Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 52021XX0628(02)

Summary of the Opinion of the European Data Protection Supervisor on the Recommendation for a Council decision authorising the opening of negotiations for a cooperation agreement between the EU and Interpol (The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu) 2021/C 251/06

OJ C 251, 28.6.2021, p. 7–10 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

28.6.2021   

EN

Official Journal of the European Union

C 251/7

Summary of the Opinion of the European Data Protection Supervisor on the Recommendation for a Council decision authorising the opening of negotiations for a cooperation agreement between the EU and Interpol

(The full text of this Opinion can be found in English, French and German on the EDPS website www.edps.europa.eu)

(2021/C 251/06)

On 14 April 2021, the Commission adopted a Recommendation for a Council Decision authorising the opening of negotiations for a cooperation agreement between the EU and the International Criminal Police Organization (Interpol).

Despite existing cooperation with Interpol, the Commission identified areas where cooperation could and should be stepped up, or even set up in new areas, to address a series of indispensable operational needs and to implement existing legal acts, with the aim of better supporting Member States in preventing and combating terrorism and organised crime. These operational needs require concluding a cooperation agreement with Interpol.

The EDPS wishes to highlight that the objective of supporting the (current and future) cooperation between the EU and Interpol across a wide range of activities in a single legal instrument renders the envisaged agreement highly heterogeneous in nature. He therefore underlines the need for an in-depth impact assessment and that the approach should not lead to a weakening of the fundamental rights and freedoms of natural persons, in particular of their rights to data protection and to privacy.

The EU data protection law regime provides, in principle, that data transfers to an international organisation can take place without additional requirements only when that international organisation ensures an adequate level of protection. When the international organisation has not been declared as adequate, exceptions apply for specific transfers, as long as appropriate safeguards are adduced. Therefore, the EDPS also makes three main recommendations to ensure that the envisaged agreement is capable of adducing appropriate safeguards:

It should be made clear in the negotiating directives that it is necessary to ensure that the envisaged agreement generally complies with the Charter, with the relevant horizontal data protection legislation (Regulation (EU) 2018/1725, Regulation (EU) 2016/679 and Directive (EU) 2016/680 and with the specific data protection requirements and safeguards in the basic acts establishing the EU agencies or IT systems.

The future agreement should explicitly clarify that there will be no reciprocal direct or indirect access by Interpol to the EU databases.

In the context of onward transfers, it should be explicitly laid down that personal data transferred by the EU to Interpol will not be used to request, hand down or execute a death penalty or any form of cruel and inhuman treatment.

Finally, the EDPS recommends that the citations in the preamble of the Recommendation not only refer to the appropriate procedural legal basis but also to the relevant substantive legal basis, among which Article 16 TFEU considering the subject matter of the future agreement.

The EDPS also remains available to provide further advice during the negotiations and the formal consultation which has to take place on the proposal to Council for the signature and conclusion of the agreement pursuant to Article 218 TFEU, as per Article 42(1) Regulation (EU) 2018/1725.

1.   INTRODUCTION AND BACKGROUND

1.

 The International Criminal Police Organisation (Interpol) (1) is the largest global criminal police inter-governmental organisation, with 194 member countries. The EU and Interpol already have long-standing and deep cooperation in a range of law enforcement-related areas. Interpol is a key partner for the EU in the field of internal and external security, including countering terrorism and organised crime, as well as in integrated border management.

2.

 The 2020 EU Security Union strategy (2) calls on the Member States to step up cooperation between the EU and Interpol, as essential to enhance cooperation and information exchange. The strategy recognises that Interpol has an important role to play in this respect. In addition to the existing cooperation with Interpol, areas where cooperation could be stepped up or even set up to address a series of operational needs, and to implement existing legal acts, have been identified, with the aim of better supporting Member States in preventing and combating terrorism and organised crime.

3.

 Therefore, on 14 April 2021, the Commission adopted a Recommendation for a Council Decision authorising the opening of negotiations for a cooperation agreement between the EU and Interpol (3) (hereinafter, the ‘Recommendation’).

4.

