Abstract
This article explores the evolving legal framework governing Europol’s processing of non-data subject categorised (non-DSC) data, with a focus on the interplay between autonomy, discretion, accountability, responsibility and transparency. It analyses the progressive development of Europol’s frameworks under the 1995 Europol Convention, the 2009 Europol Council Decision, the 2016 Europol Regulation and the 2022 amending Regulation. The article demonstrates how Europol moved from a position of legal uncertainty and heavy reliance on Member States towards a more structured and centralised framework. Particular attention is given to the legal bases for non-DSC data processing, internal data management architectures and the agency’s evolving responsibilities. While formal legislative reforms only modestly increased Europol’s autonomy and discretion, the agency expanded its operational scope in practice, especially based on the increasing volumes of data Member States send to Europol. In response, accountability and transparency mechanisms were reinforced, especially the European Data Protection Supervisor and the Europol Data Protection Officer. The article concludes that Europol’s capacity to process non-DSC data has grown steadily, but this expansion has been accompanied by stricter legal safeguards and accountability, resulting in a calibrated balance between operational effectiveness and institutional accountability.
Introduction
As global data volumes continue to rise, national law enforcement authorities have increasingly shared large amounts of information with the European Law Enforcement Cooperation Agency (hereafter: Europol). To analyse these data, Europol employed its Computer Forensic Network (hereafter: CFN), a separate environment with less stringent data protection requirements, and 1 as of 2019, it contains approximately two petabytes of data. 2 This was disclosed to the European Data Protection Supervisor (hereafter: EDPS), 3 who in 2020 admonished Europol for processing substantial volumes of data without data subject categorisation (hereafter: DSC) – that is, the attribution of a label of a suspect, victim or other, to each data subject in Europol’s data processing environment. 4 Under the applicable legal framework, Europol was authorised to process only DSC data for cross-checking and analysis. In 2022, the EDPS ordered Europol to delete non-categorised data, that is, non-DSC data, after six months if categorisation had not been completed. However, before the first six-month period elapsed, the Union legislator adopted the 2022 amending Europol Regulation, effectively suspending the application of the 2022 EDPS Decision and establishing a framework for DSC. 5 Although this appeared novel, Europol has been engaging in DSC since 1998. 6
Given the volume of data involved, the absence of an explicit legal basis for performing DSC and the comparatively lenient data protection standards of the CFN, 7 Europol was subject to two critical EDPS decisions. 8 It was portrayed as operating beyond effective control 9 and unfavourably equated with the USA’s National Security Agency. 10 The concerns relate directly to the degree of accountability and transparency within Europol’s actions. As accountability and transparency are relevant only in contexts where autonomy and discretion are present, 11 this article examines the following research question: To what extent have Europol’s enhanced data analysis powers over large volumes of non-DSC data increased its autonomy and discretion vis-à-vis Member States and the Union legislator, and how have accountability and transparency mechanisms evolved in response? Europol’s autonomy vis-à-vis the Union legislator implies actions or decisions that engage with limitations inherent in the legal framework.
This desk-based research employed a snowball method 12 to collect relevant legislation, preparatory documents, decisions and internal documents from Europol and the EDPS. In addition, semi-structured qualitative interviews were conducted with carefully selected individuals to gain insights into the negotiations on the 2022 Europol Regulation, the EDPS’ decisions and Europol’s actions. 13
This article examines the evolving legal framework governing Europol’s processing of non-DSC data, with a particular emphasis on the interrelated concepts of autonomy, discretion, accountability, responsibility and transparency. By analysing the 1995 Europol Convention, the 2009 ECD, the 2016 Europol Regulation and the 2022 amending Europol Regulation, the article traces how Europol’s legal and operational framework has progressively shifted from ambiguity to greater structure. It begins by clarifying key conceptual terms (part 2) before outlining the progressive development of Europol’s legal mandates, with a focus on its data processing and accountability framework (part 3). Particular attention is given to Europol’s internal architectures for managing non-DSC data, even in the absence of explicit legislative mandates (part 4). The analysis further assesses the shifted balance of responsibility for non-DSC data processing (part 5), and the article argues that while Europol’s formal autonomy and discretion have increased only very modestly through legislative reform, the agency has effectively expanded its operational scope through evolving practices (part 6). This expansion, in turn, has necessitated a reinforcement of accountability and transparency mechanisms, particularly the role of its Management Board, the EDPS and other institutional actors (part 7). Finally, the article answers the central research question by synthesising the key findings on Europol’s autonomy, discretion, accountability, responsibility and transparency in the context of non-DSC data processing (part 8).
Conceptual framework: Autonomy, discretion, accountability, responsibility and transparency
The central research question encompasses several abstract concepts, notably autonomy, discretion, transparency, accountability and, closely related to the latter, responsibility. Although each concept can stand independently, they are interlinked in a manner that consistently recurs in discussions on the accountability of EU agencies, 14 including Europol. 15 In the absence of autonomy and discretion, the rationale for requiring transparency and mechanisms of accountability would be limited or even non-existent. 16 The interdependence underpins growing criticisms of Justice and Home Affairs agencies in response to the progressive expansion of their competencies. 17 While this part provides a theoretical framework, the subsequent part examines how Europol implements and complies with these concepts.
The concept of autonomy originates from the Greek word autonomos, meaning self-governing (auto and nomos). In the context of public administration, autonomy refers to the capacity of an agency to make decisions and act independently, free from external interference. As noted by Thatcher, ‘agency autonomy is seen in policy making and implementation’. 18 This article focuses on policy autonomy, defined as ‘the extent to which agencies can decide on goals, prioritise tasks, choose clients or target audiences, determine working methods, and draw conclusions and opinions’. 19 Discretion, a concept often closely associated with autonomy, has been widely discussed in public administration literature. 20 For this article, discretion is understood as ‘the absence of legal norms or principles that, once interpreted, would be capable of indicating the solution that should apply in a specific case’. 21
Both autonomy and discretion originate from a preference to either grant an agent decision-making capacity (autonomy) or to permit the absence of detailed rules (discretion), thereby necessitating mechanisms to ensure accountability and transparency. 22 The term accountability has roots in the term ‘accounting’ and was initially associated with the financial sector. 23 Another root lies in ancient Greece, where leaders were required to render accounts before the polis. As such, accountability ‘lies, historically, at the intersection of the notions of accounting and answering’. 24 While modern notions of accountability have evolved from financial oversight, the Greek tradition highlights its public and democratic dimension. Over time, multiple definitions of ‘public accountability’ have emerged. 25 This article adopts the definition proposed by Bovens: ‘a relationship between an actor and a forum, in which the actor has an obligation to explain and justify his or her conduct, the forum can pose questions and pass judgment, and the actor may face consequences’. 26 According to Bovens, accountability functions as an ex post control mechanism. 27 He identifies three forms of public accountability: vertical electoral accountability (i.e. fair and institutionalised elections), a second form of vertical accountability (i.e. society vs. the state, such as liability) and horizontal accountability referring to institutionalised actions through political, legal, administrative and social mechanisms.28,29 This article primarily considers horizontal accountability.
Accountability and responsibility are often regarded as two sides of the same coin, both fundamental principles of good governance. 30 The 1996 Dutch Van Traa Report succinctly captured this interdependence with the statement: ‘No competence without responsibility, and no responsibility without accountability’. 31 Although a universally accepted definition of responsibility remains elusive, scholars have proposed a range of interpretations. 32 One perspective defines it as ‘a relationship of obedience on the part of the person acting to an external controlling authority’. 33 A broader conceptualisation holds that ‘a responsible person is one who is answerable for his acts to some other person or body, who has to give an account of his doings and therefore must be able to conduct himself rationally’. 34 This latter interpretation suggests that responsibility entails exercising a competence in good faith, in accordance with one’s personal ‘beliefs, professional values, and character traits’. 35 Given the occasionally conflicting nature of these definitions and the normative concerns associated with the former, this article adopts the understanding of responsibility as the good-faith performance of an act.
