New regulation: Europol becomes the Big Data police

Following the decision of the EU interior ministers, the new Europol law will come into force in June. The police agency will thus receive new areas of responsibility and powers.

Comparatively quickly, EU member states and the Parliament have launched a new Europol regulation. Once set up to fight drug trafficking, the agency is being given even more powers. However, the agency in The Hague is still not a „European FBI“.

At the end of 2020, the Commission had presented its proposal for the new regulation; in May this year, the three EU decision-making bodies agreed on a final version. After the Parliament, the EU interior ministers also confirmed the final version last week. Now only the publication in the Official Journal is missing, then the new law will apply.

Start as „European Police Office“

Following a Council decision, Europol began its work in 1999 as the „European Police Office“. It thus combined various predecessors, among them the „Europol Drugs Unit“ (EDU) established four years earlier and the TREVI group (Terrorisme, Radicalisme, Extrémisme et Violence Internationale), in which the interior ministers of the member states of the European Communities had come together as an informal circle since 1975.

From then on, Europol was to be responsible for all serious cases of terrorism, drug trafficking and other serious crime when they were organised and involved two or more member states. However, Europol had no operational powers at that time, which the Council only changed with a protocol adopted in 2002. It allowed the police office to participate in joint investigation teams with police forces of the member states.

Since 2009 also responsible for football matches and summit protests

In 2009, the member states transformed the Police Office into an agency financed from the general budget of the Union with another Council decision. Since then, the „prevention“ of criminal offences has also been part of Europol’s remit – meaning the shifting of criminal prosecution to the so-called preliminary stage, as the Federal Criminal Police Office in Germany did at the time. Since 2009, Europol has also been allowed to receive information from private individuals, i.e. companies or organisations, and to provide the police forces of the member states with situation reports and analyses.

The threshold that Europol can only act if the suspects are a „criminal organisation“ was also dropped with the 2009 Council decision. In addition, the agency’s new main task was to support the member states at „major international events“. This refers to football matches or large-scale summits, such as those that had taken place two years earlier in Heiligendamm amid widespread protest.

Setting up new databases

The 2009 Regulation also stipulates the establishment of new databases. Europol had previously set up the centralised Europol Information System (EIS). It is populated by the police forces of the member states and stores suspects or potential future criminals. As a directory, the EIS works on the hit/no hit principle, allowing stakeholders to find out whether a correlating record exists at Europol, one of the EU member states or cooperation partners such as Interpol.

Currently, there are about 1.5 million entries in the EIS on persons, objects or events, about a third of which come from Germany. In 2021, the authorities conducted more than 12 million searches in it, compared to ten million in 2020. 76 per cent of these queries came from Germany last year.

With various Analysis Projects (APs), Europol has also been allowed to keep cross-border case files since 2009 and to „predictively“ analyse the information they contain. APs exist on various phenomena, including Islamist and non-Islamist terrorism, „foreign fighters“, human smuggling, cyber and environmental crime or sexual abuse of children.

Storage in the „data lake“

To analyse the unstructured data stored in the APs, Europol had initially procured the software Gotham from the US company Palantir. In the meantime, the analysis is carried out with an allegedly self-programmed „automated data extraction tool“.

With the renewal of the regulation in 2016, Europol introduced an “ Integrated Data Management Concept“. This was intended to solve the problem that the same data on a person had to be entered separately into the EIS and the Analysis Projects.

Instead of being in „silos“, each with specific access rights, crime-related information from the APs and the EIS is now in a horizontal „data lake“. Access rights are no longer assigned according to the type of data, but according to the purpose of its processing.

New regulation legalises unlawful storage practice

Originally, the 2016 regulation was also intended to strengthen the control of Europol. Since then, the agency has been subject to the European Data Protection Supervisor (EDPS), who can check the enforcement of data protection rules. A blunt sword, as it turned out in the course of the adoption of the current regulation.

Poland’s acting EDPS Wojciech Wiewiórowski had found that Europol was also storing and processing information on a large scale from non-suspects, including contacts of suspected criminals. According to the British daily newspaper The Guardian, this is said to amount to four quadrillion bytes. Wiewiórowski had therefore instructed Europol to delete this data immediately.

With the new regulation now in force, however, this illegal storage practice will be legalised retroactively. Europol is also to be allowed to retain all personal data for at least 18 months if they have not yet been analysed for their content. Europol is allowed to extend this period up to three years without asking the data protection commissioner for permission.

Toothless parliamentary control

The 2016 recast was also intended to develop the agency’s „centres of excellence“. Europol had already set up a European Cybercrime Centre, followed in 2016 by a Counter-Terrorism Centre (ECTC) and a Migrant Smuggling Centre (EMSC). They have additional resources and staff, produce early warning reports and deploy „mobile investigative support teams“ for raids and other operations in member states.

The 2016 regulation also stipulates the establishment of a Joint Parliamentary Control Group (JPSG) of national and EU MPs, which was constituted in 2018. However, there can be no talk of actual control; the forum is far too large and cumbersome for that. Moreover, its mandate is sometimes grossly misinterpreted. During the German Council Presidency, the Interior Minister of Lower Saxony, Boris Pistorius, took over the co-chairmanship. The SPD politician used this to spread the call for the agency to be „further strengthened and adequately equipped“ – in other words, the opposite of a hemming in of Europol, as would be expected of a parliamentary control group.

