Europol and the Schengen Information System: A Dangerous ‘Unsupervised’ Extension of Powers

Table of Contents: 1. Introduction. – 2. New changes to Europol’s role in the SIS: from accessor to facilitator. – 2.1. From SIS I to SIS II: the origins of a widely used system. – 2.2. The new information alerts: a paradigm change of the SIS. – 3. A dangerous new integrated system of alerts. –3.1. Data quality issues: trusting the source of the information? – 3.2. Pushing the boundaries of the SIS: bypassing constraints and potential misuses. – 3.3. Legal uncertainty and blurred competences within the integrated system. – 4. A need for enhanced and tailored supervision. – 4.1. Supervising the pre-alert phase. – 4.2. Supervising the issuance of alerts. – 4.3. Supervising the post-alert phase. – 5. Concluding remarks. 

Abstract: Regulation (EU) 2022/1190 amending the Regulation (EU) 2018/1862 on the use of the Schengen Information System (hereafter ‘SIS’) in the field of police and judicial cooperation was adopted on the 6^th of July 2022. The Commission stated in the Explanatory Memorandum attached to the proposal that ‘[t]his is an important paradigm change for SIS’. Initially, the idea was to allow Europol to enter information alerts on suspects and criminals and thereby to not only have access but formally update the SIS. Due to the reluctance of some Member States, the reform did not go as far as this. The current legal framework, however, still gives Europol a crucial role, as the Agency can propose Member States to enter information alerts in the SIS. While this is a step down compared to the Commission proposal, this article shows that this remains a paradigm change not only for the SIS, but also for Europol as an agency, and ultimately for the nature of supervision. The article first discusses the new changes of the SIS and their ensuing challenges in relation to data quality, lack of transparency, lack of clarity of the procedure and the extended scope of actions. It then addresses the supervisory challenges that may emerge in this new legal architecture. The issue of supervision shall be addressed pre-alert, before the proposal for an alert has been made, during the alert, when an alert is proposed, and finally post alert after an alert has been entered into the system.

Keywords: Europol – Schengen Information System – information alert – supervision – data protection – legal certainty.

1.   Introduction

The Schengen Information System (SIS) makes Europe safer. This is the redounding key argument that comes up after every change made to the system. The extension of the European Union (EU), the change in political context, the various terrorist attacks, the arrivals of refugees and migrants, and more recently the proliferation of databases and new technologies, has required several changes to the initial system.[1] It became necessary to constantly update it, by introducing new alerts and functionalities for it to be able to remain ‘a vital instrument for enhancing our internal security and strengthening the management of the EU’s external borders’.[2]

The most recent changes to the SIS were made in July 2022,[3] to palliate an existing information gap in the system, with regard to data coming from third countries and international organisations, particularly on foreign terrorist fighters. The proposal emerged in the Commission’s Counter-Terrorism Agenda.[4] Once again, terrorist attacks were a driver for change in the EU, and notably for the system. The Commission argued that it is essential for Europol to get a stronger role in the system, for third country-information, for instance on foreign terrorist fighters, provided by trusted third countries, to be entered into the system.[5] The SIS Regulation introduces a new category of alerts, the so-called ‘information alerts’ that will be studied in this article. 

The objective of the article is to analyse to what extent Europol’s new role in the SIS, particularly in the issuing of information alerts, escapes any supervision. The supervision of Europol and of the SIS is essential and not a new endeavour. Supervision (or more broadly oversight) ensures compliance with the relevant rules and values, including fundamental rights and freedoms. Within the data protection sector, supervision gained momentum with the adoption of the General Data Protection Regulation in 2016.[6]The latter states that data protection supervisory authorities ensure the consistent application of the Regulation and the protection of personal data. When it comes to the supervision of Europol, the recent ‘Big Data’ saga put supervision into the spotlight.[7] The European Data Protection Supervisor (EDPS), the EU’s data protection authority that supervises Europol, opened an own-initiative inquiry on the use of large datasets by Europol. The saga started in 2019, when Europol’s Executive Director asked the EDPS about the compliance of Europol’s data processing activities, as it was receiving increasing amounts of bulk data from Member States and exploiting data of individuals that had no proven link to any criminal activity.[8] The EDPS first admonished Europol,[9] and later, published an order for Europol to erase the data concerning individuals that had no clear established link with criminal activity.[10]This saga got significant attention from the media and NGOs,[11] which emphasised the importance of efficient supervision of EU Agencies, and their role vis-à-vis personal data, including within the SIS.

