and Dutch law enforcement and judicial authorities, alongside Europol and Eurojust, presented the joint investigation to dismantle EncroChat, an encrypted phone network used by criminal networks involved in violent attacks, corruption, attempted murders and large-scale drug transports
(www.europol.europa.eu/newsroom/news">https://www.europol.europa.eu/newsroom/news).
The integration of digital systems in many criminal activities and the expansion of the online trade in illicit goods and services is transforming serious and organised crime. See Europol, Serious and Organised Threat Assessments 2017.
The attack in Paris on 25.09.2020, the attack in Conflans-Sainte-Honorine on 16.10.2020, the attack in Nice on 29.10.2020 and the attack in Vienna on 02.11.2020.
www.europol.europa.eu/publications-documents">www.europol.europa.eu/publications-documents. This is notably the case on cybercrime, fraud, counterfeiting and organised property crime. www.europol.europa.eu/publications-documents">https://www.europol.europa.eu/publications-documents.
More than 5,000 organised crime groups were under investigation in Europe in 2017 – a 50% rise compared to 2013. 45% of the organised crime groups were involved in more than one criminal activity. The share of these polycriminal groups increased sharply. Organised crime groups often engage in more than one criminal activity. They are highly flexible and able to shift from one criminal activity to another. Europol, Serious and Organised Threat Assessments 2017. Regulation (EU) 2016/794 (11.5.2016).
2
3
4
5
6
The threat from terrorism in Europe remains high.8 In a joint statement by the EU Home Affairs Ministers of 13 November 2020 on the recent terrorist attacks in Europe, Ministers “invite the Commission to submit a proposal revising the Europol mandate with a strong legal basis for the handling of large datasets. Europol and especially its European Counter Terrorism Centre are of fundamental importance for effectively supporting the Member States in their prevention and prosecution of terrorist crimes, and need to be bolstered.”9
The threat environment also changes type of the support Member States need and expect from Europol to keep citizens safe, in a way that was not foreseeable when the co-legislators negotiated the current Europol mandate. The December 2019 Council Conclusions acknowledge “the urgent operational need for Europol to request and receive data directly from private parties”, calling on the Commission to consider adapting the schedule for the review of the Europol Regulation “in view of the need for European law enforcement to address ongoing technological developments”.10 There is a pressing social need to counter serious crimes prepared or committed with the use of cross-border services offered by private parties11, notably cybercrimes. Whereas this challenge is partially addressed by the e-evidence package12, there are situations where Europol’s support is necessary to counter the threats posed by cybercrime and cyber-enabled crimes effectively, notably when private parties seek to report such crimes.
A July 2020 European Parliament Resolution also calls for reinforcing Europol, stating that “strengthening Europol’s capacity to request the initiation of cross-border investigations, particularly in cases of serious attacks against whistleblowers and investigative journalists who play an essential role in exposing corruption, fraud, mismanagement and other wrongdoing in the public and private sectors, should be a priority.”13
Given the changing security landscape, Europol needs to have the capabilities and tools to support Member States effectively in countering serious crime and terrorism. In response to pressing operational needs, and calls by the co-legislators for stronger support from Europol, the Commission Work Programme for 2020 announced a legislative initiative to “strengthen the Europol mandate in order to reinforce operational police cooperation”. This is also a key action of the July 2020 EU Security Union Strategy.14 In line with the call by the Political Guidelines15 to “leave no stone unturned when it comes to protecting our citizens”, this legislative initiative addresses those areas where stakeholders ask for reinforced support from Europol to help Member States keeping citizens safe.
A total of 119 completed, failed and foiled terrorist attacks were reported by 13 EU Member States, with 10 deaths and 27 injuries (Europol, European Union Terrorism Situation and Trend Report, 2020).
www.consilium.europa.eu/fr/press/press-releases">https://www.consilium.europa.eu/fr/press/press-releases.
www.consilium.europa.eu/media/41586">https://www.consilium.europa.eu/media/41586. Regulation (EU) 2016/794 foresees an evaluation assessing the impact, effectiveness and efficiency of Europol by May 2022.
The term ‘private parties’ refers to organisations with a legal personality other than public authorities. This includes, but is not limited to, undertakings established under civil law, even if they are owned or controlled by a public authority.
The Commission adopted on 17 April 2018 the so-called “e-evidence package” consisting of a Regulation (COM(2018) 225 final) and a Directive (COM(2018) 226 final). The package is under negotiation by the co-legislators.
European Parliament resolution of 10 July 2020 on a comprehensive Union policy on preventing money laundering and terrorist financing (2020/2686(RSP)). COM(2020) 605 final (24.7.2020). https://ec.europa.eu/commission/sites/beta-political/files/political-guidelines-next-commission_en.pdf.
