Operational since 1999, the European Union Agency for Law Enforcement Cooperation, commonly known as Europol, aims at supporting national police authorities in the EU in combating transnational criminal networks.
Over the past years, though, the agency has interpreted its mandate in a much broader way, leading the European Data Protection Supervisor to sound the alarm over its respect for privacy norms.
Europol, the EU watchdog said, has engaged in collecting and holding a huge amount of personal data it was not authorised to keep. Not only those of criminals or suspects, but details about migrants, refugees, witnesses, activists — a “big ark” of almost four terabytes of data.
After months of work with the fabulous @LudekStavinoha @Balkanizator @daniel_howden and with the support of #IJ4EU + @LHreports, our investigation into the expanding role of Europol is out on @guardian, @derspiegel @DomaniGiornale @Mediapart & @News247gr. Thread with links. pic.twitter.com/9Ds88uegJ6
— giacomo zandonini (@giacomo_zando) January 10, 2022
The first part of this cross-border investigation revealed how Europol has consistently tried bypassing data protection norms while carrying out mass surveillance programmes.
Thanks to freedom-of-information requests and leaks, the team was able to reconstruct the long brinkmanship between Europol and the European Data Protection Supervisor, which resulted in an order by the latter to erase personal data that Europol was holding unlawfully.
For the second part of the investigation, the team dug into Europol programmes that aim to monitor migrants and asylum seekers who cross EU external borders.
Some of Europol’s data is received through a programme called PeDRA (Processing of Personal Data for Risk Analysis), run by Frontex, the European Border and Coast Guard agency. Launched in 2016, in the wake of the November 2015 terrorist attacks in Paris, PeDRA seeks to collect and share information about suspects of cross-border crime, by debriefing newly arrived migrants.
Internal documents obtained by the team show how, in late 2021, Frontex secretly enlarged PeDRA, allowing for the collection of extremely sensitive data, such as sexual orientation and political preferences, sidelining its own data protection office.
Meanwhile, in June 2022, a new Europol regulation entered into force, significantly expanding its mandate.
The agency will be able to receive large datasets from private parties — such as social media and social analytics companies — and from non-EU countries, including from authoritarian regimes. It will have its own research and development structure, allowing for a wider use of artificial intelligence, machine learning and predictive policing tools.
Shedding light on Europol’s functioning and its impact on citizens will thus be a crucial task for journalists in the years to come.