By Lisette Mustert
Blogpost 58/2023
On 6 September of this year, the General Court declared the European Data Protection Supervisor’s (EDPS) action to annul two provisions laid down in the new Europol Regulation inadmissible (T-578/22). These two provisions retroactively legalise unlawful data processing activities by the EU Agency for Law Enforcement Cooperation (Europol). While this action for annulment could help in bringing an end to the lengthy saga between the EDPS and Europol, the lack of legal standing seems to imply that the EDPS will have to continue to make ‘the best of it’ by resorting to its (limited) administrative enforcement powers.
This blogpost argues that the new Europol Regulation forms a threat to the protection of the fundamental right to data protection, while the EDPS’ possibilities for monitoring and supervising compliance with the EU’s data protection rules remain limited. Furthermore, the separation of powers seems to reduce the EDPS’ possibilities to intervene in the law-making process, which makes it particularly relevant that the EDPS is able to seek legal protection where new legislative initiatives violate the fundamental right to data protection, something that is currently being denied by the General Court.
Background to the case: fundamental rights protection under pressure
The saga between the EDPS and Europol goes back to 2019 when Europol’s Executive Director informed the EDPS about the Agency’s issues with compliance with the data protection rules. Europol is an EU agency responsible for coordinating cooperation between law enforcement authorities in the Member States to prevent and combat serious international and organized crime, cybercrime and terrorism. For that purpose, Europol has far-reaching powers related to collecting and processing personal data. The EDPS is generally responsible for monitoring and supervising compliance with the EU’s data protection rules by the EU institutions and bodies (Article 4 of Regulation (EU) 2018/1725).
With regard to Europol, Regulation (EU) 2016/794 (hereinafter: initial Europol Regulation) lays down both the rules for data protection applicable to Europol and the supervisory tasks of the EDPS. This Regulation has now been amended by Regulation (EU) 2022/991 (hereinafter: new Europol Regulation). Hence, the EDPS has a role in ensuring that the right balance is being found between the protection of public interests (security) and the fundamental right to data protection. Under the initial Europol Regulation, it could do so by exercising its powers in accordance with Article 43, according to which the EDPS could inter alia monitor the application of the Regulation, conduct inquiries on the basis of a complaint or its own initiative, advise Europol, or carry out prior consultations on processing.
The Executive Director revealed that Europol acted beyond its powers by processing large datasets from several Member States which included personal data of individuals not linked to a criminal activity. The initial Europol Regulation did not provide for such processing operations. Instead, Europol could only process personal data from several categories of data subjects listed in Annex II B of the initial Regulation – such as persons suspected of committing a criminal offence, future criminals, witnesses, victims, contacts, or associates, et cetera. In several contributions, Sarah Tas has extensively discussed the, what she calls, ‘ping-pong game of a Big Data Challenge’ that started between the EDPS and Europol after this revelation of the Executive Director.
As a first response, the EDPS commenced an own-initiative investigation, after which it adopted an admonishment decision to Europol in which it concluded that the Agency breached the provisions that determine the categories of data subjects that Europol is allowed to process. Furthermore, Europol did not comply with the data minimisation and storage limitation principles (Article 28(1)(e) of the initial Regulation). Therefore, the EDPS required Europol to adopt an action plan to remedy the situation. However, no concrete action was taken by Europol and, therefore, the EDPS eventually adopted a decision in January 2022 using its corrective powers in accordance with Article 43(3)(e) of the initial Regulation. In its decision, the EDPS ordered Europol to delete all personal data held on individuals with no established link to a criminal activity, and ‘to ensure data subject categorization for new datasets to be completed within six months and for existing datasets within twelve months’ (Tas 2022).
This order could have brought an end to Europol’s data protection violations, however, the opposite is true. Instead, the EU institutions retroactively legalised Europol’s data processing activities, and thereby overruled the EDPS’ decision by adopting a new Regulation amending the initial Europol Regulation (EDPS 2022). According to Articles 74a and 74b of this new Regulation, Europol is now ‘expressly allowed to hold on to large and complex datasets received before the new Regulation enters into force and analyse them for a period up to three years’ (Tas 2022). Europol can now lawfully process vast amounts of personal data from individuals outside of the remit of Annex II – i.e., personal data of individuals with no established link to a criminal activity – for an extended period of time. This undermines both the principles of data minimisation and storage limitation (Quintel 2022, p. 94). Tas even warns for the possibility that this provision enables mass surveillance in the EU by means of the vast collection of personal data and predictive policing (Tas 2023, p. 543-545).
While the EDPS may have had some influence during the legislative process based on Articles 42 and 52(3) of Regulation 2018/1725 which requires the Commission to consult the EDPS where its proposal for a legislative act impact the protection of the fundamental right to data protection, this influence is limited. Indeed, the EDPS adopted an opinion (4/2021) reflecting on the Commission’s proposal of the new Europol Regulation, which did not yet include Articles 74a and 74b.