Personal data are at the heart of the SIS, since the system is composed of alerts containing data on a particular individual or object.[12] By the end of 2023, 91 million alerts were stored in the system, which amounts to an enormous amount of personal data.[13] Supervision of the system emerged early on, essentially performed by national supervisory authorities on their national system. In addition to national supervision, coordinated supervision also took place. EU Agencies role in the system further complexify the system and its supervision. With the expansion of competences of Europol with regard to the SIS, additional supervisory challenges emerge. 

This article deals with the supervision of the system and Europol’s role in it, focusing on the supervisory challenges posed by the newest changes made to the SIS. To do so, the article starts by retracing the origins of the SIS and Europol’s role in it, showing the shift of its role from accessor to a facilitator. It then moves to the new integrated system of alerts introduced by the newest amendments and discussed the attached dangers of it. Finally, the paper argues for the need of enhanced and tailored supervision, dividing the information alert process into three distinct stages. As it stands, the system lacks efficient supervisory mechanisms to palliate the potential dangers of it.

2.   New changes to Europol’s role in the SIS: from accessor to facilitator

The SIS story started in 1990, with the Schengen Convention.[14] Its legal framework got subsequently amended several times, transforming it from an intergovernmental project to the first generation of the system (SIS I), and finally the second generation of the system (SIS II).  Europol did not get access to the system since the beginning, but its role was more progressive.

2.1.  From SIS I to SIS II: the origins of a widely used system

The Schengen area was initiated in 1985 by five countries, namely Germany, France, Belgium, the Netherlands, and Luxembourg. They signed an agreement dealing with the free circulation of goods and individuals.[15] The abolition of internal borders automatically brings along stronger security risks, and an increase in cross-border criminal activities.[16] Five years later, the Schengen Convention was adopted, which introduced among others the SIS, a joint information system that would enable ‘to maintain public policy and public security, including national security, in the territories of the Contracting parties and to apply the provisions of this Convention relating to the movement of persons in those territories […]’.[17]

As noted by this provision, the system from its origins had a dual purpose; an immigration and a law enforcement one. The system allowed Schengen States to get access to reports on individuals and objects to support border controls, police and customs checks, and the issuing of visas and residence permits.[18] The system grew bigger, including more Member States, and with the Treaty of Amsterdam, the system got integrated into the EU framework alongside the rest of the Schengen acquis, through a Protocol attached to the Treaty.[19] In March 2001, the system already counted 17 Contracting Parties. 

In a nutshell, the system is currently made up of a central system (C-SIS), and national databases in every participating State (N-SIS). A communication infrastructure provides for an encrypted network between these two types of databases. In addition, Supplementary Information Requests at the National Entry (SIRENE) Bureaux’s are set up in each Contracting State, to allow for the exchange of additional information between the members.[20] The system works on a ‘hit/no-hit basis’, meaning that where information on a person or an object already exists in the system, a hit occurs when the system is queried with data of that person or object.

The first generation of the system proved successful but had its limits. From the technical side, as noted above, in 2001, the system was operated in 17 Schengen States. However, it only allowed for the participation of 18 members.[21] The outdated technology used for the first generation could not live up to the expansion of the EU. The system also faced criticism for potential data protection issues.[22] These concerned notably issues of data quality, as well as the risk of breaching the principle of purpose limitation. This is for instance linked to the close intertwinement between law enforcement and immigration information, and the divergent interpretation of what constitutes a risk leading to uneven entry of alerts by Member States. These shortcomings showed that the first generation of the system was insufficient and that a second generation had to be adopted.[23]

The existing limits, pushed by the tragic terrorist attacks of 9/11, led to the adoption of two new Decisions in 2006: (1) on the establishment, operation, and use of the SIS II, and (2) on the issuance of vehicle registration.[24] In 2007, a Council decision for policing purposes was adopted.[25] Originally, the launch was planned for 2007, but the second generation of the system faced several setbacks and delays.[26] The second generation SIS (SIS II) thus only entered into operation in 2013. It brought along significant changes. First and foremost, the SIS II had enhanced functionalities, with the possibility of entering alphanumeric data and biometrics (fingerprints and photographs).[27] New types of alerts can also be entered, notably on stolen aircraft and boats, and a link can be created between different alerts.[28]