8
9
10
12
3
To that end, this proposal seeks to strengthen the mandate of Europol within the mission and tasks of the agency as laid down in the Treaty , notably by:
• enabling Europol to cooperate effectively with private parties, addressing lack of effective cooperation between private parties and law enforcement authorities to counter the use of cross-border services, such as communication, banking, or transport services, by criminals;
• enabling Europol to effectively support Member States and their investigations with the analysis of large and complex datasets, addressing the big data challenge for law enforcement authorities;
• strengthening Europol’ s role on research and innovation, addressing gaps relevant for
law enforcement;
• strengthening Europol’s cooperation with third countries in specific situations and on
Europol’s objectives;
• clarifying that Europol may request, in specific cases where Europol considers that a criminal investigation should be initiated, the competent authorities of a Member State to initiate, conduct or coordinate an investigation of a crime which affects a common interest covered by a Union policy, without the requirement of a cross-border dimension of the crime concerned;
• strengthening Europol’s cooperation with the European Public Prosecutor’s Office
(EPPO);
• further strengthening the data protection framework applicable to Europol;
• further stren gthening parliamentary oversight and accountability of Europol.
This legislative initiative is linked to a legislative proposal amending Regulation (EU) 2018/1862 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters to enable Europol to enter data into the SIS. Subject to consultation of the Member States, this would enable Europol to enter data into the SIS on the suspected involvement of a third country national in an offence in respect of which Europol is competent.
December 2020 to reinforce the Union’s response to the threat posed by terrorism.
• Consistency with existing policy provisions in the policy area
This legislative initiative takes account of a wide range of EU policies in the area of internal security that have been adopted or launched since the entry into force of the 2016 Europol Regulation.
16 See Article 88 of the Treaty on the Functioning of the European Union.
17
According to Article 3(1) of Regulation (EU) 2016/794, one of Europol’s objectives is to support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combatting forms of crime which affect a common interest covered by a Union policy. This corresponds to Europol’s mission as set out in Article 88 TFEU. Article 6(1) of Regulation (EU) 2016/794 sets out that “in specific cases where Europol considers that a criminal investigation should be initiated into a crime falling within the scope of its objectives, it shall request the competent authorities of the Member States concerned via the national units to initiate, conduct or coordinate such a criminal investigation.”
As regards cooperation with private parties, this legislative initiative takes account of the related initiatives for the removal of terrorist content online18 and to improve cross-border access to electronic evidence.19 Once adopted, and based on the Commission’s proposals, the e-evidence package would provide national law enforcement and judicial authorities with European Production Orders and European Preservation Orders to obtain digital evidence from service providers for criminal investigations, irrespective of the Member State in which the provider is established or the information is stored.
As regards limits in the sharing of third-country sourced information on suspects and criminals, the assessment of options to strengthen this information sharing takes account of the on-going work towards the interoperability20 of EU information systems for security, border and migration management and the EU legal framework on large scale IT systems. This includes existing or planned EU information systems, namely the Schengen Information System,21 the EU Entry/Exit System,22 the European Travel Information and Authorisation System,23 and the proposed upgrading of the Visa Information System24 and of the Eurodac
system.25
This legislative initiative also takes account of Europol’s cooperation with other Union bodies or agencies, notably the European Public Prosecutor’s Office26, Eurojust27 as the EU agency for criminal justice cooperation, ENISA as the European Agency for Cyber Security28, the European Anti-Fraud Office (OLAF)29, and the European Border and Coast Guard Agency
(Frontex).30
• Consistency with other Union policies
This legislative initiative also takes account of other relevant Union EU policies that have been adopted or launched since the entry into force of the Europol Regulation.
This legislative initiative takes full account of the relevant EU data protection legislation (see section 3 below on fundamental rights).
As regards innovation, this legislative initiative takes account of EU security-related funding under Horizon 2020,31 the Internal Security Fund,32 the proposed Horizon Europe33 and the proposed Digital Europe programme.34 It also takes account of the European strategy for data35 and the White Paper on Artificial Intelligence36 as the first pillars of the new digital
COM(2018) 640 final (12.9.2018).
COM(2018) 225 final and COM(2018) 226 final (17.4.2018) (“e-evidence package”).
Regulation (EU) No 2019/818 (20.5.2020).
Regulation (EU) No 2018/1862 (28.11.2018).
Regulation (EU) No 2017/2226 (30.11.2017).
Regulation (EU) No 2018/1240 (12.9.2018).
COM(2018) 302 final (16.5.2018).
COM(2020) 614 final (23.9.2020).
Council Regulation (EU) No 2017/1939 (12.10.2017).
Regulation (EU) No 2018/1727 (14.11.2018).
Regulation (EU) No 2019/881 (17.4.2019).
