The dangerous increasing support of Europol in national criminal investigations: An additional layer of complexity

Vice President for Promoting our European Way of Life Margaritis Schinas stated at the time of the adoption of Europol’s amendment that “Europol is a true example of where EU action helps protect us all. Today’s agreement will give Europol the right tools and safeguard to support police forces in analysing big data to investigate crime and in developing pioneering methods to tackle cybercrime.” While some characterized the changes as an achievement for the adaptability and operational role of Europol, others argued that it undermines fundamental rights and weakens data protection. This paper analyses the amendments made to the Regulation and explores Europol’s increasing role in national investigations and the associated dangers. The paper starts with a historical analysis of Europol’s legal framework and role in national criminal investigations, before diving into the core of the Regulation. After 2022, Europol supports Member States’ investigations in many ways. First, through the continuous retention of large and complex datasets, which was strongly criticized by NGOs and the EDPS. Second, through the transformation of Europol into the information hub and broker for the exchanges of data with private parties. Third, more indirectly, through Europol’s support of research and innovation projects, for national authorities to use and explore new technologies in their work. However, these amendments are not without dangers. The Regulation of 2022 pushes the boundaries of Europol’s competences further, by circumventing existing limits and questioning the legality of the operations. The stronger role of Europol lacks sufficient safeguards and efficient oversight. This is highly problematic considering the impact Europol may have on national investigations, and as a result on the situation of individuals.


Introduction
Europol plays a key role in national criminal investigations as a criminal information hub and by delivering strong operational help to national law enforcement authorities. 1 It is a high-security operational centre that offers analysis and support to Member States in preventing and combating all forms of serious international and organised crime, cybercrime and terrorism. Indeed, as the European Commissioner for Home Affairs, Ylva Johansson, has stated, "[b]ecause fighting organised crime and terrorism depends on police cooperation at the European level, Europol is irreplaceable in supporting law enforcement authorities in their investigations." 2 This strong role did not come overnight. Initially, Member States were reluctant to give such a strong position to an EU agency and did not fully trust the agency. 3 Over time, however, Europol has become indispensable, and is used as a tool by Member States to strengthen security in the EU, and several amendments to the Europol Regulation have served to solidify its status. This is particularly evident with the most recent amendments to the Europol Regulation, made in 2022 to deal with increasingly complex security threats (with the digital transformation, the use of new technologies, and an increasingly wide and complex cross-border element). 4 Criminal operations and actions at the national level do not suffice to deal with transnational security threats. As a result, Member States must increasingly rely on Europol's expertise. 5
With a focus on the protection of personal data, this article explores the 2022 amendments to question the extent to which the expansion of Europol's powers is detrimental to individuals' fundamental rights. While the new Regulation allows the agency to better support national criminal investigations, notably with information, analysis, and expertise, it also comes with its challenges. Among others, it circumvents national procedural safeguards, such as the requirement of a warrant when accessing data from private parties, as well as the right to be informed. Furthermore, as the European Data Protection Supervisor (EDPS) stated "[…] the expansion of Europol's mandate has not been compensated with strong data protection safeguards". 6 The article starts by retracing the origins of Europol and its route towards becoming the criminal information hub of the EU. It then extensively analyses Europol's latest amendments, by emphasising the main ways through which Europol can now contribute to national criminal investigations. The article argues that this reinforced mandate did not go hand in hand with strong data protection safeguards. Drawing on the pre-existing fragmentation in legal frameworks in the police cooperation sector, the article highlights the novel and existing challenges that appear for the protection of an individual's personal data. It then goes beyond the current situation, to address upcoming data protection challenges that may occur if the proposal of Prüm II (automated data exchange for police cooperation) is adopted. 7 Within it, Europol should play a central and key role, and its power over police cooperation in the EU will once again be strengthened.

Tracing the development of Europol: Towards the criminal information hub of the EU
The European Commission, the Council, and Europol itself often refer to the agency as the information hub for law enforcement authorities in the EU. 8 The road towards this central role of Europol has however not been without pitfalls, and Europol was not directly established as a powerful and influential body. After several amendments, Europol gained a more prominent position in the EU security landscape. This position has been further enhanced by the 2022 amendments.

