Europol’s Data Dominance: The Multifaceted Involvement and Impact of Data Analytics Across Sectors

Table of Contents: 1. Introduction. – 2. From Member State dependency to EU information hub. – 2.1. The first steps towards Europol’s emergence as an information hub. – 2.2. Two decisive changes to Europol’s founding acts. – 2.3. The Recast Europol Regulation. – 3. Europol’s involvement in different areas of EU police and judicial cooperation in criminal matters. – 3.1. EU large-scale information systems and interoperability. – 3.2. PNR Data. – 3.3. AML. – 3.4. Terrorist content online. – 4. What more is there to come? – 4.1. Protection of children online. – 4.2. The Police Cooperation Code and Prüm II. – 5. Conclusion and outlook.

Abstract: On 1st July 2024, Europol celebrated its 25^th anniversary. Evolving from informal police cooperation in the 1970s, the Agency has undergone remarkable changes over the years. Indeed, when the then Europol Drugs Unit commenced its operation in 1999, it seemed difficult to imagine where Europol, as fully-fledged EU Agency, would stand two decades later. Over the years, its capacity to support, coordinate security and even steer cooperation among national authorities through the use of digital technologies transformed Europol into the EU’s primary information hub, developing into a crucial pillar of the EU’s security architecture. With its processing activities, Europol is involved in all areas covered in this Special Section and beyond, from large-scale IT systems, Information Alerts in the Schengen Information System, the processing of PNR data, Anti-Money Laundering (AML) and cooperation between Financial Intelligence Units, the Prüm framework, and illegal content online such as terrorist propaganda. Europol plays a pivotal role in all legislative texts and proposals. Often these topics are addressed in silos. Therefore, this article seeks to address this gap in the literature by looking at the areas covered in this Special Section and Europol’s involvement in all of them.

Keywords: Europol – data analyses – AML – terrorism – police cooperation – PNR.

1.   Introduction

On 1st July 2024, Europol celebrated its 25^th anniversary. Evolving from informal police cooperation in the 1970s,[1] the Agency has undergone remarkable changes over the years. Indeed, when the then Europol Drugs Unit (EDU) commenced its operation in 1999, it seemed difficult to imagine where Europol, as fully-fledged EU Agency, would stand two decades later. Whereas in the first years of its existence, Europol was frequently met with scepticism and reluctance by the EU Member States in terms of its evolving role, this picture has arguably changed. Europol’s capacity to support, coordinate security and even steer cooperation among national authorities through the use of digital technologies transformed Europol into the EU’s primary information hub, developing into a crucial pillar of the EU’s security architecture.

The Agency’s information processing capabilities have become an essential part of information exchanges at multiple levels, not only by providing support on the ground[2] but also by influencing EU policy-making.[3] This may explain the co-legislators’ willingness to increase Europol’s mandate twice within a relatively short timeframe. Already under the 2016 Europol Regulation,[4] the Agency was empowered to tackle more than 30 forms of serious crime and related criminal offences, including terrorism, drug trafficking, money laundering, human trafficking, sexual abuse and exploitation, trafficking in arms and ammunition.[5] The 2022 recast Europol Regulation[6] further strengthened the Agency’s opportunities to cooperate with private parties, its role in research and innovation as well as its cooperation with third countries and the European Public Prosecutor’s Office (EPPO).[7] In addition, Europol’s mandate to process information by way of analysis of large and complex datasets was further broadened.[8] The recast Europol Regulation should be seen as an important step towards making the Agency a central information hub in the EU Area of Freedom, Security and Justice (AFSJ) not only for the exchange of data analyses with national authorities for law enforcement purposes, but also as regards cooperation with other EU Agencies, third countries and private parties.[9] Importantly, Europol strives to being involved in all relevant EU initiatives by leveraging its tailor-made expertise in the specific areas of its competence and utilizing its institutional autonomy and professional expertise.[10]

A long time has passed since Europol was dependent on receiving information from its national counterparts.[11] From a reliance on its national counterparts to provide it with necessary information to carry out its tasks, Europol developed analytical skills and knowledge to support national authorities.[12] Nowadays, the Agency appears to be inundated by data the national authorities transmit to it[13] and while it might seem as if Europol cannot make use of all those data it receives, the expertise it developed during the years made it an important partner of many law enforcement authorities in the Member States.[14]

Furthermore, certain Member States proactively suggested more involvement of the Agency in technology foresight and innovation[15] and, progressively, these developments led to the inclusion of Europol in areas beyond its initial mandate as the European Drug Unit and arguably even beyond the one under the Agency’s previous founding act,[16] eventually leading to the adoption of the 2022 recast Europol Regulation. The above developments may explain why Europol is involved in all areas covered in this Special Section and beyond, from large-scale IT systems[17] and, in particular, the proposal of alerts in the Schengen Information System,[18] the processing of PNR data,[19] anti-money laundering (AML)[20] and cooperation between Financial Intelligence Units (FIUs), the Prüm II framework,[21] and the removal of illegal content online such as terrorist propaganda or CSAM.[22] Europol plays a pivotal role in all legislative texts and proposals. Often these topics are addressed in silos. This article seeks to address this gap in the literature by looking at the areas covered in this Special Section and Europol’s involvement in all of them.

To that end, the article will provide an overview of the Agency’s role in the different areas covered in the articles of the Special Section. It will thereby primarily focus on the complexity of Europol’s involvement and how the intertwindness of the different areas may easily lead to a situation where information about an individual may be collected in seemingly disconnected fields that nevertheless establish a link in its analyses. The main objective of the assessment in this article is to demonstrate how the interwindeness of these different fields will make it difficult to exercise individual rights and challenge certain decisions being made based on the results of Europol’s data analyses. Due to the obscurity in which data analyses are necessarily carried out in the law enforcement context, challenging those decisions remains difficult if not impossible. Therefore, additional avenues to ensure oversight of the operations remain essential.