Regulation (EU, Euratom) No 883/2013 (11.9.2013).
Regulation (EU) 2019/1896 (13.11.2019).
Regulation (EU) No 1291/2013 (11.12.2013).
Regulation (EU) No 513/2014 (16.4.2014). See also the Commission proposal for the Internal Security Fund
for the next multiannual financial framework (COM(2018) 472 final (13.6.2018)).
COM(2018) 435 final (7.6.2018).
COM(2018) 434 final (6.6.2018).
COM(2020) 66 final (19.2.2020).
COM(2020) 65 final (19.2.2020).
23
24
25
26
27
28
29
30
3
32
33
34
35
36
strategy of the Commission, as well as the on-going work in preparation of governance of common European data spaces.
As regards Europol’s cooperation with third countries, this legislative initiative takes account of the Union’s external policies, notably the work of EU delegations and counter-terrorism/security experts in third countries and common security and defence policy missions and operations.
2. LEGALBASIS, SUBSIDIARITYAND PROPORTIONALITY
• Legal basis
The legal basis of the legislative initiative is Article 88 of the Treaty on the Functioning of the European Union (TFEU). Article 88(1) TFEU stipulates that Europol’s mission shall be to support and strengthen action by the Member States’ police authorities and other law enforcement services and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy. It provides for Europol to be governed by a Regulation to be adopted in accordance with the ordinary legislative procedure.
• Subsidiarity
According to the principle of subsidiarity laid down in Article 5(3) TEU, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU.
Member States are responsible for the maintenance of law and order and the safeguarding of internal security.37 Indeed, the Union shall respect Member States’ essential state functions, including maintaining law and order and safeguarding national security.38 As serious crime and terrorism are often of a transnational nature, action at national level alone cannot counter them effectively. This is why Member States choose to work together within the framework of the EU to tackle the threats posed by serious crime and terrorism. They seek to coordinate their law enforcement action and cooperate in addressing shared security challenges. They decide to pool resources at EU level and share expertise. As the EU agency for law enforcement cooperation, Europol is a strong expression of this endeavour by the Member States to keep their citizens safe by working together. Europol provides a framework for Member States to coordinate their law enforcement action. Member States use their liaison officers at Europol and the information exchange channel the agency provides to exchange information and cooperate in their criminal investigations. Member States pool resources by tasking Europol to process their information in its databases and provide joint analysis. They use the growing expertise that Europol brings together on a variety of aspects of policing. This has made Europol the most visible and effective component of EU-level support for Member States’ law enforcement authorities.
Evolving security threats, driven by the way criminals exploit the advantages that the digital transformation and new technologies bring about, also call for effective EU level support to the work of national law enforcement authorities. There are of course differences in the way individual Member States, their regions and local communities confront specific types of crime. This is why their law enforcement authorities can choose where to seek EU-level support from Europol and what joint initiatives to participate in. In any case, law enforcement
37 Article 72 TFEU.
38 Article 4(2) TEU.
authorities across all Member States, regions and local levels face the same evolving security threats. Consequently, there is a need for EU action to step up the support to Member States in fighting serious crime and terrorism to keep pace with these threats.
Indeed, Member States alone would not be able to effectively tackle all the challenges addressed by this proposal:
• As regards the lack of effective cooperation between private parties and law enforcement authorities to counter the abuse of cross-border services by criminals, national authorities cannot alone analyse mul ti -jurisdi cti ona l or non-attributable data sets effectively, as it is very resource intensive to sift through large data sets in order to identify the data relevant for the respective jurisdiction or jurisdictions, in particular when the Member States concerned have not yet been identified. Alternatively, if the national law enforcement authorities obtain smaller data sets targeted to their respective jurisdiction, they fall short of the entire intelligence picture. Furthermore, Member States cannot effectively address these problems through an intergovernmental cooperation, by which the Member State of establishment were to receive the data, analyse and then distribute it to the Member States concerned. This would not only entail disproportionate resource implications for the Member States of establishment, but also legal difficulties in situations, where the criminal activity has no or limited ink to the jurisdiction of that Member State.
• As regards the big data challenge for law enforcement, Member States cannot detect such cross-border links through their own analysis of the large datasets at national level, as they lack the corresponding data on other crimes and criminals in other Member States. Moreover, some Member States might not always have the necessary I T tools, expertise and resources to analyse large and complex datasets.
• As regards gaps on research and innovation relevant for law enforcement, not all Member States are able to exploit fully the opportunities of new technologies for fighting crime and terrorism, and to overcome the challenges posed by the use of these technologies by criminals and terrorists, given the investment, resources and skills this requires.
• As regards limitations in law enforcement cooperation with third countries, Europol can play a key role in expanding its cooperation with third countries to counter crime and terrorism while ensuring coherence with other EU external polices and tools.
