8.2.2014   

EN

Official Journal of the European Union

C 38/3


Executive Summary of the Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA

(The full text of this Opinion can be found in English, French and German on the EDPS website: http://www.edps.europa.eu)

(2014/C 38/03)

I.   Introduction

I.1.   Context of the opinion

1.

On 27 March 2013, the Commission adopted the proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA (‘the Proposal’). The Proposal was sent by the Commission to the EDPS for consultation on the same day and received on 4 April 2013.

2.

Before the adoption of the Proposal, the EDPS was given the opportunity to provide informal comments. The EDPS welcomes the fact that many of these comments have been taken into account.

3.

The EDPS welcomes the fact that he has been consulted by the Commission and that a reference to the consultation is included in the preambles of the Proposal.

4.

The EDPS was also consulted on the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions establishing a European law Enforcement Training Scheme, adopted in parallel with the Proposal (1). However, he will refrain from issuing a separate reaction on this communication, since he has only very limited comments which are included in part IV of this opinion.

I.2.   Aim of the Proposal

5.

The Proposal is based on Article 88 and Article 87(2)(b) of the Treaty on the Functioning of the European Union (TFEU) and has the following aims (2):

align Europol with the requirements of the Lisbon Treaty, by adopting a legal framework under the ordinary legislative procedure;

meet the goals of the Stockholm Programme by making Europol a hub for information exchange between the law enforcement authorities of the Member States and establishing European training schemes and exchange programmes for all relevant law enforcement professionals;

grant Europol new responsibilities, by taking over the tasks of CEPOL and giving a legal basis for the EU cybercrime centre;

ensure a robust data protection regime, in particular by strengthening the supervision structure;

improve the governance of Europol by seeking increased efficiency and aligning it with the principles laid down in the Common approach on EU decentralised agencies.

The EDPS emphasises that the Proposal is of great importance from the perspective of processing of personal data. The processing of information, including personal data, is a principal reason for the existence of Europol. In the current state of EU development, operational police work remains a competence of the Member States. However, this task has an increasingly cross border nature, and the EU level provides support by providing, exchanging and examining information.

I.3.   Aim of the Opinion

6.

This Opinion will focus on the most relevant changes of the legal framework for Europol from the perspective of data protection. It will first analyse the legal context, its development and the consequences for Europol. It will then elaborate on the main changes, which are:

The new information structure for Europol, which implies a merger of the different databases, and its consequences for the principle of purpose limitation.

The strengthening of data protection supervision.

Transfer and exchange of personal data and other information, with a focus on the exchange of personal data with third countries.

7.

Subsequently, the Opinion will discuss a number of specific provisions of the Proposal, with an emphasis on Chapter VII thereof (Articles 34-48) on data protection safeguards.

V.   Conclusions

General

167.

The EDPS emphasises that the Proposal is of great importance from the perspective of processing of personal data. The processing of information, including personal data, is a principal reason for the existence of Europol, and the Proposal already contains strong data protection. This detailed opinion has therefore been adopted with the aim of further strengthening the Proposal.

168.

The EDPS notes that the present Europol Decision provides for a robust data protection regime and considers that this level should not be lowered, independently of the discussions on the proposed data protection Directive. This should be specified in the recital.

169.

The EDPS welcomes the fact that the Proposal aligns Europol with the requirements of Article 88(2) TFEU, which will ensure that the activities of Europol will benefit from the full involvement of all the EU institutions concerned.

170.

The EDPS welcomes Article 48 of the Proposal that provides that Regulation (EC) No 45/2001, including the provisions on supervision, is fully applicable to staff and administrative data. However, he regrets that the Commission has not chosen to apply Regulation (EC) No 45/2001 to Europol's core business and to limit the Proposal to additional special rules and derogations which duly take account of the specificities of the law enforcement sector. However, he notes that Recital 32 of the proposal explicitly mentions that data protection rules at Europol should be strengthened and draw on the principles underpinning Regulation (EC) No 45/2001. These principles are also an important reference point for the present opinion.