One of Europol’s tasks is the provision of information in form of data analytics to the Member States in order to assist in their criminal investigations. Because in a majority of cases, the analysed information includes personal data, data protection law may arguably one of the most tangible avenue for individuals to exercise their rights in terms of access to data about them, including ancillary rights (such as the right of rectification or the right to restrict processing). Therefore, this article will emphasise on the importance of data protection law as an important means to achieve accountability of EU Agencies such as Europol directly towards individuals.[23]

Against this backdrop, Section I will provide a brief overview of the developments the Agency underwent during the past 25 years, and focus on the 2016 and 2022 Europol reforms. Thereafter, Section II will demonstrate, by way of assessing different legislative texts, reports, and strategic documents, Europol’s role in the relevant policy areas covered by this Special Section. Section III will provide an insight into the future by taking into consideration the recently adopted legislative proposals that are that regulate Europol as an actor. The conclusion will recapitulate how different areas covered by this Special Section may be interconnected by Europol’s way of analysing data from different crime areas to connect the dots between those areas. It will also highlight the pivotal and overarching role Europol plays in police and criminal justice cooperation which, when looking into each legal instrument separately, may not be as prominently visible. In addition, the article will outline some of the practical difficulties that exist in the exercise of individual rights and the supervision of Europol’s data analyses.

2.   From Member State dependency to EU information hub

2.1.  The first steps towards Europol’s emergence as an information hub

Prior to the establishment of the European Drug Unit, Europol's predecessor, in June 1993, already during the 1970s, several initiatives paved the way for the Agency’s formation. In 1976, the so-called TREVI group that was established to address challenges related to terrorism in Europe comprised representatives of the interior and justice ministries from the 12 Member States of the then European Economic Community as an informal, intergovernmental structure.[24] By 1987, the Ministers of Justice and Internal Affairs were discussing a proposal to develop a network of National Drugs Intelligence Units (NDIUs) that was meant to coordinate the intelligence-gathering and dissemination of information on drug trafficking and drug-related crime.[25] Together with primarily national discussions on the possibility to establish a European police agency and first references to it in 1991, the Treaty of Maastricht codified these ideas.[26]

Although the Europol Convention[27] was adopted in 1995, it was not until July 1999 that Europol commenced its activities.[28]However, during the first years of Europol’s operational existence, the policy priorities where not represented in the legislation that followed. While the proposal for a Framework Decision on the principle of availability that was proposed in 2005 already foresaw Europol as an information hub and sought to introduce direct online access to available information for both Member States’ law enforcement authorities as well as for Europol officers,[29] the Council Framework Decision on the Swedish initiative from 2006 mentioned Europol only marginally.[30]

Europol was not conceived as an executive police body and hence has no coercive powers, such as the power to make arrests.[31]This might explain the need for the Agency to develop it expertise in other areas. Europol’s first steps towards developing into an EU information hub emerged with the occurrence of new cyber threats that increased after the proposal for a Framework Decision on the principle of availability was silently abolished due to its supposedly excessive information sharing between national and EU actors.[32]

Nevertheless, Europol’s potential role as central EU policing actor progressively became evident in key policy documents, such as the Hague Programme from 2005[33] and the Stockholm Programme from 2010.[34] The 2008 Council Conclusions on measures against cybercrime,[35] was the first initiative to establish a European Cyber Crime Centre (EC3). While Europol was merely invited to set up a network of police to improve knowledge sharing, the establishment of a European platform to enable the sharing of cybercrime information was still left to the Member States and the Commission.[36] Nevertheless, Europol became increasingly visible in that area and, in 2013, the EC3 was established as a sub-unit within the Agency.[37]

The EU’s activities in police and judicial cooperation in criminal matters were given new impetus with the entry into force of the Lisbon Treaty, which stipulated a high level of security through measures to prevent and combat crime as one of the Union’s objectives.[38] The Lisbon Treaty not only abolished the pillar structure and granted the EU more competences to legislate in the area of police and criminal justice cooperation. Article 88 of the TFEU provided a legal basis for Europol’s mandate under EU primary law.[39]

The digitalisation of serious crime increasingly being committed online and thereby inevitably having a cross-border dimension also shifted the role and importance of Europol.[40] The expertise it had built up in a forward thinking way during the years when it was still very much dependent on the willingness of national authorities to share information gathered at domestic level was starting to pay off.[41] Europol became a sought-after stakeholder that was able to leverage its expertise from primarily collaboration and sharing towards becoming the EU’s hub for innovation for policing solutions.[42]The Agency became the central intermediary between public and private stakeholders,[43] a development that was certainly propelled through an increasing reliance on private actors in criminal investigations. Over time, a networking concept that has been described as ‘Uberisation’[44] developed as a collaboration model that follows an integrated data management approach between public and private actors rather than one that aims at accumulating data received from national authorities only.[45]

At the same time, Europol’s role became more prominent, allowing it to have a presence in many legislative instruments in the field of police and judicial cooperation in criminal matters. Consequently, all areas discussed in this Special Section are, in one way or another, interconnected through the role of Europol. Just like its very own modus operandi, collaboration, sharing and networking, the Agency connects the different areas that might otherwise seem separated from each other. And similar to its data environment, in which Europol may connect links between criminal activity, suspicions or otherwise hypothetically associated individuals, the Agency interconnects different areas of EU policy and law making by being involved not only as a crucial intermediary but often as one of the central actors in police cooperation at EU level.

In order to develop into the EU’s criminal intelligence information hub, the Agency established a complex and sophisticated data environment, existing of different systems.[46] Launched in 2005, the Europol Information System (EIS), Europol’s central criminal information and intelligence database, covers all of its mandated crime areas. The data in the EIS is stored within different online ‘entities’, which can be linked to each other in different ways in order to create a structured picture of criminal cases.[47]

Designated users in the national authorities of the Member States may query the EIS and may use the Secure Information Exchange Network Application (SIENA) for follow-up exchanges via the Europol National Units in case of hits. The entity that inserted the data into the EIS is responsible for data accuracy and reliability, is to ensure the storage limitation of the data and must guarantee that the data inserted into the system are up to date. The inserting authority is the so-called owner of the data and may restrict access to the information provided to the system, so that the designated EIS users in the Member States may not always find the same information when running a query in the system. In those cases, the owner of the data is notified that a search was carried out and may contact the querying user to share the relevant and sought for information.[48] How far Europol staff members and additional Europol partners have access to restricted data remains unclear. In addition, the responsibilities attached to the data ownership after Europol used the information for its own analyses may be difficult to allocate.