The role of the EDPS is also not so well-developed compared to other EU agencies or bodies with advising powers. Whereas in other areas of law there is, for instance, a need for the Commission to give reasons if it wants to set aside advice from an expert EU body or agency, this is not the case with regard to EDPS opinions – for example, the Commission cannot simply set aside the European Aviation Safety Agency’s advice on technical rules (Article 75(2)(b) of Regulation (EU) 2018/1139). Therefore, the only avenue to challenge Articles 74a and 74b for the EDPS was to initiate an action for annulment before the General Court, as the EDPS did in September 2022. In its action, the EDPS argued that overruling the EDPS’ order addressed to Europol, threatens not only its independence, but also the safeguarding of legal certainty for individuals and the principle of non-retroactivity of legal acts (see T-578/22, para. 20). This action for annulment was, however, dismissed by the General Court for several reasons, as discussed below.
Checks and balances: the separation of powers is ensured and a lack of ‘checks’ confirmed
It seems as if the EDPS foresaw difficulties in gaining legal standing before the General Court due to the strict standing requirements of proving direct and individual concern under Article 263(4) TFEU. Therefore, the EDPS argued before the Court that, regardless of Article 263(4) TFEU, it should have legal standing ‘to defend his institutional prerogatives’ (T-578/22, para. 40). In its argumentation, the EDPS referred to the principle of institutional balance to defend the EDPS’ prerogatives as an independent supervisory authority of the EU institutions and bodies. Such independent supervision is an individual’s right pursuant to Article 8(3) of the Charter of Fundamental Rights (CFR) and Article 16(2) of the Treaty on the Functioning of the EU (TFEU) (see also Docksey and Propp 2023, p. 24). Simply put, the EDPS argued that it cannot guarantee independent supervision since the contested provisions counter the EDPS’ enforcement activity. The EDPS here referred to the judgment in Case C-70/88 Parliament v Commission, which held that the Court must ‘be able to maintain the institutional balance and, consequently, review the observance of the Parliament’s prerogatives when called upon to do so […] by means of a legal remedy’ (para. 23).
The General Court, however, dismissed the EDPS’ argument, first, by clarifying that the EDPS is not an EU institution. Although the General Court acknowledged the particular status of the EDPS based on Articles 8(3) CFR and 16(2) TFEU, this special status which allows the EDPS to supervise independently compliance with data protection rules, ‘is not intended to limit the powers of the EU legislature’ (T-578/22, para. 48). The General Court continued, that it is for the Parliament and the Council alone to decide on the content of legislative acts; while the EDPS supervises compliance – in complete independence – within the framework of such legislative acts. A relevant question arises here whether the EDPS is then actually able to supervise effectively Europol’s processing activities, a matter that will be discussed in the next section.
Furthermore, the General Court seems to overlook that the specific circumstances before it were rather peculiar and not at all as simple as the EU legislature having adopted legislation, which an independent supervisory authority shall subsequently monitor and supervise. Instead, legislation had been adopted that counteracts the decision of an independent supervisory authority retrospectively. This sets a worrying precedent where the EU legislature can apparently ‘move the goalposts’ in the area of data protection. As the EDPS rightly argued, while the data protection authorities in the EU are supposed to act in complete independence, such authorities may now feel the need to consider political preferences in their decision-making as they may risk to see their decision being overridden by legislative action (EDPS 2022).
The General Court seemed, however, satisfied with the fact that the EDPS has the power to seek ex post judicial review since Article 58(4) of Regulation (EU) 2018/1725 provides that the EDPS has the power to refer matters to the CJEU (T-578/22, para. 64). According to the General Court, this is sufficient for the EDPS to protect its prerogatives. Case T-578/22 itself, however, already demonstrates the downsides of this system, more specifically, regarding the classic concerns about demonstrating direct and individual concern as a non-privileged applicant.
The General Court first clarified that the EDPS has no standing before the CJEU as a (semi-) privileged applicant, referring to the fact that the EDPS is established by secondary EU law (T-578/22, paras. 33-36). Nevertheless, the EDPS has the power to refer a matter to the EU courts as a non-privileged applicant, if the conditions of Article 263(4) TFEU are satisfied. As such, the General Court held that ‘such a legal person is indeed equally as likely as any other person or entity to have its rights or interests adversely affected by that act and must, therefore, be able to seek the annulment of that act’ (T-578/22, para. 65). Regarding ‘direct concern’, the General Court repeated the CJEU’s well-established case law that ‘the contested measure must directly affect the legal situation of the applicant and […] leave no discretion to its addressees who are entrusted with the task of implementing it […]’ (T-578/22, para. 70). This much-criticised strict test proves to be difficult to meet also in this case. Hence, the General Court rather easily concludes that the EDPS was not prevented from exercising its own powers as it saw fit and, therefore, the two contested provisions are not of direct concern to the EDPS.