While Europol’s access to the system was already discussed in 1999, the idea was opposed by some Member States.[29]Consequently, Europol got access to the SIS only in 2005, when discussions for the second generation of the system were already on the table.[30] Europol was able to access, and directly search the data entered into the system that falls under Europol’s mandate. In addition, Europol could also, if needed, request supplementary information from the concerned Member States, through the Europol National Units (ENU).[31] The Agency’s access got subsequently extended in 2018 in the legislative package of three Regulations amending the SIS II.[32] Europol was given full access to all alerts entered in the system and was to be informed of any hit linked to terrorist offences.[33] The aim of the package was to make the SIS a central tool for the fight against terrorism and serious crime, that ensures a high level of security within the EU.[34] By then, the system included seven types of alerts on people or objects:[35] (1) alerts on persons wanted for arrest or extradition;[36] (2) alerts on missing persons, or vulnerable persons who need to be prevented from travelling;[37] (3) alerts on persons, such as witnesses, sought to assist with a judicial procedure;[38] (4) alerts on persons or objects subject to discreet, inquiry or specific checks;[39] (5) objects sought for the purpose of seizure or their use as evidence in criminal proceedings;[40] (6) alerts on unknown wanted persons;[41] (7) alerts on unwelcome third-country nationals, including irregular migrants subject to a return decision. [42]

The story of the SIS II does not end here, as a more recent Regulation has been adopted in 2022 to further introduce alerts and extend Europol’s role therein.[43]

2.2.  The new information alerts: a paradigm change of the SIS 

Regulation 2022/1190 strengthened and extended the system, and brought along significant changes to the database, as well as Europol’s role in it. This extension was essentially driven by the information gap identified in the system, according to which personal data from third countries and international organisations only rarely made it into the SIS, as alerts are inserted by Member States authorities. 

2.2.1. Changes brought by the new Regulation 

The key amendment to Regulation 2018/1862 concerns the introduction of a new category of alerts.[44] In particular, according to its Article 37a an eighth category of alerts is introduced, namely information alerts on third-country nationals in the interest of the EU. The alert targets solely third-country nationals who are suspected of involvement in terrorist offences or other serious crimes and may for example include data on foreign terrorist fighters.[45] Counter-terrorism was the primary driving force behind the amendment,[46] but the scope of application was further extended to also encompass other serious crimes beyond terrorism. According to Article 37a of Regulation 2018/1862, Europol can propose to one or more Member States to enter information alerts in two situations.[47] Firstly, where there is a factual indication that a person intends to commit or is committing a terrorist offence or a serious crime. Second, where an overall assessment of a person gives reason to believe that the person may commit a terrorist offence or serious crime. Once Europol proposes to enter an alert, Europol’s Data Protection Officer (DPO) is notified, and the relevant information is shared with one or more Member States. These proceed to a second verification and analysis and decide whether to enter the information alert in the SIS or not, or whether to use the data to enter another alert. The procedure of the information alert is shown in the figure below. 

Figure 1: Procedure for information alert in the SIS (Author’s compilation based on Regulation (EU) 2022/1190.

Figure 1 describes the process of information alerts and shows how the responsibility shifts from the EU Agency to the Member State, which conducts the last verification check, on the basis of Europol’s data essentially. Europol must share all the information it holds on the case to one or more Member States and inform them if it receives additional data in relation to the proposal.[48]

The introduction of information alerts constitutes a paradigm shift for the SIS, as for the first time, an EU agency plays a preponderant role within the SIS; indeed, Europol becomes the initiator and evaluator of alerts, and shares all relevant information with the Member States. 

2.2.2.   Europol as a crucial middleman 

While the amendments significantly strengthened the role of the Agency in the system, it did not go as far as initially planned. The Commission proposal originally introduced the possibility for Europol to directly enter alerts into the SIS, through information alerts, not only in respect to third-country nationals.[49] Europol still plays a crucial role in the introduction of information alerts but cannot enter the alert in the system on its own. 

As noted above, the amendments were made to fill a perceived information gap. Data from third countries and international organisations on individuals suspected or convicted of terrorist offences or other crimes, only rarely made it into the SIS.[50] The information is not necessarily shared with Member States, which can thus not enter an alert in the SIS or is being shared but Member State cannot enter the alert under national law. 