Besides the EIS and SIENA, the Europol Analysis System (EAS) as an operational information system hosts data that Europol received from its stakeholders to manage information centrally and ensures the use of a wide range of analytical tools to apply investigative capabilities as effectively as possible.[49]

Operational 24/7, Europol’s Operational Centre is responsible for handling all incoming information[50] via the constant flow of data between Europol and its operational partners, assesses the data to be included in Europol databases, maintains a centralised cross-checking service against all existing data and produces analytical reports whenever hits are found in crosschecks.[51]

2.2.  Two decisive changes to Europol’s founding acts

Following the Paris terrorist attacks, the 2016 Europol Regulation was adopted and entered into force on 1 May 2017.[52] The Regulation enabled the Agency to enhance information sharing with its national counterparts as well as with private parties and to pave the way to making Europol the EU’s primary information hub. It abandoned the so-called silo-based approach that separated processing operations in accordance with the databases and work files, and replaced it by a list of legitimate purposes for which Europol could process the data collected to allow for the linkage of information from different sources and discover correlations.[53]The Regulation introduced a technology-neutral approach to data management and processing that rendered the analyses more flexible than the previous regime regulated by the Europol Council Decision. Instead of references to the different information processing systems in which the processing took place previously, the 2016 Regulation laid down the purpose(s) for which data could be processed.[54] Thus, while processing of data by Europol had formerly been system-specific (indicating which data could be processed in which system), under the 2016 Europol Regulation, information processing started to depend on the purpose for which data could be processed.[55] To implement this change, the Agency moved away from its existing separate systems to an integrated, overarching, central data repository and operational environment.[56]

Furthermore, Article 18(2)(a) of the 2016 Europol Regulation allowed the Agency to engage in data mining, by performing ‘cross-checking aimed at identifying connections or other relevant links between information’ regarding persons who are suspected of having committed, who were convicted of, or against whom there are factual indications to believe that they will commit a crime.[57] Under Article 18(2)(b) and (c), Europol was to process personal data for analyses of strategic and thematic nature and for the purpose of operational analyses.[58]

The 2016 Europol Regulation could thus be viewed as a mandate setting instrument as it introduced a number of substantive and procedural changes for the work of Europol: the systems used by the Agency became interoperable or interconnected, and the modalities of processing carried out by Europol started to be defined by the purposes such as cross-checking, strategic/thematic analysis/operational analysis/facilitating information exchange. There was no longer a need of duplication of datasets in different systems, but only one dataset to be used in an integrated data management concept, so-called data lakes. In addition, the processing of data moved at the centre of Europol’s activities, and allowed it to maintain that its operational needs necessitate a tailor-made data protection regime that would allow sufficient flexibility for the Agency to carry out its tasks.[59] While arguably, coupled with the restraint of the Agency emerging from the reliance on Member States’ willingness to share data, this tailor-made regime provided for a robust data protection framework, it was not aligned with the rules applicable at national level under Directive 2016/680 (Law Enforcement Directive, (LED)).[60] In addition, the EU Data Protection Regulation (EUDPR)[61] that applies to the processing of personal data carried out by EU institutions, bodies, offices and agencies and entered into force in December 2018, would only apply to the processing of operational personal data by Europol after the 2022 reform.

2.3.  The Recast Europol Regulation 

On 20 December 2020, the Commission proposed amendments to the Europol Regulation.[62] The recast Europol Regulation implemented changes to further strengthen the data protection framework applicable to the Agency.[63] Most of the novel provisions represent an alignment with the rules at national level and those applicable to other EU Agencies, as they already existed in the data protection instruments that apply to national authorities as well as to EU law enforcement Agencies such as Eurojust and the EPPO.[64] Those existing rules apply to the remaining EU bodies, offices and agencies that are subject to the lex generalis framework under the EUDPR in addition to their standalone data protection provisions, or the legal instruments that have been aligned with the rules under the LED within the revision of data protection rules applicable to former third pillar instruments.[65]

In a nutshell, the recast Europol Regulation introduced new opportunities for the Agency to process large and complex datasets, put forward a strengthened mandate for Europol to cooperate effectively with private parties,[66] third countries and other EU Agencies, and reinforced Europol’s role in research and innovation.[67] The provisions on research and innovation signify additional possibilities for Europol to engage in broadly defined processing.[68]

Therefore, the recast Europol Regulation, while introducing data protection rules similar to those applicable to comparable authorities, offers a whole new range of processing capabilities to the Agency, which will be mentioned in the subsequent sections of this contribution.[69]

3.   Europol’s involvement in different areas of EU police and judicial cooperation in criminal matters

3.1.  EU large-scale information systems and interoperability

Since 2016, tremendous developments have taken place in terms of large-scale information systems that were set up for internal security, migration and asylum purposes both at the external borders and within the Schengen Area. From what were initially only three databases – the Schengen Information System, the Visa Information System and Eurodac – the Union established a common European IT architecture with three entirely new databases: the Entry/Exit System, the European Travel Information and Authorization System and the European Criminal Records Information System for Third Country Nationals and stateless persons. Moreover, all of the founding acts of the existing databases were revised in order to accommodate additional objectives, store further categories of personal data, grant access to additional authorities (both at national and at EU level) and to upgrade the systems in terms of general functionalities. In addition, the AFSJ databases are supposed to increasingly employ algorithmic matching techniques and pre-vetting analyses. In a final step, all of the operational and yet -to -be- established systems are supposed to improve their capacities by inter-exchanging the data they store.

While the EU databases were initially established in so-called silos and compartmentalized according to their individual purposes, they are now to become interconnected, or interoperable. Full interoperability was to be established by the end of 2023. That initial date, however, was postponed and the interoperable system might now be operational only after 2025.[70]Interoperability will connect all EU databases for borders, migration and security and is to ensure that these underlying systems ‘talk’ to each other. Thus, when issuing a query in the centralized system, end users will be able to access information from all connected databases in accordance with their access rights and restrictions in the underlying databases.