Finally, within the framework of public accountability, openness to the general public is essential – this is captured by the principle of transparency. 36 The Court of Justice of the European Union (hereafter: CJEU) defines transparency in terms of its aim to ‘enable citizens to participate more closely in the decision-making process, thereby ensuring that the administration enjoys greater legitimacy and is more effective and accountable to citizens in a democratic system’. 37 Transparency is particularly important when public authorities adopt measures that affect individuals or grant access to personal files, 38 especially in contexts relevant to the right of defence. 39
The evolution of Europol’s legal frameworks
Operational framework
While processing personal data was prohibited for the Europol Drugs Unit, Europol’s predecessor, 40 the 1995 Europol Convention introduced a predefined computerised system that permitted such processing. 41 This system comprised the Europol Information System (hereafter: EIS) and the Analytical Working Files (hereafter: AWFs). It allowed Europol to process only data related to specified categories and enumerated data sets (i.e. DSC data). However, with the adoption of the 1998 Council Implementing Decision on AWFs, Europol’s data processing competencies extended to include non-DSC data (cf. infra). 42 The 2003 Danish protocol expanded it by allowing personal data processing for six months to check its relevance. 43
The 2009 Europol Council Decision (hereafter: ECD) replaced the 1995 Europol Convention 44 and consolidated all core competences, including the provision introduced by the Danish protocol that authorised the processing of personal data for six months to check its relevance. 45 In parallel, the Council reissued its Implementing Decision on AWFs, resulting in the 2009 Council Implementing Decision on AWFs. 46
The 2016 Europol Regulation replaced the ECD and formally discontinued the predefined data processing system (EIS and AWFs) in favour of a purpose-based approach 47 under Article 18. In practice, however, the EIS was retained and the Europol Analysis system (hereafter: EAS), composed of Analysis Projects (hereafter: AP), has superseded the AWFs. This purpose-based approach enables the creation of a ‘data lake’, 48 a centralised environment for data processing. 49 The Regulation did not include provisions for performing DSC, but Europol retained the authority to process personal data for six months to check its relevance. 50 The Management Board, which replaced the Council, implements Europol’s data processing competencies through non-binding guidelines, none of which address DSC. 51
The 2022 amending Europol Regulation introduced two additional data processing purposes 52 and amended Article 18 by incorporating several new paragraphs: paragraph 5a on performing DSC, paragraph 6a on the processing of non-DSC data and paragraph 6b on the role of the Management Board in implementing these provisions. Furthermore, a new Article 18a was added, allowing Europol to process non-DSC data in the context of an ongoing specific criminal investigation. Finally, Articles 74a and 74b were introduced as transitional provisions, serving as the legislative response to the 2022 EDPS Decision. 53
Accountability and transparency framework
The 1995 Europol Convention established several entities within Europol, including the Executive Director and the Management Board. 54 Political accountability was vested in the Council, which appoints Europol’s Executive Director. Additionally, the Convention created a Joint Supervisory Body (JSB), an independent external entity overseeing Europol’s data processing activities, which ensures administrative accountability. Legal accountability before the CJEU was not included; most Member States declared their intention to bring matters before the CJEU in cases of doubt regarding the interpretation or application of the Convention. 55 Citizens could seek compensation for Europol’s actions before national courts, 56 and have the right to access Europol data relating to them and to request the correction or deletion of such data. 57
The 2009 ECD formalised the appointment of Europol’s Data Protection Officer (hereafter: DPO) as an independent internal actor responsible for overseeing Europol’s data processing activities, ensuring supplementary administrative accountability. 58 Citizens are also provided avenues to perform public access requests to Europol’s documents, thereby enhancing transparency. 59
The 2016 Europol Regulation introduced the Joint Parliamentary Scrutiny Group (hereafter: JPSG), comprising Members of the European Parliament and national parliamentarians, to hold Europol politically accountable. Simultaneously, the EDPS assumed responsibility for supervising Europol’s data processing activities and taking over the administrative accountability from the JSB. Furthermore, citizens were granted the right to lodge complaints with the EDPS regarding Europol’s data processing. 60 Additionally, the Regulation conferred upon the CJEU the authority to hold Europol legally accountable, including adjudicating compensation claims 61 and handling preliminary reference procedures. 62 The 2022 amending Europol Regulation enhances the roles of Europol’s DPO and the EDPS, reinforcing administrative accountability. 63 Also, two JPSG members shall be invited to at least two ordinary Management Board meetings annually. 64
DSC at Europol: The meaning, relevance and architecture
The meaning and relevance of DSC for Europol
The 1981 Council of Europe Convention for the Protection of Individuals concerning Automatic Processing of Personal Data established several restrictions aimed at minimising the processing of personal data, 65 particularly concerning its retention. 66 This principle of data minimisation was reiterated in the 1987 Recommendation on the use of personal data in the police sector, which emphasised that data collection should be limited to what is strictly necessary. 67 While these principles provided a sound normative basis, their practical implementation proved significantly more complex. In response, the Council introduced categories of data subjects as a means to operationalise the restrictions. DSC refers to the process of assigning a specific category label to a data subject, for example, suspect or victim. Under Europol’s legal framework, six categories are defined, and the agency is prohibited from processing personal data outside of these predefined classifications. Moreover, the category assigned to a data subject determines the volume and type of data that may be stored; for example, less data can be retained on a victim than on a suspect. DSC thus ensures that Europol processes personal data when it falls within a legally recognised category. Initially, DSC was linked to the EIS and the AWFs, which permitted processing of two and six categories, respectively. The 2016 Europol Regulation replaced this with a purpose-based approach and introduced Annex II (hereafter: Annex II), which specifies the categories of data subjects and links each category to one or more specific data processing purposes in Article 18. In doing so, the Union legislator imposes clear limitations on Europol’s data processing competencies, thereby constraining its autonomy and discretion.
Europol has carried out DSC since its establishment, primarily because it receives data from the law enforcement authorities of Member States, which often do not apply Europol’s specific DSC framework. The 2016 Law Enforcement Directive, for the first time, obliges national law enforcement authorities to perform DSC. 68 However, unlike Annex II, the Directive does not provide an exhaustive list of DSCs, thereby allowing for divergent national approaches to categorisation across the EU. 69 Consequently, Europol is required to categorise incoming data from Member States’ law enforcement authorities before such data can be integrated into Europol’s databases. 70 This obligation illustrates the limited degree of autonomy Europol enjoys vis-à-vis national competent authorities in the context of DSC, as derived from EU law.
Europol’s architecture to perform DSC
While the concept of performing DSC was initially straightforward, it has evolved to include the extraction of relevant information from large volumes of data. This extraction process falls under the domain of Computer Forensics, a subfield of forensic science. Computer Forensics, often used interchangeably with digital forensics, can be defined as ‘the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation and presentation of digital evidence derived from digital sources to facilitate or further the reconstruction of events found to be criminal or helping to anticipate the unauthorized actions shown to be disruptive to planned operations’. 71 In simplified terms, this refers to a competent authority systematically extracting pertinent information from vast datasets. 72 For over two decades, this technical process was largely unregulated within Europol’s legal framework, thereby granting the agency considerable autonomy in how it implemented DSC. This changed with the adoption of the 2022 amending Europol Regulation, which introduced legal provisions addressing these practices.
The 1995 Europol Convention mandated Europol to assist Member States through advice and research on forensic police methods, but not to carry out forensic analysis. When Europol nevertheless engaged in computer forensics, it did so based, at best, on an implied competence. 73 The 2009 ECD expanded Europol’s mandate by permitting it to provide forensic support to Member States. 74 However, the 2016 Europol Regulation did not contain an explicit legal basis for such support, except insofar as it was covered by the competencies of the European Cybercrime Centre (hereafter: EC3). 75 The lack of an explicit competence was addressed by the 2022 amending Europol Regulation, which explicitly authorised Europol to provide forensic support to Member States during investigative measures. 76 Thus, Europol operated without a clear legal mandate for conducting forensic analysis under at least two of its governing legal instruments.
However, in practice, Europol, in 2002, established the High-Tech Crime Centre (hereafter: HTCC) to address the evolving threats posed by organised crime groups’ ‘modern high-tech equipment’ 77 and to coordinate and support investigations. 78 By 2004, Europol had initiated forensic data examinations. 79 Under the 2008 French presidency, Europol, particularly the HTCC, was tasked with coordinating a ‘European response to Internet-related crime’, 80 leading to the creation of an AWF named Cyborg which focused on ‘e-banking attacks, complex phishing cases, hacking of (financial) databases’. 81 Concurrently, Europol established a Forensic IT Environment (hereafter: FITE). 82 In 2010, the establishment of the CFN under the 2009 ECD 83 provided a dedicated facility for forensic data processing, enabling Europol to extract and analyse crime-related information from digitised data. 84 The tool was designed to ‘identify relevant information from vast amounts of computer data’. 85 In 2011, the HTCC was replaced by the EC3, 86 which included a ‘Forensic IT lab which [. . .] serve[s] as a dedicated environment for computer forensics carried out by Europol staff’. 87 Following the 2015 Paris attacks, Europol received 16.7 TB of data, marking the commencement of increased data sharing. 88 The CFN was used for this data, as it is a ‘horizontal system, in that it supports intelligence and operational activities across all types of crime commodities (not just cybercrime)’. 89 In 2016, Drewer and Ellerman assessed the CFN as more shielded than the EAS, with access limited to what is strictly necessary. 90 In 2018, Europol’s DPO stated: ‘many processing operations in the CFN environment are not up to the same standards as the ordinary EAS environment’, yet ‘applying those standards may, however, render a number of necessary CFN processing operations impossible’. 91 Furthermore, the CFN was ‘used by all Analysis Projects for purposes of operational analysis, next to the [. . .] EAS’. 92
The 2020 Europol action plan, adopted in response to the 2020 EDPS admonishment, aimed to limit access rights and establish a separate, secure processing environment, that is, the New Forensic Environment (hereafter: the NFE). The NFE replicated the CFN’s revised mapping structure and replaced the CFN, 93 but with enhanced access controls, separate processing from subsequent analysis, compartmentalised data 94 and audit logging. 95 In 2023, the NFE became fully operational and an integral part of Europol’s new and larger data processing environment, that is, the New Environment for Operations (hereafter: NEO). 96 The NEO aims to implement Europol’s previously unimplemented 97 ‘data lake’ 98 which should ‘maximise the value of available data [. . .], and consolidate and rationalise toolsets’. 99 To address risks, primarily concerning access rights, Europol established a Data Management Portal to regulate access rights. 100
Europol’s legal frameworks have afforded it considerable autonomy in its actions. Notably, while only one of these frameworks explicitly authorised the performance of computer forensics, this did not preclude Europol from engaging in such actions, thereby demonstrating its autonomy vis-à-vis the Union legislator. The establishment of the CFN further exemplifies Europol’s capacity to implement computer forensics autonomously. Moreover, the volume of data transmitted to Europol has significantly increased over time, reaching up to two petabytes within the CFN, indicating a growing reliance by Member States on Europol’s forensic capabilities. However, with the introduction of the NFE, certain operational constraints have been imposed on Europol staff, including enhanced access controls via the Data Management Portal. Nonetheless, these measures should not be overstated in terms of their impact on Europol’s operational flexibility, considering the increasing volumes of data provided by Member States in a single contribution. The preceding illustrates Europol’s ability to undertake tasks without explicit legal competence; the subsequent part will assess the implications of its longstanding lack of formal responsibility and accountability in this regard.
From fragmentation to centralisation: The evolution of responsibility for non-DSC data
Under the 1995 Europol Convention 101 and the 2009 ECD, 102 Europol was responsible for handling the data streams from third countries to Europol and for all data processed within its computerised system. However, the 1998 and 2009 Council Implementing Decisions explicitly permitted Europol to process data prior to its inclusion in an AWF, 103 assigning responsibility not to Europol but to the Member State providing the data. While the 1995 Europol Convention lacked an explicit provision, the 2009 ECD formally endorsed it. 104 As a result, Europol could receive and process data, paper files and documents, including non-DSC data, without bearing responsibility. This framework changed with the adoption of the 2016 Europol Regulation, which made Europol responsible for data, including non-DSC data, from the moment of receipt. This marked a clear shift in responsibility, reflecting the abolition of Europol’s pre-established databases and distinguishing the obligations of Member States from those of Europol. 105 Importantly, this transition did not curtail Europol’s ability to continue processing data, including non-DSC data. Rather, it underscored the need for legal consistency across Europol’s regulatory instruments. Consequently, presumed consistency between all its legal frameworks is preferable, as an alternative approach was neither mentioned nor (apparently) desired and ran counter to the principles of legal certainty 106 and legitimate expectations. 107,108 While the 2022 amending Europol Regulation introduced a more explicit framework for processing non-DSC data, it did not alter Europol’s responsibilities in this regard.
