8.2.2014   

EN

Official Journal of the European Union

C 38/3

1.

On 27 March 2013, the Commission adopted the proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA (‘the Proposal’). The Proposal was sent by the Commission to the EDPS for consultation on the same day and received on 4 April 2013.

2.

Before the adoption of the Proposal, the EDPS was given the opportunity to provide informal comments. The EDPS welcomes the fact that many of these comments have been taken into account.

3.

The EDPS welcomes the fact that he has been consulted by the Commission and that a reference to the consultation is included in the preambles of the Proposal.

4.

The EDPS was also consulted on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions establishing a European law Enforcement Training Scheme, adopted in parallel with the Proposal (1). However, he will refrain from issuing a separate reaction on this communication, since he has only very limited comments which are included in part IV of this opinion.

5.

The Proposal is based on Articles 88 and Article 87 (2) (b) of the Treaty on the Functioning of the European Union (TFEU) and has the following aims (2):

The EDPS emphasises that the Proposal is of great importance from the perspective of processing of personal data. The processing of information, including personal data, is a principal reason for the existence of Europol. In the current state of EU development, operational police work remains a competence of the Member States. However, this task has an increasingly cross border nature, and the EU level provides support by providing, exchanging and examining information.

6.

This Opinion will focus on the most relevant changes of the legal framework for Europol from the perspective of data protection. It will first analyse the legal context, its development and the consequences for Europol. It will then elaborate on the main changes, which are:

7.

Subsequently, the Opinion will discuss a number of specific provisions of the Proposal, with an emphasis on Chapter VII thereof (Articles 34-48) on data protection safeguards.

167.

The EDPS emphasises that the Proposal is of great importance from the perspective of processing of personal data. The processing of information, including personal data, is a principal reason for the existence of Europol, and the Proposal already contains strong data protection. This detailed opinion has therefore been adopted with the aim of further strengthening the Proposal.

168.

The EDPS notes that the present Europol Decision provides for a robust data protection regime and considers that this level should not be lowered, independently of the discussions on the proposed data protection Directive. This should be specified in the recital.

169.

The EDPS welcomes the fact that the Proposal aligns Europol with the requirements of Article 88 (2) TFEU, which will ensure that that the activities of Europol will benefit from the full involvement of all the EU institutions concerned.

170.

The EDPS welcomes Article 48 of the Proposal that provides that Regulation (EC) No 45/2001, including the provisions on supervision, is fully applicable to staff and administrative data. However, he regrets that the Commission has not chosen to apply Regulation (EC) No 45/2001 to Europol's core business and to limit the Proposal to additional special rules and derogations which duly take account of the specificities of the law enforcement sector. However, he notes that Recital 32 of the proposal explicitly mentions that data protection rules at Europol should be strengthened and draw on the principles underpinning Regulation (EC) No 45/2001. These principles are also an important reference point for the present opinion.

171.

The EDPS recommends specifying in the recitals of the Proposal that the new data protection framework of the EU institutions and bodies will be applicable to Europol as soon as it is adopted. In addition, the application of the data protection regime for EU institutions and bodies to Europol should be clarified within the instrument replacing Regulation (EC) No 45/2001, as first announced in 2010, in the context of the review of the data protection package. At the latest from the moment of the adoption of the new general framework, the main new elements of the data protection reform (i.e. accountability principle, data protection impact assessment, privacy by design and by default and notification of personal data breach) should also be applied to Europol. This should also be mentioned in the recitals.

172.

The EDPS understands the need for flexibility in connection with the changing context, as well as in light of the growing roles of Europol. The existing information architecture is not necessarily the benchmark for the future. It is at the discretion of the EU legislator to determine the information structure of Europol. In his role of advisor to the EU legislator the EDPS focuses on the question to what extent the choice of the legislators is constrained by the principles of data protection.

173.

In relation to Article 24 of the Proposal, he:

174.

Article 45 of the Proposal recognises that supervision of the processing operations foreseen in the Proposal is a task that also requires the active involvement of national data protection authorities (3). Cooperation between the EDPS and national supervisory authorities is crucial for effective supervision in this area.

175.

The EDPS welcomes Article 45 of the Proposal. This states that data processing by the national authorities is subject to national supervision, and thus reflects the key role of national supervisory authorities. He also welcomes the requirement that the national supervisory authorities should keep the EDPS informed on any actions they take with respect to Europol

176.

The EDPS welcomes:

177.

The EDPS suggests inserting a sentence in Article 26(1) of the Proposal stating that the competent authorities of the Member States shall access and search information on a need-to-know basis and to the extent necessary for the legitimate performance of their tasks. Article 26(2) should be amended and aligned with Article 27(2).

178.

The EDPS welcomes that, in principle, transfer to third countries and international organisations can only take place on the basis of adequacy or a binding agreement providing adequate safeguards. A binding agreement will ensure legal certainty as well as full accountability of Europol for the transfer. A binding agreement should always be needed for massive, structural and repetitive transfers. However, he understands that there are situations in which a binding agreement can not be required. Those situations should be exceptional, should be based on real necessity and only allowed for limited cases, and strong safeguards — substantial as well as procedural — are needed.

179.

The EDPS strongly recommends deleting the possibility for Europol to assume Member States' consent. The EDPS also advises adding that consent should be given ‘prior to the transfer’, in the second sentence of Article 29(4). The EDPS also recommends adding in Article 29 a paragraph stating that Europol shall keep detailed records of the transfers of personal data.

180.

The EDPS recommends adding to the Proposal a transitional clause regarding existing cooperation agreements regulating personal data transfers by Europol. This clause should provide for the review of these agreements within a reasonable deadline in order to align them with the requirements of the Proposal. This clause should be included in the substantive provisions of the Proposal and contain a deadline of no longer than two years after the entry into force of the Proposal

181.

For the sake of transparency, the EDPS also recommends adding at the end of Article 31(1) that Europol shall make publicly available the list of its international and cooperation agreements with third countries and international organisations, by posting this list, regularly updated, on its website.

182.

The EDPS recommends adding expressly in Article 31(2) that derogations may not be applicable to frequent, massive or structural transfers, in other words for sets of transfers (and not just for occasional transfers).

183.

The EDPS recommends providing a specific paragraph dedicated to transfers with the EDPS' authorisation. This paragraph, that logically would come before the paragraph on derogations would provide that EDPS may authorise a transfer or a set of transfers where Europol adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, and as regards the exercises of the corresponding rights. In addition, this authorisation would be granted prior to the transfer/set of transfers, for a period not exceeding one year, renewable.

184.

The opinion includes a large number of other recommendations, aiming at further improving the proposal. Here, some more significant recommendations are listed.