From an intergovernmental body to a key support for national law enforcement authorities
Europol came into being as an international organ under the Europol Convention of 1995, which came into force on 1 October 1998. 9 Initially, Member States were reluctant to transfer important powers to this supranational entity, as police cooperation and security remained a sensitive national concern. 10 They thus preferred the creation of an external body to the EU established under a Convention. 11 This rigid legal basis required unanimity of the Member States to any amendments made. With the increasingly cross-border nature of the security threats in the EU, Member States started grasping the potential of Europol and transformed it into an EU agency (first through a Council Decision in 2009, and then through a Regulation in 2016). 12 Even before its establishment, however, Europol was mentioned in the Treaty of Maastricht of 1992 and envisaged as 'a Union-wide system for exchanging information' within the Union. 13 This emphasized, before its creation, the central position of Europol concerning data processing and exchanges between law enforcement authorities. However, at its inception, Europol was limited in two regards from directly becoming a strong information centre. Firstly, from a practical perspective, there was a reluctance of Member States to share information with Europol, particularly when it came to ongoing criminal investigations. 14 For some time, Member States preferred to cooperate bilaterally rather than using Europol as they did not fully trust the agency and feared a leakage of data or a compromised investigation. 15 Secondly, from a formal perspective, the scope of competence of Europol was restricted. Under the Convention, the agency was competent to support law enforcement action "in preventing and combating terrorism, unlawful drug trafficking and other serious forms of international crime". 16 The latter category included crimes against life and personal freedom, crimes against property or public goods, and illegal trading or harm to the environment. 17 Under the Convention, a criminal organised structure had to exist. This formal restriction was abandoned when Europol was integrated as an EU Agency through the subsequent Council Decision of 2009. 18 The Council Decision expanded Europol's competences, as the agency was also competent to support criminal investigations where involvement of organised crime could not be demonstrated from the beginning, or which took place outside of an organised context. 19 This expansion of scope allowed for a broader sharing of national data. Europol also cooperates with third countries and international organisations, 20 and (albeit more recently) with private parties, 21 which further contributes to Europol becoming the criminal EU information hub. Throughout the years, Europol played a key role in national criminal investigations, through its databases, but also its operational support and expertise. With the new amendments in 2022, Europol gained an even stronger role in supporting national criminal investigations. 22

An enhanced role with the 2022 amendments to Europol Regulation
As noted above, the Europol Regulation was amended in June 2022 as a response to the changing security landscape and increasingly complex security threats, emerging notably from digital transformation, that the EU is facing. 23 The changes were aimed at strengthening Europol by giving it the necessary tools and capabilities to better support Member States in countering serious crimes. This section considers several key changes.

(i) Information hub for private parties
The new Regulation transforms Europol beyond its classical role of EU criminal information hub by allowing for data exchanges with private parties. Before 2022, Europol was allowed to receive personal data from private parties only indirectly via competent intermediaries and could transfer personal data to private parties only under exceptional circumstances. 24 This was considered insufficient, 25 and has resulted in Europol's powers being extended to allow for cooperation with private parties, which significantly helps national criminal investigations. 26 This development has occurred in two respects. Firstly, Europol has become the EU contact point for private parties that want to voluntarily share data with national competent authorities. In these situations, Europol then uses this data to determine the competent jurisdiction and assists in the investigation of the relevant crime. 27 Secondly, Europol has taken on the role of EU central hub in cases of online crises and the dissemination of online child sexual abuse material. 28 In this respect, Europol is empowered not only to collect the data but also to process and exchange it with private parties established within the EU, but also (exceptionally) those established in a third country not subject to an adequacy decision or international cooperation agreement. 29 The cooperation with private parties is essential to deal with the contemporary criminal landscape which is marked by a strong digitalisation. Private parties hold an increasing amount of data which is relevant for law enforcement authorities to solve criminal investigations. 30 This can be, for example, IP addresses, traffic data, or content of electronic communications. 31 This required an enhanced cooperation between Europol and private parties, to equip it with the tools to continue its support to Member States and its key role as the "nerve centre of the EU's internal security architecture". 32

