Europol’s
tailor-made data protection
framework
Daniel Drewer
Head Data Protection Office
Budapest 5 February 2015
Europol’s Tasks
 Exchange of information
between Member States
 Obtain, collate and analyze
information and intelligence
 To support national
investigations
 Computerized system of
collected information
Europol – the European FBI?
Any operational action by
Europol must be carried out in
liaison and in agreement with
the authorities of the Member
State or States whose territory
is concerned. The application of
coercive measures shall be the
exclusive responsibility of the
competent national authorities.
Information Exchange
Exchange of information
among the EU MS and
between the EU and third
countries involved
Direct contacts with EU MS’
experts
Cooperation with Third
States and organisations
incl. Eurojust and Interpol
Possibility to process law enforcement data
in tailor-made IT systems
Europol Information System (Article 11 ECD)
Analysis work files (Article 14 ECD)
New systems (Article 10.2 ECD)
The processing of personal data
has to be explicitly allowed and
defined in order to protect
individual’s rights!
Europol Information System
Large reference database
6
AWFs
Initiation of Investigations
operational
Support of Investigations
Analysis
Overview on Crime
Situation in EU
strategic
Decision Making
Analysis Work Files (AWFs)
Data subjects
 Suspects
 Witnesses
 Victims
 Contacts and associates
 Informants
8
Key capabilities – Our information (2014)
•
Europol
Information
System
•
Analysis
Work
Files
•
Secure
Information
Exchange
Network
Application
9
 255.431 data items
 76.137 persons
 14 countries using data loaders
 103.778 searches
 29 specialised analysis projects
 78.798 persons in CT
 672.065 persons in SOC
 Modern analytical techniques, e.g. SNA
 141.908 messages exchanged
 8.537 new cases initiated
 More than 340 competent authorities
connected
 More than 4.000 users
Data Protection at Europol
Why is data protection of
particular importance to
Europol?
“Data Protection hinders effective
law enforcement” !?
Occasional prejudice in the
law enforcement community
Message to the Controllers and Processors
We are sitting in one boat!?
 Data Protection leads to high quality of data
 Any failure to comply with it’s tailor-made data
protection framework might prevent the criminal
from being convicted
 Cases of imminent criminal danger are subject
to exemption rules
Data Protection acquis at Europol
 Europol Council Decision
 Implementing Rules, e.g. the
Analysis Rules, Third States,
Confidentiality
 Council of Europe Convention 108
from 1981
 Council of Europe Recommendation
R(87)15 – Use of personal data in
the police sector
 Regulation (EC) 45/2001
 Framework Decision on Data
Protection in 3rd Pillar NOT
applicable
Processing of personal data is part of
core business
Europol as an “Intelligence Broker”
Enhance “intelligence led policing”
Data protection is one important
element to be considered when
measuring Europol’s operational
powers and limits
New meaning of Data Protection in the postSnowden age?
Debate on healthy balance
between security and privacy
more important than ever!
LE operations regulated by law
in far more detail
Oversight mechanisms are more
transparent
No “full take” -> no haystack but a (pretty big) pile of needles
Supervision of Europol (Internal)
Tasks of the Data Protection Officer
 Ensuring, in an independent manner, lawfulness and
compliance
 Audits Europol’s systems (Information System,
AWFs)
 Regular audit plans (monthly for the EIS)
 Audit reports are sent to the Director, MB and JSB
 Ensuring that data subjects are informed of their
rights under the ECD at their request
 Cooperating with the JSB
 Preparing an annual report and communicating that
report to the MB and to the JSB
16
Supervision of Europol (External)
JSB: tasks
 Review the activities of Europol in order to ensure
that the rights of the individual are not violated by
the storage, processing and use of the data held by
Europol
 Monitor the permissibility of the transmission of
data originating from Europol
 Examining and commenting on the opening of AWFs
 Providing opinions relating to implementation and
interpretation of the Europol Council Decision
 Providing opinions if Europol wishes to conclude an
operational agreement with third parties
17
Supervision of Europol (Indirect)
National Supervisory Bodies
 Monitor independently, in
accordance with national
law, communication of
personal data to and from
Europol
 Access at national unit and
at liaison offices on Europol
premises
 Data subject has a right to
request national supervisory
body to ensure that input or
communication of personal
data to Europol are lawful
Challenges ahead
 New legal framework for Europol (Europol
Regulation)
 Specific accommodation for Law
Enforcement purposes (tailor-made data
protection framework)
INTEGRATED DATA MANAGEMENT
 Framework for Open Sources Intelligence
(OSINT)
 New supervisory governance model
(coordinated supervision: DPAs and EDPS +
strong supervisory powers)
Police information collected via drones





Personal data shared with Europol has
to be lawfully obtained by national
authorities
The data collection must respect
fundamental rights and has to be in
compliance with the national law of the
contributing state
Europol has procedural measures in
place to insure that incoming data is
checked for compliance prior to data
entry
Europol has been inspected in 2014 by
the Joint Supervisory Body in relation
to the lawfulness of data collected in
the states/organisations
The inspection report is available to
the public:
http://europoljsb.consilium.europa.eu
Questions?
Thank you!
Daniel Drewer
Head Data Protection Office
dpo@europol.europa.eu