«Brussels, 27.3.2013 COM(2013) 173 final 2013/0091 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the European Union ...»
• Ensure a robust data protection regime for Europol, in particular to guarantee that the data protection supervisor of Europol has full independence, can act effectively and has sufficient powers of intervention.
• To improve the governance of Europol by seeking increased efficiency and aligning it with the principles laid down in the Common Approach on EU decentralised agencies.
The proposal achieves these aims in the following way:
1. Aligning Europol with the requirements of the Treaty of Lisbon, increasing its accountability EN EN The regulation ensures that Europol’s activities are subject to scrutiny by the democratically elected representatives of the EU citizens. The proposed rules are in line with the Commission’s 2010 Communication on the procedures for the scrutiny of Europol’s activities by the European Parliament, together with national Parliaments.20
In particular, the European Parliament and national Parliaments:
• receive information through annual activity reports and final accounts each year;
• receive for information threat assessments, strategic analyses and general situation reports relating to Europol’s objective as well as the results of studies and evaluations commissioned by Europol, and working arrangements agreed with authorities of third countries to implement international agreements concluded by the European Union with this third country;
• receive for information the multi-annual and annual work programme as adopted;
• receive reports on quantity and quality of information provided to Europol by each Member State and on the performance of its National Unit;
• may discuss with the Executive Director and the Chairperson of the Management Board matters relating to Europol- taking into account the obligations of discretion and confidentiality.
In addition, the European Parliament:
• fulfils its functions of the budgetary authority, in particular: receives the statement of estimates, receives the report on the budgetary and financial management for that financial year, may ask for any information required for the discharge procedure and gives a discharge to the Executive Director in respect of the implementation of the budget;
• is consulted on the multi-annual work programme of Europol;
• receives for information the annual work programme of Europol;
• may invite the candidate for the Executive Director of Europol or a Deputy Executive Director selected by the Management Board for a hearing before the competent parliamentary committee;
• may invite the Executive Director to reply to its questions on his/her performance.
In order to allow the European Parliament to exercise the scrutiny but at the same time to guarantee confidentiality of operational information, Europol and the European Parliament need to conclude working arrangement on the access to European Union Classified Information and sensitive non-classified information processed by or through Europol.
2. Europol as a hub for information exchange between law enforcement authorities in the Member States In order to improve Europol’s intelligence picture, so that it can better support Member States and better inform EU policy setting, the proposal seeks to enhance the supply of information by Member States to Europol. This is done by strengthening the obligation for Member States to provide Europol with relevant data. An incentive is offered by extending the possibility for law enforcement services to receive financial support to cross border investigations in areas COM (2010) 776 final.
EN EN other than euro counterfeiting. A reporting mechanism to monitor Member States’ contribution of data to Europol is introduced.
To enable Europol to better establish links between data already in its possession and subsequently analysing them, the agency’s processing architecture is re-designed. It no longer pre-defines data bases or systems but instead adopts a ‘privacy by design’ approach and full transparency towards the Data Protection Officer at Europol and the European Data Protection Supervisor, the EDPS. High data protection and data security standards are achieved by means of procedural safeguards that apply to any specific type of information.
The regulation sets out in detail the purposes of data processing activities (cross-checking, strategic analyses or other general nature, operational analyses in specific cases), the sources of information and who may access data. It also lists categories of personal data and data subjects whose data may be collected for each specific information processing activity. This would enable Europol to adapt its IT architecture to future challenges and the needs of the law enforcement authorities in the EU. Once in place, it would allow Europol to link and make analyses of relevant data, reduce delays in identifying trends and patterns and reduce multiple storage of data. At the same time, high data protection standards would be guaranteed.
Observance of those standards will be supervised by the European Data Protection Supervisor.
In this way Europol analysts would gain a broader picture on serious criminality and terrorism in the EU. They would be able to quickly identify trends and patterns across all criminal areas and build more comprehensive and relevant intelligence reports to support Member States’ law enforcement authorities.
3. New responsibilities: training and developing EU centres to fight specific crimes To ensure synergies in EU support for policing, and to allow full implementation of the EU Law Enforcement Training Scheme proposed in parallel with this regulation,21 Europol will take over and build on the tasks formerly carried out by CEPOL. Closer links between training and operational work will lead to more targeted and relevant training for law enforcement officers.
Europol, through a new department known as the Europol Academy will assume responsibility for supporting, developing, delivering and coordinating training for law enforcement officers at the strategic level, and not only (as is the case under the current CEPOL Decision) senior police officers. These activities will address needs for awareness and knowledge of international and Union instruments, encouragement of cross-border cooperation, specialized knowledge in specific criminal or policing thematic areas and preparation for participation in EU civilian police missions in third countries. It will be responsible for developing and evaluating educational tools, linked to requirements identified in regular training needs assessments. It will contribute to research and seek to establish partnerships with Union bodies and private academic institutions as appropriate.
The composition, functions and procedures of the Management Board reflect Europol’s new responsibilities for law enforcement training, as well as the best practice set out in the Common Approach on EU decentralised agencies.
A Scientific Committee for Training will advise the Management Board in order to guarantee and guide the scientific quality of Europol’s training activities.