(ii) Analysis and retention of large and complex datasets
The 2022 amendments also brought changes to Europol's powers to process personal data of individuals. Europol processes a vast amount of personal data as evidenced by its Annual Activity Reports. 33 This is evidenced in table 1, below, which gathers some of the operational contributions received by Europol in 2021. The table only covers operational contributions received in 2021 and does not cover all the centres, but already shows the vast amount of data that Europol is collecting every year.
In principle, data collected by Europol must be the object of a data subject categorisation (DSC). This means that Europol's Executive Director must define and identify the specific categories of personal data and data subjects of the processing operations, for example suspects, potential future criminals, contacts and associates, or victims. 34 Europol, however, also receives large datasets from Member States which, because of their characteristics, format, or size, did not undergo this data classification process. This has been the object of controversy with the EDPS, 35 and was brought to the attention of journalists and NGOs. 36 In April 2019, Europol's Executive Director informed the EDPS of major issues of compliance with the agency's processing of large and complex datasets. 37 In recent years, Europol received large datasets, representing millions of messages, from several Member States, including data of individuals that had no clear link to any criminal activity. 38 The Guardian, drawing on internal documents of Europol, even stated that at least four petabytes of data were stored by Europol (amounting to four billion books). 39 Before the 2022 amendments, the agency was not allowed to process the personal data of individuals who had no clear link to a crime or criminal conduct. Europol could only process data on limited categories of data subjects listed in Annex II B. 40 These include suspects, potential future criminals, contacts and associates, victims, witnesses, and informants. 41 Europol could not go beyond that. The EDPS thus started an own-initiative inquiry on the use of Big Data Analytics by Europol. 42 According to the EDPS, it is impossible when receiving such large data sets to ensure that the information contained complies with this limitation. As the EDPS stated "[t]he volume of information is so big that its content is often unknown until the moment when the analyst extracts relevant entities for their input into the relevant databases". 43 This went against the Europol Regulation and increased the risk of data subjects being wrongfully linked to criminal activity. This may then, in turn, cause damage to the personal and family life of an individual, as well as his/her freedom of movement and occupation.
The EDPS ended up first issuing a formal admonishment to Europol in September 2020, 44 and then in January 2022, an order to erase data concerning individuals with no established link to criminal activity. 45 In this order, the EDPS also required the DSC to be conducted within six months for new datasets and twelve months for the existing ones. The whole 'Big Data' saga will be further analysed in the subsequent section of the paper dealing with the dangerous expansion of Europol's powers.
With the new amendments of 2022, the legislator legalised Europol's analysis of large datasets. In principle, Europol is allowed to process data that are subject to DSC, including suspects, potential future criminals, contacts and associates, victims, witnesses, and informants. 46 With the new amendment, Europol may now process data sets without DSC to support criminal investigations in certain situations. 47 Those include investigative data to support an ongoing specific criminal investigation, or data needed to cross-check information. In addition, the new Regulation allows Europol to continue to process large datasets without DSC, which the Member States already shared with Europol before the amendment. 48 The possibility for Europol to analyse large datasets is key for national criminal investigations. Europol noted that Member States increasingly share larger volumes of data, which is not limited to targeted data anymore but includes large and complex datasets. 49 National law enforcement authorities send the data that they collect in cross-border criminal investigations to Europol and require the agency to provide them with intelligence product. 50 Europol's processing of Big Data offers multiple opportunities for criminal investigations. It allows Europol to increase its profiling, to better detect cross-border links, notably between crimes, and to support Member States that do not have the technological means needed to analyse Big Data. 51 The potential of this has been seen after the terrorist attacks in France when French authorities sent Europol 16.7 terabytes of data for it to identify linkages to persons formerly unrelated to the terrorist attacks. 52

(iii) Contribution to the Schengen Information System (SIS)
The SIS is one of the EU's largest information databases, set up in 1990 to maintain public policy and security within the Schengen Area. 53 The system has been amended several times, to include both alphanumerical data and biometrics (namely fingerprints and photographs), and a vast number of alerts. 54 These include among others, alerts on persons wanted for arrest or extradition, alerts on missing persons, alerts on vulnerable persons, and alerts on objects sought for seizure or use as evidence in criminal proceedings. 55 Initially, Europol was not involved in the setting up and functioning of the SIS. However, Europol quickly gained access to the system, and was able to directly access and search data that fell under its mandate. 56 Europol could also request supplementary information from the relevant Member States. In 2018, Europol got full access to all alerts, as well as the right to be informed of any hit linked to a terrorist offence. 57 A hit occurs in the system when information on a person or object exists within the system. 58 Through its access to the alert, Europol did not directly contribute to national criminal investigations. However, this changed in 2022 through amendments to the Europol Regulation, 59 and also to the SIS II Regulation (and particularly Regulation 2018/1862 on the use of the SIS in the field of police cooperation and judicial cooperation in criminal matters). 60 These two legal instruments mention an expanded role of Europol in the system, with the introduction of a new category of alerts: information alerts. 61 These target third-country nationals who are suspected of being involved in terrorist offences or other serious crimes, and encompass data on foreign terrorist fighters. 62 Europol plays a key role, as it is the one who proposes to one (or more) Member States to enter such alerts in the system. 63 It can do so on two occasions. On the one hand, where there are factual indications that a person intends to commit or is committing a terrorist offence or serious crime. On the other hand, where a general assessment of a person gives reasons to believe that he/she may commit a terrorist offence or serious crime. While Member States take the final decision, Europol strongly influences national criminal investigations, by sharing information that essentially comes from third countries and international organisations. Data on foreign terrorist fighters entered in the SIS may for example support Member States in national operations on terrorist operations, or extremist groups.