171.

The EDPS recommends specifying in the recitals of the Proposal that the new data protection framework of the EU institutions and bodies will be applicable to Europol as soon as it is adopted. In addition, the application of the data protection regime for EU institutions and bodies to Europol should be clarified within the instrument replacing Regulation (EC) No 45/2001, as first announced in 2010, in the context of the review of the data protection package. At the latest from the moment of the adoption of the new general framework, the main new elements of the data protection reform (i.e. accountability principle, data protection impact assessment, privacy by design and by default and notification of personal data breach) should also be applied to Europol. This should also be mentioned in the recitals.

New Europol information structure

172.

The EDPS understands the need for flexibility in connection with the changing context, as well as in light of the growing roles of Europol. The existing information architecture is not necessarily the benchmark for the future. It is at the discretion of the EU legislator to determine the information structure of Europol. In his role of advisor to the EU legislator the EDPS focuses on the question to what extent the choice of the legislators is constrained by the principles of data protection.

173.

In relation to Article 24 of the Proposal, he:

recommends defining the notions of strategic, thematic and operational analysis in the Proposal and deleting the possibility to process personal data for strategic or thematic analysis, unless a sound justification is given.

recommends, concerning Article 24(1)(c), clearly defining a specific purpose for each operational analysis case and requiring that only relevant personal data shall be processed according to the defined specific purpose.

recommends adding in the Proposal the following elements: (i) all cross-matching operations by Europol analysts shall be specifically motivated, (ii) retrieval of data following a consultation shall be limited to the strict minimum required and specifically motivated, (iii) traceability of all operations related to the cross-matches shall be ensured and (iv) only authorised staff in charge of the purpose for which the data were initially collected may modify that data. This would be in line with the current practice within Europol.

Strengthening data protection supervision

174.

Article 45 of the Proposal recognises that supervision of the processing operations foreseen in the Proposal is a task that also requires the active involvement of national data protection authorities (3). Cooperation between the EDPS and national supervisory authorities is crucial for effective supervision in this area.

175.

The EDPS welcomes Article 45 of the Proposal. This states that data processing by the national authorities is subject to national supervision, and thus reflects the key role of national supervisory authorities. He also welcomes the requirement that the national supervisory authorities should keep the EDPS informed on any actions they take with respect to Europol.

176.

The EDPS welcomes:

the provisions on supervision that provide a strong architecture for supervision on data processing. Account is taken of the responsibilities at national level and at EU level, and a system is laid down for coordination between all involved data protection authorities

the recognition in the Proposal of the EDPS’ role as the authority established to supervise all the EU institutions and bodies.

Article 47 on cooperation and coordination with the national supervisory authorities, but suggests clarifying that the cooperation envisaged includes both bilateral and collective cooperation. A recital should further emphasise the importance of cooperation between the different supervisory authorities and provide examples of how such cooperation could be best enhanced.

Transfer

177.

The EDPS suggests inserting a sentence in Article 26(1) of the Proposal stating that the competent authorities of the Member States shall access and search information on a need-to-know basis and to the extent necessary for the legitimate performance of their tasks. Article 26(2) should be amended and aligned with Article 27(2).

178.

The EDPS welcomes that, in principle, transfer to third countries and international organisations can only take place on the basis of adequacy or a binding agreement providing adequate safeguards. A binding agreement will ensure legal certainty as well as full accountability of Europol for the transfer. A binding agreement should always be needed for massive, structural and repetitive transfers. However, he understands that there are situations in which a binding agreement cannot be required. Those situations should be exceptional, should be based on real necessity and only allowed for limited cases, and strong safeguards — substantial as well as procedural — are needed.

179.

The EDPS strongly recommends deleting the possibility for Europol to assume Member States' consent. The EDPS also advises adding that consent should be given ‘prior to the transfer’, in the second sentence of Article 29(4). The EDPS also recommends adding in Article 29 a paragraph stating that Europol shall keep detailed records of the transfers of personal data.

