Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 88 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1) The European Union Agency for Law Enforcement Cooperation (Europol) was established by Regulation (EU) 2016/794 of the European Parliament and of the Council (2) to support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating serious crime affecting two or more Member States, terrorism and forms of crime which affect a common interest covered by a Union policy.

(2) Europe faces a security landscape in flux, with evolving and increasingly complex security threats. Terrorists and other criminals exploit the digital transformation and new technologies, in particular both the inter-connectivity and the blurring of the boundaries between the physical and the digital world, for example by concealing their crimes and their identities through the use of increasingly sophisticated techniques. Terrorists and other criminals have proven their ability to adapt their modes of operation and to develop new criminal activities in times of crisis, including by leveraging technology-enabled tools to multiply and expand the range and scale of their criminal activities. Terrorism remains a significant threat to the freedom and way of life of Union citizens.

(3) Evolving and complex threats spread across borders, cover a variety of crimes that they facilitate, and manifest themselves in poly-criminal organised crime groups that engage in a wide range of criminal activities. As action at national level and cross-border cooperation do not suffice to address those transnational security threats, competent authorities of the Member States have increasingly made use of the support and expertise that Europol offers to prevent and counter serious crime and terrorism. Since Regulation (EU) 2016/794 became applicable, the operational importance of Europol’s tasks has increased substantially. Furthermore, the new threat environment changes the scope and type of support Member States need and expect from Europol to keep citizens safe.

(4) Additional tasks should therefore be conferred upon Europol by this Regulation to allow Europol to better support competent authorities of the Member States while fully preserving the responsibilities of the Member States in the area of national security laid down in Article 4(2) of the Treaty on European Union (TEU). Europol’s reinforced mandate should be balanced with strengthened safeguards with regard to fundamental rights and increased accountability, liability and oversight, including parliamentary oversight and oversight through the Management Board of Europol (‘the Management Board’). To allow Europol to fulfil its reinforced mandate, it should be provided with adequate human and financial resources to support its additional tasks.

(5) As the Union faces increasing threats from organised crime groups and terrorist attacks, an effective law enforcement response must include the availability of well-trained interoperable special intervention units specialised in the control of man-made crisis situations. In the Union, the special intervention units of the Member States cooperate on the basis of Council Decision 2008/617/JHA (3). Europol should be able to support those special intervention units by providing technical and financial support, complementing the efforts undertaken by Member States.

(6) In recent years, large-scale cyberattacks, including attacks originating in third countries, have targeted public and private entities alike across many jurisdictions within the Union and outside it, affecting various sectors including transport, health and financial services. The prevention, detection, investigation and prosecution of such cyberattacks is supported by coordination and cooperation between relevant actors, including the European Union Agency for Cybersecurity (ENISA) established by Regulation (EU) 2019/881 of the European Parliament and of the Council (4), competent authorities on the security of network and information systems within the meaning of Directive (EU) 2016/1148 of the European Parliament and of the Council (5), competent authorities of the Member States and private parties. In order to ensure effective cooperation between all relevant actors at Union and national level on cyberattacks and cyber threats, Europol should cooperate with ENISA in particular through the exchange of information and analytical support in areas that fall within their respective competences.

(7) High-risk criminals play a leading role in criminal networks and their criminal activities pose a high risk for the Union’s internal security. To combat high-risk organised crime groups and their leading members, Europol should be able to support Member States in focusing their investigative response on identifying the members and the leading members of those networks, their criminal activities and their financial assets.

(8) The threats posed by serious crime require a coordinated, coherent, multi-disciplinary and multi-agency response. Europol should be able to facilitate and support intelligence-led, Member State-driven security initiatives that aim to identify, prioritise and address serious crime threats, such as the European Multidisciplinary Platform Against Criminal Threats (EMPACT). Europol should be able to provide administrative, logistical, financial and operational support to such initiatives.