• As regards crimes which affect a common interest covered by a Union policy, Member State might require support to effectively investigate such crimes.
Proportionality
According to the principle of proportionality laid down in Article 5 i TEU, there is a need to match the nature and intensity of a given measure to the identified problem. All problems addressed in this legislative initiative call, in one way or another, for EU-level support for Member States to ta c kle th ese problems effectively:
• As regards the lack of effective cooperation between private parties and law enforcement authorities to overcome the challenges posed by the use of cross-border services by criminals, such as communication, banking, or transport services, these problems can be tackled more effectively and efficiently at EU level than at national level, by analysing mul ti-jurisdi cti ona l or non - attributa ble data sets at EU level in order to identify the data relevant for the respective Member States
concerned, and by creating an EU level channel for requests containing personal data to private parties.
• As regards the big data challenge for law enforcement, these problems can be tackled more effectively and efficiently at EU level than at national level, by assisting Member States in processing large and complex datasets to support their criminal investigations with cross-border leads. This would include techniques of digital forensics to identify the necessary information and detect links with crimes and criminals in other M e mber States.
• As regards gaps on research and innovation relevant for law enforcement, and given the si g nifica nt te c h nica l and financial investments required, these problems can be tackled more effectively and efficiently at EU level than at national level, by creating synergies and achieving economies of scale. For that to bring most added value in terms of EU funding for security research, there is a need to close the gap on the coordination of research and innovation needs on the side of law enforcement. Moreover, innovation and the development of new technologies often rely on the availability of large amounts of data, which can be realised better at EU level. By promoting the development of EU tools to counter serious crime and terrorism, an EU approach to innovation takes account of the cross-border dimension of many of
today’s security threats, as well as the need for cross-border cooperation among law
enforcement authorities to tackle these threats.
• As regards uncertainties around the use of mechanisms by Europol to exchange personal data with third countries, the limitations in Regulation (EU) 2016/794, which might prevent effective cooperation with third countries, can be addressed effectively at EU level.
• As regards crimes which affect a common interest covered by a Union policy, support from the EU level might be required to effectively investigate such crimes.
As the EU agency for law enforcement cooperation, Europol would be well positioned to provide this EU-level support. Indeed, Europol has proven very effective in supporting national law enforcement authorities in countering serious crime and terrorism. The stakeholder consultation carried out in the preparation of the impact assessment showed a very high level of satisfaction with Europol. There are clear synergies and economies of scale for Member States resulting, for example, from the joint processing of information by Europol, or from the expertise that the specialised Centres pool and offer to Member States. Member States expect, and operationally need, the same level of support from Europol when it comes to evolving security threats.
Law enforcement cooperation at EU-level through Europol does not replace different national policies on internal security and does not substitute the work of national law enforcement authorities. Differences in the legal systems and traditions of the Member States, as acknowledged by the T reaties, remain unaffected by this EU level support.
Choice
of the instrument
Given that Europol’s mandate is set out in Regulation (EU) 2016/794, the strengthening of Europol’s mandate has to take the form of a Regulation.
European Cybercrime Centre, European Migrant Smuggling Centre, European Counter Terrorism Centre and European Financial and Economic Crime Centre. Article 67(1) TFEU.
39
40
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER
Contents
- CONSULTATIONS
- 14 15
- a case-by-case basis for preventing and countering crimes falling within the scope of
- This legislative initiative is part of a package of measures presented by the Commission on 9
- 18 19 20 21 22
- Regulation (EU) No 513/2014 (16.4.2014). See also the Commission proposal for the Internal Security Fund
- Member States in preventing and combatting serious crime and terrorism. Member States have supported the preferred policy options explicitly in various Council fora as well as in a
- innovation hub
- Schengen I nf o rmati on Sy stem
- The assessment of fundamental rights in annex 5 of the accompanying impact assessment
- 45 46
- European Union Agency for Fundamental Rights: Applying the Charter of Fundamental Rights of the
- European Data Protection Supervisor: Assessing the necessity of measures that limit the fundamental right
- complies with the categories of data subjects whose data may be processed by the Agency. To that end, the legislative initiative would introduce the possibility to
ANDIMPACTASSESSMENTS
Stakeholder
consultations
To ensure that the general public interest is properly considered in the Commission’s approach to strengthening Europol’s mandate, the Commission services identified relevant
stakeholders and consulted them throughout the preparation of this legislative initiative. The Commission services sought views from a wide range of subject matter experts, national authorities, civil society organisations, and from members of the public on their expectations
and concerns relating to enhancing Europol’s capabilities in supporting Member States to
effectively prevent and investigate crime.
