(ORIGINAL PUBLISHED on EU LAW ANALYSIS)
by Steve PEERS
The EU’s police cooperation agency, Europol, has played a major role in the development of Justice and Home Affairs cooperation in the EU from an early stage. Europol was originally set up informally, then on the basis of a 1995 Convention, subsequently replaced by a Council Decision in 2009. While its powers have gradually been expanded, so has the controversy about its accountability and the adequacy of its data protection rules. Since it is a creature of the former ‘third pillar’ (the previous special rules on policing and criminal law) it is something of a ‘dinosaur’ in institutional terms, being an essentially intergovernmental body.
With the entry into force of the Treaty of Lisbon, the European Parliament (EP) now has joint powers with the Council as regards the adoption of a Regulation governing Europol, and the Treaty now refers expressly to the importance of ensuring accountability to both national parliaments and the EP. Furthermore, the EU institutions agreed in 2012 a ‘Common Understanding’ on standard rules which would apply to the governance of EU agencies. To expand Europol’s powers further, while addressing the issues of governance, accountability and data protection, the Commission proposed a new Regulation reconstituting Europol in 2013.
At the most recent Justice and Home Affairs Council, ministers agreed the Council’s position on the Commission’s proposal. Since the European Parliament also recently agreed its own position, this clears the way for negotiations to take place between the two institutions for a final deal, once the EP is fully operational again following the recent elections. This is therefore a good time to examine the progress of discussions on the proposed Regulation so far.
It should be noted that Ireland has opted in to this proposed Regulation, while the UK and Denmark have opted out. The UK’s objections are due to the proposals to place national law enforcement bodies to comply with Europol’s requests to start investigations, and to supply information to Europol without a national security exception. However, as discussed further below, the Council’s and EP’s positions on the proposal address these issues, raising the possibility that the UK will opt in after adoption of the Regulation.
First and foremost, the Commission failed in its attempt to merge together Europol with the European Police College. The Commission thought it was a good idea to merge the two, given the overlap of their subject-matter. There has never been a merger of EU agencies before, for essentially political reasons: Member States fight bitter battles to host EU agencies, and so are reluctant to let one go once they have one. However, unusually, in this case the original host of the European Police College, the UK, was rather keen to kick the agency out, as it was planning to sell the space where the College was located and declared itself unable to find a new one.
So there was a golden opportunity to merge these two agencies, but neither the European Parliament nor the Council wanted to take it. In light of the Commission’s inflexible insistence on its proposal, an unprecedented group of 25 Member States tabled an initiative to amend the previous Decision establishing the European Police College, which was subsequently adopted. This new Regulation simply moves the College to Budapest. The Council has requested the Commission to make a separate proposal making further changes to the Police College, but it remains to be seen whether the Commission will do so, or whether it will continue to sulk about the failure of its original suggestion for a merger.
The Commission’s second main objective related to Europol itself. It cannot carry out ‘coercive powers’, according to the Treaties, and all three institutions agree that a clause to this effect should appear in the new Regulation. So it is destined to remain an agency which gathers and analyses information, and it is only able to do the latter to the extent that it does the former. As dinosaurs go, Europol is clearly a herbivore, not a carnivore.
But the Commission nonetheless hoped to give Europol some sharper teeth. So it proposed two key amendments: a clarification of Member States’ obligation to give information to Europol, and an enlargement of Europol’s access to national databases. In parallel to this, the Commission’s proposal removed the detailed rules on the structure of data processing that existed in the Europol Decision (and before that, in the Europol Convention). In place of these very specific rules on analysis files and the Europol Information System, et al, there would instead be general provisions on data processing, which would be centred upon an obligation to ensure ‘privacy by design’.
The Council weakened the proposed rules which required national authorities in principle to act upon Europol’s request to initiate investigations. However, this issue is mainly symbolic, since there was no absolute obligation to act, under the Commission’s proposals (authorities could ‘decide not to comply’ with a request, on any grounds).
Furthermore, the Council did not accept the Commission’s proposal to allow Europol to contact national authorities directly in all cases, without going through the ‘Europol national units’ (the official points of contact between Europol and national forces). Instead, it simply provided (as at present) for the possibility for Member States to allow this. It also reinserted the current provisions which allow national authorities to refuse requests for information from Europol on grounds of national security, current investigations or intelligence activities.
However, the Council agreed with the proposal to give Europol a list of other new powers, and added new provisions giving Europol the power to assist with Schengen evaluations, as well as the evaluation of candidate Member States. It also specified that Member States have to allow their Financial Intelligence Units (special units dealing with money laundering) to collaborate with Europol. Finally, it wants to extend the fields of crime which Europol deals with to include war crimes and genocide as well as insider trading.
For its part, the EP, like the Council, voted against strengthening the provisions relating to Europol requests to Member States, although it did agree to Europol’s direct contact with national authorities (under certain conditions). It also agreed to retain the provisions allowing authorities to refuse requests from information from Europol.
Furthermore, the EP wants to reinsert the existing conditions relating to Europol’s participation in joint investigation teams, whereas the Commission (and the Council) want to provide only for general rules in this respect.