Pistorius‘ broadside goes back to a demand by the German Bundesrat, which also wanted to participate in Europol’s parliamentary control and had itself represented by state interior ministers. A gross misunderstanding, because the Bundesrat is a legislative chamber in the sense of EU law, but not a parliament as envisaged in the control group. Moreover, the Bundesrat is already represented in supervisory bodies of Europol, including for example the Management Board.

On the way to a “European FBI“

Although this even contradicts the EU treaties, Pistorius had called for Europol to develop into a „European FBI“. Such proposals are not new; already at the turn of the millennium, the then German Chancellor Gerhard Schröder wanted to equip Europol with „executive powers along the lines of the Federal Criminal Police Office“. In 2003, the former French Prime Minister Lionel Jospin spoke of Europol as the „core of an operational criminal police force at European level“.

However, even with the regulation that has now been adopted, Europol does not have executive powers in the EU member states, as the FBI does in the entire territory of the federal United States. Thus, Europol itself cannot make arrests, conduct house searches or tap phones.

However, since last year Europol has been coordinating the so-called ATLAS network, which brings together 38 special task forces from the Schengen states and Great Britain, through a Support Office. The network, founded after the attacks of 11 September 2001, has been part of the structures of the European Union since 2008. The EU wants to use it to prepare for large-scale police situations that require the support of other member states. This concerns operations in the event of terrorist attacks, serious and organised crime or other „crisis situations“.

Europol as a quasi-secret service

But even without sovereign powers in the member states, Europol is on its way to becoming a „European FBI“, a kind of quasi-secret service. The new regulation gives the police agency further powers to collect and analyse mass data originating from private individuals. This can be child pornographic content, terrorist or migration-related content from websites that are reported to providers for removal, or logs of millions of intercepted telecommunications.

The scope of such data collection is hinted at by the investigations into Encrochat and Sky ECC and the FBI-founded front company ANOM. Europol has set up investigation teams on the three encrypted telephone networks and, according to its own information, received „hundreds of millions of messages“ on Sky ECC alone, analysed them and then passed them on to the member states concerned.

In the case of Encrochat, the data originally came from a hack by the French secret service, or so it is assumed. Jean-Philippe Lecouffe, head of the gendarmerie’s criminal investigation directorate, was responsible for this. The graduate of the French Military Academy has now been appointed to Europol as deputy director for the „Operations“ department. Europol’s questionable cooperation with EU intelligence services could even become more entrenched with this appointment.

Searches for persons by foreign secret services

Europol will also be allowed to cooperate with foreign secret services. The agency is to process lists of wanted persons from third countries so that they can be entered into the Schengen Information System (SIS II) for arrest or secret observation. Such a procedure has been established in recent years with the FBI and Western Balkan states, but without Europol as a coordinating body.

Europol will not have write access to the SIS II under the new regulation, but the agency may act as a central office for receiving lists from non-EU states. Europol first checks whether an alert already exists on the persons and asks the national intelligence services of the member states whether they object to a search because of their own interests. Europol then looks for an EU member to carry out these searches.

The Parliament had unsuccessfully demanded that the lists could only come from secret services from „trusted third countries“, but this was overturned by the Council. Proposals for the alerting of persons can also come from international organisations such as Interpol.

Decryption and artificial intelligence

One of Europol’s comparatively new tasks is research and development on new technical possibilities for law enforcement and surveillance. To this end, the agency has set up an Innovation Lab that works on the use of robotics and drones.

Europol is also home to a „decryption platform“, which is being funded by the EU Commission with €5 million. Europol wants to use quantum computers for this. For such procedures, Europol also relies on artificial intelligence.

In various EU security research projects, the agency is researching the analysis of big data. In Starlight, Europol is testing the „sustainable use of artificial intelligence in law enforcement agencies“ with the German Federal Police. In Grace, Europol is developing a platform with the German Trojan agency ZITiS to process material showing the sexual exploitation of children. In Aida, stakeholders are working on a „predictive data analytics platform“ for cybercrime and terrorism.

More money, more transparency?

Even for European police authorities, the restructuring of Europol’s information architecture and the new possibilities it offers are often incomprehensible. That is why acting Europol Director Catherine Bolle has launched the Connecting Analysts (CONAN) platform. Investigators from EU member states, EU agencies, third countries and international organisations can use it to share expertise and resources.

Like its remit and powers, Europol’s budget increases every year. Last year, the agency had a budget of around €174 million, and this year it is already at €193 million. Currently, Europol in The Hague has more than 1,000 employees as well as 220 liaison officers from the 27 member states. According to its own figures, Europol supports about 40,000 international investigations every year.

It is not to be expected that the regulation now in force will remedy the control deficit at Europol. It is little consolation that more rights to information are now enshrined in it. In future, citizens of all EU member states will be able to obtain information from Europol about their own personal data stored there. However, this access can also be refused.

Image: Europol in The Hague (Flickr, Rory Hyde, CC BY-NC-SA 2.0).

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.