One of the objectives of interoperability is to facilitate and streamline access by national and EU (law enforcement) Agencies to information stored in EU large-scale information systems that were not exclusively established for law enforcement purposes. The term ‘streamlining’ is the notion used to describe the ‘aligning’ and ‘simplifying’ of the conditions for providing access across various systems. Ultimately, the interoperable system is also to be connected to certain Europol data, which may be queried through the European Search Portal, one of the interoperable components.[71]

Europol’s increasing opportunities for processing Third Country Nationals’ personal data has gone hand in hand with the revision of operational and the establishment of new EU large-scale information systems. Europol has progressively engaged in the processing of Third Country Nationals’ personal data and is inter alia responsible for operational and strategic support in intelligence-led investigations, analysis and forensics related to migrant smuggling.[72] In 2017, Europol ‘guest officers’ were deployed to designated hot spots for the carrying out of secondary security checks on Third Country Nationals.[73] In that regard, the establishment of the European Migrant Smuggling Centre (EMSC) was a further step in deepening the sharing of intelligence between Europol and other authorities involved in border control and migration management.[74] Within the scope of the EMSC, Europol is to support to the tackling of cross-border crime such as migrant smuggling and trafficking in human beings, thereby exchanging personal data with Member State authorities and additional EU bodies. A legislative proposal from November 2023[75] aims at establishing a European Centre Against Migrant Smuggling which is to reinforce Europol’s support to the prevention and combatting of migrant smuggling and trafficking in human beings.[76]

In addition to the activities of the EMSC, the EU Internet Referral Unit (IRU), which is based at Europol’s European Counter Terrorism Centre (ECTC) and will from part of the discussion in Section 4, monitors online content related to migrant smuggling and referring websites that are connected to migrant smuggling criminal networks to the relevant online service providers for removal.[77]

With the Interoperability regulations, the Agency was given a bigger role so as to be able to search, access and retrieve data from both the EU information systems and the interoperable components. Even before the Interoperability Regulations were proposed, Europol’s access to the EU information systems had become self-evident, as demonstrated in Napieralski’s article in this Special Section. Both the Interoperability Regulations and the recast Europol Regulation contribute to the Agency’s new role in the context of migration management and border control. The recast Regulation broadened the Agency’s mandate to enable it to analyse large and complex datasets and leaves sufficient flexibility to allow the Agency to perform substantive processing activities that are laid down in sector-specific legislation. The only provision that specifically refers to the EU large-scale information systems in the Europol Regulation itself is the possibility for it to propose the entering of so-called information alerts in the Schengen Information System.[78] The remaining tasks of Europol relating to EU large scale information systems and interoperability are scattered in the constituting acts of the (highly complex) framework of interoperable EU information systems.

Europol’s role regarding the Schengen Information System was progressively strengthened over the years and in 2019, steps were taken to enable Europol’s searches in the Schengen Information System[79] and its access to the Visa Information System.[80]The data in the Visa Information System will be automatically processed by using the interoperability European Search Portal to query the remaining systems, including Europol data.[81] In addition, Europol will be represented in the Visa Information System Screening Board.[82]

The European Travel Information Authorisation System allows for the pre-vetting of Third Country Nationals by matching their personal data against screening rules and a watch-list that will be fed with data from Europol’s analyses and consist of data relating to people who are suspected of having committed or taken part in a terrorist offence or other serious criminal offence. For purposes of follow-up action with regard to hits in the European Travel Information Authorisation System watch list, Europol will issue an opinion where data was entered by its staff into the watch list.[83] With the European Travel Information Authorisation System and Visa Information System-recast mechanisms becoming operational in 2024-25, Europol prepares to have in place a 24/7 service that is expected to provide swift follow-up and reasoned opinions on hits of visa or travel authorisation applications against Europol data.[84]

In practical terms, Europol may use the opportunities made available by the interoperability of EU databases in order to occupy a travel intelligence function and to further expand the use of biometrics.[85] In 2020, the so-called Future Group on Travel Intelligence and Border Management, an informal and independent gathering of experts discussing the future of travel intelligence and (intelligent) border management, was set up.[86] Europol’s role was to share and disseminate the Group’s findings and to explain the possibilities and lessons learned to all stakeholders. The Group’s final report, dated March 2022, highlighted the new cooperation opportunities that the new architecture of EU information systems for borders, migration and security provides. In the Report, Europol and the European Border and Coast Guard Agency suggest ways to merge the capacity of different authorities at national and EU level in order to maximize operational benefits. In particular, the agencies propose making it easier for law enforcement and border authorities to proactively share strategic information, trends and patterns regarding Third Country Nationals. Although the Group was dissolved before the end of 2022, Europol maintained that the Group establishes comprehensive study material for the next decade, to propose improvements in relation to the future of Travel Intel and external border management.[87]

Europol’s future objectives in relation to travel intelligence will be to build-up its capabilities in that area towards a fully-fledged European Travel Intelligence Centre (ETIC)[88] and to cooperate with the relevant EU agencies and national authorities to implement its roadmaps related to travel intelligence and to EU systems interoperability. In addition, the Agency aims at taking up a more prominent role through an improved information management architecture with fully integrated data management and advanced capabilities.

3.2.  PNR Data

As explained by Mendos-Kuskonmaz in this Special Section, under the so-called PNR Directive, Passenger Information Units (PIUs) are responsible for conducting an initial assessment of PNR data in form of operational processing. PIUs process PNR data for different purposes, inter alia, to carry out an assessment of passengers to identify persons who represent a security risk and require further examination, to respond to requests from competent law enforcement authorities and to analyse PNR data for the purpose of updating or creating new criteria to be used in the passenger assessment in order to identify any persons who may be involved in a terrorist offence or serious crime.[89] Such processing could be regarded as proactive preventive policing by means of algorithmic analysis of large datasets received by private actors.[90] The results of such analyses are forwarded to national law enforcement authorities.[91]

