On Wednesday, Sept. 6, the General Court of the European Union (GEU) rejected an appeal by the European Data Protection Supervisor (EDPS) against the EU legislature's amendments to the recent Europol regulation. The challenged provisions give Europol, the EU Agency for Law Enforcement Cooperation, the ability to process large datasets of EU citizens, regardless of whether the data is related to a specific criminal activity. The EDPS plans to appeal further to the EU's highest court.
In 2016, the EU celebrated the entry into force of the so-called "Europol Regulation" ((EU) 2022/991). The regulation establishes a legal framework for national enforcement authorities in the Union to cooperate in anti-crime operations, as well as a supervisory system for other institutions to monitor the agency's activities. The supervisors include the EDPS, who is specifically responsible for supervising Europol's processing of EU citizens' personal data. Last year, the European Parliament and the European Council, the Union's co-legislators, approved an amended version of the regulation that seeks, among other things, to expand Europol's powers. According to two amendments, the agency's new powers would also apply to any data that Europol had legally retained at the time the amended regulation came into force (June 2022).
Before the EU legislature even adopted the new amendments, the EDPS had serious concerns that Europol's storage of citizens' data ignored fundamental data protection principles, such as data minimization and limitation of storage. According to the EDPS, Europol stored individuals' data for an indefinite period of time, even when this information could not be linked to any criminal activity. The latter was an explicit procedural requirement for Europol to process personal data. The European privacy watchdog therefore ordered Europol to delete all information stored for longer than 6 months that was not categorized as criminally relevant (1).
Before the deadline to comply with the decision expired, the EU legislature approved the amendments to the Europol regulation, which in practice would allow Europol to continue arbitrarily retaining and processing citizens' personal data. The only condition for such processing to be legitimate is that Europol receive authorization from the member state concerned or other EU law enforcement agencies. This is in addition to the fact that under the new amendments Europol may also receive data directly from private parties to combat (online) crime.
In an unprecedented move, the EDPS decided to appeal directly to the CFU, the Union's first instance court, for the annulment of the disputed amendments to the Europol Regulation. According to the EDPS, these extended powers imply in practice that Europol would be allowed to treat personal data in the same way, regardless of whether they are related to criminal activities. Moreover, the EDPS also questioned the legality of Europol's ability to retrospectively process data collections it had access to before the new rules became applicable. In particular, the EDPS complained that the extension of Europol's mandate is not balanced by strong data protection safeguards that would allow for effective supervision of the agency's new powers (2). The watchdog also argued that the EU legislature's attempt to circumvent the EDPS' oversight could set a "worrying precedent" to the detriment of the privacy watchdog's future political independence.
Nevertheless, the CFI rejected the EDPS' appeal on the grounds that it does not have a privileged status to seek the annulment of a binding act of an EU institution (3). Under EU constitutional law, one of the conditions for legal and natural persons seeking to challenge a binding act of an EU institution before an EU court is that the plaintiff can prove that the challenged act directly affects their legal position. In this case, the CFI did not accept the argument that the new Europol Regulation directly affects the mandate of the EDPS. In particular, the CFI argued here that the EDPS' first order against Europol is an administrative decision that cannot have any legal or factual relationship with the new legislative measures.
PONT | Data & Privacy Web has contacted the EDPS for further comment on the GEU's judgment. The EDPS states that it is considering taking further steps to request the CJEU to give its opinion on the substance of the disputed legal provisions.
(1) https://edps.europa.eu/data-protection/our-work/publications/investigations/edps-orders-europol-erase-data-concerning_en;
(2) https://edps.europa.eu/press-publications/press-news/press-releases/2022/edps-takes-legal-action-new-europol-regulation-puts-rule-law-and-edps-independence-under-threat_en;
(3) https://curia.europa.eu/jcms/upload/docs/application/pdf/2023-09/cp230134en.pdf