In addition to Europol’s expanded responsibility concerning data processing, Europol’s responsibility to implement these competencies also evolved. Under the Council Implementing Decisions, Europol’s Management could only provide a draft to the Council, with the latter making the final decision. This changed with the adoption of the 2016 Europol Regulation, which transferred certain decision-making powers from the Council to the Management Board, for example, data processing guidelines. 109 The 2022 amending Europol Regulation further empowered the Management Board, authorising it to adopt implementing decisions concerning Europol’s (non-DSC) data processing, in addition to issuing guidelines. 110 Despite this competence, several factors underscore the central role of Europol’s Executive Director. Firstly, Europol’s Executive Director is responsible for drafting the Management Board Decisions. 111 Secondly, the Management Board Decisions reproduce parts of Europol’s legal framework, rather than specifying Europol’s implementation of its non-DSC processing competencies (e.g. the lack of criteria for ‘an ongoing specific criminal investigation’ in Article 18a).112,113 Thirdly, no implementing decisions are foreseen for key elements of Articles 18 and 18a of the Consolidated 2016 Europol Regulation (e.g. the assessment for Article 18a).114,115 As a result, Europol’s Executive Director and, potentially, Europol’s staff more broadly play a crucial role in the interpretation and application of Europol’s legislative framework, as well as in implementing the decisions adopted by Europol’s Management Board.
Evolving autonomy and discretion in Europol’s processing of non-DSC data
The 1995 Convention and the 2009 ECD
The 1995 Europol Convention and 2009 ECD contained no provisions on performing DSC. However, the 1998 and 2009 Council Implementing Decisions on AWFs permit such processing. 116 According to the 1998 Council Implementing Decision on AWFs, data intended for inclusion in an AWF may be ‘communicated either in a structured or unstructured form’. Moreover, ‘after receipt of such data, it shall be determined, as soon as possible, to what extent they shall be included in a specific file’. To facilitate this determination, ‘such data may be accessed [. . .] by [. . .] a Europol analyst [. . .] for the purpose of determining whether or not the data may be included’ in an AWF. Finally, ‘data, paper files, and documents shall be returned . . ., or be deleted or destroyed, where they are no longer necessary for the purposes set out in this Article’. 117
The preceding paragraph supports several key conclusions. Firstly, Europol was permitted to receive structured and unstructured data. Secondly, a temporal and procedural framework was established to assess information – including personal data – prior to its potential inclusion in a Europol database. Thirdly, Europol staff were authorised to review the submitted information and exercise discretion in determining whether to incorporate it into an AWF. Fourthly, this extraction process was required to occur ‘as soon as possible’, and Europol could retain data, paper files and documents for ‘no longer [than] necessary’. At that stage, the retained data would become subject to DSC before being entered into an AWF. Accordingly, the 1998 and 2009 Council Implementing Decisions provided a legal basis for Europol to process non-DSC data and extract relevant data while imposing clear limitations. The 1998 Council Implementing Decision, in particular, contained at least five specific restrictions on the processing of non-DSC data and the performance of DSC. Firstly, the data provider was required to specify the purpose for which the non-DSC data were supplied. Secondly, access rights to the data were limited to the providing Member States and designated Europol analysts. Thirdly, Europol’s Executive Director was obligated to restrict access to ‘a Europol analyst duly authorised’. Fourthly, Europol was permitted to process the data solely for the purpose of assessing its potential inclusion in an AWF. Fifthly, Europol had to ensure that ‘data, paper files or documents [were] stored separately from the analysis work file’. 118 Finally, Member States retained access to the submitted data throughout this process and were expected to supervise Europol’s actions. 119
Europol retained considerable autonomy and discretion in its processing of non-DSC data, and the limitations imposed by the relevant Council Implementing Decisions should not be overstated. Beyond requirements for separate storage and restricted access rights, much of the regulatory framework governing non-DSC processing closely mirrored that applicable to Europol databases, such as the EIS and the AWFs. As a result, the practical distinctions between DSC and non-DSC processing were minimal. 120 Moreover, both the 1998 and 2009 Council Implementing Decisions imposed no restrictions on the methods used by Europol to carry out DSC, although the manner of processing was subject to some constraints. This effectively granted Europol full autonomy over the techniques employed, and significant discretion in the broader exercise of its data processing functions.
The 2016 Europol Regulation
The 2016 Europol Regulation remains vague regarding the specific practice of performing DSC, although it broadly defines processing as ‘every operation [. . .] upon personal data’. Article 18 of the 2016 Europol Regulation stipulates that ‘[p]ersonal data may be processed only for the purposes’ in paragraph two and further clarifies that ‘the categories of personal data and categories of data subject whose data may be collected and processed for each purpose referred to in paragraph 2 [of Article 18 of the 2016 Europol Regulation] are listed in Annex II’. This framework establishes a clear legal limitation: Europol is not permitted to process personal data beyond the purposes set out in Article 18(2), nor may it process data relating to DSCs not listed in Annex II for these purposes. Notably, the 2017 Management Board Guidelines on the application of Article 18 do not refer to performing DSC, thereby leaving this aspect of Europol’s data processing regime undefined. Interestingly, however, the Union legislator included an implicit derogation in the form of Article 18(6) of the 2016 Europol Regulation.
Although the 2016 Europol Regulation does not provide an explicit legal basis for performing DSC, the EDPS has acknowledged that he did ‘not consider that there is a legislative intention to prohibit such a practice’. 121 Moreover, the Regulation requires Member States to submit data in compliance with national law, that is, the implementing legislation of the LED. 122 As a result, Member States may submit personal data to Europol that does not align with the categories listed in Annex II. Given that Europol can receive non-DSC data, it logically follows that it must also be able to transform such data into DSC-compliant formats. Otherwise, Europol would be unable to process these data for the purposes enumerated in Article 18(2). In the absence of an explicit competence, an implied competence and additional derogation from Article 18(2) may be inferred 123 : if Europol receives non-DSC data from a Member State and Article 18(2) permits only the processing of DSC data, then a transformation into DSC data becomes a necessary precondition for lawful processing. Accordingly, Europol must be implicitly empowered to carry out DSC. The alternative would require Member States to refrain from submitting any non-DSC data, a scenario that appears neither realistic nor intended by the Union legislator. As a result, and in light of the responsibility shift introduced by the 2016 Regulation, Europol was placed in a position to autonomously process non-DSC data due to the lack of a legal framework regulating non-DSC processing. Nevertheless, it continued to observe the restrictions set out in the 1998 and 2009 Council Implementing Decisions. 124 Europol maintained this degree of autonomy for some time before further regulatory action was taken.
Following internal assessments, 125 Europol’s Executive Director notified the EDPS on 1 April 2019 of ‘major compliance issues’ related to processing of large volumes of non-DSC data. 126 This disclosure led to the 2020 EDPS admonishment concerning Europol’s non-DSC processing. In response, Europol adopted an action plan aimed at mitigating the impact of non-DSC processing on data subjects. 127 The action plan introduced several changes to Europol’s approach to non-DSC processing. These included the following: flagging data contributions where DSC was pending at the level of the contributor (action 1), labelling of non-DSC data internally within Europol (action 2), restricting access to non-DSC data (action 3), increasing the frequency of periodic reviews of stored non-DSC data (action 4) and appointing a data quality controller to oversee compliance (action 5). As the EDPS found the existing safeguards, based on the 1998 and 2009 Council Implementing Decisions, insufficient, all measures except Action 3 were introduced as entirely new compliance mechanisms. 128 In practice, Action 3 resulted in a further narrowing of access rights, limiting data access to a smaller group of analysts. It also prompted the implementation of internal compartmentalisation within Europol’s CFN, whereby each Analysis Project (AP) now has its dedicated data folder. 129 Analysts granted access are also required to liaise with the relevant AP to identify which non-DSC data should be extracted. 130 An additional, informal measure now mandates an extra layer of review prior to including data in an AP. 131 The introduction of these measures underscores the level of operational autonomy granted to Europol by the Union legislator. However, this autonomy remains constrained by data protection obligations, which require Europol to impose significant limitations on its processing capacities. 
Furthermore, as Europol increasingly receives larger volumes of data from national competent authorities in single contributions, 132 the effect of these safeguards is somewhat diluted, allowing more non-DSC data to be processed within a single operational environment.
The 2022 Amending Europol Regulation
Both paragraph 6a of Article 18 and Article 18a provide a legal basis for processing data to perform DSC. Article 18(6a) permits such processing only in limited circumstances, specifically where it is ‘strictly necessary’ to determine whether personal data complies with Annex II. By contrast, Article 18a authorises the processing of data in a ‘specific criminal investigation’. The Management Board has clarified, through its implementing decision, that Europol is permitted to perform DSC when supporting a specific criminal investigation under Article 18a. 133 While Article 18a thus establishes a broader legal purpose than Article 18(6a), this does not necessarily indicate an expansion of Europol’s autonomy; in practice, Europol already had this autonomy under earlier legal frameworks, yet not restricted to ‘specific criminal investigation’. Both provisions also regulate the methods by which DSC may be performed. Under Article 18(6a), Europol may use all data processing purposes. By contrast, Article 18a limits permissible methods to operational analysis and, in exceptional cases, cross-checking. Considering the overarching and general nature of Article 18 of the 2016 Europol Regulation to perform DSC, these innovations demonstrate Europol’s decreasing autonomy vis-à-vis the Member States from a legal point of view. In practice, the increasing volumes of data shared with Europol could, in time, undermine some of these restrictions and enhance Europol’s autonomy.
In addition to the key distinctions previously discussed, Articles 18(6a) and 18a share several important similarities, particularly with respect to data protection safeguards. These include requirements for Member States to specify a processing purpose, limitations on access imposed by Member States and restrictions on access rights for Europol staff. While the earlier Council Implementing Decisions required that non-DSC data have ‘separate storage’ from and ‘for inclusion’ in an AWF, Articles 18(6a) and 18a impose stricter conditions by mandating that such data be ‘functionally separated from other data’. 134 Prior to the 2020 Europol action plan, the CFN did not contain designated folders for each AP, rendering the ‘separate storage’ requirement relatively limited in practice. 135 Currently, Europol interprets ‘functionally separate from other data’ as requiring full isolation, including from other non-DSC data, demonstrating a stricter application of the functional separation principle. 136 To facilitate the extraction of DSC from non-DSC data, certain linkages must remain in place to enable analysts to perform DSC effectively. Notably, this demonstrates Europol’s reduced autonomy; however, increasing volumes of data could reduce the impact of such restriction and re-enhance autonomy. Another noteworthy similarity is the inclusion of a data verification process in the Management Board Decisions implementing Articles 18(6a) and 18a of the consolidated 2016 Europol Regulation. Although this verification process is not explicitly provided for in the 2022 amending Regulation, it ensures that only DSC data are processed for the purposes listed in Article 18(2), thereby preventing the improper use of non-DSC data. This verification mechanism effectively codifies Action 2 of Europol’s 2020 Action Plan, which introduced mandatory labelling of non-DSC data to improve compliance and transparency in the processing framework.