(iv) Indirect support through an enhanced role in research and innovation
It is essential for Europol to help Member States develop technological tools to fight serious crime, as Member States must strengthen their capabilities to better investigate criminal offences in the current digitalisation era. 64 Before 2022, however, this was not possible. Originally, Europol did not have the mandate to support Member States by fostering research and innovation. 65 Europol was neither able to implement its innovation projects, nor to process personal data for research and innovation purposes. 66 This lack of legal basis restrained Europol's potential to, for example, develop AI-based tools for law enforcement. A change was required to complement the national efforts with EU-level support. 67 The latest amendment to the Europol Regulation introduced one last function that will serve to increase its ability to support Member States and better protect EU citizens: an enhanced role in research and innovation. 68 Notably, the recent amendments help Member States to use new technologies, explore new tools and approaches, and develop technological solutions, for example in the sphere of artificial intelligence. 69 More concretely, Europol can now develop, train, test and validate algorithms. 70 To do so, Europol can process personal data after authorisation by the Executive Director. 71 However, this new role comes with a significant issue relating to data protection: individuals are not informed that their data is being used to test algorithms.
We have seen that Europol undeniably plays a central role in the EU's internal security and police cooperation. It transformed from an intergovernmental body, not fully trusted by Member States, to the EU criminal information hub. The recent amendments of Europol Regulation in 2022 further increased its prominent role, regarding the development of technological tools, cooperation with private parties, analysis of large datasets and influence in the SIS. This expansion pushes the boundaries of Europol's original mandate and purpose ever further, not only supporting Member States but playing a similar role to national law enforcement authorities. As will be analysed in the section below, this strengthening of powers did not go hand in hand with adequate data protection safeguards.

A strengthening of Europol's powers without adequate data protection safeguards
Europol strongly supports Member States in national criminal investigations and aims to continue to do so in the future. While one can witness a constant expansion of Europol's competencies, some issues remain unresolved. The EU police and criminal justice sector is currently still regulated by a mosaic of different legal frameworks, creating fragmentation and uncertainty that undermine the protection of individuals' personal data. In addition, with the new amendments to the Europol Regulation, new data protection challenges emerge, particularly related to the fact that Europol may be used to circumvent existing national constraints.