 According to the explanatory memorandum (4), the envisaged EU-Interpol cooperation agreement would pursue the following aims:

Regulate cooperation between European Union Agency for Law Enforcement Cooperation (Europol) (5) and Interpol, taking into account the latest developments in combating terrorism, cross-border and transnational serious, organised crime, the current operational needs, Europol’s mandate, and the EU’s latest data protection regime.

Provide the safeguards and guarantees needed to give controlled access to Interpol’s Stolen and Lost Travel Document (SLTD) and Travel Document Associated With Notices (TDAWN) databases via the European Search Portal (ESP), by EU Member States and EU agencies, as necessary to carry out their tasks, in line with their access rights, with EU or national law covering such access and in full compliance with EU data protection requirements and with fundamental rights (6).

Provide the necessary safeguards and guarantees to enable EU Member States and Frontex (7) (its European Travel Information and Authorisation System Central Unit (‛ETIAS’)) to access Interpol databases via the ESP in compliance with EU data protection requirements and with fundamental rights.

Provide the necessary safeguards and guarantees to implement a revised Visa Information System Regulation (8) enabling EU Member States to access SLTD and TDAWN databases through the ESP when examining applications for visas or residence permits, in full compliance with EU data protection requirements and with fundamental rights.

Set up and regulate cooperation between the European Public Prosecutor’s Office (‘the EPPO’), as established by Regulation (EU) 2017/1939 (‘the EPPO Regulation’) (9) and Interpol, in line with their mandates, and in full compliance with EU data protection requirements and with fundamental rights.

Provide the legal basis to authorise Europol, Frontex category 1 staff (statutory staff of the standing corps (10)) and EPPO to access relevant Interpol databases to carry out their tasks, in full compliance with EU data protection requirements and with fundamental rights.

Provide the legal basis to authorise Eurojust (11) and EPPO to exchange operational information with Interpol, in full compliance with EU data protection requirements and with fundamental rights.

5.

 Pursuant to Article 42(1) of Regulation (EU) 2018/1725, the Commission has to consult the EDPS following the adoption of a recommendation to the Council pursuant to Article 218 TFEU, where there is an impact on the protection of individuals’ rights and freedoms with regard to the processing of personal data. The EDPS was also consulted informally during the process of preparation of the recommendation, and communicated his informal comments in August 2020. He welcomes the fact that his views have been sought (and implemented to some extent) at an early stage of the procedure and encourages the Commission to continue with this good practice.

6.

 The EDPS was formally consulted by the Commission on 14 April 2021 and expects that a reference to this Opinion will be included in the preamble of the Council Decision. The present Opinion is without prejudice to any future additional comments or recommendations by the EDPS, in particular if further issues are identified or new information becomes available and of the formal consultation which has to take place on the proposals to Council for the signature and conclusion of the agreement pursuant to Article 218 TFEU, as per Article 42(1) Regulation (EU) 2018/1725. In this regard, the EDPS welcomes Recital 19 of the Recommendation according to which the Commission should consult him during the negotiation of the agreement or, in any event, before the agreement is concluded. Furthermore, this Opinion is without prejudice to any future action that may be taken by the EDPS in the exercise of his powers pursuant to Article 58 of Regulation (EU) 2018/1725.

5.   CONCLUSIONS

43.

 The EDPS welcomes that the agreement should fully respect the fundamental rights and observe the principles recognised by the Charter, in particular the right to a private and family life, enshrined in Article 7 of the Charter, the right to the protection of personal data, enshrined in Article 8 of the Charter and the right to effective remedy and fair trial enshrined by Article 47 of the Charter.

44.

 However, it should be made clear in the mandate that the agreement should include the following three levels of compliance:

generally with the Charter;

with the relevant horizontal data protection legislation: Regulation (EU) 2018/1725, Directive (EU) 2016/680 and Regulation (EU) 2016/679;

with the specific data protection requirements and safeguards in the basic acts establishing the EU agencies or IT systems.

45.

 Also, the objective of underpinning a significant amount of the (current and future) cooperation between the EU and Interpol in a single legal instrument renders the envisaged agreement highly heterogeneous in nature, encompassing a wide range of activities. The EDPS therefore underlines the need for an in-depth impact assessment and that the approach should not lead to a weakening of the fundamental rights and freedoms of natural persons, and in particular of their rights to data protection and to privacy.

