EU Grants Europol Supervised Data Processing PowersPowers Remove GDPR Restrictions; Independent Authority Will Oversee Use
Europol, the European Union's police agency, will now have the power to receive and process datasets from private parties and pursue research projects for better handling of security-related cases. The use of these powers, granted by the European Parliament, will be overseen by the European Data Protection Supervisor and the Fundamental Rights Officer, a newly created role.
Parliament granted the new powers after taking a poll on Wednesday, in which 480 members of the European Parliament voted in favor of the powers and 143 voted against them. Twenty members abstained.
The final endorsement of these additional powers comes on the back of an agreement reached in February 2022 between Parliament and council negotiators on strengthening the mandate of Europol, which supports police investigations carried out by law enforcement authorities in the EU's member states, Parliament says.
Parliament member Javier Zarzalejos emphasized the importance of the mandate. "This regulation, and the new mandate for Europol, mark a substantial leap forward in the capabilities of the agency, in its ability to support member states, in its governance framework and, last but certainly not least, in the enhanced system of safeguards we have put in place," he says.
Erich Kron, security awareness advocate at cybersecurity firm KnowBe4, says that while the mandate is welcome, one must not throw caution to the wind. "One of the tougher issues we face in the modern digital world is that of privacy, especially when we generate the huge digital footprint we do now. With the amount of data generated and proliferation of cybercrime, law enforcement does need to have access to data. But it is very difficult to separate the information of law-abiding citizens from that of criminals, especially when initially looking through big data," Kron says.
The negotiations that took place between the European Parliament and the EU Council in February 2022 clarified that by using these powers, Europol can pursue research and innovation projects, process large datasets and help national authorities of member states screen foreign direct investment in security-related cases.
Currently, due to GDPR restrictions, receiving and processing of data is not allowed for any purpose without legal consent, according to the regulatory laws. But with these powers, "Europol will be able to receive data from private companies, for example communication providers," the statement from Parliament says. The agency will also have the right to process personal data, "but they will have to be deleted after a certain time," it adds.
To keep a tab on what data has been requested, acquired and processed, the European Data Protection Supervisor - or EDPS - will be able to access these records of data transfers on request, according to Parliament. "The EDPS will oversee Europol's personal data processing operations, and work together with the agency's data protection officer," it says.
The Fundamental Rights Officer
Parliament has also created a new post, called the Fundamental Rights Officer, who will ensure compliance with EU data protection rules.
"To balance the police agency's new powers with appropriate supervision, the co-legislators agreed that the agency will create a new post for a fundamental rights officer," that statement from Parliament says.
Kron tells Information Security Media Group that while giving more powers to Europol to combat crime using digital means is a noble thing, balancing that power can be a challenge, and the role of the Fundamental Rights Officer can help.
"By instituting a Fundamental Rights Officer to add oversight, the hope is that this additional authority can be supervised. But it is important that the people involved in this post are knowledgeable about electronic data and how it can be misused as well as how it can be properly used - something that many governments have struggled with when dealing with the ethics of privacy and data," Kron says.
Since the mandate has already been approved, the next step in the process is adoption of legal text by the council, after which it will be published in the EU's official journal before finally taking effect. The European Parliament did not immediately respond to ISMG's request for information about the time frame for these actions.
Data Protection Authorities Weigh In
In February 2022, the European Commission proposed the Data Act, which would ensure fairness in the digital environment, stimulate a healthy data market, open opportunities for data-driven innovation and make data more accessible for all.
This is in line with the commission's 2030 digital objectives and is a step up from the Data Governance Act adopted by the commission at the end of 2020, which provided a legal framework for sharing nonpersonal data.
The International Association of Privacy Professionals - or IAPP - confirms this and says, "The Data Act is meant to go one step forward, introducing binding requirements for the manufacturer of connected devices and related services to provide access to the data that users create."
The overall principle of the Data Act, according to IAPP, is that business users and consumers should be able to access, manage and share the data they generate when using a connected device or a respective service such as virtual assistants.
The European Data Protection Board, or EDPB - which comprises representatives from the national data protection authorities - and the European Data Protection Supervisor, or EDPS - which is responsible for overseeing the application of the GDPR in member states - have reviewed the proposal of the Data Act and released a joint statement.
The data protection agencies have welcomed the suggestions made in the proposal but also noted their apprehensions: "Since the Data Act would also apply to highly sensitive personal data, the EDPS and EDPB urge the co-legislators to ensure that data subjects' rights are duly protected," the statement says.
Wojciech Wiewiórowski of EDPS says the current draft does not "properly" define government access to data while EDPB Chair Andrea Jelinek says a "clear distribution of competences" among regulators is needed to avoid "fragmented supervision," according to the joint statement.
The EDPS and EDPB have also raised concerns about the lawfulness, necessity and proportionality of the obligation to make data available to EU member states' public sector bodies and to EU institutions, bodies, offices and agencies - or EUIs - in case of "exceptional need. "[We] urge the co-legislators to define much more stringently the hypotheses of emergency or 'exceptional need,' and which public sector bodies and EUIs should be able to request data," the data protection authorities say.
The two authorities have, however, also lauded the designation of data protection supervisory authorities as being responsible for monitoring the application of the Data Act. They also suggest the commission should include the national Data Protection Authorities, or DPAs, in this designation.