The continued fragmentation in the data protection framework in police cooperation
Many rules exist in the police sector. First and foremost, the Law Enforcement Directive (LED) was adopted in 2016 as part of the data protection package. 72 It has often been considered to be the little sister of the GDPR in the field of prevention, investigation and prosecution of criminal offences. It aimed at providing high standards of data protection, but remains an instrument of minimum harmonisation, which means that the Member States must transpose the directive into their national law. 73 The Directive offers broad discretion to the Member States, which already creates divergences in the implementation of the legal framework in the EU. To name a few, differences exist in the definition of what constitutes a criminal offence, the rights given to data subjects and the designation of competent authorities. 74 In some Member States, an authority may be considered administrative, whereas in another it would be a criminal authority. The LED applies to national competent authorities but does not apply to EU bodies.
Therefore, next to the general legal framework on police cooperation (the LED), the EU adopted a data protection Regulation applicable to EU institutions, agencies, bodies, and offices (EUDPR). 75 In principle, Europol being an EU agency, should fall under the scope of the latter Regulation. At the time of the adoption of the Regulation, it was stated that the Regulation would not apply to Europol's processing of operational personal data until the current Regulation of 2016 was amended. 76 With the changes brought to Europol Regulation in 2022, the EUDPR became applicable to Europol. However, data processing by Europol continued to be subject to a complex legal framework since both the EUDPR (particularly Chapter IX on the processing of operational personal data by EU agencies) and the specific rules of Europol Regulation applied to it. 77 In this way, the Europol Regulation may slightly depart from the core data protection principles of the EUDPR, for example when it comes to data categorisation and storage limitation rules of large datasets. 78 Article 18a of Europol Regulation of 2022 provides for the possibility to process personal data outside of the DSC, in support of ongoing specific criminal investigations. This prior processing is limited to a period of six months. 79 This has a significant impact on the protection of personal data, as it not only allows for extensive data processing outside of the remit of Annex II (which limits the categories of data subjects about whom Europol may process personal data), but also subsequently allows for an extended storage period. 80 Europol can store the data without DSC for as long as necessary to support the investigation, or even beyond that period to ensure the veracity, reliability, and traceability of the criminal intelligence process. 81 This article, therefore, derogates from the general principles of data minimisation and storage limitation. 82 It should thus only be used in exceptional situations to remain compliant with the EUDPR.
Another example of divergence between the two legal instruments can be seen in the provision on the restriction of processing operations. While the EUDPR provides for only two situations where instead of erasing operational personal data, the controller restricts the processing (to ascertain the accuracy of the data or to use it as evidence), 83 Europol Regulation adds a third situation (the protection of the vital interest of the data subject or another person). 84 These differences reduce data protection safeguards and create further legal fragmentation of data protection in the EU. 85 The cooperation between national authorities and Europol perfectly illustrates this fragmentation and the challenges that data subjects face. If an individual, as has been the case of the Dutch activist Frank van der Linde, wants to obtain access to all the data held on them by the police, many different procedures must be triggered. 86 In principle, the data subject would request access to the data in his/her country of residence (in the case of van der Linde, the Netherlands). According to the LED, the national authority must confirm whether they have personal data on the individual and notify them whether they disclosed such data for example to Europol. 87 This does not suffice, as it is also highly possible that Europol holds data on that individual, that it obtained via other sources. 88 The individual must then use the procedure under the Europol Regulation, which is lengthy, complex, and provides only indirect access through the national authority of the respective Member State. 89 This becomes inherently complicated, particularly since within Europol data can be stored in different systems. This is what occurred with Frank van der Linde, where after the cancellation of a SIENA message on the platform (a secure platform used by law enforcement authorities to communicate) a second item of his personal data was found on another system of Europol. 90
This overall fragmented and asymmetrical application of data protection rules in the police cooperation sector can seriously undermine individuals' fundamental rights, particularly their right to data protection. This is highly problematic, particularly when the strengthening of Europol's competencies is already in itself lacking appropriate data protection safeguards.

The dangerous expansion of Europol powers to the detriment of individuals' protection of personal data
The new amendments made to Europol Regulation have been criticized as they empower the agency but also remove fundamental rights protection. 91 They not only weaken individuals' protection of personal data but also allow Europol to circumvent (legal) limits that exist at the national level to the detriment of individuals' rights.

(i) Undermining individuals' fundamental right to data protection
The weakening of the right to data protection is anchored within the challenges related to Big Data, which was briefly touched upon in the previous section. The issue relates to Europol's continuous processing of large datasets from Member States, which includes data of individuals who have no clear link to any criminal activity. 92 The EDPS dealt with the matter and issued a formal admonishment to Europol in September 2020 stating that the agency had been unlawfully processing data of individuals with no established link to criminal activity. 93 After several exchanges with Europol, the EDPS ended up ordering Europol to erase the said data and required DSC to be completed within six months for new datasets, and twelve months for existing ones. 94 The response of the legislators was troubling: ignoring the European watchdog's opinion and retroactively legalising what had been found to be an illegal practice (since the practice was not provided for in the old Regulation). 95 This is problematic on two main levels.
Firstly, it allows Europol to continue to play a key role vis-à-vis Big Data and process data on individuals who do not fall under Annex II of the Regulation, and to hold on to those large datasets received before 2022, for a period of up to three years. 96 This undermines the principle of data minimisation and storage limitation and goes against the advice of the EDPS. One could even go as far as saying that this enables mass surveillance in the EU, through the vast collection of personal data and the use of predictive policing. 97 The second issue is the undermining of any systems of checks and balances, by silencing the opinion of the EDPS. The legislator, by ignoring the EDPS' order, essentially threatened the body's independence. As a response, the EDPS brought an action for annulment to the Court of Justice against the new Regulation, to safeguard legal certainty for individuals and ensure the EDPS' independence. 98 However, this action was declared inadmissible by the General Court. 99 Even after the amendments were adopted, supervision was once again set aside. Despite the legal requirement introduced in the Regulation, Europol's Management Board adopted the implementing decision specifying the conditions for processing large datasets, without formally consulting the EDPS. 100 While informal conversations took place between Europol and the EDPS, this can in no way replace the formal consultation required by law.
Therefore, alongside the existing fragmentation in the EU police cooperation sector, this disregard for oversight further reduces data subjects' rights and weakens the power of supervisory authorities, whose precise role is to ensure the agency's compliance with data protection rules. One may wonder whether new types of oversight mechanisms should be considered, in line with oversight bodies over intelligence agencies. 101

