OPINION OF THE EUROPEAN DATA PROTECTION SUPERVISOR on the Proposal for a Council Decision establishing the European Police Office (Europol).
The Proposal for a Council Decision establishing the European Police Office (Europol) was sent by the Commission to the EDPS for advice on 20 December 2006.
The objective of the proposal is not a major change in the mandate or the activities of Europol, but mainly to provide Europol with a new and more flexible legal basis. However, the proposal also contains substantive changes, so as to further improve Europol's functioning. It extends the mandate of Europol and it contains several new provisions, aiming to further facilitate the work of Europol.
The EDPS understands the need for a new and more flexible legal basis for Europol, but pays specific attention to the substantive changes, the applicable laws on data protection and the growing similarities between Europol and Community bodies.
As to the substantive changes, the EDPS recommends:
- including specific conditions and limitations in the text of the decision with respect to information and intelligence coming from private parties, inter alia in order to ensure the accuracy of this information since these are personal data that have been collected for commercial purposes in a commercial environment;
- ensuring that processing of personal data whose relevance have not yet been assessed is strictly limited to the purpose of assessing its relevance. These data should be stored in separate databases until the relevance to a specific task of Europol is established, for no longer than 6 months;
- as to interoperability with other processing systems outside of Europol, applying strict conditions and guarantees, when the interlinking with another database is actually put in place;
- including safeguards for the access to the data of persons who have not (yet) committed a crime. The safeguards given under the Europol Convention should not be weakened;
- ensuring that the need for continued storage of personal data relating to individuals should be reviewed every year and the review documented;
- that computerised access and retrieval of data from other national and international information systems should be allowed only on a case by case basis, under strict conditions;
- as to the right of access: the reference to national law in Article 29(3) (providing that the request for access shall be fully dealt with by Europol within three months following its
- receipt by Europol in accordance with this Article and with the laws and procedures of the Member State in which the request is made) should be deleted and be replaced by harmonised rules on scope, substance and procedure preferably in the Council Framework Decision on the protection of personal data or, where necessary, in the Council Decision. Article 29(4) (lists the grounds for refusal of access to personal data, in case the data subject wants to exercise his right of access to personal data concerning him) should be reworded and only allow refusal of access ‘if such refusal is necessary’. The consultation mechanism laid down in Article 29(5) (this mechanism makes the access conditional upon consultation of all competent authorities concerned and, with regard to analysis files, also upon consensus of Europol and all Member States participating in the analysis or directly concerned) shall be deleted as it overturns the fundamental nature of the right of access. Access should be granted as a general principle and may be restricted only under specific circumstances. Instead, according to the text of the proposal, access would be granted only after consultation is carried out and consensus is reached.
The present Council Decision should not be adopted before the adoption by Council of a framework on data protection, guaranteeing an appropriate level of data protection in conformity with the conclusions of the EDPS in his two opinions on the Commission proposal for a Council Framework Decision.
Lastly, the EDPS also considers that it is necessary to ensure the application of Regulation (EC) No 45/2001.