Europol’s tailor-made data protection framework

Daniel DrewerHead Data Protection OfficeBudapest 5 February 2015

Europol’s Tasks

Exchange of information between Member States

Obtain, collate and analyze information and intelligence

To support national investigations

Computerized system of collected information

Europol – the European FBI?

Any operational action by Europol must be carried out in liaison and in agreement with the authorities of the Member State or States whose territory is concerned. The application of coercive measures shall be the exclusive responsibility of the competent national authorities.

Information Exchange

Exchange of information among the EU MS and between the EU and third countries involved

Direct contacts with EU MS’ experts

Cooperation with Third States and organisations incl. Eurojust and Interpol

Possibility to process law enforcement data in tailor-made IT systems

Europol Information System (Article 11 ECD) Analysis work files (Article 14 ECD)

New systems (Article 10.2 ECD)

The processing of personal data has to be explicitly allowed and defined in order to protect individual’s rights!

6

Europol Information System

Large reference database

AWFs

Analysis strategic

Support of Investigations

Overview on CrimeSituation in EU

Decision Making

Initiation of Investigations

operational

8

Analysis Work Files (AWFs) Data subjects

Suspects

Witnesses

Victims

Contacts and associates

Informants

9

Key capabilities – Our information (2014)

•Europol Information System

•AnalysisWork Files

•Secure Information Exchange Network Application

255.431 data items 76.137 persons 14 countries using data loaders 103.778 searches

29 specialised analysis projects 78.798 persons in CT 672.065 persons in SOC Modern analytical techniques, e.g. SNA 141.908 messages exchanged 8.537 new cases initiated More than 340 competent authorities connected More than 4.000 users

Data Protection at Europol

Why is data protection of particular importance to

Europol?

“Data Protection hinders effective law enforcement” !?

Occasional prejudice in the law enforcement community

Message to the Controllers and Processors

We are sitting in one boat!?

Data Protection leads to high quality of data

Any failure to comply with it’s tailor-made data

protection framework might prevent the criminal from

being convicted

Cases of imminent criminal danger are subject

to exemption rules

Data Protection acquis at Europol

Europol Council Decision

Implementing Rules, e.g. the Analysis Rules, Third States, Confidentiality

Council of Europe Convention 108 from 1981

Council of Europe Recommendation R(87)15 – Use of personal data in the police sector

Regulation (EC) 45/2001

Framework Decision on Data Protection in 3rd Pillar NOT applicable

Processing of personal data is part of core business

Europol as an “Intelligence Broker” Enhance “intelligence led policing”

Data protection is one important element to be considered when measuring Europol’s operational powers and limits

New meaning of Data Protection in the post-Snowden age?

Debate on healthy balance between security and privacy more important than ever!

LE operations regulated by law in far more detail

Oversight mechanisms are more transparent

No “full take” -> no haystack - but a (pretty big) pile of needles

16

Supervision of Europol (Internal)Tasks of the Data Protection Officer

Ensuring, in an independent manner, lawfulness and compliance

Audits Europol’s systems (Information System, AWFs)

Regular audit plans (monthly for the EIS) Audit reports are sent to the Director, MB and JSB Ensuring that data subjects are informed of their

rights under the ECD at their request Cooperating with the JSB Preparing an annual report and communicating that

report to the MB and to the JSB

17

Supervision of Europol (External) JSB: tasks

Review the activities of Europol in order to ensure that the rights of the individual are not violated by the storage, processing and use of the data held by Europol

Monitor the permissibility of the transmission of data originating from Europol

Examining and commenting on the opening of AWFs Providing opinions relating to implementation and

interpretation of the Europol Council Decision Providing opinions if Europol wishes to conclude an

operational agreement with third parties

Supervision of Europol (Indirect) National Supervisory Bodies

Monitor independently, in accordance with national law, communication of personal data to and from Europol

Access at national unit and at liaison offices on Europol premises

Data subject has a right to request national supervisory body to ensure that input or communication of personal data to Europol are lawful

Challenges ahead

New legal framework for Europol (Europol

Regulation)

Specific accommodation for Law

Enforcement purposes (tailor-made data

protection framework)

INTEGRATED DATA MANAGEMENT

Framework for Open Sources Intelligence

(OSINT)

New supervisory governance model

(coordinated supervision: DPAs and EDPS +

strong supervisory powers)

Police information collected via drones

Personal data shared with Europol has to be lawfully obtained by national authorities

The data collection must respect fundamental rights and has to be in compliance with the national law of the contributing state

Europol has procedural measures in place to insure that incoming data is checked for compliance prior to data entry

Europol has been inspected in 2014 by the Joint Supervisory Body in relation to the lawfulness of data collected in the states/organisations

The inspection report is available to the public: http://europoljsb.consilium.europa.eu

Questions?

Thank you!

Daniel DrewerHead Data Protection Office

dpo@europol.europa.eu