Access to the EU PNR data for further use is not only granted to PIUs and national law enforcement authorities, but also to Europol: under the PNR Directive, Member States are to, through their PIUs, exchange the PNR data that they receive amongst each other and with Europol, where this is deemed necessary for the prevention, detection, investigation or prosecution of terrorist offences or serious crime.[92] In particular, under Article 10(1) of the PNR Directive, Europol is entitled to request both PNR data and the results of the processing carried out by the PIUs. For that purpose, the Agency may submit, on a case-by-case basis, an electronic request to the PIU of any Member State through the Europol National Unit for the transmission of specific PNR data or the result of processing those data. For the information exchanges under Article 10, the Europol SIENA must be used.[93] By 2020, a majority of the PIUs in the EU Member States used SIENA for their communications with the PIUs of other Member States.[94]Different projects were carried out in order to facilitate information exchanges between the national PIUs and Europol. For instance, from February 2016 to June 2017, a pilot programme was implemented to explore the possibilities of fostering the exchange of PNR data between the PIUs in the Member States and Europol.[95] In addition, Europol provides support to the national PIUs to carry out operational processing and analyses of PNR. Europol’s role has another dimension; because the use of pre-determined criteria is more demanding from an operational, analytical and technical point of view, it is still at an early stage of implementation in some Member States. Against that background, Since January 2020, Europol provides assistance to the Member States in the development of this processing method. Such assistance is offered through Europol’s Travel Intelligence Task Force. The latter centralises, analyses and distributes relevant information and intelligence on patterns, trends and modus operandi, which are then used by the national PIUs to develop targeting rules.[96]

In addition, Europol offers training and advice to national PIUs that include best practices in investigations and intelligence-gathering/sharing and it supports the coordination of cross-border operations and investigations. Consequently, Europol acts as a central point of contact for PIUs to exchange information with each other and with law enforcement agencies across the EU and in that role it can be assumed to have a first-class overview of the work that is carried out by the different PIUs in the Member States.[97]

A future objective of Europol foresees hosting the Secretariat for the informal working group on PNR and to provide further support to the connectivity and data exchange among the PIUs in the Member States.[98] In addition, the Europol Operational Centre will put an increasing emphasis on the implementation of Europol’s role in the EU PNR within the framework of its travel intelligence operations[99] to develop into a fully-fledged European Travel Intelligence Centre (ETIC) and to complement the work of Frontex.[100] Furthermore, the Agency aims at improving the use of PNR data in investigations related to the trafficking of human beings in order to identify victims and suspects and to further develop effective targeting rules related to trafficking situations.[101]

3.3.  AML

Financial information can play a key role in tackling Money Laundering (ML), Terrorist Financing (TF) and combatting serious crime more generally. The latter includes different types of serious crime, for instance, child sexual exploitation,[102] such as online live streaming of child sexual abuse,[103] but also migrant smuggling,[104] corruption or VAT fraud.[105] Tracing back a financial payment can be essential in investigations to link it to the perpetrators of a serious crime and assist in their prosecution, and cooperation in that regard may be crucial due to the cross-border nature of such crime.

Financial Intelligence Units (FIUs) analyse and exchange information concerning suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities. Similarly to PIUs, FIUs thus present a filtering instance between private actors and law enforcement. However, other than PIUs, which are also involved in the investigation of crime, the mandate of FIUs is limited to financial intelligence. Consequently, the sole purpose of FIUs is to collect evidence where money laundering, associated predicated offences or financing of terrorism is suspected, - before the start of any preliminary proceedings or criminal investigation.[106]

As explained in Karapatakis’ article of this Special Section, during the past years, the EU’s AML framework has progressively been reformed, and the latest legislative initiatives on fighting AML and TF were adopted in April 2024.[107] Preventing and fighting money laundering and the financing of terrorism were top priorities of the EU Security Strategy for 2020-2025,[108] which might explain the fast developments regarding legislative measures to further regulate anti-money laundering and counter terrorism financing. As a result, in 2020, the Commission put forward an Action Plan to establish an EU policy on combatting money laundering[109] and shortly afterwards, proposed an AML Package in July 2021, which included the setting-up of a new EU Anti-Money-Laundering Authority (AMLA).[110]

Europol cooperates with FIUs in a variety of ways to support the prevention and detection of financial crime, but also to detect other serious crime such as terrorist financing and child sexual exploitation.[111] It works closely with national FIUs to facilitate the exchange of information and intelligence related to such crime and supports FIUs by providing analytical and operational support, to identify patterns and trends. In addition, Europol coordinates joint investigations and operations with national FIUs to target and disrupt criminal networks involved in financial crime. Furthermore, Europol works on the development of common standards and practices for FIUs and provides trainings to FIUs,[112] including bilateral meetings with FIUs on how to better cooperate.[113]

In 2020, Europol's European Financial and Economic Crime Centre (EFECC) was established to coordinate EU-wide investigations into money laundering and financial crimes more generally. The EFECC is supposed to assist national law enforcement authorities with analytical support, operational coordination, as well as with training and capacity-building programs. In addition, the Centre currently expands the Agency’s responsiveness and operational performance in the areas of fraud, money laundering, asset recovery, corruption and counterfeiting.[114]

Between 2016 and 2021, Europol hosted FIU.net, a decentralised information exchange network designed to support national FIUs.[115] The Agency managed the system centrally and had technical access to all servers in the network. In practice, this meant that while some FIUs were not even able to delete certain data, only Europol was technically capable of performing such operations.[116] Because not all information processed by FIUs fell within Europol’s mandate, but the Agency nevertheless had access to it, the EDPS considered that Europol would not be permitted to carry out the technical administration of FIU.net. In a Decision from December 2019, the EDPS decided that Europol did not have a sufficiently grounded legal basis to administer the network and imposed a ban on the processing.[117] By December 2021, FIU.net was migrated to the Commission’s Directorate-General for Financial Stability, Financial Services and Capital Markets Union.[118] Thus, while exchanges of information between FUIs and Europol take place via FIU.net, exchanges between law enforcement authorities and Europol take place via SIENA.[119] Such differentiation indicates the separation of tasks and powers between FIUs and national law enforcement authorities and endorses it in the information exchange channels with Europol: while intelligence is shared in FIU.net and in accordance with the GDPR applicable to FIUs, law enforcement information is exchanged via SIENA by competent law enforcement authorities that are subject to the rules under the LED. The preferred option to use FIU.net instead of SIENA for exchanges of information between FIUs and Europol was also expressed in an agreement and confirmed in a meeting of the FIU platform.[120]

Europol argued that, because its recast Regulation provides new possibilities to process personal data for longer periods following the reform of the rules on data categorisation,[121] this could serve as a justification to interconnect SIENA and FIU.net[122] so that Europol would regain a strong role regarding the management of the network.[123] However, because it is not clear whether hosting FUI.net forms part of Europol’s tasks under Article 88 TFEU, such interconnection might be challenged even under its recast Regulation. Nevertheless, Europol aims at improving cooperation with the national FIUs to increase the contributions of financial intelligence to Europol[124] and to manage platforms on such intelligence.[125]

After the start of operations of AMLA, Europol intents to establish strong operational cooperation mechanisms with the new Authority, in order to mitigate the potential risk of duplicating activities and to enhance the fight against money laundering and terrorism financing.[126] In addition, Europol’s plan for the near future is to further develop as the EU law enforcement hub for collecting, processing, analysing and exchanging information and criminal intelligence related to financial and economic crime. Eventually, cooperation between the EFECC and other centres such as the ESOCC, EC3 and ECTC is supposed to be strengthened by supporting their operational work.