During the consultation process, the Commission services applied a variety of methods and forms of consultation. They included:
• the consultation on the Inception Impact Assessment, which sought views from all interested parties;
• targeted stakeholder consultation by way of a questionnaire; expert interviews; and
• targeted thematic stakeholder workshops that focused on subject matter experts,
including practitioners at national level. Taking into account the technicalities and specificities of the subject, the Commission services focused on targeted consultations, addressing a broad range of stakeholders at national and EU level.
The diversity of perspectives proved valuable in supporting the Commission to ensure that its legislative initiative addresses the needs, and took account of the concerns, of a wide range of stakeholders. Moreover, it allowed the Commission to gather necessary and indispensable data, facts and views on the relevance, effectiveness, efficiency, coherence and EU added value of this legislative initiative.
Taking into consideration the Covid-19 pandemic and the related restrictions and inability to interact with relevant stakeholders in physical settings, the consultation activities focused on applicable alternatives such as online surveys, semi-structured phone interviews, as well as meetings via video conference.
Stakeholders are generally supportive of strengthening Europol’s legal mandate to support
Member States in preventing and combatting serious crime and terrorism. Member States have supported the preferred policy options explicitly in various Council fora as well as in a
October 2020 Declaration of the Home Affairs Ministers of the EU (‘ Ten points on the Future
of Europol’). At the same time, Member States are conscious of the importance of their national sovereignty in the area of law enforcement from an operational and procedural perspective. The European Parliament has supported a strong role for Europol, while recalling
in a July 2020 European Parliament Resolution that “a strengthened mandate should go hand-in-hand with adequate parliamentary scrutiny”. The European Parliament is expected to
require detailed justification for the necessity of any new data processing capability at Europol, as well as strong data protection safeguards. Indeed, discussions with all stakeholders showed the importance of providing for appropriate safeguards to ensure fundamental rights, and in pa rticula r the right to protection of personal data.
The results of the consultation activities were incorporated throughout the impact assessment and the preparation of the legislative initiative.
• Collection and use of expertise
The Commission contracted an external consultant to conduct a study into the practice of direct exchanges of personal data between Europol and private parties. The work on the study took place between September 2019 and August 2020, and involved desk research, and stakeholder consultations by way of scoping interviews, targeted questionnaires, a survey, semi-structured interviews, and a workshop. The findings of the study are available online.41
Impact
assessment
In line with its “Better Regulation” policy, the Commission conducted an impact
assessment.42
A number of legislative and non - le g isl ati ve policy options have been considered. Following a pre-selecti on where some options had to be discarded, the following policy options have been assessed in full detail:
Policy options addressing objective I: effective cooperation between private parties and law enforcement
• policy option 1: allowing Europol to process data received directly from private parties
• policy option 2: allowing Europol to exchange personal data with private parties to e stablish jurisdiction
• policy option 3: allowing Europol to directly query databases managed by private parties
(2) Policy options addressing objective II: analysing large and complex datasets to detect cross-border links
• policy option 4: enabling Europol to analyse large and complex datasets
• policy option 5: introducing a new category of data subjects (persons not related to a crime) whose data Europol can process
(3) Policy options addressing objective III use of new technologies for law enforcement
• policy option 6: regulating Europol’s support to the EU security research programme, the innovation lab at Europol, and Europol’s support to the EU
• policy option 7: enabling Europol to process personal data for the purpose of innovation in areas relevant for its support to law enforcement
Furthermore, the following policy options, which respond to calls by the c o - le g isl ators for a reinforced role of Europol and raise less of a policy choice notably due to legal constraints, were analysed in separate annexes to the impact assessment, given their relevance and for reasons of completeness:
https://ec.europa.eu/home-affairs/news/commission-publishes-study-practice-direct-exchanges-personal-data-between-europol-and-private_en. [add links to the summary sheet and to the opinion of the Regulatory Scrutiny Board].
4
42
• policy option 8: enabling Europol to issue ‘discreet check’ alerts in the
• policy option 9: introducing a new alert category in the Schengen Information System to be used exclusively by Europol
• policy option 10: targeted revision of the provisions on self-assessment of the adequate level of safeguards
• policy option 11: targeted revision aligning the provision on the transfer of personal data in specific situations with the provision of the Data Protection Law Enforcement Police Directive
• policy option 12: seeking best practices and guidance on the application of provisions of the Europol Regulation
• policy option 13: strengthening the mechanism for requesting the initiation of investi gati ons
• policy option 14: enabling Europol to request the initiation of criminal investigations in cases affecting only one Member State that concern forms of crime which affect a common interest covered by a Union policy, without the requirement of a cross-border dimension of the crime concerned
Following a det ailed assessment of the impact of all policy options, the package of preferred policy options consists of policy option 2, policy option 4, policy option 7, policy option 9, policy option 11, policy option 12 and policy option 14. These preferred policy options are reflected in this legislative initiative.
