EU’s data protection authority brings Europol mandate to court

The European Data Protection Supervisor (EDPS) filed a legal action last week, made public on Thursday (22 September), against the EU co-legislators that have recently adopted a bolstered mandate for the law enforcement agency Europol.

For the EDPS, the privacy watchdog in charge of EU bodies, the provisions that the institutions have adopted call into question the rule of law at the EU level and threaten the very independence of the supervisory authority.

The measures that the Supervisor is bringing before the EU Court of Justice are related to the fact that the new mandate retroactively legalises Europol’s data retention practices. As a result, the mandate has annulled the decision of the EU data protection authority that ordered the law enforcement agency to delete datasets for which it had no jurisdiction at the time.

For the European Data Protection Supervisor Wojciech Wiewiórowski, the reasons for the lawsuit are twofold.

“Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement where the processing of personal data implies severe risks for data subjects,” Wiewiórowski said.

“Secondly, to make sure that the EU legislator cannot unduly ‘move the goalposts’ in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority’s enforcement powers requires legal certainty of the rules being enforced.”

The Europol saga dates back to 2019, when the executive director of the law enforcement agency, Catherine De Bolle, asked the EDPS for advice on the compliance of its data processing practices, as Europol was receiving increasing amounts of bulk data from the member states.

The issue was that Europol became specialised in supporting cross-border investigations by crunching Big Data, which was no longer related to people with a proven connection to criminal activities.

In September 2020, the EDPS concluded in an admonishment that Europol was overstepping its mandate. In particular, the agency’s new activities went against the principle of data minimisation, in its processing of bulk data, and storage limitations, as it set itself no limit for the retention of data.

In December 2020, the Commission presented a proposal to review and expand Europol’s mandate as part of a broader counter-terrorism package. For the EU executive, the agency’s new expertise in data crunching is an indispensable tool to fight crime in a digitalised world.

By contrast, critics pointed out that the Commission was legitimising illegal data processing activities, setting a dangerous precedent for law enforcement agencies to continuously test how far they could go in their surveillance activities.

The new mandate was agreed upon in February, providing much more latitude to Europol. For instance, the mandate sets no limits to the transferring of large data sets to the agency, including from countries that do not have a clean record on fundamental powers.

At the same time, the EDPS’ role was downsized. In particular, the data protection authority would only be informed about new operational data processing at the end of investigations, which might take years to conclude.

In the original proposal from the Commission, the Supervisor was meant to decide whether the new datasets were in line with the principle of proportionality and fundamental rights. The adopted text leaves the decision to Europol, whereas the EDPS is just informed about the data transfer.

However, what crossed the line for Wiewiórowski was the fact that the mandate de facto annulled the decision that the authority took when concluding its probe. In January 2022, the EDPS ordered Europol to, within a year, delete all data that is not criminally relevant.

As a result, the mandate enables Europol to continue processing the data already in its possession. Moreover, the deadline for assessing whether newly received data are linked to criminal activities has been extended from the six months of the EDPS’ order to three years.

These provisions establish a concerning precedent for the Supervisor as the co-legislators, the EU Council and Parliament, have overridden a supervisory authority based on their political will. Therefore, there is a risk that, in future, data protection authorities might become compelled by undue political pressure, undermining their independence.

The action for annulment will now land on the EU Court of Justice’s desk. The European Commission did not reply to EURACTIV’s request for comment by the time of publication.

[Edited by Nathalie Weatherald]

Source: Euractiv.com