Beyond internal cooperation amongst different Europol Centres, the Agency plans to strengthen cooperation with entities from different fields. On the one hand, this includes a multi-agency approach and cooperation with both the European Anti-Fraud Office (Olaf) and the EPPO.[127] On the other hand, according to Europol, this should also cover the Europol Financial Intelligence Public Private Partnership (EFIPPP),[128] which tests opportunities for cross-border cooperation and information exchange between Europol, FIUs, national law enforcement authorities and regulated financial service entities such as banks.[129]

Given Europol’s strong track record of cooperation with national FIUs and LEAs in the EU, it could eventually play an important role in supporting AMLA's work. However, it remains to be seen in how far Europol will be able to set its intended endeavours into motion.

3.4.  Terrorist content online

The risks and problems connected to the spread of terrorist content online have been long acknowledged, not only at national level, but also at the level of the EU.[130] Particularly the prominent role of online platforms in revolutionising modern communication and as influencers of the public opinion has increasingly come to the attention of policy makers over the past years.[131] However, because privatised removal procedures may be influenced by commercial interests, the regulation of content moderation has become one of the main features to limit the powerful position of platforms and other online service providers, also in relation to different fundamental rights of their users.[132] In addition, the matter of content moderation became part of the Security Union Strategy[133]and the Counter-Terrorism Agenda.[134]

Over the past few years, different sets of rules on disinformation and regulation covering illegal hate speech, IP rights violations and illegal content online, such as terrorist content, were adopted. The latter will be subject of this section and, although content moderation touches upon various areas having an impact on additional fundamental rights, it will focus on Europol’s role in removal orders under the so-called Terrorist Content Online Regulation (TCO).[135]

While the Proposal for a Regulation on preventing the dissemination of terrorist content online was issued in September 2018, the Regulation itself entered into force in June 2021 and became applicable one year thereafter, obliging internet companies in the EU to take swift measures to prevent the misuse of their services for the dissemination of terrorist content.[136] The TCO Regulation sets strict time limits to remove content following the receipt of a removal order, requires mandatory duty of care mechanisms for all platforms, obliges the latter to establish effective complaint mechanisms for users of (unjustifiably) removed content, imposes transparency and accountability tools and established a framework for strengthened co-operation between hosting service providers, national authorities and Europol.[137]

Within the context of removal orders, national law enforcement authorities are to share information, coordinate and cooperate with Europol, where appropriate.[138] In addition, both Member States and service providers can use the relevant tools provided by Europol to address the misuse of their services for the dissemination to the public of terrorist content.[139] Where terrorist content concerns an imminent threat to life, relevant information concerning that terrorist content is to be transmitted to Europol for follow-up.[140] As a side note, it remains unclear what such follow-up actually entails, as it would be for the Member States to implement appropriate follow-up action. Presumably, Europol will assist national authorities with intelligence analyses and further use the provided information to carry out subsequent data analyses.

Finally, the competent national authorities are encouraged to send copies of removal order to Europol. This is to allow Europol to provide and annual report regarding the types of content that was removed or to which access was disabled.[141] Importantly, the provision under the TCO Regulation does not limit the use of the copies for additional use by Europol.

Consequently, Europol will not only play a pivotal role regarding the cooperation with service providers for the purpose of taking down terrorist or extremist content. It will also receive copies of removal orders that were sent by the national authorities to provide dedicated tools that it developed, tailored in accordance with the needs of national authorities.[142] In addition, the unit responsible for these tasks may cooperate with other centres within Europol in order to use online content for additional types of crime and the referral process creates opportunities for the Agency to store the information received in its own data environment.[143]

Already in 2015, the development of an EU Internet Referral Unit (IRU) by Europol was agreed upon by the Justice and Home Affairs Council of the EU, [144] which was later formally embedded within the Europol European Counter-Terrorism Centre (ECTC) under the 2016 Europol Regulation.[145] Since its establishment, the IRU structurally intervenes in the content-moderation workflow of online service providers by identifying and flagging terrorist content.[146]

The IRU’s core tasks are to provide support to the competent EU authorities by providing strategic and operational analysis, flagging terrorist and violent extremist content online, detecting and requesting removal of internet content used by smuggling networks to attract migrants and refugees[147] and to execute and support referral processes in close cooperation with the industry.[148] For these tasks, Europol is meant to act as a European Centre of Excellence by systematically monitoring social media accounts and searching publicly available sources.[149] Thus, on the one hand, the IRU closely cooperates with online service providers to refer terrorist and violent extremist content. On the other hand, the ECTC provides information for use in criminal investigations such as the ones carried out by the European Migrant Smuggling Centre as part of the European Serious and Organised Crime Centre.[150]

Europol is currently developing a technical solution for managing referrals and removal orders to hosting service providers. The so-called PERCI, the European Platform for takedown of illegal content online, is supposed to succeed the Internet Referral Management application, currently used by the Member State IRUs and Europol as a central system to transmit referrals.[151]

The TCO Regulation thereby endorses the adoption of data-driven analyses and technology by Europol for the purpose of identifying and referring content to private service providers. It thus not only provides a mandate for Europol to engage in such processing operations. It also institutionalises cooperation between private actors and Europol, as further laid down in the recast Europol Regulation.[152] Both the IRU and potentially also the PERCI platform entail configurations of such public–private security collaboration that remain opaque.[153] Evidently, the confidentiality of criminal investigations needs to be secured and competent authorities as well as Europol must be able to carry out their investigations without being fully transparent about their processing operations. However, when it comes to public-private collaboration, additional factors need to be taken into consideration, including the obligations that service providers have towards their users under the data protection framework of the General Data Protection Regulation.[154]