Article 18(6a) permits Europol to process non-DSC data for up to eighteen months, but only where it is ‘strictly necessary’ to assess compliance with Annex II. An extension of up to an additional eighteen months is allowed only in cases that are both ‘necessary’ and ‘justified’. However, the Europol Management Board Decision implements Article 18(6a) by establishing its default application to all non-DSC data, effectively removing the conditional ‘strictly necessary’ threshold from the initial processing period. 137 This interpretation was contested by the EDPS. 138 Nevertheless, the absence of a general legal basis for DSC outside Article 18(6a) has created a legislative gap, making the provision the only viable foundation for Europol’s general processing of non-DSC data. Additionally, the Regulation requires Europol to notify the EDPS in the event of an extension beyond the initial eighteen-month period. Instead, the Management Board decision mandates a formal justifying decision as a precondition for such an extension. 139 Notably, the 2022 amending Europol Regulation includes neither the default application of Article 18(6a) nor the justification decision for prolonging data retention. The implementation of Article 18(6a) illustrates Europol’s increased autonomy (vis-à-vis the Union legislator), but its decreased autonomy (vis-à-vis the Member States) when compared with Article 18 of the 2016 Europol Regulation. In effect, Europol and the EDPS have arranged the default application of paragraph 6a in exchange for tighter restrictions on extending the processing period.
Article 18a does not establish a general legal basis to perform DSC. Instead, it authorises the processing of non-DSC data solely for the purpose of supporting ongoing specific criminal investigations within the scope of Europol’s objectives. Before using Article 18a, Europol is required to conduct an assessment demonstrating the necessity of processing non-DSC data for a specific criminal investigation, 140 without actually processing the data. 141 This raises questions about the practical significance of such an assessment, particularly given the absence of detailed criteria to guide its application. 142 Additionally, Europol is only obliged to record the results of the assessments justifying the use of Article 18a, without engaging in data processing beforehand. 143 Consequently, the assessment appears to have minimal impact on Europol’s discretion in applying Article 18a. Following the assessment, Europol must determine whether the situation qualifies as an ‘ongoing specific criminal investigation’. Since Europol lacks investigative powers, such a determination must be made in the context of its supporting role. Defining an investigation solely based on a single Member State’s involvement would conflict with Europol’s mandate to combat serious cross-border crime and undermine the principles laid out in its founding treaties. 144 Therefore, Europol should define the scope based on the data providers’ indications. Europol is expected to document this determination in a Europol Ongoing Specific Criminal Investigation Support Order (OSCISO). 145 While this approach does not increase Europol’s autonomy, it does enhance coordination among Member States and reinforces Europol’s facilitating role in cross-border investigations.
Europol’s legal framework does not establish any formal link between Articles 18(6a) and 18a. Nevertheless, Europol’s Management Board treats Article 18a as a derogation from Article 18(6a). 146 However, this interpretation is legally unconvincing. Article 18a does not constitute a derogation from Article 18(6a); rather, it imposes stricter limitations, particularly regarding the use of cross-checking, which is permitted as a standard method under Article 18(6a), but only allowed ‘exceptionally’ under Article 18a. Moreover, for a genuine derogation to exist, there must be functional reversibility – that is, data should be capable of moving between both regimes (from Article 18a to 18(6a) and vice versa). This is not the case, as the two provisions are designed for distinct legal and operational contexts and do not permit such interchangeability. 147 Despite this, Europol applies the Article 18a assessment to distinguish non-DSC data. 148 If the assessment concludes that the data do not fall within the scope of an ‘ongoing specific criminal investigation’ under Article 18a, then Europol can process the data under Article 18(6a). This procedural approach enables Europol to prevent potential overextension of Article 18a by Member States, without foreclosing its legitimate use where appropriate. Although this practice does not significantly expand Europol’s autonomy, it does afford the agency a limited degree of discretion in regulating the legal basis for processing non-DSC data submitted by Member States. In this way, Europol balances operational necessity with legal constraint, while ensuring Member State cooperation remains within the intended scope of the Regulation.
Strengthening accountability and transparency in response to operational expansion
Developments in accountability and transparency of non-DSC processing
Given Europol’s lack of responsibility prior to the 2016 Europol Regulation, significant questions arise regarding Europol’s accountability for the actions it undertook. Under the 1998 and 2009 Council Implementing Decisions, Europol was required to comply with national data protection legislation when processing data prior to its inclusion in an AWF. Although a common data protection standard exists, 149 Europol’s accountability remained chaotic. Both the JSB and, under the 2009 ECD, Europol’s DPO were granted access to all data processed by Europol. However, this raises a fundamental concern: how can these actors hold Europol accountable for actions for which it is not legally responsible? Responsibility for data processing rested with the Member States, and it would have been possible for either the Council or individual Member States to introduce mechanisms to ensure accountability in light of this allocation. The Council, for instance, could have imposed stricter limitations on Europol’s processing of non-DSC information or enhanced accountability mechanisms, but it did not pursue such measures. As a result, accountability for processing non-DSC data under the 1995 Europol Convention and the 2009 ECD remains chaotic, as all or none could hold Europol accountable.
Following the adoption of the 2016 Europol Regulation and the associated shift in responsibility, Europol’s autonomy remained largely unchanged. While it no longer operated under 28 distinct national data protection frameworks, it became subject to a single, centralised regime and could be held accountable by both the EDPS and Europol’s DPO, as evidenced by, respectively, the 2020 and 2022 EDPS Decisions and Europol’s DPO’s annual reports. 150 While this might suggest that Europol’s DPO and the EDPS exercised rigorous accountability from the outset, the reality was different: both delayed taking action on Europol’s non-DSC processing – Europol’s DPO only addressed the issues after two years, and the EDPS waited even longer, acting only after intervention by the DPO. Nonetheless, the preceding highlights a key weakness of Europol’s accountability framework: the reliance on general accountability mechanisms rather than provisions tailored to the specific data processing framework. Notably, the EDPS acknowledged Europol’s competence to perform DSC, 151 yet serious concerns existed regarding processing large volumes of non-DSC data, the absence of explicit legal authorisation for DSC and insufficient supervisory controls. 152 Furthermore, Europol’s DPO even issued conflicting signals on Europol’s CFN. 153 Similarly, the JPSG was not offered specific information regarding non-DSC processing, but obtained information following questions from Members of the European Parliament. 154 Although Europol publishes several of its internal documents in the interest of transparency, the highly technical nature and volume of these materials limit public accessibility and understanding, particularly concerning the NEO and the NFE. While these criticisms are significant, Europol’s accountability mechanisms have substantially improved concerning non-DSC processing since the 2016 Regulation came into force.
The 2022 amending Europol Regulation clarified the legal framework and addressed several shortcomings by introducing additional reporting and transparency obligations to Europol’s DPO, the EDPS and the JPSG. As part of its clarified legal framework, the Management Board was granted the authority to adopt decisions regarding the processing of non-DSC data. Europol’s Management Board is required to consult the EDPS prior to the adoption. The EDPS has been critical of Europol’s initial Management Board decisions, resulting in new ones significantly enhancing data protection. 155 Although not legally required, these decisions are published in the interest of transparency. Nevertheless, accountability remains complex. The sometimes imprecise language of Management Board decisions grants considerable discretion to Europol’s Executive Director and, by extension, to Europol staff. 156 This complexity is compounded by the legal immunity enjoyed by Europol staff members, which further complicates the enforcement of accountability within Europol’s structure. 157 In addition, in the context of Article 18(6a), the EDPS has strengthened Europol’s accountability by increasing the information duty on the extended non-DSC processing to a justifying decision, which limits Europol’s discretion. Regarding Article 18a, both Europol’s DPO and the EDPS can access the OSCISO. 158 Also, only positive assessments on Article 18a should be provided to the EDPS. In addition, Europol should inform the JPSG on the use of Article 18a, thereby creating political accountability concerning these new competencies. The EDPS and Europol’s DPO remain responsible for supervising Europol’s data processing activities, including its non-DSC processing. 159 Notably, the general provisions in Europol’s legal framework also ensure its accountability. 160 Consequently, Europol’s autonomy vis-à-vis the Member States is not without enhanced accountability compared to Europol’s previous legal frameworks.
Data retention, accountability, transparency and legal conflict
In addition to the broader examination of Europol’s accountability in processing non-DSC data, a specific analysis of its data retention practices is necessary, particularly in light of the 2022 EDPS Decision permitting non-DSC data retention for six months. Under the 1995 Europol Convention, data could be retained within Europol’s computerised systems for as long as necessary. 161 This flexible retention standard was maintained in both the 2009 ECD and the Consolidated 2016 Europol Regulation, each of which permitted data storage ‘for as long as necessary’. 162 Across these successive legal frameworks, Europol has been granted broad discretion in determining what constitutes necessary in terms of data retention. Importantly, all prior instruments allowed Europol to process data for two purposes outside of its central computerised systems: (1) to perform DSC and (2) to assess the relevance of incoming data (i.e. current Article 18(6) of the Consolidated Europol Regulation). Each purpose has been accompanied by specific legal provisions, including defined retention periods.
For the first purpose (performing DSC), the 1998 Council Implementing Decision on AWFs allowed Europol to process non-DSC data for as long as necessary before its potential inclusion in a specific AWF. 163 For the second purpose (assessing the relevance of data), the 2003 Danish protocol introduced a strict six-month retention limit. 164 The 2009 ECD incorporated both purposes: the first in Article 29(2) and the 2009 Council Implementing Decision on AWFs, and the second in Article 10(4). 165 The ECD preserved both retention periods. The 2016 Europol Regulation, however, retained only the second purpose explicitly through Article 18(6). The explicit legal basis for the first purpose was omitted, yet, in practice, Europol continued processing non-DSC data for as long as necessary to perform DSC, 166 in line with the data protection requirements in the 1998 and 2009 Council Implementing Decisions. 167 These two purposes differ substantially. The second purpose permits the temporary processing of potentially irrelevant data to identify relevant data and establish a processing purpose. By contrast, under the first purpose, data may only be processed once a predefined purpose has already been assigned. Moreover, while the second purpose involves exploratory processing – potentially encompassing large volumes of data with no specific relevance, the first purpose presupposes that the data are already partially relevant, as determined by national law enforcement authorities or Europol itself. Additionally, the first purpose was subject to stricter data protection conditions, whereas the second entailed fewer safeguards. 