The package of preferred policy options (policy option 2, policy option 4 and policy option 7, policy option 9, policy option 11, policy option 12 and policy option 14) respond effectively to the identified problems and would provide Europol with strong tools and capabilities to step up its support to Member States in countering emerging threats, in full compliance with fundamental rights.
Socially and economically, the ultimate beneficiaries of all preferred options are the citizens, who will directly and indirectly benefit from lower crime rates, reduced economic damages, and less security related costs. In terms of efficiency, the main beneficiaries are national law enforcement authorities. The preferred options should create significant economies of scale at the EU level, as they will shift tasks, which can be performed more efficiently at the EU level, from the national level to Europol. The preferred policy options provide for efficient solutions to challenges which would otherwise have to be addressed at higher costs by means of 27 individual national solutions, or to challenges which could not be addressed at the national level at all in view of thei r tra nsnational nature.
Fundamental rights
Given the importance of the processing of personal data for the work of law enforcement in general, and for the support activities provided by Europol in particular, this legislative initiative puts a particular focus on the need to ensure full compliance with fundamental rights as enshrined in the Charter of Fundamental Rights, and notably the rights to the protection of personal data and to respect for private life.
43 Article 8 of the Charter of Fundamental Rights of the European Union (hereinafter, ‘the Charter’).
44 Article 7 of the Charter.
As almost all problems, objectives and policy options addressed in the accompanying impact assessment involve the processing of personal data, any resulting limitation on the exercise of the fundamental right to the protection of personal data must be limited to what is strictly necessary and proportionate. Other fundamental rights may also be affected, such as the fundamental right to non-discrimination in the context of research and innovation. The thorough consideration of fundamental rights in the accompanying impact assessment, and notably of the rights to the protection of personal data and to respect for private life, is based on a detailed assessment of policy options in terms of their limitations on the exercise of fundamental rights set out in annex 5 of the accompanying impact assessment.
applies the Commission’s Operational guidance on taking account of fundamental rights in
Commission impact assessments,45 the handbook by the Fundamental Rights Agency on Applying the Charter of Fundamental Rights,46 and the guidance47 provided by the European Data Protection Supervisor on assessing necessity and proportionality. Based on this guidance, annex 5 of the accompanying impact assessment on fundamental rights:
• describes the policy options discarded at an early stage due to their serious adverse impact on fundamental rights;
• sets out a step-by-step assessment of necessity and pro portiona li ty ;
• outlines the rejected policy options if a less intrusive but equally effective option is available; and
• provides for a complete list of detailed safeguards for those policy options where a limitation on the exercise of fundamental rights is necessary, also due to the absence of a less intrusive but equally effective option.
Moreover, chapter 8 of the accompanying impact assessment provides an assessment of the accumulated impact of the preferred policy options on fundamental rights.
4. BUDGETARY IMPLICATIONS
This legislative initiative would have an impact on the budget and staff needs of Europol. It is estimated that an additional budget of around EUR 180 million and around 160 additional posts would be needed for the overall MFF period to ensure that Europol has the necessary resources to enforce its revised mandate. The new tasks for Europol proposed in this legislative initiative would therefore require additional financial and human reinforcements compared to the resources earmarked in the Commission proposal of May 2020 for the Multiannual Financial Framework 2021-2027, which plan for a 2% yearly increase of the EU contribution to Europol. These estimates as well as the overall budget and number of posts are subject to the outcome of the negotiations on the Multiannual Financial Framework 2021-2027. This contribution should also stabilise the resource needs of Europol over the period of the legislative financial statement. This legislative initiative also open the possibility for
Member States to contribute directly to Europol’s budget, where necessary and required by
existing or new tasks.
SEC(2011) 567 final (6.5.2011).
European Union in law and policymaking at national level (2018).
European Data Protection Supervisor: Assessing the necessity of measures that limit the fundamental right
to the protection of personal data: A toolkit (11.4.2017); European Data Protection Supervisor: EDPS
Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to
the protection of personal data (19.12.2019).
47
5. OTHERELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The monitoring and evaluation of Europol’s reinforced mandate would largely be performed
by the applicable mechanisms under the existing Europol Regulation. Article 68 foresees an evaluation which assesses, in particular, the impact, effectiveness and efficiency of Europol and of its working practices and may address the possible need to modify the structure, operation, field of action and tasks of Europol, and the financial implications of any such modification. Further to this evaluation, the Commission will draw data through its
representation in Europol’s Management Board meetings and its supervision, along with the Member States, of Europol’s work (Article 11).