Finally, of crucial importance to the IRU’s referral process is the creation of a mechanism for storing suspect online material within Europol itself. For the IRU to intervene in the platforms’ own content moderation workflow, Europol staff needs to first assess whether the content to be flagged falls within its mandate. If that is the case, online content will be referred to the hosting service provider and stored in Europol’s system.[155] Hence, it is not the referral that is the primary leverage, but rather the harvesting of information by the IRU in order to subsequently use the data for additional analyses. It therefore satisfies Europol’s mission as EU information hub to be able to provide the end-result of its data-driven analyses to the Member States. Thus, these datasets, once inserted into Europol’s data environment can, under specific conditions, be processed for subsequent purposes.[156]

4.   What more is there to come?

4.1.  Protection of children online

Content moderation encompasses much more than notice and takedown mechanisms for terrorist content, but it includes also hate-speech, harmful content, copyright infringements, and additional categories of illegal content. Indeed, the removal of Child Sexual Abuse Material (CSAM) preceded the terrorism content debate.[157]

Europol’s EC3 provides assistance to the competent authorities in the Member States in preventing and detecting all forms of criminality associated with the sexual exploitation of children. This includes preventing and intercepting the distribution of child abuse material, and preempting the further dissemination of such material through peer-to-peer networks and commercial platforms. For that purpose, Europol supports its national counterparts with expertise regarding all types of criminal behavior related to the abuse of children in an online environment such as sexual extortion and online live-streaming. Beyond that, Europol’s assistance includes additional forms of online behavior that may not always be of criminal nature such as the solicitation of children and self-generated indecent material.[158]

Europol collects and analyses data and intelligence related to child sexual abuse and exploitation, which can be used to identify trends and patterns and inform prevention strategies. In addition, Europol closely cooperates with the US-based National Centre for Missing & Exploited Children (NCMEC), which receives reports about potential child sexual exploitation or abuse by internet service providers, social media platforms, and other online companies.[159] Once a report is submitted to the NCMEC, its analysts review the information and work with law enforcement authorities to investigate and respond to the potential threat for a child. Europol receives those NCMEC reports targeting online suspects in various EU Member States.[160] Every NCMEC report is stored and cross-checked against Europol data and eventually disseminated to the respective country.[161] Designated law enforcement authorities in the Member States can download the NCMEC reports for their jurisdiction either directly from the NCMEC Web Services via NCMEC’s Case Management Tool or via the Europol route.[162] Hence, over the past years, Europol was arguably able to build up a lot of expertise with regard to analyzing CSAM submitted to it by NCMEC. Furthermore, Europol is involved in obtaining information on CSAM from the US Department of Homeland Security Investigations, cross-checking these reports and forwarding them to the different Member States.[163]

On 11 May 2022, the Commission issued a Proposal for a Regulation laying down rules to prevent and combat child sexual abuse.[164] The proposed text aims at setting rules to effectively address the misuse of online services for purposes of child sexual abuse.[165] Aiming at replacing the current system of voluntary measures applied by service providers,[166] the proposal lays down obligations on providers of relevant information society services to assess and minimise the risk that their services may be misused for online child sexual abuse, obligations on providers of hosting services and providers of interpersonal communication services to detect and report online child sexual abuse and to remove or disable access to such material, and obligations on providers of internet access services to disable access to child sexual abuse material (CSAM).[167]

In addition to the mandatory risk assessment, service providers would have an obligation to, submit a report to a newly established EU Centre on Child Sexual Abuse when becoming aware of any information indicating potential online child sexual abuse on their services. The EU Centre will substitute the EU law enforcement’s reliance on the NCMEC as it would provide a triage role for reports of potential CSAM from providers[168] and act as a hub of expertise to assist Member States regarding best practices on prevention and on assistance to victims.

For that purpose, a close relationship between the EU Centre and Europol is to be established. In order to allow the EU Centre to achieve all of its objectives it is to have its seat at the same location as Europol[169] in order to improve data exchange possibilities between the two Agencies, to create a knowledge hub on combatting CSAM and to rely on the support services of Europol[170] such as information technology, cybersecurity, and communication infrastructure.[171]

In order to facilitate the detection, reporting and removal of CSAM, the EU Centre would analyse and review reports received from service providers and would forward such reports to national law enforcement authorities and Europol. To achieve this objective, Europol and the EU Centre shall provide each other with the fullest possible access to relevant information and information systems.[172] This includes the creation of a database of reports by the EU Centre that Europol would be granted access to.[173]

It is without any doubt that (online) child sexual abuse is one of the most horrific crimes and the generation and dissemination of CSAM as well as the solicitation of children online needs to be prevented, particularly in view of the drastic increase of such crimes in recent years. In addition, to using data analyses to detect and investigate child (sexual) abuse that already took place, exhausting existing possibilities to prevent child (sexual) abuse happening in the first place while protecting end-to-end encrypted private communications of users, including children, is of utmost importance. Yet, while technology experts argue that end-to-end encryption is one of the only technological safeguards to ensure meaningful private communication,[174] the so-called Virtual Global Taskforce, of which Europol is a member, issued a statement in which it argues that the implementation of end-to-end encryption would degrade safety systems and weaken the ability to keep child users safe.[175] This will be a discussion for the future, as secure end-to-end encrypted communication not only provides protection to users and victms of crime, but also safeguards information transmitted by authorities investigating crime. For the latter purposes, the CJEU permitted the inflitration of terminal devices used by criminal networks and to share those data with additional authorities in other Member States under certain circumstances.[176]

4.2.  The Police Cooperation Code and Prüm II

Two further legislative initiatives that are to attribute an enhanced role to Europol are worth mentioning in the context of this Special Section, as they are also related with the Interoperability framework. On the one hand, Europol’s role under the recently adopted Regulation on automated data exchange for police cooperation (Prüm II),[177] which will be connected via the European Search Portal, one of the interoperability components mentioned above. On the other hand, a recently adopted Directive,[178] which aims at facilitating information sharing between law enforcement authorities in the Member States, including Europol. Both form part of the so-called Police Cooperation Code,[179] that was proposed in December 2021 and included – besides the two legislative initiatives mentioned above – a Council Recommendation on operational police cooperation,[180] which will not form of this discussion. This section will give a brief overview of the tasks that Europol obtained under the Prüm II Regulation and the Directive.