180.

The EDPS recommends adding to the Proposal a transitional clause regarding existing cooperation agreements regulating personal data transfers by Europol. This clause should provide for the review of these agreements within a reasonable deadline in order to align them with the requirements of the Proposal. This clause should be included in the substantive provisions of the Proposal and contain a deadline of no longer than two years after the entry into force of the Proposal.

181.

For the sake of transparency, the EDPS also recommends adding at the end of Article 31(1) that Europol shall make publicly available the list of its international and cooperation agreements with third countries and international organisations, by posting this list, regularly updated, on its website.

182.

The EDPS recommends adding expressly in Article 31(2) that derogations may not be applicable to frequent, massive or structural transfers, in other words for sets of transfers (and not just for occasional transfers).

183.

The EDPS recommends providing a specific paragraph dedicated to transfers with the EDPS' authorisation. This paragraph, which logically would come before the paragraph on derogations, would provide that the EDPS may authorise a transfer or a set of transfers where Europol adduces adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals, and as regards the exercise of the corresponding rights. In addition, this authorisation would be granted prior to the transfer/set of transfers, for a period not exceeding one year, renewable.

Other

184.

The opinion includes a large number of other recommendations, aiming at further improving the proposal. Here, some more significant recommendations are listed.

(a)

Deleting the possibility for Europol to directly access national databases (Article 23).

(b)

Where access concerns EU information systems, granting access only on a hit/no hit basis (i.e. a positive or a negative answer). Any information related to the hit should be communicated to Europol after the explicit approval and authorization of transfer by the Member State (if the access concerns data supplied by a Member State), the EU body or the international organisation and be subject to the assessment referred to in Article 35 of the Proposal. The EDPS recommends laying down these conditions in Article 23 of the Proposal.

(c)

Strengthening Article 35 of the Proposal by making the assessment by the Member State providing the information mandatory. The EDPS suggests deleting in Article 35 (1) and (2) the wording ‘as far as possible’ and amending Article 36(4) accordingly.

(d)

Replacing the overview of all personal data referred to in Article 36(2) by statistics on these data for each purpose. As the specific categories of data subjects referred to in Article 36(1) also deserve specific attention, the EDPS suggests including statistics on these data.

(e)

Including in the Proposal a provision that Europol must have a transparent and easily accessible policy with regard to the processing of personal data and for the exercise of the data subjects' rights, in an intelligible form, using clear and plain language. The provision should also state that this policy should be easily available on Europol's website, as well as on the websites of the national supervisory authorities.

(f)

Since Article 41 does not clearly define the responsibility of all parties involved, it should, with regard to Article 41(4), be made clear that the responsibility for compliance with all applicable data protection principles (and not only the ‘legality of the transfer’) lies with the sender of the data. The EDPS recommends amending Article 41 accordingly.

(g)

Adding in substantive provision(s) of the Proposal that: (i) an impact assessment similar to what is described in the proposed data protection Regulation shall be carried out for all processing operations on personal data, (ii) the principle of privacy by design and by default shall be applied for the creation of or improvement to systems processing personal data, (iii) the controller shall adopt policies and implement appropriate measures to ensure and be able to demonstrate compliance with the data protection rules, and to ensure that the effectiveness of the measures is verified, and (iv) the Europol DPO and, where necessary, the supervisory authorities, shall be included in the discussions surrounding the processing of personal data.

He also made a few suggestions in relation to the Communication that was adopted in parallel to the proposal.

Done at Brussels, 31 May 2013.

Peter HUSTINX

European Data Protection Supervisor


(1)  COM(2013) 172 final.

(2)  Explanatory Memorandum, part 3.

(3)  See also Resolution 4 of the Spring Conference of European Data Protection Authorities (Lisbon 16-17 May 2013).