The European Data Protection Supervisor (EDPS) published today his Opinion on the proposed amendments to the Europol Regulation which aim, in part, to broaden the scope of Europol’s mandate in response to changes in the security landscape and increasingly complex threats. The Opinion assesses the necessity and proportionality of these proposed amendments, taking into account the importance of aligning the data protection rules for Europol with the data protection rules for other European institutions, bodies and agencies (EUIs), under Regulation (EU) 2018/1725.
In particular, the proposed exemptions related to the processing of large and complex datasets require further safeguards, so that the exemptions do not become the rule in practice. Effective protection of personal data requires the situations and conditions in which Europol may rely on the proposed exemptions to be clearly defined in the Europol Regulation.
Wojciech Wiewiórowski, EDPS, said: “I am glad that the Commission acknowledges the problems previously raised by the EDPS in relation to the processing of large datasets. The approach taken by the Commission – providing for an exception from the general rules on processing operational personal data – is one of the solutions a lawmaker can indeed consider in this context. At the same time, it is important to add further clarifications and safeguards to ensure that the exemptions do not become the rule.”
The EDPS acknowledges the need for Europol to engage in research and innovation in order not to rely on external vendors’ tools and products. At the same time, the terms justifying the use of personal data for such purposes need to be more narrowly defined.
As the supervisory authority of Europol and other EUIs, the EDPS calls for a full alignment of its powers with Regulation (EU) 2018/1725. When it comes to the protection of individuals’ personal data, a stronger mandate of Europol must go hand in hand with oversight powers that are at least as strong and effective as for any other EUIs.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
About Europol: The European Union Agency for Law Enforcement Cooperation (Europol) was established by Regulation (EU) 2016/794 of the European Parliament and of the Council (the Europol Regulation) to support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious cross-border crime, terrorism and other criminal activities which affect the common interests of the Union.
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725 which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.
The EDPS opinions are published on our website, and later on, in the Official Journal of the EU, and officially transmitted to the European Parliament, the Council and the Commission.
The EDPS also has the power to issue opinions on any issue of relevance to the protection of personal data, addressed to the EU legislator or to the general public, in response to a consultation by another institution or on his own initiative.