6.11.2012   

EN

Official Journal of the European Union

C 336/7

1.

On 28 March 2012, the Commission adopted a Communication titled ‘Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre’ (1).

2.

The EDPS notes that the Council published its conclusions on the establishment of a European Cybercrime Centre on 7 and 8 June 2012 (2). The Council endorses the goals of the Communication, supports the establishment of the Centre (also referred to as ‘EC3’) within Europol and the use of the existing structures to cross-work with other crime areas, confirms that the EC3 should serve as a focal point in the fight against cybercrime, and that the EC3 will cooperate closely with relevant agencies and actors at international level, and calls the Commission in consultation with Europol to further elaborate the scope of the specific tasks that will be required to make the EC3 operational by 2013. However, the conclusions do not refer to the importance of fundamental rights, and in particular, to data protection in the establishment of the EC3.

3.

Before the adoption of the Commission Communication, the EDPS was given the possibility to provide informal comments on the draft communication. In its informal comments, the EDPS emphasised that data protection is an essential aspect to be taken into consideration in the set-up of the European Cybercrime Centre (hereafter ‘EC3’). Unfortunately, the Communication did not take into account the comments made at informal stage. Moreover, the Council conclusions ask to ensure that the Centre will be operational already by next year. This is why data protection should be taken into consideration in the next steps that will be taken already on a very short term.

4.

This Opinion addresses the importance of data protection when setting up the EC3, and provides specific suggestions that could be taken into consideration in the course of the set-up of the terms of reference for the EC3 and in the legislative revision of the Europol legal framework. Acting on his own initiative, the EDPS has therefore adopted the current Opinion based on Article 41(2) of Regulation (EC) No 45/2001.

5.

In its Communication, the Commission indicates the intention to create a European Cybercrime Centre as priority of the Internal Security Strategy (3).

6.

The Communication non-exhaustively lists several strands of cybercrime which the EC3 is supposed to focus on: cybercrimes committed by organised crime groups, particularly those generating large criminal profits such as online fraud, cybercrimes which cause serious harm to their victims, such as online child sexual exploitation, and cybercrimes seriously affecting critical information communication technology (ICT) systems in the Union.

7.

In terms of the Centre's work, the Communication lists four main tasks (4):

8.

The information processed by the EC3 will be gathered from the widest array of public, private and open sources, enriching available police data, and it would concern cybercrime activities, methods and suspects. The EC3 will also collaborate directly with other European agencies and bodies. This will happen via the participation of these entities in the EC3's Programme Board and also through operational cooperation where relevant.

9.

The Commission proposes that the EC3 would be the natural interface to Europol's cybercrime activities and other international police cybercrime units. The EC3 should also, in partnership with Interpol and other strategic partners around the globe, strive to improve coordinated responses in the fight against cybercrime.

10.

In practical terms, the Commission proposes to create this EC3 as part of Europol. The EC3 will be part of Europol  (5) and, therefore, it will be placed under the legal regime of Europol (6).

11.

According to the European Commission (7), the main novelties that the proposed EC3 will bring to Europol's current activities will be: (i) increased resources to more efficiently gather information from various sources; (ii) exchange of information with partners beyond the law enforcement community (mainly from the private sector).

12.

The EDPS seeks in this Opinion to:

13.

The Opinion is organised as follows: part 2.1 elaborates why data protection is an essential element in the creation of the EC3. Part 2.2 deals with the compatibility of the goals set for the EC3 in the Communication with Europol's legal mandate. Part 2.3 deals with the cooperation with private sector and international partners.

50.

The EDPS regards the fight against cybercrime as a cornerstone in building security and safety in the digital space and generating the required trust. The EDPS notes that compliance with data protection regimes should be regarded as an integral part of the fight against cybercrime and not as a deterrent of its effectiveness.

51.

The Communication refers to the establishment of a new European Cybercrime Centre within Europol while a Europol Cybercrime Centre has already been in existence for a number of years. The EDPS would welcome if more clarity is provided concerning the new capacities and the activities that will distinguish the new EC3 from the existing Europol Cybercrime Centre.

52.

The EDPS advises that the competences of the EC3 should be clearly defined and not just laid out by referring to the concept of ‘computer crime’ included in current Europol's legislation. Also, the definition of the competences and data protection safeguards of the EC3 should be part of the review of the Europol legislation. Until the new Europol legislation becomes applicable, the EDPS recommends that the Commission sets forth such competences and data protection safeguards in the terms of reference for the Centre. These could include:

53.

The EDPS considers that the exchanges of personal data of the EC3 with the widest array of public, private and open source actors imply specific data protection risks as they will often involve the processing of data collected for commercial purposes and international data transfers. These risks are addressed by the current Europol Decision which establishes that, in general, Europol should not exchange data directly with the private sector, and with specific international organisations only in very concrete circumstances.

54.

Against this background, and given the importance of these two activities for the EC3, the EDPS recommends that appropriate data protection safeguards should be provided in compliance with the existing provisions in the Europol Decision. These safeguards should be embedded in the terms of reference to be elaborated by the implementation team for the EC3 (and later in the revised Europol legal framework) and should in no event result in a lower level of data protection.