(9) The Schengen Information System (SIS), established in the field of police cooperation and judicial cooperation in criminal matters by Regulation (EU) 2018/1862 of the European Parliament and of the Council (6), is an essential tool for maintaining a high level of security within the area of freedom, security and justice. Europol, as a hub for information exchange in the Union, receives and holds valuable information from third countries and international organisations on persons suspected to be involved in crimes that fall within Europol’s objectives. Within the framework of its objectives and its task of supporting the Member States in preventing and combating serious crime and terrorism, Europol should support the Member States in processing data provided by third countries or international organisations to it by proposing the possible entry by Member States of alerts in SIS under a new category of information alerts in the interest of the Union (‘information alerts’), in order to make those information alerts available to the end-users of SIS. To that end, a periodic reporting mechanism should be put in place in order to ensure that Member States and Europol are informed about the outcome of the verification and analysis of those data and about whether the information has been entered in SIS. The modalities for Member States’ cooperation for the processing of such data and the entry of alerts in SIS, in particular as concerns the fight against terrorism, should be subject to continuous coordination among the Member States. The Management Board should specify the criteria on the basis of which it should be possible for Europol to issue proposals for the entry of such information alerts in SIS.

(10) Europol has an important role to play in support of the evaluation and monitoring mechanism to verify the application of the Schengen acquis established by Council Regulation (EU) No 1053/2013 (7). Europol should therefore, on request of the Member States, contribute with its expertise, analyses, reports and other relevant information to the evaluation and monitoring mechanism to verify the application of the Schengen acquis.

(11) Risk assessments help to anticipate new trends and to address new threats posed by serious crime and terrorism. To support the Commission and the Member States in carrying out effective risk assessments, Europol should provide the Commission and the Member States with threat assessment analyses based on the information it holds on criminal phenomena and trends, without prejudice to Union law on customs risk management.

(12) In order for Union funding for security research to achieve its aim of ensuring that that research develop its full potential and address the needs of law enforcement, Europol should assist the Commission in identifying key research themes and in drawing up and implementing the Union framework programmes for research and innovation that are relevant to Europol’s objectives. Where relevant, it should be possible for Europol to disseminate the results of its research and innovation activities as part of its contribution to creating synergies between the research and innovation activities of relevant Union bodies. When designing and conceptualising research and innovation activities relevant to Europol’s objectives, Europol should be able, where appropriate, to consult the Joint Research Centre (JRC) of the Commission. Europol should take all necessary measures to avoid conflicts of interest. Where Europol assists the Commission in identifying key research themes and in drawing up and implementing a Union framework programme, Europol should not receive funding from that programme. It is important that Europol is able to rely upon the provision of adequate funding in order to be able to assist the Member States and the Commission in the area of research and innovation.

(13) It is possible for the Union and the Member States to adopt restrictive measures relating to foreign direct investment on the grounds of security or public order. To that end, Regulation (EU) 2019/452 of the European Parliament and of the Council (8) establishes a framework for the screening of foreign direct investments into the Union. Foreign direct investments in emerging technologies deserve particular attention as they can have significant implications for security and public order, in particular when such technologies are used by competent authorities of the Member States. Given the involvement of Europol in monitoring emerging technologies and its involvement in developing new ways of using those technologies for law enforcement purposes, in particular through its Innovation Lab and through the EU Innovation Hub for Internal Security, Europol has extensive knowledge regarding the opportunities offered by such technologies as well as the risks associated with their use. It should therefore be possible for Europol to support Member States in the screening of foreign direct investments into the Union and the related risks to security that concern undertakings that provide technologies, including software, used by Europol for the prevention and investigation of crimes that fall within Europol’s objectives or critical technologies that could be used to facilitate terrorism. In that context, Europol’s expertise should support the screening of the foreign direct investments and the related risks to security. Particular account should be taken of whether the foreign investor has already been involved in activities affecting security, whether there is a serious risk that the foreign investor engages in illegal or criminal activities and whether the foreign investor is controlled directly or indirectly by the government of a third country, including through subsidies.

(14) Europol provides specialised expertise for combating serious crime and terrorism. Upon request by a Member State, Europol staff should be able to provide operational support to the competent authorities of that Member State in operations and investigations, in particular by facilitating cross-border information exchange and providing forensic and technical support in operations and investigations, including in the context of joint investigation teams. Upon request by a Member State, Europol staff should be entitled to be present during the execution of investigative measures in that Member State. Europol staff should not have the power to execute investigative measures.