(ii) Circumventing existing national restrictions
Europol, as a supporting agency, has been seen as a potential solution to (alleged) national shortcomings. This became clear in three instances: (1) the analysis and retention of large datasets; (2) the cooperation with private parties; and (3) the contribution to the SIS.
Firstly, the analysis and retention of large datasets refer to the already mentioned Big Data challenge. Indeed, one of the most debated issues concerns the data retention period. Data retention in the EU has had a complex history. In short, the data retention directive was annulled by the Court of Justice in 2014 in the famous Digital Rights Ireland case, 102 followed by several legislative reforms in the Member States and preliminary references by domestic courts. 103 The reactions were clear: the Member States had a commonly shared preference for keeping data retention rules in place to support their fight against crimes. Even though the Court of Justice repeatedly prohibited general and indiscriminate retention of traffic and location data, Member States continuously attempted to circumvent this prohibition. Denmark, for example, proposed a bill maintaining general and indiscriminate data retention. 104 France reintroduced mass data retention, justifying it with the major terrorist threat, and Italy kept a maximum retention period of six years. 105 This common preference of Member States for data retention was also very visible in the discussions on the amendments to Europol Regulation. 106 In general, Member States supported the possibility for Europol to keep large datasets for a longer period, which allows Member States to circumvent their national retention limits. While the EDPS ordered Europol to ensure DSC within six months for new datasets, and twelve months for existing ones, 107 the new amendments provide for it to be kept for a maximum period of three years. 108 Member States can, therefore, now send data to Europol, that they are not legally allowed to retain in their domestic systems.
Secondly, when it comes to cooperation with private parties, there was a clear need for national law enforcement authorities to obtain personal data from private parties to support their criminal investigations. Indeed, a study requested by the Commission on the exchange of personal data between Europol and private parties, before the 2022 amendments, found that national law enforcement authorities faced serious challenges in trying to obtain personal data from private parties.109 In practice, their requests were either refused or not answered, or they received incomplete or delayed data from private parties.110 Often law enforcement authorities needed judicial authorisation to obtain the said data. Issues arose when they filed a request without judicial authorisation, even though it is formally required by the law. Europol was seen as a potential solution to circumvent the existing national restrictions that prevent national authorities from getting access to the relevant information coming from private parties.
Thirdly, Europol's contribution to the current SIS with the novel introduction of information alerts was also seen as a solution to (alleged) national shortcomings.111 With the changes introduced in 2022, Europol can propose to one (or more) Member States to enter information alerts on third-country nationals in the interests of the EU.112 This essentially encompasses data on third-country nationals suspected of being involved in terrorist offences or other serious crimes (e.g., foreign terrorist fighters).113 The amendments were triggered by an existing information gap in the system. Data from third countries and international organisations on individuals suspected or convicted of terrorist offences (or other crimes) were only rarely inserted into the system.114 This was either because the information was not shared with Member States, or because it was shared but Member States were not allowed to enter the alert under their national law.115 Europol has wider access to such data, as it has strong cooperation relations with third countries and international organisations.116 Approximately 1,000 foreign terrorist fighters are inserted into Europol's information system, but not into the SIS.117 Alerts are essential for front-line officers and national criminal investigations. Thus, Europol once again is seen as a solution to the limitations that exist at the national level.
These three examples show the potential for Europol to be used as a tool to circumvent national limitations. However, this comes with challenges for individuals' right to data protection, as national limitations and rules are put in place for a reason. Issues emerge concerning data minimisation, storage limitation, and risk of misuse of the SIS, for example, to persecute their nationals and, more specifically, political opponents.118

Beyond data protection safeguards - a need for procedural safeguards?
While the focus of this paper has been the protection of personal data, the expansion of Europol's competence also questions the need to go beyond a mere fundamental rights approach and focus on the introduction of criminal procedural safeguards. As seen previously, Europol significantly contributes to national criminal investigations and allows the circumventing of national constraints. This also applies to procedural safeguards.
The new Regulation brought significant change in the way Europol can cooperate with private parties.119 Europol can receive personal data directly from private parties for purposes of identification of the relevant national unit,120 and shall become the EU central hub in cases of online crises and the dissemination of online child sexual abuse material.121 This means that in these situations, it can receive personal data directly from private parties, process this data and transfer it on a case-by-case basis. Exceptionally, Europol may also exchange personal data with private parties that are established in a third country not subject to an adequacy decision or international cooperation agreement.122 This new role of Europol is not supported by sufficient procedural safeguards.
When Europol processes personal data received by a Member State or third country, it can only do so when the initial data has been obtained in accordance with the procedural requirements.123 No such requirements exist when data is received from a private party. This means that there is no assurance that procedural requirements, such as prior review by an independent court or administrative body,124 have been conducted when Europol directly receives personal data from private parties.125 Similarly, no procedural safeguard is established when Europol decides to transfer personal data to private parties (e.g., public prosecutor, or investigating judge). Thus, the new Regulation allows for the sidestepping of crucial national criminal procedural safeguards. This is highly problematic since Europol is increasingly resembling a national law enforcement authority, in terms of powers and role.