Data processing and data protection
Europol’s powers are inevitably closely linked with the data processing and data protection rules that apply to its processing of personal data. On this point, the Commission’s main objective with its proposal was to enhance the data protection framework of Europol by ensuring that its data protection supervisor was fully independent and had effective powers.
To this end, the Commission suggested more detailed rules on data processing and more data protection rights for individuals. The rules on external transfers of data outside the EU, which currently allow Europol itself to sign treaties with the Council’s approval, would be replaced by the general external relations rules of EU law (treaty negotiations carried out by the Commission, treaties concluded by the Council after consent by the EP). In general, the rules on transferring data to third States would be modelled on the rules in the EU data protection directive (see the recent post on this blog), allowing for transfers in principle only where a third State’s data protection has been judged ‘adequate’, with limited derogations from this rule. The supervisory powers currently held by a Joint Supervisory Board would be transferred to existing European Data Protection Supervisor (EDPS), which has data protection supervisory power as regards most EU agencies.
The Council would amend the proposal to add a general power to process personal data in order to facilitate information exchange between Europol, other EU bodies, third countries, Member States and international organisations. Also, the Council would impose an absolute obligation for Europol to inform Member States about information concerning them. The Council would also allow for broader derogations from the normal rules as regards the transfers of data to third countries, adding grounds relating to legal claims and the combating of criminal offences.
As for data protection rules, the Council would strengthen the proposal by banning the selection of a group persons purely on the basis of a ‘sensitive’ ground, such as racial origin. It would also add a requirement for Europol to notify its data protection officer and the EDPS in the event of a security breach. Europol would also have to inform data subjects of the time period for the processing of their data, and the right to make requests to Europol for erasure, et al of that data.
However, the Council would drop the requirement for Europol to report on its processing of sensitive data every six months to the EDPS. Also, Europol would have to comply with any Member State’s objection to the release of data which it provided to Europol. A data subject’s request for correction et al of personal data would have to be funnelled through a national authority, rather than addressed directly to Europol, and the Council would include very broad grounds for Europol to refuse such requests.
The Council is also keen to amend the institutional ‘architecture’ regarding data protection in the Commission’s proposal. It would cut back a little on the proposed powers of the EDPS, and impose the condition that it considers law enforcement concerns when it communicates with data subjects. National data protection bodies would have the power to comment on the draft annual report of the EDPS before its conclusion. More generally, the EDPS would have further obligations to consult national data protection bodies, and the Council wants to establish a Cooperation Board that would have a large number of advisory powers.
For its part, the EP would subject all access to personal data by Europol to general rules of necessity and proportionality and the adoption of specific rules setting out data protection principles. The categories of personal data which could be processed would be more tightly restricted, and the EP does not support anything similar to a general power to process personal data to facilitate relations with the Member States, et al. There would be a requirement to carry out an impact assessment before data processing operations.
The EP would ban access to Europol data by OLAF, the EU’s anti-fraud body, and also would impose a ban on processing of data obtained by means which breach human rights. Pre-existing treaties with third states relating to the processing of personal data would have to be renegotiated within five years. The EDPS would have to be consulted before treaties with third States are negotiated.
While the EP broadly agrees with the Council regarding the derogations from the external transfer rules, it wants to require Europol’s Executive Director to consider the record of the third country concerned before authorising the use of these derogations. The EP also agrees with the Council on a clause regarding notification of a data breach to the EDPS, although its version is more detailed, and the EP also wants a clause on notification of such breaches to the data subject. Finally, the EP wants more detail in the annual report by the EDPS, and proposes more cooperation between the EDPS and national authorities, although it does not support the Council’s idea of creating a Board.
First of all, as regards Europol’s management board, in accordance with the Common Understanding on EU Agencies, the Commission proposed that it have two representatives, alongside one from each Member State. However, both the EP and Council want to cut this back to one representative (as at present). Moreover, the EP (based on the Common Understanding, which refers to full EP members on agencies’ management boards) proposes to let an observer from its Joint Parliamentary Scrutiny Group (see below) attend meetings of the Management Board. Both the EP and the Council want to drop the proposed clause (based on the Common Understanding) which would require Member States to limit turnover in the Board.
The EP supports the Commission’s proposal to ‘aim to achieve a balanced representation between men and women’ on the board, but the Council does not.
Next, the Council and Commission agree that (in accordance with the Common Understanding) members of the Management Board should have standard terms of four years. However, the EP wants their term of office to be set by each Member State.
Furthermore, the Council wants the chair of the Management Board to come (as at present) from one of the three Member States which is jointly holding the Council Presidency, whereas the Commission and the EP reject this. Finally, the EP wants all members of the Management Board to sign a declaration of interests, for such declarations to be published, and for the Commission to have the power to object to draft Management Board decisions on fundamental legal or policy grounds. These proposals are based on the Common Understanding.
Secondly, the Council wants to retain its current powers to appoint Europol’s Executive Director and the Deputy Executive Directors, instead of shifting this power to the Management Board as the Commission proposes, in accordance with the Common Understanding on agencies (the EP agrees with the Commission). But the Council does not want to share this power with the EP.