In light of these distinctions – and given Europol’s consistent adherence to the earlier legal frameworks, as well as its demonstrated willingness to enhance data protection standards following its 2020 Action Plan – the EDPS could arguably have permitted Europol to continue processing non-DSC ‘for as long as necessary’ under the first purpose, rather than imposing a maximum six-month retention period by analogy with the second purpose.
While the EDPS ‘could’ have permitted Europol to retain non-DSC data beyond six months, a more critical question remains: should the EDPS have done so, particularly in light of the legal framework established by the 2016 Europol Regulation? The 2013 Commission proposal for a Europol Regulation did not include a provision analogous to the Danish protocol’s six-month retention limit for relevance checks. Instead, it envisioned general data retention ‘for as long as necessary’ within a dedicated chapter on ‘Data Protection Safeguards’. 168 The European Parliament introduced the six-month limit now found in Article 18(6), allowing a temporary retention period to assess the relevance of data. 169 However, this six-month limitation appears exclusively in Article 18 and not within the overarching chapter on data protection safeguards, which governs the entirety of Europol’s data processing and permits data retention for as long as necessary. Consequently, the structure of the 2016 Europol Regulation suggests that the general rule remains open-ended retention based on necessity, while the six-month limit in Article 18(6) should be understood as a narrow derogation applicable only to that specific context. Accordingly, Europol staff were afforded considerable discretion in determining what constitutes ‘necessary’. Despite this, the 2022 EDPS Decision required Europol to delete non-DSC data after six months if DSC had not occurred, applying Article 18(6) by analogy. 170 This interpretation conflicts with the 2016 Europol Regulation, which permits more flexible data retention outside the limited scope of Article 18(6). Therefore, the EDPS’s decision arguably restricted Europol’s discretion in a manner inconsistent with the Regulation, especially considering the significantly enhanced data protection framework following the implementation of the 2020 Europol action plan (cf. supra). Thus, he ‘should’ have allowed Europol to process non-DSC data for as long as necessary.
The 2022 amending Europol Regulation introduced two distinct retention regimes for non-DSC data: processing as long as necessary under Article 18a, and a fixed maximum of three years under Article 18(6a). The latter represents a further derogation from the general principle of necessity-based retention and significantly curtails Europol’s discretion in processing non-DSC data, particularly given the requirement for a formal justification to extend processing beyond the initial eighteen-month period (cf. supra). In direct response to the 2022 EDPS Decision, the 2022 amending Europol Regulation also incorporated Articles 74a and 74b, which address its legal implications. Specifically, these provisions preclude the application of the six-month maximum retention period to non-DSC data received by Europol before the entry into force of the 2022 amending Europol Regulation. Notably, Europol completed processing all pre-amendment non-DSC data by the end of 2022. 171 The EDPS challenged the legality of Articles 74a and 74b before the General Court, contending that they constituted an unlawful circumvention of the 2022 EDPS Decision. 172 However, Council preparatory documents suggest otherwise, explicitly stating that the new provisions are intended to clarify the legal situation in light of the 2022 EDPS Decision. 173 This indicates that the legislative intent was not to undermine the EDPS but to address legal uncertainty following his decision and legal inconsistency regarding the longer data retention in the 2022 amending Europol Regulation. Moreover, the Union legislator enjoys broad discretion in the legislative process, 174 as demonstrated. 175 The General Court ultimately declared the case inadmissible without addressing the substantive legal questions. 176 The EDPS has since appealed to the CJEU, with a ruling still pending. 177 As a result, while the EDPS has demonstrated a strong willingness to address the issue and ensure Europol’s accountability, the necessity of legally challenging Articles 74a and 74b remains open to question, particularly in light of Europol’s full compliance with the EDPS Decision by the end of 2022.
Conclusion: Specified capabilities and structured controls
Although Europol’s legal frameworks have undergone a significant transformation, this article demonstrates that their impact on Europol’s autonomy, discretion, accountability, responsibility and transparency has been asymmetrical. The requirement to perform DSC remains essential for ensuring compliance with data protection principles, thereby constituting a limitation on Europol’s operational autonomy. Nonetheless, Europol has autonomously developed a comprehensive infrastructure to carry out DSC, often in the absence of explicit authorisation from the Union legislator.
Notably, under Europol’s initial legal frameworks, responsibility for processing non-DSC data rested with the providing Member State, not with Europol itself. This changed with the adoption of the 2016 Europol Regulation, which marked a significant shift by assigning Europol responsibility for all data it receives, including non-DSC data. The 2022 amending Europol Regulation did not alter this allocation of responsibility. Mirroring this development, the authority to define rules on non-DSC processing initially lay with the Council but was later transferred – following the 2016 Regulation – to Europol’s Management Board, in coordination with the Executive Director and, to some extent, Europol’s staff.
Europol has consistently operated in a context of legal uncertainty regarding the processing of non-DSC data, which has effectively afforded it considerable autonomy vis-à-vis the Member States. In particular, the absence of an explicit legal basis in the 2016 Europol Regulation could have precluded such processing; however, in practice, Europol continued to process non-DSC data while adhering to pre-existing data protection safeguards, thereby maintaining its autonomy. This autonomy, however, has been progressively constrained by a series of data protection measures, especially following the adoption of the 2020 Europol Action Plan. Although the 2022 amending Europol Regulation attracted criticism, it largely preserved Europol’s existing level of autonomy, yet caused some decreases. Notably, possible decreases in autonomy risk being undermined by the practical impact of increasing volumes of data sent to Europol. Throughout the evolution of its legal framework, Europol has exercised a notable degree of discretion in its handling of non-DSC data, with this discretion expanding in certain respects following the 2022 amendments.
The initial two legal frameworks brought minimal change and effectively left accountability entirely with the Member States, as data processing responsibilities rested with them. This approach was revised with the adoption of the 2016 Europol Regulation, which established a robust accountability structure. Under this framework, the EDPS, Europol’s DPO and additional accountability mechanisms are tasked with ensuring compliance with Europol’s data protection obligations. However, this framework was not tailored to Europol’s non-DSC processing. Notably, following the 2022 amending Europol Regulation, several tailored provisions concerning non-DSC processing were introduced to enhance accountability. The EDPS accepted limited manifestations of Europol’s autonomy vis-à-vis the Union legislator, as reflected in certain Management Board decisions. However, this limited autonomy should not be mistaken for a relaxation of accountability, as the EDPS has adopted – and maintains – a notably strict stance on Europol’s retention of non-DSC data. In addition to established mechanisms, Europol contributes to transparency by publishing documents related to its non-DSC data processing and responding to public access requests.
In conclusion, this article finds that while Europol’s autonomy and discretion have evolved only marginally in formal legal terms, they have been effectively expanded through the increasing volume of non-DSC data provided to the agency. Despite this relatively static legal evolution in autonomy and discretion, Europol’s responsibility, transparency and accountability mechanisms have undergone significant development, including specific reporting duties and enhanced transparency obligations relating to the processing of non-DSC data.
Footnotes
Declaration of conflicting interests
The author declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author received no financial support for the research, authorship, and/or publication of this article.
1.
Annual Report of the Europol Data Protection Officer 2017, at 11; see also Annual Report of the Europol Data Protection Officer 2018, at 16.
2.
EDPS, ‘Own initiative inquiry on Europol’s “Big Data Challenge”’, 30 April 2019, 1.
3.
ibid.
4.
EDPS Decision on the own initiative inquiry on Europol’s big data challenge.
5.
European Parliament and Council, ‘Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA’, 11 May 2016; European Parliament and Council, ‘Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation’, 2022 (References to the amendments to the 2016 Europol Regulation introduced by this regulation will refer to the non-binding consolidated version of the Europol Regulation); European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA’, 11 May 2016, Article 74a–74b.
6.
Council Act of 3 November 1998 adopting rules applicable to Europol analysis files, Article 3.
7.
See footnote 1.
8.
EDPS Decision on the own initiative inquiry on Europol’s big data challenge; EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation.
9.
Jane Kilpatrick and Chris Jones, Empowering the Police, Removing Protections: The New Europol Regulation (Statewatch 2022); Chloé Berthélémy, ‘Europol’s Ever-Increasing Mandate: European Parliament Failed to Stand Up for Fundamental Rights’ <https://edri.org/our-work/europols-ever-increasing-mandate-european-parliament-failed-to-stand-up-for-fundamental-rights/> accessed 5 May 2022; ‘New Europol Rules Massively Expand Police Powers and Reduce Rights Protections’ accessed 10 November 2022.
10.
Chloé Berthélémy, ‘How Europol’s Reform Enables “NSA-Style” Surveillance Operations’ accessed 22 February 2022; Apostolis Fotiadis et al., ‘Europol to be Europe’s NSA?’ accessed 22 February 2022; EDRi, ‘The EU’s Own “Snowden Scandal”: Europol’s Data Mining’ (accessed 19 January 2022); Edouard Ombredane, ‘Europol Is Moving Closer to Being “NSA-Like Mass Surveillance Agency”’ accessed 22 February 2022.
11.
See footnote 16.
12.
Laura Maas et al., ‘The Definitions of Health Apps and Medical Apps from the Perspective of Public Health and Law: Qualitative Analysis of an Interdisciplinary Literature Overview’ (2022) 10 JMIR mHealth and uHealth e37980; Khushal Vibhute and Filipos Ayanale, Legal Research Methods Teaching Material (Justice and Legal System Research Institute 2009).
13.
Commission co-worker I (Interviewed 3 March 2023); Commission co-worker II (Interviewed 7 June 2023); Assistant to an MEP I (Interviewed 20 February 2023); Assistant to an MEP II (Interviewed 27 February 2023); EDPS co-worker (Interviewed 26 April 2023); Former Europol co-worker (Interviewed 31 July 2023); Europol co-worker (Informal conversations on 19 September 2022 and 20 March 2023).
14.
Jane Kilpatrick, ‘Frontex: More Power, No Responsibility? Mega-Agency Lacks Real Accountability Structure’ accessed 19 April 2022; Agostina Pirrello, ‘The European Union Agency for Asylum: Legal Remedies and National Articulations in Composite Procedures’ (2024) 30 European Law Journal 165, 180; Tom Huisjes and Stanisław Tosza, ‘Eurojust: Mechanisms Controlling the Agency for Coordination and Cooperation in Criminal Matters’ in Miroslava Scholten and Alex Brenninkmeijer (eds), Controlling EU Agencies – The Rule of Law in a Multi-Jurisdictional Legal Order (Edward Elgar Publishing Ltd 2020), 234–251.