The General Court made an explicit comparison to Joined Cases C-177/19 P to C-179/19 P Germany and Ville de Paris v Commission, in which the Court of Justice had adopted the strict interpretation that, if an EU act does not prevent a public legal person – in this case, several cities across the EU – from exercising its own powers as it sees fit, that EU act also does not directly affect its legal situation. The General Court followed this precedent set by the ECJ and thus held that the EDPS is not directly concerned since the new Regulation has no bearing on the nature and scope of the EDPS’ tasks, and its powers have not been altered (T-578/22, paras. 73-74). It is questionable, however, whether a comparison with the case law referred to by the General Court makes sense here due to the special status of the EDPS – and other data protection authorities acting in complete independence – which arguably should make the threshold of undue interference of the legislator with the scope of such authorities’ tasks lower.
Administrative supervision: not apt for Europol’s increased powers
The General Court argued that, due to the clear separation of powers, the EU legislature is responsible for the content of a legal framework that the EDPS shall monitor and supervise. It remains questionable whether the EDPS is able to do so in practice. As mentioned, the EDPS’ role in the legislative process is limited – e.g., as compared to other EU agencies and bodies with advisory powers –, and the EDPS cannot simply challenge legislative acts that risk to violate EU law, as illustrated by the General Court’s judgment discussed here.
With regard to supervising compliance with the EU’s data protection rules, the EDPS has generally less control over Europol than over the other EU institutions, bodies, offices and agencies. While the EDPS’ supervisory competences are increased in the new Europol Regulation (see, e.g., Article 43(3)(j)-(l) of the new Europol Regulation), the requested full harmonization by the EDPS of its supervisory powers over Europol with its general powers under Regulation (EU) 2018/1725 was not adopted (EDPS Opinion 4/2021). Furthermore, in the context of Europol’s stronger mandate regarding large datasets specifically, stronger supervision is not ensured (Tas 2022). While the initial Commission proposal provided, for example, that the EDPS could rule whether the datasets including personal data received from a third country ‘are disproportionate or collected in violation of fundamental rights’ (Tas 2022 and Commission Proposal COM(2020) 796 final, Article 18a), the adopted new Regulation requires from Europol only to consult the EDPS where it processes personal data of data subjects not listed in Annex II. Hence, Europol must inform the EDPS before its Management Board can adopt decisions regarding processing operations that are particularly intrusive for individuals (see Articles 11(1)(q), 18(6b) and 18a(5) of the new Europol Regulation). While this should allow the EDPS to provide an independent opinion, Statewatch has already given warning that this procedure is rather ineffective since Europol’s Management Board adopted such decisions without formally consulting the EDPS (instead only informal consultation on the draft Management Board decision was organized at staff level). Furthermore, Europol only provided the EDPS with one week to respond to its draft Management Board Decisions, which also do not always include all relevant information for the EDPS to decide (EDPS letter 2022). For that reason, the EDPS had referred these Management Board Decisions to the European Parliament in 2022, in accordance with Article 43(3)(g) of the new Regulation. Such general disregard for administrative oversight further threatens the protection of data subjects’ rights.
Conclusion
This blogpost argues that the new Europol Regulation sets a worrying precedent which apparently allows the EU legislature to ‘move the goalposts’ in the area of data protection. The strict separation of powers indeed requires the EU legislature to decide on the content of legislative acts, while supervisory authorities monitor and supervise these. However, in the context of retroactively legalizing actions which were first illegal, this seems to be a too simplistic conclusion, especially since the EDPS shall enjoy complete independence, a high standard set by the CJEU (see Case C-518/07 Commission v Germany and Case C-614/10 Commission v Austria). Furthermore, while powers should be separated, supervision must also be ensured effectively.
As set out in this blogpost, the EDPS has, in theory, several ways to check compliance with the EU’s data protection rules. First, it can advise the EU institutions on the adoption of new EU legislation – which may have only limited effects. Secondly, as stressed by the General Court, the EDPS may bring an action for annulment – which seems impossible in many instances due to the strict interpretation of the standing requirements related to direct and individual concern. All that is left for the EDPS is then to resort to its monitoring and supervising powers and to make ‘the best of it’ by ensuring that the scarce data protection safeguards in the amended Europol Regulation are at least complied with. Therefore, the new Europol Regulation seems to form a threat to the full protection of the fundamental right to data protection. Hence, it comes as no surprise that the EDPS has already appealed the General Court’s ruling (pending Case C-698/23 P).
