EU grants Europol supervised data processing powers
Cybercrime, Fraud and cybercrime management, General Data Protection Regulation (GDPR)
Powers remove GDPR restrictions; an independent authority will oversee the use
Mihir Bagwe
May 6, 2022
Europol, the European Union’s police agency, will now have the power to receive and process datasets from private parties and to pursue research projects for better handling of security-related cases. The use of these powers, granted by the European Parliament, will be supervised by the European Data Protection Supervisor and the Fundamental Rights Officer, a newly created function.
Parliament granted the new powers after holding a poll on Wednesday, in which 480 members of the European Parliament voted in favor of the powers and 143 voted against. Twenty deputies abstained.
The final approval of these additional powers follows an agreement reached in February 2022 between Parliament and Council negotiators on strengthening the mandate of Europol, which supports police investigations by law enforcement authorities in EU member states, says Parliament.
Deputy Javier Zarzalejos stressed the importance of the mandate. “This regulation and Europol’s new mandate mark a substantial leap forward in the agency’s capabilities, in its ability to support Member States, in its governance framework and, last but not least, in the strengthened system of safeguards that we have put in place,” he says.
Erich Kron, a security awareness advocate at cybersecurity firm KnowBe4, says that while the mandate is welcome, caution should not waver. “One of the most difficult issues we face in the modern digital world is that of privacy, especially when generating the huge digital footprint we currently have. With the amount of data being generated and the proliferation of cybercrime, law enforcement must have access to the data. But it is very difficult to separate the information of law-abiding citizens from that of criminals, especially when initially looking at big data,” Kron says.
The negotiations that took place between the European Parliament and the Council of the EU in February 2022 clarified that by using these powers, Europol can pursue research and innovation projects, process large data sets and help national authorities of Member States to screen foreign direct investment in security-related matters.
Currently, due to GDPR restrictions, the receipt and processing of data is not permitted for any purpose without legal consent, in accordance with regulatory laws. But with these powers, “Europol will be able to receive data from private companies, for example communication providers,” says the press release from the Parliament. The agency will also have the right to process personal data, “but it will have to be deleted after a certain period of time,” it adds.
To keep an eye on what data has been requested, acquired and processed, the European Data Protection Supervisor – or EDPS – will be able to access these records of data transfers upon request, according to the Parliament. “The EDPS will oversee Europol’s personal data processing operations and work in conjunction with the agency’s data protection officer,” it said.
The delegate for fundamental rights
Parliament has also created a new post, called the Fundamental Rights Officer, who will ensure compliance with EU data protection rules.
“To balance the new powers of the police agency with appropriate oversight, the co-legislators agreed that the agency would create a new position of fundamental rights officer,” the statement from Parliament reads.
Kron told Information Security Media Group that while giving Europol more powers to fight crime using digital means is a noble thing, balancing that power can be a challenge, and the role of the fundamental rights officer can help.
“By instituting a fundamental rights officer to add control, the hope is that this additional authority can be overseen. But it is important that those involved in this position are knowledgeable about electronic data and how they can be misused as well as how they can be properly used – something that many governments have struggled with when dealing with privacy and data ethics,” says Kron.
Given that the mandate has already been approved, the next step in the process is the adoption of the legal text by the Council, after which it will be published in the official journal of the EU before finally entering into force. The European Parliament did not immediately respond to ISMG’s request for information on the timing of these actions.
Data protection authorities weigh in
In February 2022, the European Commission proposed the Data Act, which would ensure fairness in the digital environment, stimulate a healthy data market, open up opportunities for data-driven innovation and make data more accessible to all.
This is in line with the commission’s 2030 digital targets and is a step up from the Data Governance Act passed by the commission at the end of 2020, which provided a legal framework for sharing non-personal data.
The International Association of Privacy Professionals – or IAPP – confirms this and says: “Data law is meant to take a step forward, introducing binding requirements for the manufacturer of connected devices and related services to provide access to data created by users.”
The general principle of the Data Act, according to the IAPP, is that business users and consumers should be able to access, manage and share the data they generate when using a connected device or a related service such as a virtual assistant.
The European Data Protection Board, or EDPB – which includes representatives of national data protection authorities – and the European Data Protection Supervisor, or EDPS – which is responsible for overseeing the application of the GDPR in the member states – discussed the Data Act proposal and issued a joint statement.
Data protection agencies welcomed the suggestions made in the proposal but also expressed their apprehensions: “Since the data law would also apply to highly sensitive personal data, the EDPB and the EDPS urge the co-legislators to ensure that the rights of data subjects are duly protected,” the statement read.
Wojciech Wiewiórowski of the EDPS says the current draft does not “correctly” define government access to data, while EDPB chair Andrea Jelinek says a “clear division of competences” between regulators is needed to avoid a “fragmented supervision”, according to the joint statement.
The EDPB and the EDPS also expressed concerns about the legality, necessity and proportionality of the obligation to make the data available to public sector bodies of EU Member States and to institutions, bodies, offices and EU agencies – or EUI – in case of “exceptional need.” “[We] urge the co-legislators to define much more strictly the assumptions of urgency or ‘exceptional need’, and which public sector bodies and EUI should be able to request data,” say the data protection authorities.
The two authorities, however, also welcomed the designation of data protection supervisory authorities as being responsible for monitoring the application of the Data Act. They also suggest the commission should include national data protection authorities, or DPAs, in that designation.