(15) One of Europol’s objectives is to support and strengthen action by the competent authorities of the Member States and their mutual cooperation in preventing and combating forms of crime which affect a common interest covered by a Union policy. To strengthen that support, the Executive Director of Europol (‘the Executive Director’) should be able to propose to the competent authorities of a Member State that they initiate, conduct or coordinate the investigation of a crime which concerns only that Member State but affects a common interest covered by a Union policy. Europol should inform Eurojust and, where relevant, the European Public Prosecutor’s Office (‘the EPPO’) established by Council Regulation (EU) 2017/1939 (9), of any such proposal.

(16) Publishing the identity and certain personal data of suspects or convicted individuals who are wanted on the basis of a national judicial decision increases the chances of Member States locating and arresting such individuals. To support Member States in locating and arresting such individuals, Europol should be able to publish on its website information on Europe’s most wanted fugitives as regards criminal offences that fall within Europol’s objectives. To the same end, Europol should facilitate the provision by the public of information on those individuals to the Member States and Europol.

(17) Once Europol ascertains that personal data that it receives fall within its objectives, it should be able to process those personal data in the following four situations. In the first situation, the personal data received relate to any of the categories of data subjects listed in Annex II of Regulation (EU) 2016/794 (‘Annex II’). In the second situation, the personal data received consist of investigative data that contain data that do not relate to any of the categories of data subjects listed in Annex II but have been provided, pursuant to a request for Europol’s support for a specific criminal investigation, by a Member State, the EPPO, Eurojust or a third country, provided that that Member State, the EPPO, Eurojust or that third country is authorised to process such investigative data in accordance with procedural requirements and safeguards applicable under Union and national law. In that situation, Europol should be able to process those investigative data for as long as it supports that specific criminal investigation. In the third situation, the personal data received might not relate to the categories of data subjects listed in Annex II and have not been provided pursuant to a request for Europol’s support for a specific criminal investigation. In that situation, it should be possible for Europol to verify whether those personal data relate to any of those categories of data subjects. In the fourth situation, the personal data received have been submitted for the purpose of research and innovation projects and do not relate to the categories of data subjects listed in Annex II.

(18) In accordance with Article 73 of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10), where applicable and as far as possible, Europol is to make a clear distinction between the personal data that relate to the different categories of data subjects listed in Annex II.

(19) Where Member States use Europol’s infrastructure for the exchange of personal data on crimes that do not fall within Europol’s objectives, Europol should not have access to those data and should be considered to be a processor pursuant to Article 87 of Regulation (EU) 2018/1725. In those cases, Europol should be able to process data that do not relate to the categories of data subjects listed in Annex II. Where Member States use Europol’s infrastructure for the exchange of personal data on crimes that fall within Europol’s objectives and where they grant Europol access to those data, the requirements linked to the categories of data subjects listed in Annex II should apply to any other processing of those data by Europol.

(20) While respecting the principle of data minimisation, Europol should be able to verify whether personal data received in the context of preventing and combating crimes that fall within its objectives relate to one of the categories of data subjects listed in Annex II. To that end, Europol should be able to carry out a pre-analysis of personal data received with the sole purpose of determining whether such data relate to any of those categories of data subjects by checking those personal data against data it already holds, without further analysing those personal data. Such pre-analysis should take place prior to, and separate from, Europol’s data processing for cross-checking, strategic analysis, operational analysis or the exchange of information, and after Europol has established that the data in question are relevant and necessary for the performance of its tasks. Once Europol has ascertained that those personal data relate to the categories of data subjects listed in Annex II, Europol should be able to process those personal data for cross-checking, strategic analysis, operational analysis or the exchange of information. If Europol concludes that those personal data do not relate to the categories of data subjects listed in Annex II, it should delete those data.

(21) The categorisation of personal data in a given data set may change over time as a result of new information that becomes available in the context of criminal investigations, for example regarding additional suspects. For that reason, Europol should be allowed to process personal data where it is strictly necessary and proportionate for the purpose of determining the categories of data subjects to which the data in question relate for a period of up to 18 months from the moment Europol ascertains that those data fall within its objectives. Europol should be able to extend that period up to three years in duly justified cases and provided that such an extension is necessary and proportionate. The European Data Protection Supervisor (EDPS) should be informed of the extension. Where the processing of personal data for the purpose of determining the categories of data subjects is no longer necessary and justified and, in any event, after the end of the maximum processing period, Europol should delete the personal data.