Thirdly, the Commission proposed the creation of a new Executive Board as part of the management structure. The EP rejects this idea completely, whereas the Council can accept it on condition that the Management Board agrees unanimously to create it, leaving it to the Board (rather than the Regulation) to set out the details.
Finally, the Council wants to curtail the scope of the future reviews of the Regulation, while the EP wants to enhance them to include the provisions on parliamentary accountability. The Commission and EP support the possibility of a future amendment or repeal of the Regulation, while the Council wants to drop this possibility. It should be noted that the Common Understanding refers to the possibility of disbanding an agency.
Currently, the EP can receive reports on Europol, plays a role as regards the budget, is consulted upon implementing measures and can hold hearings with the Director. Due to concerns about ensuring more effective parliamentary accountability for Europol’s actions, the Commission proposed a number of reforms, in particular sending the EP and national parliaments more reports, and involving the EP more in the process of choosing the (Executive) Director.
In response, the Council insists upon separate references to the EP and national parliaments. It would also delete many of the proposed powers for the EP, in particular dropping the proposed obligation for the Executive Director to report to the EP and the obligation for the candidate to be Executive Director to make a statement before the EP.
Conversely, the EP would enhance the parliamentary role in the Regulation, in particular by creating a Joint Parliamentary Scrutiny Group, which would comprise members of both the EP and national parliaments. In its view, references to the EP in the proposal should be replaced by references to this group.
There would also be greater powers for the Joint Parliamentary Scrutiny Group as regards the process of appointing the Executive Director.
The EP and the Council agree broadly on the modest extension of Europol powers, including in particular the removal of provisions relating to the European Police College and retaining the current limits on Europol’s powers as regards national authorities, so these will likely be the least controversial issues to negotiate. It is striking that these institutions did not take the opportunity either to reduce the agencies’ costs by means of a merger, or at least to increase their efficiency by means of co-location.
As regards data protection, there are significant differences between the EP and the Council as regards: the broadening or tightening of the grounds for data processing; the details as regards notification of security breaches; the rights of data subjects; the architecture of data protection authorities; and the grounds to refuse a data subject’s requests. Both support some further powers for national authorities.
Two specific points should be highlighted here. First of all, the Council’s suggestion of a general power for Europol to process personal data in order to facilitate information exchange has to be rejected on legal grounds, since this is far too broad and imprecise a legal basis on which to justify the exchange of personal data. The EP has the better approach: if (as all the institutions agree) EU legislation should no longer regulate the details of Europol’s databases and analysis files, there need to be strong and specific data protection principles in the Regulation instead.
Secondly, while both the EP and the Council agree on a general derogation from the external transfer rules for the combating of criminal offences, this exception is likely to become the rule, since combating criminal offences is Europol’s whole raison d’etre.
As for governance and accountability, the main issues are the extent of parliamentary powers, and also the nature of those powers (ie, whether there should be separate or joint roles for the EP and national parliaments). It is striking that the Council is keen to have a joint data protection supervisory body, but not a joint parliamentary body, whereas the EP’s preferences are the other way around. Remarkably, the Council’s removal of the (Executive) Director’s obligation to report to the EP would actually mean lessparliamentary accountability on this point than under the current Decision.
Also, the EP and the Council differ as regards: whether there should be an executive board; the role of Council as compared to the Management Board in appointing the executive director; retaining a special status for the Council Presidency chairing the Management Board; rules on conflict of interest; other aspects of the composition and functioning of the Management Board (term, turnover, gender equality, Commission control, conflict of interests); and the review and possible disbanding of Europol.
On these issues, the Council’s suggestion to go backwards, by eliminating any role for the EP questioning the Executive Director, is simply antedivulian. It flies in the face of the specific reference to parliamentary accountability in the Treaties, given the obvious importance that parliamentary questioning of an agency director can play in ensuring that body’s accountability.
The Council’s attempts to defend the status quo can also be seen in its approach to the appointment of the (Executive) Director and the composition and chairing of the Management Board. The more modern approach of the EP as regards gender equality, declarations of interests, scrutiny by the Commission, and review or disbanding of Europol, should be preferred. Furthermore, accountability surely demands a single parliamentary observer on the Management Board, given that 28 Member States will each have a voting member to advocate their interests.
It is striking that two years after agreeing standard rules on EU agencies, in a bid to forestall future conflicts and difficult negotiations, all three agencies have taken a ‘pick and mix’ approach to the Common Understanding, each selecting certain points that they like from these common principles and rejecting those which they dislike.
Overall, it is clear that the Council’s preference is for Europol to remain an essentially intergovernmental body, with merely another incremental increase in its powers, a modest enhancement of the data protection rules, and no significant change in either its governance or parliamentary accountability. The EP agrees that the increase in its powers should be limited, but is pushing instead for a modernisation of the agency in light of the Treaty of Lisbon and the Common Understanding, as regards stricter data protection rules, reforming its governance, and greater accountability. Time will tell whether the Council will succeed in preserving this intergovernmental dinosaur.