15.
Steve Peers, ‘Governance and the Third Pillar: The Accountability of Europol’ in Deirdre Curtin and Ramses Wessel (eds), Good Governance and the European Union (Intersentia 2005), 253–276; Madalina Busuioc, Deirdre Curtin and Martijn Groenleer, ‘Agency Growth Between Autonomy and Accountability: The European Police Office as a “Living Institution”’ in Berthold Rittberger and Arndt Wonka (eds), Agency Governance in the EU (Routledge 2012), 70–89; Chloé Berthélémy, ‘Europol Inches Closer to Increasing Its Powers Despite Lacking Accountability’ accessed 10 June 2021.
16.
Deirdre Curtin, ‘Holding (Quasi-) Autonomous EU Administrative Actors to Public Account’ (2007) 13 European Law Journal 523, 541, at 525; Madalina Busuioc, ‘Accountability, Control and Independence: The Case of European Agencies’ (2009) 15 European Law Journal 599, 615, at 604; Grønnegaard Christensen and Lehmann Nielsen, ‘Administrative Capacity, Structural Choice and the Creation of EU Agencies’ (2010) 17 Journal of European Public Policy 176, 204, at 177.
17.
Max Griera and Elisa Braun, ‘EU Asylum Agency Bosses Favored “Friendly Circle” for Promotions, Watchdog Finds’ <https://www.politico.eu/article/eu-asylum-agency-bosses-promotions-watchdog-probe/> accessed 15 May 2025; EDPS, ‘EDPS Reprimands Frontex for Non-compliance with Regulation (EU) 2019/1896’ <https://www.edps.europa.eu/press-publications/press-news/press-releases/2025/edps-reprimands-frontex-non-compliance-regulation-eu-20191896_en> accessed 8 January 2025; Ombudsman, ‘Ombudsman Asks Frontex to Improve Its Accountability’ accessed 18 January 2022.
18.
Mark Thatcher, ‘The Third Force? Independent Regulatory Agencies and Elected Politicians in Europe’ (2005) 18 Governance: An International Journal of Policy, Administration, and Institutions 347, 373, at 369.
19.
Jesper Johnsøn, Lech Marcinkowski and David Sześciło, Organisation of Public Administration: Agency Governance, Autonomy and Accountability (OECD Publishing 2021), 9.
20.
Darren Hawkins et al., ‘Delegation Under Anarchy: States, International Organizations, and Principal-Agent Theory’ in Darren Hawkins et al. (eds), Delegation and Agency in International Organizations (Cambridge University Press 2006), 8; Daniel P Carpenter, The Forging of Bureaucratic Autonomy: Reputations, Networks, and Policy Innovation in Executive Agencies, 1862–1928, Princeton Studies in American Politics (Princeton University Press 2002), 17; Gordon L Clark, ‘A Theory of Local Autonomy’ (1984) 74 Annals of the Association of American Geographers 195–208, at 198–199.
21.
Joana Mendes, ‘Bounded Discretion in EU Law: A Limited Judicial Paradigm in a Changing EU’ (2017) 80 The Modern Law Review 443, 472, at 461; see also Peter Mascini, ‘Discretion from a Legal Perspective’ in Tony Evans and Peter Hupe (eds), Discretion and the Quest for Controlled Freedom (Palgrave Macmillan 2020), 122–123 (‘a public officer has discretion whenever the effective limits on his power leave him free to make a choice among possible courses of action or inaction’).
22.
Curtin, ‘Holding (Quasi-) Autonomous’ (n 6); Christensen and Nielsen, ‘Administrative Capacity’ (n 16); Busuioc, ‘Accountability, Control and Independence’ (n 16).
23.
Mark Bovens, Robert Goodin and Thomas Schillemans, ‘Public Accountability’ in Mark Bovens, Robert Goodin and Thomas Schillemans (eds), The Oxford Handbook of Public Accountability (Oxford University Press 2014), 2–3.
24.
Public accountability – a summary analysis.
25.
Sergio Carrera, Leonhard den Hertog and Joanna Parkin, ‘The Peculiar Nature of EU Home Affairs Agencies in Migration Control: Beyond Accountability Versus Autonomy?’ (2013) 15 European Journal of Migration and Law 337, 358, at 338; Article 29 Data Protection Working Party, ‘Opinion 3/2010 on the principle of accountability’, 13 July 2010, 7; Satoko Horii, ‘Accountability, Dependency, and EU Agencies: The Hotspot Approach in the Refugee Crisis’ (2018) 37 Refugee Survey Quarterly 204, 230, at 210.
26.
Carrera, den Hertog and Parkin, ‘The Peculiar Nature of EU Home Affairs’ (n 25).
27.
Mark Bovens, ‘Analysing and Assessing Accountability: A Conceptual Framework’ (2007) 13 European Law Journal 447, 468, at 453, 454; Busuioc, ‘Accountability, Control and Independence’ (n 16) 605.
28.
Maranke Wieringa, ‘What to Account for When Accounting for Algorithms’ (2020), FAT*, 4.
29.
Guillermo O’Donnell, ‘The Quality of Democracy: Why the Rule of Law Matters’ (2004) 15 Journal of Democracy 32, 46, at 37.
30.
Article 29 Data Protection Working Party, ‘Opinion 3/2010’ (n 25); Lars Lindkvist and Sue Llewellyn, ‘Accountability, Responsibility and Organization’ (2003) 19 Scandinavian Journal of Management 251, 273, at 252.
31.
Enquêtecommissie, Enquête Opsporingsmethoden (1996), Tweede kamer der Staten-Generaal, 9.
32.
Lindkvist and Llewellyn, ‘Accountability, Responsibility and Organization’ (n 30) 252.
33.
Herman Finer, ‘Better Governmental Personnel’ (1936) 51 Political Science Quarterly 569, 599, at 580; Helen Smith, ‘Clinical AI: Opacity, Accountability, Responsibility and Liability’ (2021) 36 AI & Society 535, 545, at 542; by analogy Stephen McGrath and Jonathan Whitty, ‘Accountability and Responsibility Defined’ (2018) 11 International Journal of Managing Projects in Business 687, 707, at 695 (‘an obligation to satisfactorily perform a task’); Bivins, ‘Responsibility and Accountability’, in Kathy Fitzpatricks and Carolyn Bronstein (eds), Ethics in Public Relations – Responsible Advocacy (SAGE 2006), 19–38.
34.
Carl J Friedrich et al., Problems of the American Public Service, The Commission of Inquiry on Public Service Personnel (McGraw-Hill Book Company, Inc. 1935), 30.
35.
Ting Gong, ‘Objective Responsibility vs. Subjective Responsibility: A Critical Reading of the CCP’s Internal Supervision Regulation’ (2008) 8 China Review 77–102, at 79; Terry Cooper, The Responsible Administrator: An Approach to Ethics for the Administrative Role (5th edn, Jossey-Bass 2006), 6.
36.
Gabriele Abels, ‘Citizen Involvement in Public Policy-making: Does it Improve Democratic Legitimacy and Accountability? The Case of pTA’ (2007) 13 Interdisciplinary Information Sciences 103, 116, at 106.
37.
Court of Justice, 9 November 2010, C-92/09 and C-93/09, para. 68.
38.
Article 41 Charter of Fundamental Rights of the European Union, 1 December 2009.
39.
Article 48; European Parliament and Council, ‘Directive 2012/13/EU of the European Parliament and of the Council of 22 May 2012 on the right to information in criminal proceedings, 2012/13/EU’, 22 May 2012.
40.
TREVI Ministers, ‘Ministerial Agreement on the establishment of the Europol Drugs Unit’ (1993); Joint Action of 10 March 1995 adopted by the Council on the basis of Article K.3 of the Treaty on European Union concerning the Europol Drugs Unit (95/73/JHA), Article 4(2)(2).
41.
Council, ‘Convention based on Article K.3 of the Treaty on European Union, on the establishment of a European Police Office (Europol Convention)’, 1995, Articles 7–12.
42.
Council Act of 3 November 1998 adopting rules applicable to Europol analysis files.
43.
Protocol Drawn up on the basis of Article 43(1) of the Convention on the Establishment of a European Police Office (Europol Convention), amending that Convention.
44.
Council, ‘Council Decision of 6 April 2009 establishing the European Police Office (Europol)’, 2009.
45.
ibid Article 10(4).
46.
Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files.
47.
European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 18(2).
48.
49.
Commission Staff Working Document – Impact Assessment on adapting the European Police Office’s legal framework with the Lisbon Treaty – Accompanying the proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for law enforcement cooperation and training (Europol) and repealing Council Decisions 2009/371/JHA and 2005/681/JHA; Annual Report of the Europol Data Protection Officer 2018, at 14; Fanny Coudert, ‘The Europol Regulation and Purpose Limitation: From the “Silo-Based Approach” to . . . What Exactly?’ (2017) 3 European Data Protection Law Review 314.
50.
European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 18(6).
51.
Management Board Decision adopting the guidelines further specifying the procedures for processing of information for the European Law Enforcement Agency in accordance with Article 18 of the Europol Regulation.
52.
The purpose of Europol’s most wanted list was not excluded from compliance with Annex II, but the legislators forgot to modify Annex II, leaving it unclear how the conformity of data with Annex II remains assured. This raises legality concerns; an implied modification of Annex II is an acceptable, if uncertain, solution.
53.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Articles 74a and 74b.
54.
Council, ‘Convention based on Article K.3’ (n 41) Article 27.
55.
Declaration iuncto Article 40(2).
56.
ibid 38–39; Council, ‘Council Decision of 6 April 2009’ (n 44) 52–54; European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 50(1); see also Court of Justice of the European Union, 5 March 2024, C-755/21, paras 54–72.
57.
Council, ‘Convention based on Article K.3’ (n 41) 19–20; Council, ‘Council Decision of 6 April 2009’ (n 44) 30–31; European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) 36–37.
58.
Alexandra De Moor and Gert Vermeulen, ‘The Europol Council Decision: Transforming Europol into an Agency of the European Union’ (2010) 47 Common Market Law Review 1089–1121, at 1116.
59.
Council, ‘Council Decision of 6 April 2009’ (n 44) 45.
60.
61.
European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 50(1); Court of Justice of the European Union, 21 December 2023, C-281/22; see also General Court of the EU, 6 September 2023, T-600/21.
62.
