New Europol rules expanded the powers of the EU law enforcement agency while reducing human rights protections and oversight over its data processing operations, according to a report by Statewatch.
Enforcement of the rules started in June.
Europol processes data exchange between EU members and other entities. Therefore, the new rules increase the powers of all law enforcement agencies that work with Europol.
The new rules allow Europol to process “investigative data” that could cover anyone anywhere as long as it is related to a “specific criminal investigation.” The agency is, therefore, allowed to process large quantities of data transferred to its member states on individuals who might be innocent and with no links to crime, and as a result, legalizes an activity Europol was reprimanded for by the European Data Protection Supervisor (EDPS).
The new rules also allow Europol to launch “research and innovation” projects, which will focus on the use of machine learning, artificial intelligence, and big data to process sensitive data like ethnicity and genetic information.
Data obtained from non-EU countries can now be used for “information alerts” in the Schengen Information System database.
Biometric data obtained from non-EU countries can be provided to national police forces in the EU. That risks data from non-EU countries illegally or in violation of human rights to be “laundered” through European police forces, and then used to harass activists and dissidents.
The report also notes that the new rules loosen limitations on international data transfers. A legal agreement is not required to authorize the transfer of personal data to international organizations and non-EU countries. The priority countries for international cooperation include Morocco, Turkey, Egypt, and Algeria, which are either a dictatorship or have authoritarian regimes.
Independent and external oversight for data processing has also been reduced. The requirements for referring new data processing operations to the EDPS have been increased. Additionally, even if the new data processing meets the threshold for reference to the EDPS, when Europol decides the data processing is “urgent and necessary to [prevent and combat an immediate threat,” it can start the data processing without a green light from the EDPS.
The law enforcement agency is required to have a Fundamental Rights Officer (FRO). But the independence of the role is compromised because the FRO will be appointed by Europol’s Management Board, proposed by the Executive Director, and “shall report directly to the Executive Director.”
“With the new rules agreed in June, the EU has decided to reinforce that model, encouraging Europol and the member states to hoover up vast quantities of data, develop artificial intelligence technologies to examine it, and increase cooperation with states with appalling human rights records,” said Statewatch’s Director Chris Jones.