On the contrary, Europol has long-standing relations with third countries and international organisations, which involve information sharing. It signed, for instance, 17 operational agreements with third countries, and one with Interpol.[51] This means that Europol can get and enter data providing from the latter in its own information system. However, these are not accessible to front-line officers through the SIS. This leads to an information and security gap, since data of approximatively 1,000 non-EU foreign terrorist fighters for example is in the hands of Europol, but not inserted in the SIS.[52] Linked to the fact that the SIS is frequently consulted (12,7 billion searches in 2022),[53] this leaves a lacuna, which the Commission tried to fill.[54]

Regulation (EU) 2022/1190 gives Europol the role of the middleman between on the one side, third countries and international organisation and on the other side, Member States. Europol can propose Member States to enter information alerts in two situations, mentioned above.[55] In doing so, Europol shares information with the Member State, that may in big part come from third countries and international organisations. Thus, it plays an intermediate role between the third country data, and the Member State, resulting potentially in an alert within the SIS. This does not mean that Member States do not have bilateral agreements with third countries and all EU Member States are member of Interpol. However, the assessment as to whether an alert is in the interest of the EU may be more difficult to be undertaken by a single national authority in a Member State, when the person in question does not have any links with that Member States It remains a big role for Europol, who becomes closer to becoming a custodian of the database, by playing a key influencing role within the system. It went from a ‘read only’ access to all categories of data, to a facilitator for the introduction of alerts. While the role of Europol is supposedly solely limited to information alerts, it goes beyond, as shown in Figure 1. As noted in the Regulation, Member States may decide to enter another type of alert on the same person.[56] This pushes Europol’s influencing role even further.

Finally, Europol also pre-assesses the necessity of the alerts. In doing so, it notably analyses the reliability of the source of information and the accuracy of the information received and shared it with the relevant Member State.[57] The Agency is therefore not only instrumental at initiating the registration of the alert, but also participates in its assessment, which gives Europol significant indirect power vis-à-vis the system compared to its previous status where it only had read-only access to the alerts.

3.   A dangerous new integrated system of alerts

The changes made to the SIS do not come without risks. The main challenges of the new integrated system of alerts relate to the quality of the data used to enter the alert, to the essence of the alerts themselves causing a potential misuse of alerts, and to the procedure and responsibility, characterised by legal uncertainty. 

3.1.  Data quality issues: trusting the source of the information?

As described in Section III of the article, Europol proposes to a Member State to enter information alerts in the system. This information essentially comes from third countries and international organisations, with which Europol maintains relationships.[58]

As mentioned previously, Europol can process personal data provided by third countries and international organisations.[59]Exchanges of personal data with third countries and international organisations can be made for example, on the basis of an adequacy decision of the Commission, an international agreement concluded between the EU and the third country or international organisations, or an operational agreement concluded by Europol before May 2017.[60] This means that Europol can process the data received and enter it in its own information system. The operational agreements, were in some cases, adopted more than twenty years ago. The agreements with the United States, and Interpol, date for example from 2001.[61] In principle, the Commission was supposed to assess these cooperation agreements by the 14 June 2021, particularly with regard to data protection provisions with the aim of assessing whether the agreements still fulfil the EU data protection requirements and standards, as developed in legislation and case-law. As of today, this has still not been done. This is surprising, since the Commission admitted that some agreements do not meet anymore the high data protection standards developed in the EU.[62] This becomes clear when one compares the existing operational agreements with the recent draft agreement for a cooperation agreement between the EU and New Zealand, for the purpose of exchanging personal data with Europol.[63] The old cooperation agreements must be replaced. This is even more alarming with the criticism that arose over Interpol’s notices. States abuse the Interpol’s Notice System to persecute not only terrorists, but also civil society activists, journalists, human rights defenders, and refugees.[64] This perverted use may then also be seen within the SIS, as it is unclear how detailed and credible the assessment by Europol may be.[65]

In addition to the formal legal basis, derogations are also provided for in Europol’s Regulation, under which either the Management Board, of the Executive Director may authorise the exceptional exchange of personal data.[66] In light of this, some Working Arrangements (WA), which are agreements that do not in principle provide for exchanges of personal data, still include provisions on personal data exchanges, when the derogations apply. Consequently, the WA either contain a provision on personal data (WA with Israel, Japan, and New Zealand), or a whole chapter on personal data (the other WA).[67] This is highly problematic as these derogatory regimes may apply with countries with limited data protection standards, and outside of the public’s eye. Normally law enforcement operates based on the secrecy of investigations but the secrecy and opacity of Europol’s work is significantly different from national law enforcement practices, which in the case of the SIS also require a national decision to base the alert.