COM (2013) 172 final.
EN EN To enhance the EU’s capacity to confront specific crime phenomena, which particularly call for a common effort, Europol is given a possibility to develop centres to fight specific forms of crime, for example the European Cybercrime Centre.
Such EU centres integrating various approaches towards fighting the specific form of crime would add value to the Member States actions. They could, for instance, be information focal points, pool expertise to support Member States in capacity building, support Member States’ investigations or become the collective voice of the European investigators across law enforcement in the specific area.
4. Robust data protection regime The proposal reinforces the data protection regime applicable to Europol’s activities. In
particular, the following measures are taken:
• The existing autonomous Europol data protection regime is further strengthened by drawing to a large extent on the principles underpinning Regulation (EC) No 45/2001 on the protection of individual with regard to processing of personal data by the Community institutions and bodies and on the free movement of such data.22 As Declaration 21 attached to the Treaty recognizes the specificity of personal data processing in the law enforcement context, the data protection rules of Europol have however been aligned with other data protection instruments applicable in the area of police and judicial cooperation. These are in particular the Convention No. 10823 and Recommendation No R (87) of the Council of Europe24 and Council Framework Decision 2008/977 on the protection of personal data processed in the framework of police and judicial cooperation.25 This will ensure a high level of protection of individuals with regard to processing of personal data, while taking into due account the specificity of law enforcement.
• Access by Member States to personal data held by Europol and relating to operational analyses, is made indirect based on a hit/no hit system: an automated comparison produces an anonymous ‘hit’ if the data held by the requesting Member State match data held by Europol. The related personal or case data are only provided in response to a separate follow-up request.
• The processing of personal data on victims, witnesses, persons different from suspects, and minors is prohibited unless strictly necessary. This limitation also applies to data revealing racial or ethnic origin, political opinions, religions or beliefs, trade-union membership and of data concerning health or sex life (sensitive personal data). Furthermore, sensitive personal data can only be processed where they supplement other personal data already processed by Europol. Europol is obliged to provide every six months an overview of all sensitive personal data to the EDPS. Finally, no decision which produces legal effects concerning a data subject can be taken solely on the basis of automated processing of sensitive personal data, unless it is authorised by EU or national law or by the EDPS.
OJ L 8, 12.1.2001, p. 1-22.
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Strasbourg, 28.1.1981.
Council of Europe Committee of Ministers Recommendation No. R(87) 15 to the Member States on regulating the use of personal data in the police sector, 17.9.1987.
OJ L 350, 30.12.2008, p. 60. The Commission has proposed to replace this instrument by a Directive, COM (2012) 10 final.
EN EN • To increase transparency, individuals’ right of access to personal data held by Europol is reinforced. The information that Europol must provide to an individual requesting access to his/her data is listed in the Regulation.
• The proposal sets clear rules on the division of responsibility in data protection matters, in particular it makes Europol responsible for reviewing the continued need to store personal data at regular intervals.
• The obligation of logging and documentation is extended from covering access to a wider range of data processing activities: collection, alteration, access, disclosure, combination and erasure. To ensure better control over the use of data and clarity on who has been processing it, the regulation prohibits modification of the logs.
• Any individual can turn to Europol for compensation for unlawful data processing or an action incompatible with the provisions of this Regulation. In such a case Europol and a Member State in which damage has occurred are jointly and severally liable (Europol on the basis of Article 340 of the Treaty and the Member State on the basis of its national law).
• The role of Europol’s external data protection supervisory authority is strengthened.
The European Data Protection Supervisor will be competent for the supervision of processing of personal data by Europol. This ensures full compliance with the criteria of independence established in the case-law of the Court of Justice and, due to the EDPS’ enforcement powers, effectiveness of data protection supervision.
• The national data protection authorities remain however competent for supervision of input, the retrieval and any communication to Europol of personal data by the Member State concerned. They also remain responsible for examining whether such input, retrieval or communication violates the rights of the data subject.
• The Regulation introduces elements of “joint supervision” on data transferred to and processed at Europol. In specific issues requiring national involvement and in order to ensure coherent application of this regulation throughout the European Union, the European Data Protection Supervisor and national supervisory authorities, each acting within its competences, should co-operate with each other.
5. Improved governance The proposal improves the governance of Europol by seeking efficiency gains, streamlining procedures, notably with respect to the Management Board and the Executive Director, and by aligning Europol with the principles laid down in the Common Approach on EU decentralised agencies.
The Commission and the Member States are represented on the Management Board of Europol in order to effectively control its workings. In order to reflect the dual mandate of the new Agency – operational support and training for law enforcement – the full members of the Management Board are appointed on the basis of their knowledge of law enforcement cooperation, whereas alternate members are appointed on the basis of their knowledge of training for law enforcement officers. The alternate members will act as full members whenever training is discussed or decided. The Management Board will be advised by a scientific committee on technical training issues (Scientific Committee for Training).
The Management Board is given the necessary powers, in particular to establish the budget, verify its execution, adopt the appropriate financial rules and planning documents, establish transparent working procedures for decision-making by the Executive Director of Europol, adopt the annual activity report, and appoint an Executive Director.