European Union Agency for Law Enforcement Cooperation (Europol)
The European Parliament adopted by 610 votes to 37 with 28 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council on the European Union Agency for Law Enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA.
Parliament stressed that point 31 of the Interinstitutional Agreement of 2 December 2013 between the European Parliament, the Council and the Commission on budgetary discipline, on cooperation in budgetary matters and on sound financial management shall apply for the extension of the mandate of Europol. It emphasised that any decision of the legislative authority in favour of such an extension shall be without prejudice to the decisions of the budgetary authority in the context of the annual budgetary procedure;
Once the European Parliament and the Council agree upon the Regulation, the Commission needs to fully take the agreement into account in order to meet the budgetary and staff requirements of Europol and its new tasks, in particular the European Cybercrime Centre.
Parliament adopted its position in first reading following the ordinary legislative procedure. The amendments adopted in plenary amend the proposal as follows:
1) Rejecting the merger of Europol and Cepol: Parliament considered that Europol should not merge with the European Police College (CEPOL), since these two organisations had very different objectives and tasks when it came to cooperation in the European area of freedom, security and justice. Accordingly, a series of amendments keeping this position in mind appeared throughout the text and references to CEPOL were deleted.
2) Europol’s tasks: Parliament re-defined these tasks. The Agency shall support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating organised crime, terrorism and other forms of serious crime, in such a way to require a common approach by Member States taking in account the scale, significance and consequences of the offences.
-EUROPOL’s investigations: Parliament also re-defined the framework of joint investigation teams. Accordingly, whenever a cooperation between Europol and Member States has been established regarding a specific investigation, clear provisions should be drawn up between Europol and those Member States involved, outlining the specific tasks to be carried out, the degree of participation with the investigative or judicial proceedings of the Member states, and the division of responsibilities and the applicable law for the purposes of judicial oversight.
Europol shall not apply coercive measures and Europol officers shall not take part in the application of coercive measures.
3) Data protection: generally, Parliament clarified the data to which EUROPOL might have access, stressing that the principles of relevance and proportionality must be observed with regard to personal data processing. It called for, inter alia:
· Europol’s power to exchange personal data with other Union bodies to be restricted so that the data concerns only those persons who have committed or who are thought likely to commit offences in respect of which Europol has competence;
· the exchange of personal data with third countries and international organisations to strike an appropriate balance between the need for effective enforcement and personal data protection;
· data protection rules at Europol to be strengthened and aligned with other relevant data protection instruments applicable to processing of personal data in the area of police cooperation in the Union to ensure a high level of protection of individuals with regard to processing of personal data and to respect the principles of accountability and transparency;
· straitening monitoring of Europol so that the European Data Protection Supervisor shall, where relevant, use the expertise and experience of national data protection authorities in carrying out his duties;
· ensuring the right of access to data, so that any data subject wishing to exercise the right of access to personal data may make a request to that effect free of charge to the authority appointed for this purpose in the Member State of his/her choice.
-Use, management and purpose of data: apart from provisions on data protection, Parliament set out a new framework regarding EUROPOL’s use of data:
· personal data may only be processed for specific purposes and limited to the minimum necessary, and the report contains provisions on purpose limitation (such as specific analysis);
· Europol may temporarily, in exceptional cases, process data for the purpose of determining whether such data are relevant to its tasks and the purposes set out in the text;
· personal data may be processed by only those duly authorised staff who need them for the performance of their tasks;
· Europol shall keep detailed records of all hits and information accessed and the EDPS must play an active role to ensure that the Agency respects its obligations regarding data protection;
· Europol should be able to exchange personal data with law enforcement authorities of third countries and with international organisations such as Interpol to the extent necessary and proportionate for the accomplishment of its tasks.
Information about victims and witnesses: unlike the position taken by its competent committee, Parliament retained the terms of the Commission proposal regarding data processing on victims of a criminal offence, witnesses or other persons who can provide information or minors. Accordingly, the processing of personal data on victims of a criminal offence, witnesses or other persons who can provide information on criminal offences, or on persons under the age of 18 shall be prohibited unless it is strictly necessary and duly justified for preventing or combating crime that falls under Europol's objectives (the committee had stated that Europol must not process this kind of data).
Parliament also wanted Europol shall make publicly available a document setting out in an intelligible form the provisions regarding the processing of personal data and the means available for the exercise of the rights of data subjects.
The resolution contained provisions on: (i) notification of a personal data breach to the European Data Protection Supervisor; (ii) communication of a personal data breach to the data subject. The EDPS shall take utmost account of the position of the competent national supervisory authorities.
Parliament added that Europol shall carry out an impact assessment containing at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, and the measures envisaged to address those risks.
-Transfer of data to third parties: personal data shall only be transferred by Europol to Union bodies, third countries and international organisations, if this is necessary for preventing and combating crime and if the recipient gives an explicit undertaking that the data will be used solely for the purpose for which they were transmitted.
Any information that has been obtained by a third country, international organisation or private party in violation of fundamental rights, as enshrined in the EU Charter of Fundamental Rights, shall not be processed.
Europol shall make publicly available a regular updated list of international and cooperation agreements it has with third countries and international organisations, by posting this list on its website, and it shall consult the EDPS.
The transfer will be authorised if it is necessary to safeguard legitimate interests of the data subject where the law of the Member State or third country transferring the personal data so provides or is essential for the prevention of an immediate and serious threat to public security of a Member State or a third country.
Derogations may not be applicable to systematic, massive or structural transfers.
3) Increasing Parliamentary oversight: Parliament proposed creating a Joint Parliamentary Scrutiny Group, comprising members of European Parliament and national parliaments. The Chairperson of the Management Board, the Executive Director and a representative of the Commission shall appear before the Group at its request to discuss matters relating to Europol, and fundamental rights on data protection.
Other institutional provisions: Parliament introduced new provisions on:
· the EDPS to strengthen the latter’s role regarding Europol;
· executive board: the Commission’s text proposed the creation of such a Board, but the committee deleted such references since it felt it was not necessary to have such a Board to guarantee that Europol is run transparently and democratically.
· mandates of the President and Vice-President: these will go from 4 to 5 years.
Parliament also set up a prior notification and red-flag-mechanism whereby the Commission shall activate a warning system if it has serious concerns that the Management Board may be about to take decisions which would not comply with Europol's mandate.
National unit: Parliament specified that Europol shall liaise with a single national unit in each Member State, to be established or designated. There are several new provisions clarifying the tasks of the Unit. Parliament observed that each year Europol shall draw up a report regarding information sharing by each Member State and on the performance of its National Unit. The report shall be analysed by the Management Board with the objective of continuously improving the mutual cooperation between Europol and Member States. The annual report shall be sent to the European Parliament, the Council, the Commission and national parliaments.
Report: lastly, Parliament wanted the annual activity report, the work programmes and the evaluation reports to be presented to the Joint Parliamentary Scrutiny Group, which may request any relevant document necessary for the fulfilment of its tasks, subject to rules governing the treatment of confidential information by the European Parliament.