europol’s tailor-made data protection framework daniel drewer head data protection office budapest...
TRANSCRIPT
Europol’s tailor-made data protection framework
Daniel DrewerHead Data Protection OfficeBudapest 5 February 2015
Europol’s Tasks
Exchange of information between Member States
Obtain, collate and analyze information and intelligence
To support national investigations
Computerized system of collected information
Europol – the European FBI?
Any operational action by Europol must be carried out in liaison and in agreement with the authorities of the Member State or States whose territory is concerned. The application of coercive measures shall be the exclusive responsibility of the competent national authorities.
Information Exchange
Exchange of information among the EU MS and between the EU and third countries involved
Direct contacts with EU MS’ experts
Cooperation with Third States and organisations incl. Eurojust and Interpol
Possibility to process law enforcement data in tailor-made IT systems
Europol Information System (Article 11 ECD) Analysis work files (Article 14 ECD)
New systems (Article 10.2 ECD)
The processing of personal data has to be explicitly allowed and defined in order to protect individual’s rights!
AWFs
Analysis strategic
Support of Investigations
Overview on CrimeSituation in EU
Decision Making
Initiation of Investigations
operational
8
Analysis Work Files (AWFs) Data subjects
Suspects
Witnesses
Victims
Contacts and associates
Informants
9
Key capabilities – Our information (2014)
•Europol Information System
•AnalysisWork Files
•Secure Information Exchange Network Application
255.431 data items 76.137 persons 14 countries using data loaders 103.778 searches
29 specialised analysis projects 78.798 persons in CT 672.065 persons in SOC Modern analytical techniques, e.g. SNA 141.908 messages exchanged 8.537 new cases initiated More than 340 competent authorities connected More than 4.000 users
“Data Protection hinders effective law enforcement” !?
Occasional prejudice in the law enforcement community
Message to the Controllers and Processors
We are sitting in one boat!?
Data Protection leads to high quality of data
Any failure to comply with it’s tailor-made data
protection framework might prevent the criminal from
being convicted
Cases of imminent criminal danger are subject
to exemption rules
Data Protection acquis at Europol
Europol Council Decision
Implementing Rules, e.g. the Analysis Rules, Third States, Confidentiality
Council of Europe Convention 108 from 1981
Council of Europe Recommendation R(87)15 – Use of personal data in the police sector
Regulation (EC) 45/2001
Framework Decision on Data Protection in 3rd Pillar NOT applicable
Processing of personal data is part of core business
Europol as an “Intelligence Broker” Enhance “intelligence led policing”
Data protection is one important element to be considered when measuring Europol’s operational powers and limits
New meaning of Data Protection in the post-Snowden age?
Debate on healthy balance between security and privacy more important than ever!
LE operations regulated by law in far more detail
Oversight mechanisms are more transparent
No “full take” -> no haystack - but a (pretty big) pile of needles
16
Supervision of Europol (Internal)Tasks of the Data Protection Officer
Ensuring, in an independent manner, lawfulness and compliance
Audits Europol’s systems (Information System, AWFs)
Regular audit plans (monthly for the EIS) Audit reports are sent to the Director, MB and JSB Ensuring that data subjects are informed of their
rights under the ECD at their request Cooperating with the JSB Preparing an annual report and communicating that
report to the MB and to the JSB
17
Supervision of Europol (External) JSB: tasks
Review the activities of Europol in order to ensure that the rights of the individual are not violated by the storage, processing and use of the data held by Europol
Monitor the permissibility of the transmission of data originating from Europol
Examining and commenting on the opening of AWFs Providing opinions relating to implementation and
interpretation of the Europol Council Decision Providing opinions if Europol wishes to conclude an
operational agreement with third parties
Supervision of Europol (Indirect) National Supervisory Bodies
Monitor independently, in accordance with national law, communication of personal data to and from Europol
Access at national unit and at liaison offices on Europol premises
Data subject has a right to request national supervisory body to ensure that input or communication of personal data to Europol are lawful
Challenges ahead
New legal framework for Europol (Europol
Regulation)
Specific accommodation for Law
Enforcement purposes (tailor-made data
protection framework)
INTEGRATED DATA MANAGEMENT
Framework for Open Sources Intelligence
(OSINT)
New supervisory governance model
(coordinated supervision: DPAs and EDPS +
strong supervisory powers)
Police information collected via drones
Personal data shared with Europol has to be lawfully obtained by national authorities
The data collection must respect fundamental rights and has to be in compliance with the national law of the contributing state
Europol has procedural measures in place to insure that incoming data is checked for compliance prior to data entry
Europol has been inspected in 2014 by the Joint Supervisory Body in relation to the lawfulness of data collected in the states/organisations
The inspection report is available to the public: http://europoljsb.consilium.europa.eu