Today (Wednesday 24 June) the European Commission announced a new reform proposal for Europol – the EU’s policing agency – expanding Europol’s operational powers and weakening key data protection safeguards to the tune of €3 billion.
This is the 3rd Europol reform in six years changing Europol’s mandate to increase its powers and budget. This puts the European Commission increasingly at odds with the boundaries set in the EU treaties, which provide only for Europol to remain in a supportive role to Member States’ police authorities and competent solely for serious forms of criminality.
The Commission’s proposal claims that “interference with the rights to privacy and protection of personal data… remains both necessary and proportionate,” however under the proposed changes, anyone could have their personal data stored and processed by this obscure EU police cooperation agency.
Despite acknowledging the most recent Europol reform in 2022 already massively expanded the agency’s mandate, the proposal charges ahead with significant deregulatory measures to further weaken data protection laws and expand operational powers:
- Increasing Europol’s data collection and analysis powers:
- The new mandate introduces an automatic and systematic upload of information exchanged and managed by national police forces to Europol’s databases. It will surely increase the number of people whose personal data is unlawfully accessed by Europol.
- The proposal legalises several of Europol’s unregulated IT systems by establishing a “Europol Analytical Environment”, a “Europol cloud infrastructure”, and hosting a “Police Shared Data Space”. These systems give Member States’ authorities, other EU agencies, and third countries access to Europol’s tools and digital environments for joint data analysis “and other operational and analytical capabilities”.
- Weakening key data protection safeguards presented as modernisation rather than deregulation:
- The new mandate fundamentally undermines data categorisation obligations, allowing Europol to process personal data indiscriminately regardless of whose data it is – including data from people with no link to crime. An exceptional measure under the 2022 revision, such circumventions from Europol’s own data protection rules are now normalised.
- The text mainstreams the use of biometric data to identify and surveil people on Europol’s analytical platform by lowering the threshold for processing such sensitive data in a striking contradiction with the Court of Justice of the EU’s case law.
- Weakening oversight mechanisms:
- Europol can proceed with sensitive data processing operations without prior approval by its data protection watchdog, the European Data Protection Supervisor (EDPS), if Europol deems it “urgent and necessary”, or the EDPS fails to provide their opinion within two months.
- The EDPS is no longer involved when Europol deviates from its own legal framework as oversight powers are transferred to the Data Protection Officer, an internal Europol unit lacking independence and powers.
The far-reaching changes are taking place in the context of an agency which has been repeatedly found guilty of rights violations and illegal data practices.
Just last year, the Commission pushed through a Europol reform that expanded mass surveillance under the guise of “fighting migrant smuggling”, eroding democratic oversight and data sharing safeguards. More than 120 organisations from across Europe had called on MEPs to reject the proposal in its entirety, arguing it is “unlawful, unsafe, and unsubstantiated.”
This proposal continues to reward a police agency known for fundamental rights violations, and further contributes to the EU’s criminalisation logic and increased militarisation of society while diverting funds away from social needs.
Chloé Berthélémy, Senior Policy Advisor, European Digital Rights
“The Commission is once again rewarding Europol’s misconduct by doubling its budget and normalising its unlawful data practices. The new mandate grants the rogue agency all its wildest wishes and continues its transformation into a data black hole – swallowing our fundamental rights, and undermining justice, safety and accountability.”
Sarah Chander, Director, Equinox Initiative for Racial Justice
“The European Commission continues to prioritise criminalisation over care by investing in surveillance and weakening fundamental privacy rights instead of funding welfare services and protection. The €3 billion allocated to Europol – an agency known for treating climate activists as criminal threats – will be used for repression of political opposition rather than serious crime.”
Caterina Rodelli, EU Policy Analyst, Access Now
“The new Europol Regulation is the perfect manifestation of the EU deregulation and militarisation agendas. In the race to innovation and war, the EU Commission is selling our fundamental rights to the highest bidder – in this case surveillance companies such as Palantir or cloud infrastructure providers like Amazon – and is investing on Europol to bring the EU digital police state to new dystopian frontiers.”