Some safeguards are introduced within Regulation 2022/1190; Europol notably establishes whether the information alert is necessary and justified, for instance by analysing and checking the reliability of the source of information, and the accuracy of the information on the person.[68] This may include subsequent exchanges with the third country or international organisation. However, these do not address the elephant in the room, being that the sharing of information from third countries and international organisation itself is based on outdated legal basis. This may cause data protection issues, as data might have been obtained under lower data protection standards.

Alongside potential issues of data quality and accuracy, that may arise notably in the misuse of data (particularly biometric data), the implications for individuals subject to an alert can be severe and affect other fundamental rights, such as the prohibition of inhumane and degrading treatment under Article 4 of the EU Charter of Fundamental Rights. An alert may lead to the arrest of the individual by the police. When it comes to information alerts, as will be argued in the paragraph iii.3. below, there is a lack of clarity on the action to be taken when an alert is entered into the system.[69] In other words, Member States have the discretion to decide which action to perform shall a hit occur on such an alert. 

3.2.  Pushing the boundaries of the SIS: bypassing constraints and potential misuses

The changes to the system faced criticism, notably by NGOs, who pointed out the dangerous misuse of the system to persecute political opponents.[70] This is not a new issue. The SIS has already previously been used as a political tool by authoritarian and dictatorial regimes to persecute and arrest their opponents.[71] The story of the Open Dialogue Foundation President Lyudmyla Kozlovska (Human rights defender from Ukraine living in Poland for years) perfectly illustrates this issue.[72] She was informed in Belgium that she was subject to an alert in the SIS as a threat to Polish national security, and consequently to the EU. This was probably linked to her NGO and her husbands’ criticism on the controversial reforms in Poland, notably with regard to the appointment of judges. She was subsequently deported to Ukraine in 2018. This shows how alerts within the SIS may be misused for an illegal purpose, namely the prosecution of political opponents. This problem also reaches beyond the limits of the SIS and is visible within Interpol. Contracting States similarly misused Interpol’s Notice System to persecute civil society activists, journalists, human rights defenders, and refugees.[73] While the issue is not new, it might be further exacerbated with the introduction of information alerts. In fact, unscrupulous third countries can then also persecute political opponents through Europol by using the SIS as a motor. It is true that Europol will not notify the third country of a match, but the system could be used as a filter to prevent such individuals to seek refuge in the EU, for example if they apply for a Schengen visa.

Furthermore, this new type of alerts might also be a way to bypass previously existing constraints. First, concerning the access to data from third countries. As pointed out earlier, Member States may not get the same amount of information from third countries or cannot enter the alert in the system under national law. Europol, with the new changes, may serve as a data laundering body, allowing to circumvent the previously existing limits.[74] The new alerts can also circumvent another limit, that is the one of national interest. To introduce alerts, Member States must have a national decision and interest. With the category of information alerts, it suffices to establish a threat against collective EU internal security, without having to prove a national interest.[75] This allows for broader purposes, but also the risk of more alerts added in the system without sufficient justification and purpose. 

Finally, Regulation 2022/1190 also pushes the boundaries of the SIS further in terms of data exchanges. Before then the essential part of exchanges occurred through entry of alerts and access to the system, as well as through the SIRENE Network.[76] With the amendments made to the SIS, new data exchanges appear, outside of the system itself. In fact, as shown in Figure 1, Europol shares all the available information it holds on the case, and the result of their assessment with the Member State to which it proposes to enter an information alert. Notwithstanding the outcome of the proposal, an additional layer of exchanges occurs, that according to the Regulation, escapes any supervision.[77]Coordinated supervision of SIS applies horizontally, but it is doubtful that it includes the stage prior to the insertion of an alert to the system.

3.3.  Legal uncertainty and blurred competences within the integrated system 

The issue of legal uncertainty arises on three main levels occurring pre-alert, during the pre-evaluation of Europol and the assessment of the Member State, and post-alert once the information alert entered the system.

The first situation where legal uncertainty is noted is when Europol decides or not to propose to one (or more) Member States to enter an information alert. As stated above, Europol conducts a pre-evaluation according to which it determines whether it is necessary and justified to enter the alert in the SIS.[78] In the Commission proposal, two additional sub-categories were added under Article 37a(3): 

‘(b) a verification confirmed that entering the alert is necessary for achieving Europol’s objectives as laid down in Article 3 of Regulation (EU) 2016/794;

[…]

(d) a consultation, involving the sharing of information on the person concerned with Member States participating in Regulation (EU) 2016/794 in accordance with Article 7 of the Regulation, confirmed that: 