46.

 In the absence of an adequacy decision concerning Interpol, the envisaged agreement could be a legal basis allowing the transfer of personal data to Interpol provided that it would be legally binding and enforceable against all parties to the agreement and that it would include appropriate data protection safeguards.

47.

 The EDPS considers that adducing appropriate safeguards implies that the international agreement concluded with Interpol should:

ensure safeguards introduced in existing EU legislation with regard to the transfer by the concerned EU agencies and bodies and the onward transfers of personal data are respected, including the specific provisions relating to the transfers of operational data by Europol and EPPO. In particular, in the context of onward transfers, it should be explicitly laid down that personal data transferred by the EU to Interpol will not be used to request, hand down or execute a death penalty or any form of cruel and inhuman treatment;

explicitly clarify that there will be no reciprocal direct or indirect access by Interpol to the EU databases;

spell out when and under what circumstances automated individual decisions are allowed (or not);

contain more details on the obligation of Interpol to notify in the event of a personal data breach;

contain more operational details on technical and organisational measures for the security of personal data should be provided.

48.

 Also, the EDPS recommends specifying in the mandate the possibility to suspend or terminate the agreement in cases of breaches of its provisions on personal data by one of the parties and that personal data falling within the scope of the agreement transferred prior to its suspension or termination may continue to be processed in accordance with the agreement.

49.

 Finally, the EDPS recommends that the citations in the preamble of the Recommendation not only refer to the appropriate procedural legal basis but also to the relevant substantive legal basis, among which Article 16 TFEU.

Brussels, 25 May 2021.

Wojciech Rafał WIEWIÓROWSKI

(1)  Constitution of the ICPO-Interpol [I/CONS/GA/1956 (2017)].

(2)  Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and social Committee and the Committee of the Regions on the EU Security Union Strategy, Brussels, 24 July 2020, COM(2020) 605 final.

(3)  COM(2021)177 final.

(4)  Page 8.

(5)  Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53) (‘the Europol Regulation’). According to the explanatory memorandum, there is already a cooperation agreement with Interpol that provides for the exchange of personal data, concluded in 2001, well before the Europol Regulation. However, this agreement does not give direct or indirect access by Europol to information and Interpol’s databases, in particular its Notices containing information on terrorists. In addition, the Agency only exchanges information with Interpol and accesses Interpol’s databases for the performance of the Agency’s tasks through Interpol’s Liaison Officer at Europol or the Agency’s Liaison Officer at Interpol. The agreement was supplemented later by several cooperation-related documents agreed or concluded between the organisations, for instance on cooperation through Liaison Officers and the establishment, implementation and operation of a secure communication line for the exchange of information.

(6)  Following the adoption of regulations on interoperability between EU information systems in the fields of borders and visa i.e. Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA (OJ L 135, 22.5.2019, p. 27) and Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85).

(7)  Frontex refers to the European Border and Coast Guard Agency. Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (OJ L 295, 14.11.2019, p. 1) (‘the Frontex Regulation ’).

(8)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60); proposal for a Regulation of the European Parliament and of the Council amending Regulation (EC) No 767/2008, Regulation (EC) No 810/2009, Regulation (EU) 2017/2226, Regulation (EU) 2016/399, Regulation XX/2018 [Interoperability Regulation], and Decision 2004/512/EC and repealing Council Decision 2008/633/JHA (COM/2018/302 final) and see political agreement: https://data.consilium.europa.eu/doc/document/ST-5537-2021-INIT/en/pdf

(9)  Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1) (‘the EPPO Regulation’).

(10)  According to Article 54 of the Frontex Regulation, the European Border and Coast Guard standing corps must be composed of four categories of operational staff. Category 1 includes statutory staff deployed as members of the teams in operational areas in accordance with Article 55 of this Regulation. The Agency must contribute members of its statutory staff (category 1) to the standing corps to be deployed in operational areas as members of the teams with the tasks and powers provided for in Article 82 of this Regulation. Their tasks include countering cross-border crime and terrorism.

(11)  Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138) (‘the Eurojust Regulation’).

Top