and criminal justice measures may be appealing, it is not always achievable in practice.133 It may be challenging, for example, to represent the specific purpose limitation Prüm requirements in the general data protection rules applicable throughout the field. The current Council Decision under Article 26 on purpose limitation distinguishes two situations. Firstly, in a general manner, processing of personal data by the receiving Member State is permitted only for the purposes of the Decision, or exceptionally, with prior authorisation of the concerned Member States.134 This entails essentially the prevention of criminal offences and the maintenance of public order and security for major events.135 Secondly, and more specifically, processing of data by automated search or comparison of DNA profiles or dactyloscopic data, is only allowed under specific circumstances (to establish whether the DNA profiles or dactyloscopic data match; to prepare a police or judicial request for legal assistance if the data match; and to perform logs and records).136 In contrast, the LED provides for the possibility to process personal data for "the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties […]".137 It remains very general and fails to take the specificities of the Prüm regime into account, particularly when it comes to the automated nature of the operations.
In addition, fragmentation exists in the data inclusion and retention criteria of forensic databases. It was already pointed out after the adoption of the Council Decision that there are differences between EU Member States when it comes to the inclusion and retention of the profiles of children and innocent people in forensic DNA databases.138 Whereas Sweden includes personal data in the DNA database only if the person was convicted of a crime and sentenced for over two years, the Netherlands adds any person who has committed any crime (except if the penalty is only paying a fine).139 This is only one example of the overall fragmentation in the existing national rules. This causes concern, as some Member States may be processing and retaining personal data which should in principle legally not be on their system. If the different data protection regime applicable to Europol is added to this situation, the result is a complex mosaic and mismatch of legal frameworks and regimes that renders it ever more complicated for data subjects to safeguard their rights, let alone to understand them. It is highly probable that, when the Regulation of Prüm II is adopted, Europol will end up receiving more information than it is legally entitled to process according to its Regulation.140