López Zurita, ‘Fundamental Rights Complaints in the Preliminary Reference Procedure’ in Melanie Fink (ed), Redressing Fundamental Rights Violations by the EU – The Promise of the ‘Complete System of Remedies’ (1st edn, Cambridge University Press 2024), 98–120, at 98 (‘This is how the procedure for a preliminary ruling in Article 267 TFEU came to the fore: it filled the gaps of access to the Court left by the interpretation of Article 263 TFEU’); Florin Coman-Kund, ‘Legal Protection Against Fundamental Rights Breaches Through Factual Conduct by the European Union’ in Melanie Fink (ed), Redressing Fundamental Rights Violations by the EU – The Promise of the ‘Complete System of Remedies’ (1st edn, Cambridge University Press 2024), 311–344 (‘A reading of Article 267 TFEU in light of the fundamental right to an effective legal remedy enshrined in Article 47 CFR offers support for the view that the category of acts of EU bodies “without any exception” encompasses also physical acts representing factual conduct’); Koen Bovend’eerdt, Argyro Karagianni and Miroslava Scholten, ‘EU Law Enforcement Authorities and Access to Justice’ in Melanie Fink (ed), Redressing Fundamental Rights Violations by the EU – The Promise of the ‘Complete System of Remedies’ (1st edn, Cambridge University Press 2024), 271–310 (‘. . . a person can indirectly have an OLAF act reviewed when a national court refers a preliminary question on the validity of an OLAF act to the Court of Justice’); see also Court of Justice of the European Union, 21 December 2023, C-281/22; see also Court of Justice of the European Union, 23 January 2018, C-179/16.
63.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) 41, 41a, 41b and 43.
64.
ibid Article 14(4)(d).
65.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
66.
Article 29 Data Protection Working Party, ‘Opinion on some key issues of the Law Enforcement Directive (EU 2016/680)’, 29 November 2017, 5; Mark Leiser and Bart Custers, ‘The Law Enforcement Directive: Conceptual Challenges of EU Directive 2016/680’ (2019) 5 European Data Protection Law Review 367, 378.
67.
Committee of Ministers of the Council of Europe, ‘Recommendation No. R (87)15 of the Committee of Ministers to Member States regulating the use of personal data in the police sector, R(87) 15’, 17 September 1987; Committee of Ministers of the Council of Europe, ‘Explanatory Memorandum to Recommendation No. R(87) 15 of the Committee of Ministers to member states regulation the use of personal data in the police sector’, 17 September 1987.
68.
European Parliament and Council, ‘Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA’, 27 April 2016, Article 6.
69.
ibid; Court of Justice of the European Union, 26 January 2023, C-205/21, para. 84.
70.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 7(6)(d).
71.
Brian Carrier, File System Forensic Analysis (1st edn, Addison-Wesley Professional 2005), 118; See also Gary Palmer, ‘A Road Map for Digital Forensic Research’ (2001), The Digital Forensic Research Conference, 1–49, at 16–19.
72.
KK Sinhu and BB Meshram, ‘Digital Forensic Investigation Tools and Procedures’ (2012) 4 International Journal Computer Network and Information Security 10; Neha Kishore, Sapna Saxena and Priya Raina, ‘Big Data as a Challenge and Opportunity in Digital Forensic Investigation’, 2017 2nd International Conference on Telecommunication and Networks (TEL-NET), Noida, India, 2017; Sara Sarwar Mir, Umar Shoaib and Muhammad Shahzad Sarfraz, ‘Analysis of Digital Forensic Investigation Models’ (2016) 14 International Journal of Computer Science and Information Security (IJCSIS) 10.
73.
Article 3 Council Act of 3 November 1998 adopting rules applicable to Europol analysis files.
74.
Council, ‘Council Decision of 6 April 2009’ (n 44) Article 5(4)(d); See also Proposal for a Council Decision establishing the European Police Office (Europol), at 5; JSB, ‘Opinion of the Joint Supervisory Body of Europol (Opinion 07/07) with respect to the proposal for a Council Decision establishing the European Police Office (Europol)’, 5 March 2007, 5–8.
75.
Neil Robinson et al., Feasibility Study for a European Cybercrime Centre (European Union 2012), 88–89; Communication from the Commission to the Council and the European Parliament – Tackling Crime in our Digital Age: Establishing a European Cybercrime Centre, at 4–5; see also EDPS, ‘Opinion of the European Data Protection Supervisor on the Communication from the European Commission to the Council and the European Parliament on the establishment of a European Cybercrime Centre’, 29 June 2012.
76.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 4(5).
77.
Europol, ‘Europol Annual Report 2002’, 2003; Europol, ‘Europol Annual Report 2003’, 2004, 14.
78.
EDPS Decision on the own initiative inquiry on Europol’s big data challenge; Europol, ‘Europol Annual Report 2002’, 2003, 9; United Kingdom House of Lords – European Union Committee, ‘Memorandum by Europol’, 2010.
79.
Europol, ‘Europol Annual Report 2004’, 2005, 12; see also Europol, ‘Europol Annual Report 2008’, 2009, 24; See also Europol, ‘Europol Review – General Report on Europol Activities’, 2011, 43.
80.
ibid; Franca König, The Rise of EU Police Cooperation – Governing Differentiated Integration (1st edn, Routledge 2022).
81.
ibid.
82.
Europol, ‘Europol Annual Report 2008’, 2009, 24; EDPS Decision on the own initiative inquiry on Europol’s big data challenge.
83.
Council, ‘Council Decision of 6 April 2009’ (n 44).
84.
Europol, ‘Europol Review’ (n 79) 15.
85.
ibid 15; Robinson et al., Feasibility Study for a European Cybercrime Centre.
86.
Europol, ‘Europol Annual Report 2002’, 2003, 9; Europol, ‘Europol Annual Report 2003’, 2004, 13; Europol, ‘Europol Review’ (n 79) 38.
87.
Europol, ‘Europol Review – General Report on Europol Activities’, 2013, 38.
88.
Robinson et al., Feasibility Study for a European Cybercrime Centre; EU Counter-Terrorism Coordinator, ‘Information Sharing in the Counter-Terrorism Context: Use of Europol and Eurojust’, 2016, 5; Europol, ‘2016 – Consolidated Annual Activity Report’, 2017, 10; Daniel Drewer and Jan Ellerman, ‘May the (Well-Balanced) Force Be with Us! The Launch of the European Counter Terrorism Centre (ECTC)’ (2016) 32 Computer Law & Security Review 195, 204, at 198.
89.
Robinson et al., Feasibility Study for a European Cybercrime Centre.
90.
Drewer and Ellerman, ‘May the (Well-Balanced) Force’.
91.
Annual Report of the Europol Data Protection Officer 2017, at 11; see also Annual Report of the Data Protection Officer 2018, at 16.
92.
EDPS, ‘Own initiative inquiry’ (n 2).
93.
Europol, ‘Europol Action Plan addressing the risk raised in the European Data Protection Supervisor (EDPS) Decision on “Europol’s Big Data Challenge” – Progress Report March 2021’, 17 March 2021, 13.
94.
ibid.
95.
Europol, ‘Europol Action Plan addressing the risk raised in the European Data Protection Supervisor (EDPS) Decision on “Europol’s Big Data Challenge”’, 17 November 2020, 5.
96.
Europol Management Board, ‘Europol Programming Document – 2023–2025’, 20 December 2022, 35; Europol Management Board, ‘Europol Programming Document – 2024–2026’, 18 December 2023, 70.
97.
Europol, ‘Europol reply to written questions from the Member of the European Parliament (MEP), Mr Patrick Breyer, to the Joint Parliamentary Scrutiny Group (JPSG)’, 3 August 2021; Joseph Cox, ‘A Giant Malware Sandbox Is Europol’s Secret to Fighting Hackers’ (accessed 1 December 2022).
98.
European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 18(2); First whereas of Management Board Decision adopting the guidelines further specifying the procedures for processing of information for the European Law Enforcement Agency in accordance with Article 18 of the Europol Regulation; See also Europol, ‘2020 – Consolidated Annual Activity Report’, 9 June 2021, 7.
99.
Europol, ‘2020 – Consolidated Annual Activity Report’, 9 June 2021, 95.
100.
Europol – Executive Director, ‘EDPS Decision on the own initiative inquiry on Europol’s “Big Data Challenge” – Reply to your letter on 19 April 2021’, 2 June 2021, 2; Europol, ‘Europol Action Plan addressing the risk raised in the European Data Protection Supervisor (EDPS) Decision on “Europol’s Big Data Challenge” – Progress Report October 2021’, 19 October 2021, 4.
101.
Council, ‘Convention based on Article K.3’ (n 41) Article 15.
102.
Council, ‘Council Decision of 6 April 2009’ (n 44) Article 29.
103.
Article 3 Council Act of 3 November 1998 adopting rules applicable to Europol analysis files; Article 3 Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files (‘After receipt of such data, it shall be determined as soon as possible to what extent they shall be included in a specific file’; ‘the data referred to in paragraph 1 shall remain under the responsibility of the Member State which supplied them, and shall be subject to the national legislation of that Member State until such data are included in an analysis work file’).
104.
Council, ‘Council Decision of 6 April 2009’ (n 44) Article 29(2).
105.
Cf. infra on CFN (p. 10).
106.
A deviating approach could affect ongoing investigations.
107.
As demonstrated earlier, the EC3 was created in 2012 and introduced in the 2016 Regulation. Including the EC3 in the legislation but preventing Europol from using it because of an unclear legal framework would run against every expectation, and the Commission would not have supported Europol in its preparatory work on Forensics.
108.
Court of Justice, 27 November 2007, C-435/06, paras 51–52; Court of Justice, 26 June 2001, C-173/99, paras 37–39; Court of Justice, 19 November 1998, C-162/97, para. 57; Court of Justice, 15 February 1996, C-63/93 (‘That principle [Principle of legitimate expectations], which is part of the Community legal order [. . .], is the corollary of the principle of legal certainty, which requires that legal rules be clear and precise, and aims to ensure that situations and legal relationships governed by Community law remain foreseeable’); Geo Quinot, ‘Substantive Legitimate Expectations in South African and European Administrative Law’ (2004) 5 German Law Journal 21, 65–85, at 68; Maarten den Heijer, Teun van Os van den Abeelen and Antanina Maslyka, ‘On the Use and Misuse of Recitals in European Union Law’ (2019) Amsterdam Law School Legal Studies Research Paper, at 25; Tadas Klimas and Jurate Vaiciukaite, ‘The Law of Recitals in European Community Legislation’ (2008) 15 ILSA Journal of International & Comparative Law 33.
109.
See also Presidency, ‘Evaluation of European Union agencies – Endorsement of the Joint Statement and Common Approach’, 18 June 2012.