• Detailed explanation of the specific provisions of the proposal This legislative initiative proposes the following new tasks for Europol:
• Enabling Europol to cooperate effective with private parties: the legislative initiative sets out rules for Europol to exchange personal data with private parties and analyse this data with a view to identifying all Member States concerned and providing them with the information necessary to establish their ju risdiction, also with regard to terrorist content online. To this end, Europol should be able to receive personal data from private parties, inform such private parties of missing information, and ask Member States to request other private parties to share further additional information. T hese rules also introduce the possibility for Europol to act as a technical channel for exchanges between Member States and private parties. These new legal grounds respond to the problems private parties and law enforcement authorities face when cooperating on crimes where the offender, the victims and the relevant I T infrastructure are under mul ti ple jurisdi cti ons in the EU and beyond, and would also enable Europol to support law enforcement authorities in their interactions with private parties on the removal of terrorist content online and other relevant issues. [Article 26]
• Enabling Europol to exchange personal data with private parties related to crisis response: The legislative initiative sets out rules for Europol to support Member States in preventing the large scale dissemination, via online platforms, of terrorist content related to on-going or recent real-world events depicting harm to life or physical integrity, or calling for imminent harm to life or physical integrity. To this end Europol will be enabled to exchange personal data with private parties, including hashes, IP addresses or URLs related to such content. [Article 26a]
• Enabling Europol to process large and complex datasets: The legislative initiative sets out rules for Europol to verify if personal data received in the context of
preventing and countering crimes falling within the scope of Europol’s objectives
complies with the categories of data subjects whose data may be processed by the Agency. To that end, the legislative initiative would introduce the possibility to
carry out a pre-analysis of personal data received with the sole purpose of determining whether such data falls into the categories of data subjects. The
Article 18(5) of Regulation (EU) 2016/794 limits the processing of personal data by Europol to the categories of data subjects listed in annex II of that Regulation. The categories of data subjects cover: (1) suspects, (2) convicted persons, (3) persons regarding whom there are factual indications or reasonable grounds to believe that they will commit, i persons who might be called on to testify in investigations or in subsequent criminal proceedings, (5) victims, (6) contacts and associates of a criminal, and (7) persons who can provide information on a crime.
48
Commission proposes these new legal grounds following its analysis of the Decision of the European Data Protection Supervisor on “Europol’s big data challenge”.49 [Article 18(5a)]
Enabling Europol to effectively support criminal investigations in Member States or by the EPPO by way of analysis of large and complex datasets: The legislative initiative sets out new rules to enable Europol, in justified cases where it is necessary to support effectively a specific criminal investigation in a Member State or by the EPPO, to process data the national authorities or the EPPO acquired in the context of that criminal investigation in accordance with procedural requirements and safeguards applicable under national criminal law. To that end, and where a Member State or the EPPO requests Europol’s analytical support for a specific criminal investigation, the legislative initiative would introduce the possibility for Europol to process all data contained in an investigative case file provided by the Member State or the EPPO for this investigation for as long as Europol supports that specific criminal investigation. This may include information provided by a trusted third country50 in the context of a specific criminal investigation, provided that this information is necessary for Europol’s support of the specific criminal investigation in a Member State. Moreover, the legislative initiative provides for the possibility for a Member State or the EPPO to request Europol to store the investigative case file and the outcome of its operational analysis for the sole purpose of ensuring the veracity, reliability and traceability of the criminal intelligence process, and only for as long as the judicial proceedings related to that criminal investigation are on-going in a Member State. The Commission proposes these new legal grounds following its analysis of the Decision of the European Data Protection Supervisor on “Europol’s big data challenge”.51 [Article 18a]
Strengthening Europol’s role on research and innovation: (a) Assisting the Commission in identifying key research themes, drawing up and implementing the Union framework programmes for research and innovation that are relevant to Europol’s objectives. [Article 4(4a)] (b) Supporting Member States in the use of emerging technologies in preventing and countering crimes falling within the scope of Europol’s objectives, and implementing innovation activities including with the processing of personal data where necessary. [Article 33a] (c) Supporting the screening of specific cases of foreign direct investments into the Union that concern undertakings providing technologies used or being developed by Europol or by Member States for the prevention and investigation of crimes falling within the scope of Europol’s objectives. [Article 4(4b)]
Enabling Europol to enter data into the Schengen Information System, subject to consultation of the Member States, on the suspected involvement of a third country national in an offence in respect of which Europol is competent. [Article 4(1)(r)]
See the EDPS Decision on the own initiative inquiry on Europol’s big data challenge: https://edps.europa.eu/sites/edp/files/publication/20-09-18_edps_decision_on_the_own_initiative_inquiry_on_europols_big_data_challenge_en.pdf.
