On Thursday, 22 September, the European Data Protection Supervisor (EDPS) announced in a press release that it had initiated legal action before the Court of Justice of the European Union (CJEU) on 16 September in order to annul two provisions of the newly amended Europol Regulation, which came into force on 28 June. The two provisions have an impact on personal data operations carried out in the past by Europol.
Allowing data that had been stored outside a clear legal framework to be retroactively processed, these “provisions [in Europol’s new mandate] seriously undermine legal certainty for individuals’ personal data and threaten the independence of the EDPS”, the press release goes on to state.
The new provisions, “articles 74a and 74b, have the effect of legalising retroactively Europol’s practice of processing large volumes of individuals’ personal data with no established link to criminal activity. This type of personal data processing is something that the EDPS found to be in breach of the [previous] Europol Regulation [dating back to 2016]”, as it had indicated last January (see EUROPE 12866/10).
In an order, the EDPS had indeed requested that Europol delete the datasets in question “within a predefined and clear time limit”, but the French Presidency of the Council of the EU had paved the way for a legal solution (see EUROPE 12881/5) that would make it possible to retroactively legalise this type of data processing—the retention of which Member States considered to be crucial in order to fight crime and assist their investigations. The EDPS order was consequently annulled.
On 22 September, the Greens/EFA group in the European Parliament—which had voted against this Europol reform—called for there to be an urgent debate in the European Parliament’s Committee on Civil Liberties.
Link to the EDPS’s position: https://aeur.eu/f/37u (Original version in French by Solenn Paulic)