Legislative Observatory
European Parliament
Please fill in this field to find a procedure

European Union Agency for Law Enforcement Cooperation (Europol)

2013/0091(COD)

Opinion of the European Data Protection Supervisor on the Proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA.

On 27 March 2013, the Commission adopted the proposal for a Regulation of the European Parliament and of the Council on the European Union Agency for Law enforcement Cooperation and Training (Europol) and repealing Decisions 2009/371/JHA and 2005/681/JHA. The Proposal was sent by the Commission to the EDPS for consultation on the same day.

The EDPS’s Opinion focuses on the most relevant changes of the legal framework for Europol from the perspective of data protection.

Data protection in the context of the European institutions: the EDPS The EDPS recommends specifying in the recitals of the Proposal that the new data protection framework of the EU institutions and bodies will be applicable to Europol as soon as it is adopted. At the latest from the moment of the adoption of the new general framework, the main new elements of the data protection reform (i.e. accountability principle, data protection impact assessment, privacy by design and by default and notification of personal data breach) should also be applied to Europol.

Transfers of data to third parties: the EDPS proposes a series of new provisions with regard to the matter of transfers of data. While the EDPS welcomes that, in principle, transfer to third countries and international organisations can only take place on the basis of adequacy or a binding agreement providing adequate safeguards, he calls for a binding agreement to ensure legal certainty as well as full accountability of Europol for the transfer (especially for massive, structural and repetitive transfers). However, he understands that there are situations in which a binding agreement can not be required. Those situations should be based on real necessity and only allowed for limited cases, and strong safeguards — substantial as well as procedural — are needed

The EDPS strongly recommends deleting the possibility for Europol to assume Member States' consent. The EDPS also advises adding that consent should be given ‘prior to the transfer’. The EDPS recommends adding to the Proposal a transitional clause regarding existing cooperation agreements regulating personal data transfers by Europol

Moreover, the EDPS recommends:

·        adding expressly that derogations may not be applicable to frequent, massive or structural transfers, in other words for sets of transfers (and not just for occasional transfers).

·        providing a specific paragraph dedicated to transfers with the EDPS' authorisation. This authorisation would be granted prior to the transfer/set of transfers, for a period not exceeding one year, renewable.

Other recommendations: the EDPS also recommends:

·        deleting the possibility for Europol to directly access national databases;

·        where access concerns EU information systems, granting access only on a hit/no hit basis (i.e. a positive or a negative answer). Any information related to the hit should be communicated to Europol after the explicit approval and authorization of transfer by the Member State (if the access concerns data supplied by a Member State), the EU body or the international organisation and be subject to the assessment;

·        including in the proposal a provision that Europol must have a transparent and easily accessible policy with regard to the processing of personal data and for the exercise of the data subjects' rights, in an intelligible form, using clear and plain language;

·        adding provisions regarding the principle of privacy by design from the creation of systems processing personal data.