As illustrated Amelung and Machado in this Special Section, the revision of the Prüm framework aims at reforming the system’s technical architecture by adding new categories of data (facial images and police records) strengthening the inter-authority exchange of information in terms of follow-ups, and by including Europol in the process of information sharing. For the prevention, detection and investigation of criminal offences, participating Member States are to allow national contact points of other participating Member States and Europol the searching of vehicle registration data[181] facial images and[182] police records[183] in their national systems subject to certain conditions.[184] With regard to automated searching of national police record indexes, authorities are to use the European Police Records Index System (EPRIS) infrastructure, which connects those national authorities and Europol.

With the inclusion of Europol, national authorities have the possibility to query biometric data provided by third countries held by Europol and may exchange such data with Europol in case of matches.[185] These systematic exchanges of third countries data between Europol and the Member States were to enhance the Agency’s role as the EU criminal information hub in support to Member States’ operational needs. However, compared to the initial proposal, the co-legislators significantly limited the role of Europol with regard to querying data held by the Member States. Furthermore, numerous conditions and safeguards were added so as to grant Member States more discretion on deciding when data will be shared with Europol. It remains to be seen whether Europol will receive sufficient data to establish cross-border links between criminal cases and to launch more complete analyses for the purpose of criminal investigations.[186] It seems as if certain Member States are still reluctant to share data even with their national counterparts, despite the principle of mutual recognitions[187] and they might be even more hesitant to share data with Europol.

Finally, the Prüm II system will be indirectly connected to the interoperable large-scale IT infrastructure, as the router that will enable the Member States and Europol to exchange data will be connected via a secure communication infrastructure to the ESP. Similar to the provisions on exchanges or police indexes, facial images and vehicle registration data, the co-legislators significantly heightened the threshold regarding requirements and limitations with regard to access to and exchanges with other authorities and Europol.

For instance, Article 57 of the Prüm II Regulation on liability refers to both the Member States and Europol, while the proposal only mentioned the penalties for misuse of data by national authorities and not Europol not mentioning in that provision. These limitations, additional safeguards and further details are to be welcomed. At the same time, they might be an indication of the persisting reluctance of Member States to exchange sensitive information with other authorities at national and EU level.

The second initiative included in the Police Cooperation Code, the Directive on information exchange between law enforcement authorities of Member States, is to ensure that law enforcement authorities have equivalent access to information held by other Member States. For that purpose, the Directive aims at formalising the procedures on information exchanges between Member States, and reinforcing the effective functioning of Single Point of Contacts (SPOCs) for such exchanges, in order to remedy the proliferation of communication channels used for law enforcement information exchange between Member States.[188]

In addition, the Directive is to strengthen Europol’s role as EU criminal information hub by compelling the national authorities to make full use of Europol’s information exchange channel SIENA for all information exchanges under the Directive.[189] Initially SIENA was to become the default information exchange channel for all police cooperation cases where such exchanges would not take place via existing systems such as the SIS.[190] Here, the EDPS noted that transforming SIENA into a mandatory channel for law enforcement exchanges seems appropriate to provide for enhance data security, address fragmentation and facilitate supervision.[191] The adopted Directive allows Member States not to use SIENA to send requests for information, or to provide information.[192] Whether national authorities will make use of this option not to use SIENA and if this will indeed lead to a persistent fragmentation and difficulties in terms of supervision remains to be seen. In addition, the future will show whether the initial intention to reinforce Europol’s role as the EU criminal information hub for offences falling within its mandate will materialise.[193]

5.   Conclusion and outlook

This contribution has illustrated the role of Europol within the different areas in EU police cooperation. Different types of crime in which the Agency offers criminal intelligence support to the Member States became progressively interconnected. Over time, Europol’s mandate expanded into additional areas of criminality, thereby helping the Agency to develop into a powerful EU criminal information hub.

Consequently, it is no longer adequate to analyse the areas of its involvement in isolation. Europol’s current data lake environment allows data analytics based on linking and matching the different fields of specialisation of its operational centres. Consequently, any assessment of Europol’s processing activities, and the accompanying (data protection) safeguards, must be carried out in an interoperable manner. Similarly, the opportunities for individuals to exercise their (data subject) rights at Europol, as well as the supervision and enforcement model of Europol’s processing activities requires a holistic approach. Just like Europol’s databases became increasingly interconnected, allowing sophisticated data analytics, the scrutiny of its work should consider the entire network, instead of examining operations of specialised centres, or different criminal justice policy areas. In the words of, its data analytics, enriching information from different fields of criminal activity, can create a ‘haystack full of needles’. However, it is necessary to ensure that this ‘haystack’ only includes relevant ‘needles’, and all ‘needles in the haystack’ should be able to exercise their individual rights in accordance with the applicable data protection rules.

As mentioned above, the Agency was able to develop sophisticated processing capabilities. This is evidently welcome and of use for the Member State when cooperation in cross-border cases is required, including those covered in this Special Section. Nevertheless, it is important that Europol’s strengthened mandate is always accompanied by adequate safeguards that ensure sufficiently high data protection standards. Often, these safeguards need to be ensured in legislation that is adopted at different times, which makes coherence challenging. From a purely data protection standpoint, concerns could, therefore, arise from the lack of readability of different pieces of EU law that serve as building blocks of Europol’s data processing capabilities. When authorities at national and EU level exchange personal data, or data are exchanged indirectly through the EU large-scale information systems, this makes it difficult to ensure the data protection rules stipulated in the both the recast Europol Regulation and the horizontal rules under the EUDPR are followed. In addition, Chapter IX of the EUDPR on operational data needs to be finalised so as to ensure coherence where systematic exchanges of personal data take place at different levels.

It will be challenging for individuals whose information will be stored in Europol’s data environment to understand how their data will be analysed and utilized, in particular because the analyses carried out by Europol evidently require a certain level of confidentiality. While there is certainly an added value in making use of Europol’s expertise and processing capabilities, attributing it a stronger role must come with adequate safeguards and procedural limitations. In the future, Europol as EU Agency could be exemplary in demonstrating that strong data protection rules can go hand in hand with effective crime prevention, as its enhanced mandate also comes with increased responsibility.