A third country with which there is an agreement concluded either on the basis of Article 23 of Decision 2009/371/JHA in accordance with point (c) of Article 25(1) of Regulation (EU) 2016/794 or on the basis of Article 218 TFEU in accordance with point (b) of Article 25(1) of Regulation (EU) 2016/794, or which is the subject of an adequacy decision as referred to in point (a) of Article 25(1) of Regulation (EU) 2016/794. See the EDPS Decision on the own initiative inquiry on Europol’s big data challenge: https://edps.europa.eu/sites/edp/files/publication/20-09-18_edps_decision_on_the_own_initiative_inquiry_on_europols_big_data_challenge_en.pdf.
49
50
5
• Strengthening Europol s cooperation with third countries in preventing and
countering crimes falling within the scope of Europol’s objectives: The legislative
initiative provides for the possibility for the Executive Director of Europol to authorise categories of transfers of personal data to third countries in specific situations and on a case-by-case basis, where such categories of transfers are required. [ Arti c le 25(5)]
• Strengthening Europol’s cooperation with the European Public Prosecutor’s Office
(EPPO), in line with the rules on the transmission of personal data to Union bodies that are applicable to Europol. [Article 20a]
• Strengthening Europol’s cooperation with the European Anti-Fraud Office
(OLAF) to detect fraud, corruption and any other illegal activity affecting the financial inte rests of the Union, in line with the rules on the transmission of personal data to Union bodies that are a ppli ca ble to Europol. [ Arti c le 21(8) ]
• Enabling joint operational analysis between Europol and Member States in specific investigations. [ Arti c le 20(2a)]
• Further strengthening parliamentary oversight and accountability of Europol by introducing new reporting obli g ati ons for Eur opol to the J oint Pa rliame ntary Sc rutin y Group. [Article 51]
To further strengthen the data protection framework applicable to Europol, this legislative initiative:
• proposes that Article 3 on definitions and Chapter IX of Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of operational personal data by the Union institutions, bodies, offices and agencies become applicable to Europol, while as regards administrative personal data other chapters of Regulation 2018/1725 apply to Europol. [ Arti c l e 27a] .
• aligns the wording on the processing of special categories of personal data (sensitive data) by adding biometric data to the special categories of data. [Article 30]
• introduces a new provision on the processing of personal data for research and innovation to take due account of the stronger role Europol will play in these areas and the im pa ct there of on the processing of personal data and provide for additional safeguards. [Article 33a]
• introduces a new provision on keeping records of categories of data processing activities to reflect current practice. [Article 39a]
• outlines in more detail the designation, position and tasks of the Data Protection Officer of Europol to highlight the importance of this function, in line with the approach taken during the modernisation of the EU data protection acquis, which introduced the fun ction of the Data Protection Officer as a key component of the EU data protection architecture. [Articles 41a to c]
This legislative initiative also provides for the following legal clarifications and codification of existing tasks of Europol
• Supporting Member States’ special intervention units through the ATLAS network as a cooperation platform of 38 special intervention units of Member States and associated countries. [ Arti c le 4(1) (h)]
Supporting Member States through the coordination of law enforcement authorities’ response to cyberattacks. [Article 4(1)(m)]
Supporting Member States in investigations against high-risk criminals. [Article 4(1)(q)]
Supporting the evaluation and monitoring mechanism with expertise, analysis, reports and other relevant information to verify the application of the Schengen acquis as established by Council Regulation (EU) No 1053/2013. [Article 4(1)(s)]
Facilitating and supporting a coordinated, coherent, multi-disciplinary and multi-agency response to serious crime threats by way of the European Multidisciplinary Platform Against Criminal Threats. [Article 4(2)]
Supporting the Commission and the Member States in carrying out effective risk assessments by way of providing threats assessment analysis based on the information Europol holds on criminal phenomena and trends. [Article 4(3)]
Clarifying that Europol staff may provide operational support to Member State’s law enforcement authorities on the ground in operations and investigations. [Article 4(5)]
Clarifying that Europol also may request, in specific cases where Europol considers that a criminal investigation should be initiated, the competent authorities of a Member State to initiate, conduct or coordinate an investigation of a crime which affects a common interest covered by a Union policy, without the requirement of a cross-border dimension of the crime concerned. [Article 6(1)]
Supporting Member States in informing the public about individuals wanted under national law in relation to a criminal offence in respect of which Europol is competent, by way of the Europol website on Europe’s most wanted fugitives. [Article 18(f)]
Clarifying that Member States may make the result of operational and forensic analysis provided by Europol available to their relevant authorities, including prosecutors and criminal courts, throughout the whole lifecycle of criminal proceedings, in accordance with the applicable use restrictions and national criminal procedural law. [Article 20(3)]
Clarifying that Europol staff may give evidence, which came to their knowledge in the performance of their duties or the exercise of their activities, in criminal proceedings in the Member States. [Article 20(5)]