110.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Articles 18(6b) and 18a(5)(2).
111.
Articles 18(6b) and 18a(5)(2).
112.
Article 3(1bis) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation.
113.
EDPS, ‘EDPS Informal comments on Europol Draft Management Board Decision on the conditions related to the processing of personal data on the basis of 18(2) of the amended Europol Regulation’, 12 May 2022, 2.
114.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Articles 18(6b) and 18a(5)(2).
115.
Articles 18(6b) and 18a(5)(2).
116.
Article 3 Council Act of 3 November 1998 adopting rules applicable to Europol analysis files.
117.
Article 3 Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files.
118.
Article 3 Council Act of 3 November 1998 adopting rules applicable to Europol analysis files.
119.
Article 3(2)(2); Article 3(2)(2) Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files.
120.
Council, ‘Convention based on Article K.3’ (n 41) Articles 8–12; Council, ‘Council Decision of 6 April 2009’ (n 44) Articles 11–16.
121.
EDPS follow-up of the own-initiative inquiry on Europol’s Big Data Challenge, at 7.
122.
Article 7(6)(d) European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5).
123.
Court of Justice, 17 October 1995, C-478/93, para 32; General Court, 24 October 2019, T-332/17, para. 69; Merijn Chamon and Valerie Demedts, ‘Constitutional Limits to the EU Agencies’ External Relations’ (2017) TARN, p. 4, n. 13.
124.
Europol, ‘Europol Action Plan’ (n 95).
125.
Annual Report of the Europol Data Protection Officer 2017, at 11; Annual Report of the Europol Data Protection Officer 2018, at 16; EDPS Decision on the own initiative inquiry on Europol’s big data challenge.
126.
EDPS Decision on the own initiative inquiry on Europol’s big data challenge.
127.
Europol, ‘Europol Action Plan’ (n 95).
128.
ibid.
129.
Europol, ‘Europol Action Plan’ (n 93); Europol, ‘Europol Action Plan’ (n 100).
130.
Europol, ‘Europol Action Plan’ (n 93) 14.
131.
EDPS, ‘EDPS follow-up to the inquiry on Europol’s Big Data Challenge (2019-0370 and 2021-0699) – Provisional analysis’, 26 July 2021, 5.
132.
Interview with Europol co-worker.
133.
Article 6(3) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation.
134.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Articles 18(6a)(2) and 18a(5)(1).
135.
Europol, ‘Europol Action Plan’ (n 93).
136.
Article 2(6) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18(6a) of Europol Regulation; Article 2(3) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation; see also Europol, ‘Europol Action Plan’ (n 100) 4, 10–11.
137.
Articles 2(6), 3(3) and 4(3) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18(6a) of Europol Regulation.
138.
EDPS, ‘EDPS Informal comments’ (n 113) 5.
139.
Article 7 Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18(6a) of Europol Regulation; Court of Justice, 6 October 2020, C-623/17, para. 78; See also Article 29 Data Protection Working Party, ‘Opinion on some key issues’ (n 66) 7–8.
140.
Article 3(2) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation (‘Such assessment shall take into account, the type of the data provided [including structure, encryption, complexity], the context of the submission including its relevance to the investigation as well as the specific instructions of the data provider that requested the support as per paragraph 1’).
141.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Articles 18a(1) and 18a(5); Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation, Article 3(2).
142.
EDPS, ‘Case 2022-0454 Consultation on Europol’s MB Decisions – Informal comments EDPS’, 16 May 2022.
143.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 18a(1)(2); Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation, Article 3(2ter).
144.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 3; Article 88 Treaty on the Functioning of the European Union.
145.
Article 3(1bis) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation.
146.
EDPS, ‘EDPS Informal comments’ (n 113) 6; Article 3(2bis) Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation.
147.
Articles 18(6a)(3) and 18a(5) iuncto Article 18a(3, 4 and 6) European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5).
148.
Management Board Decision on the conditions related to the processing of personal data on the basis of Article 18a of the Europol Regulation, Article 3(2-2ter).
149.
Both the Member States and Europol had to comply with Convention 108 of the Council of Europe.
150.
Annual Report of the Europol Data Protection Officer 2017, at 11; Annual Report of the Europol Data Protection Officer 2018, at 16.
151.
EDPS, ‘EDPS follow-up’ (n 131) 7.
152.
EDRi, ‘The EU’s Own’ (n 10); Berthélémy, ‘How Europol’s Reform’ (n 10); Fotiadis et al., ‘Europol to be Europe’s NSA?’ (n 10).
153.
See footnotes 90–91.
154.
Europol, ‘Europol reply to written questions from the Member of the European Parliament (MEP), Mr Patrick Breyer, to the Joint Parliamentary Scrutiny Group (JPSG)’, 3 October 2021; Ebner, ‘Europol – reply to written parliamentary question from the Member of the European Parliament, Mr Patrick Breyer, to the European Commission’, 9 June 2022.
155.
EDPS, ‘EDPS Supervisory Opinion on Europol’s Management Board Decision Adopted Pursuant to Articles 11(1)(q), 18 and 18a of the Europol Regulation (Case 2022-0923)’, 17 November 2022.
156.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 16(5).
157.
ibid Article 63.
158.
European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5), Article 43(4)(a).
159.
EDPS, ‘Joint Parliamentary Scrutiny Group – speaking points’, 24 October 2022, 3.
160.
See part 3(b).
161.
Council, ‘Convention based on Article K.3’ (n 41) Article 21(1); Council, ‘Council Decision of 6 April 2009’ (n 44) Article 20(1); European Parliament and Council, ‘Consolidated Regulation (EU) 2016/794’ (n 5) Article 31.
162.
Council, ‘Council Decision of 6 April 2009’ (n 44) Article 20(1); European Parliament and Council, ‘Regulation (EU) 2016/794’ (n 5) Article 31(1).
163.
Article 3 Council Act of 3 November 1998 adopting rules applicable to Europol analysis files; Article 3 Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files; European Court of Human Rights, 4 June 2013, 7841/08 and 57900/12; European Court of Human Rights, 24 April 2019, 43514/15, para. 119: (‘However, in the absence of any rules setting a definitive maximum time limit on the retention of such data the applicant was entirely reliant on the diligent application of the highly flexible safeguards [. . .] to ensure the proportionate retention of his data. Where the state chooses to put in place such a system, the necessity of the effective procedural safeguards becomes decisive’).
164.
See JSB, Opinion nr. 03-09 of the JSB in respect of the draft Council Act drawing up a Protocol amending the Europol Convention, 2003, 03; Decision by the Contracting Parties meeting within the Council of 12 June 2007 adopting rules implementing Article 6a of the Convention on the establishment of a European Police Office (Europol Convention; 2007/413/JHA); Decision of the Management Board of Europol of 4 June 2009 on the conditions related to the processing of data on the basis of Article 10(4) of the Europol Decision (2009/1010/JHA). (Aside from the six-month retention period, both the 2007 and 2009 Decisions of the Management Board on, respectively, Article 6a of the 2003 Protocol and Article 10(4) of the 2009 Europol Council Decision allow processing only by ‘duly authorised Europol staff’.)
165.
Article 3 Council Decision 2009/936/JHA of 30 November 2009 adopting the implementing rules for Europol analysis work files; Council, ‘Council Decision of 6 April 2009’ (n 44) Article 10(4).
166.
Europol – Executive Director, ‘Cooperation Between the European Data Protection Supervisor (EDPS) and Europol’, 20 October 2021.
167.
Europol, ‘Europol Action Plan’ (n 95) 2. (The action plan requires Europol to flag pending DSC files, ‘to increase the regular reviews of large datasets’ and to appoint a full-time Data Quality control coordinator. These are four additional measures on top of the initial ones. Limiting access rights and data minimisation were included in the 1998 and 2009 Council Implementing Decisions, but the EDPS wanted to strengthen the applied measures [see EDPS Decision on the own initiative inquiry on Europol’s big data challenge].)
168.
Recitals 34 and 35 Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA.
169.
Amendment 128 European Parliament, ‘European Parliament legislative resolution of 25 February 2014 on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA (COM(2013)0173 – C7-0094/2013 – 2013/0091(COD))’, 25 February 2014. (‘Europol may temporarily, in exceptional cases, process data for the purpose of determining whether such data are relevant to its tasks and for which of the purposes referred to under paragraph 1’; emphasis added.) Later, during the interinstitutional negotiations, the emphasised words were removed.
170.
EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation.
171.
Europol, ‘Europol answer to the written Joint Parliamentary Scrutiny Group (JPSG) questions from the: Members of the European Parliament (MEPs), Ms Saskia Bricmont, Mr Patrick Breyer, Ms Gwendoline Delbos-Corfield and Mr Daniel Freund, National Members of Parliament, Ms Stéphanie Empain (Luxembourg) and Eva Platteau (Belgium), delegates to the’, 30 June 2023, at 3.
172.
EDPS, ‘EDPS takes legal action as new Europol Regulation puts rule of law and EDPS independence under threat’ accessed 14 January 2023.
173.
Proposition de Règlement du Parlement Européen et du Conseil modifiant le règlement (UE) 2016/794 en ce qui concerne la coopération d’Europol avec les parties privées, le traitement de données à caractère personnel par Europol à l’appui d’enquêtes pénales et le rôle d’Europol en matière de recherche et d’innovation − Préparation du trilogue.
174.
Court of Justice of the European Union, 8 December 2020, C-626/18 (‘the EU legislature must be allowed a broad discretion in areas in which its action involves political, economic and social choices and in which it is called upon to undertake complex assessments and evaluations’); Court of Justice of the European Union, 3 December 2019, C-482/17; Court of Justice of the European Union, 6 September 2017, C-643/15; Court of Justice of the European Union, 1 March 2016, C-440/14P.
175.
Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast) iuncto Regulation (EU) 2021/1232 of the European Parliament and of the Council of 14 July 2021 on a temporary derogation from certain provisions of Directive 2002/58/EC as regards the use of technologies by providers of number-independent interpersonal communications services for the processing of personal and other data for the purpose of combating online child sexual abuse; EDPS, ‘Formal consultation on EASO’s social media monitoring reports (case 2018-1083)’, 2019 iuncto Article 5 iuncto Article 31(1)(d) Regulation 2021/2303 of the European Parliament and of the Council of 15 December 2021 on the European Union Agency for Asylum and repealing Regulation (EU) No. 439/2010.
176.
General Court of the Court of Justice of the European Union, 6 September 2023, T-578/22.
177.
EDPS v European Parliament and Council [pending].