Conclusion
This article offered a detailed analysis of the new amendments to the Europol Regulation and of Europol's increasing support for national criminal investigations. From its very origins, Europol was set up to support national law enforcement authorities in the fight against crimes in the EU. With the increase of cross-border criminality and digitalisation, Europol has become an indispensable ally for national authorities, to the point of being considered the EU criminal information hub. The amendments of 2022 have enabled Europol to reach a new milestone in its evolution, by strengthening its cooperation with private parties, its analysis of Big Data, its role in the SIS, and by allowing it to contribute to research and innovation projects, positioning it as a forerunner in the development of artificial intelligence tools for law enforcement authorities. While this expansion of the agency's competencies strongly supports national criminal investigations, it fails to provide appropriate safeguards for individuals' data protection.
This article specifically dealt with the challenges that Europol's amendments bring when it comes to individuals' fundamental rights, particularly their right to the protection of personal data. It also briefly linked this issue to the sidestepping of national procedural law. The expansion of Europol's powers is grounded in an already fragmented and asymmetrical application of data protection rules in the police cooperation sector. Instead of addressing this fragmentation, the new Europol Regulation embraces it and adds to it by deviating from the general data protection provisions. The Regulation puts in question compliance with several principles of data protection (data minimisation, storage limitation) and dangerously undermines the role of the EDPS and its independence. This may diminish individuals' right to data protection, and Europol's overall compliance with data protection provisions. This article has also emphasised how Europol is frequently used as a tool to circumvent existing national constraints, as has been seen with the SIS. The safeguards put in place by Member States are overlooked in favour of stronger security in the EU. This again undermines individuals' fundamental rights, as national law enforcement authorities simply use Europol to do their "dirty work" with insufficient safeguards.
These existing challenges and fragmentation will further be accentuated in the future, notably with the adoption of Prüm II as well as the Artificial Intelligence Act. New specific data protection legal frameworks will be added to the already existing complex mosaic of legal instruments, making it even more complicated for data subjects to defend their rights.
7. Proposal for a Regulation of the European Parliament and of the Council on automated data exchange for police cooperation ("Prüm II"), amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, 2019/817 and 2019/818 of the European Parliament and of the Council 2021.
8. 'Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions - The European Agenda on Security' (European Commission 2015) COM(2015) 185 final; 'Council Resolution on the Future of Europol 12463/20' (General Secretariat of the Council 2020) 13956/20; 'Europol Strategy 2020+' (n 2).
9. Council Act drawing up the Convention based on Article K.3 of the Treaty on European Union, on the establishment of a European Police Office 1995.
10. Madalina Busuioc and Martijn Groenleer, 'Beyond Design: The Evolution of Europol and Eurojust' Amsterdam Centre for European Law and Governance Working Paper Series 2011, 8.
11. Europol Convention 1995.
12. Sabine Gless and Thomas Wahl, 'A Comparison of the Evolution and Pace of Police and Judicial Cooperation in Criminal Matters: A Race Between Europol and Eurojust?' in Chloé Brière and Anne Weyembergh (eds), The Needed Balances in EU Criminal Law: Past, Present and Future (Hart Publishing 2018) 342; Council Decision of 6 April 2009 establishing the European Police Office (Europol) 2009 (OJ L 121); Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA 2016 (OJ L).
13. Treaty on European Union (Maastricht, 7 February 1992) 1992 (OJ C) 22 art K.1 s.9.
54. Joanna Parkin, 'The Difficult Road to the Schengen Information System II: The Legacy of "laboratories" and the Cost for Fundamental Rights and the Rule of Law' (Centre for European Policy Studies 2011); Thomas Wahl, 'New Legal Framework for Schengen Information System - Eucrim' (eucrim, 18 February 2019) <https://eucrim.eu/news/new-legal-framework-schengeninformation-system/> accessed 16 June 2021.
55. 'Alerts and Data in SIS' <https://home-affairs.ec.europa.eu/policies/schengen-borders-and-visa/schengen-information-system/alerts-and-data-sis_en> accessed 13 January 2023; Niovi Vavoula and Valsamis Mitsilegas, 'Strengthening Europol's Mandate A Legal Assessment of the Commission's Proposal to Amend the Europol Regulation' (European Parliament 2021) Study requested by the LIBE Committee 44.
56. Council Decision 2005/211/JHA of 24 February 2005 concerning the introduction of some new functions for the Schengen Information System, including in the fight against terrorism 2005 (OJ L 068).
57. European Commission, Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) 2018/1862 on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters as regards the entry of alerts by Europol 2020 [COM(2020) 791 final] art 48(8).
58. Parkin (n 54) 4.
59. Regulation (EU) 2022/991.
60. Regulation (EU) 2022/1190 of the European Parliament and of the Council of 6 July 2022 amending Regulation (EU) 2018/1862 as regards the entry of information alerts into the Schengen Information System (SIS) on third-country nationals in the interest of the Union 2022 (OJ L185).
61. Thomas Wahl, 'Legislation on Information Alerts in SIS Passed' (eucrim, 20 July 2022) <https://eucrim.eu/news/legislationon-information-alerts-in-sis-passed/> accessed 11 January 2023.
62. Niovi Vavoula, '(Covert) Surveillance of Foreign Terrorism Fighters via the Schengen Information System (SIS): Towards Maximum Operationalisation of Alerts and an Enhanced Role for Europol' (2023) 14 New Journal of European Criminal Law 2, 206.
63. Regulation (EU) 2022/1190 art 37a.
(EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA 2016 (OJ L 119/89).
73. Plixavra Vogiatzoglou and Thomas Marquenie, 'Assessment of the Implementation of the Law Enforcement Directive'
'Opinion 4/2021 - EDPS Opinion on the Proposal for Amendment of the Europol Regulation' (2021) 14.
86. Romain Lanneau, 'Europol Told to Hand over Personal Data to Dutch Activist Labelled "Terrorist" by Dutch Police' (Statewatch, 16 September 2022) <https://www.statewatch.org/news/2022/september/europol-told-to-hand-over-personal-data-to-dutch-activistlabelled-terrorist-by-dutch-police/> accessed 31 October 2022.
87. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA art 14(c).
88. Diana Dimitrova and Paul De Hert, 'The Right of Access Under the Police Directive: Small Steps Forward' in Manel Medina and others (eds), Privacy Technologies and Policy, vol 11079 (Springer International Publishing 2018) 126.
89. ibid.
90. 'Decision of the European Data Protection Supervisor in Complaint Case 2020-0908 against Europol' (EDPS 2022) 6.