The EU Council and the European Parliament reached an informal agreement last week on new amendments to the so-called "Prüm" regulatory framework. The new system will facilitate the international exchange of personal data in police databases of EU member states. The initiative was already severely criticized by the European privacy watchdog last year.
The already existing Prüm I rules allow national enforcement agencies to access the databases of their counterparts in other member states. These contain highly sensitive data types such as DNA, fingerprints and car license plates. Already under the previous Prüm I system, authorized agents can automatically scan these databases looking for a match to an individual biometric profile. This data remains anonymized until a match is found and the administrators of the databases provide the identity of the matched profile in accordance with national criminal law.
The new regulation (Prüm II) expands the spectrum of data categories in which law enforcement agencies can obtain automated access. Soon it will also be possible to access facial images and criminal records in police databases of other member states. Furthermore, Europol, the EU's police cooperation agency, will have greater powers to search these databases for international investigative operations.
Prüm II also introduces new requirements for the underlying IT infrastructure. A new central router , a data sharing system, is being deployed that will allow member states and Europol to exchange data in a more efficient and secure manner. Furthermore, the router ensures the interoperability of the search system with the European Police Records Index System (EPRIS). Paul Tang, a member of the Socialist Group in the European Parliament, pushed during the negotiation phase for mandatory stricter checks on national databases before they are connected to the router. Tang also succeeded in introducing more safeguards for the accuracy of the data being exchanged, such as mandatory human intervention in the exchange process and minimum data quality standards. All this is to ensure that mismatches do not lead to false suspicions. "We have struck a balance between efficient data sharing and maintaining privacy. Police must now maintain a high level of privacy when sharing data. Tonight, on top of that, we set even stricter conditions for human verification of national databases," Tang said.
Last year, the European Data Protection Supervisor (EDPS), the European data protection supervisor, took a critical position on the Prüm II bill. In addition to the same concerns expressed by Tang about data reliability, the supervisor noted in an opinion that the regulation's application framework remained too vague (1). According to the EDPS, searches of biometric data would only be allowed for serious crimes and not for all offenses. Furthermore, the EDPS expressed concern about Europol's increasing intrusion into large datasets of European citizens, which is not accompanied by corresponding oversight mechanisms on the EU agency. The EDPS could not comment on the final draft of the regulation because the organization had not yet received it.
https://edps.europa.eu/data-protection/our-work/publications/opinions/2022-03-02-edps-opinion-regulation-automated-data-exchange-police-cooperation_en