(i) no intention was expressed by a Member State to enter an alert in SIS on the person concerned; 

(ii) no reasoned objection was expressed by a Member State regarding the proposed entry of an alert in SIS on the person concerned by Europol’.[79]

The revised SIS rules do not contain these additional sub-provisions, and no other provision replaces them, arguably because the rules do not foresee a role for the agency as one inserting the alerts but rather as their initiator. Within its formal comments, the EDPS mentioned that the proposal gives wide discretion to Europol to decide whether or not to issue an alert.[80] It deplored the lack of specific criteria that could guide Europol’s decision. In the adopted Regulation, no elements are added that could limit the Agency’s discretion. Thus, it is impossible to know how Europol interprets the necessity and justification of an information alert. Practice might give indications, but since Europol’s work has been criticised for its lack of transparency, access to relevant documents and indications might be very challenging.[81]

The discretion of Europol is then limited afterwards when the Member State decides or not to enter the information alert in the system. However, then, the second situation of lack of clarity arises. According to the Regulation and Figure 1 above, Member States can decide to enter the information alert in the system, or to use the data to enter another alert, or to simply dismiss the proposal.[82]The Member States discretion concerns there not only the issuing or not of the alert, but also the analysis it does of the proposal. No additional elements are given on how the Member States assesses the proposals, and how it decides on it. They solely have to inform the other Member States and Europol of the outcome of the analysis and their decision. No justification is required, Member States remain fully competent on the matter. 

The final instance where there is legal uncertainty, is in case of a ‘hit’ once the information alert is entered in the system. Article 37b of the Regulation precisely touches upon this aspect, but only notes that the executing Member State shall transmit certain information to the issuing Member State, which then informs Europol of a hit.[83] The Regulation thus mentions a reporting obligation but does not clarify which other action shall be taken by the frontline officers, which is subject to national law. This creates issues of legal certainty and foreseeability, as it is impossible to predict what could happen. This matters as this will have direct consequences on the individuals subject to a SIS alert. Guidance and clear implementing criteria would help avoiding legal uncertainty.

Next to the issue of legal uncertainty, the new procedure of information alert also brings along a blurring of competences. This integrated system of information alerts starts with data from third countries or international organisations, moves to Europol who proposes an alert and assesses it, and finally ends at the national level, where a national authority decides after another evaluation whether to enter the alert in the system or not. In the end, Europol plays a key role in the process, but the responsibility lies on the Member States. In this regard, if the information is correct, Europol can wash its hands off and place the responsibility on the Member State to adequately respond. If the information is incorrect, Europol also washes its hand off, and exposes the Member State who recorded the alert unlawfully.[84] This potential responsibility immunity of the Agency is problematic regarding the fact that they initiate the alert, and pre-evaluate them, playing thus a pivotal role in the introduction of the alert in the system.[85]

4.   A need for enhanced and tailored supervision 

Section 3 highlighted the various challenges of the changes brought by Regulation (EU) 2022/1190, be it with regard to fundamental rights, impacted or issues of legal certainty. It is essential that these new changes are subject to efficient supervision, to ensure compliance with relevant rules and values (here particularly data protection rules). Supervision must occur of the SIS in general, but also of the actors involved in the issuance of information alerts, namely Member States and Europol. As the Commission stated already in its White Paper of 2001, EU agencies must be subject to an ‘effective system of supervision’[86] competent on the matter. 

The article argues that the supervision of the new integrated system of alerts must be divided into three distinct phases. First, the pre-alert phase, where Europol is essentially involved in receving the data from third countries, and developing a proposal after evaluation. Second, the issuing of the alert phase, which occurs at the national level, where the Member State decides or not to enter the alert in the SIS. Third, the post-alert phase, once the information alert has been issued, which relates for example to the possibility of an extension of the alert. 

4.1.  Supervising the pre-alert phase

As described above, the pre-alert phase concerns essentially Europol’s role in the process. It encompasses the supervision of the information provided to the Agency by third countries or international organisations, but also the supervision of the proposal itself.

According to Europol’s Regulation, several supervisory authorities supervise Europol’s data related actions. The EDPS is the main central supervisor of Europol, responsible for monitoring and ensuring the application of Europol’s Regulation.[87] It performs external supervision of the Agency and can use various powers to do so, ranging from advisory powers to the use of corrective powers. Alongside, the EDPS, the DPO ensures the internal supervision of the Agency, even though the advice to the controller does not necessarily need to be followed by the controller. This is a member of Europol’s staff, that ensures the lawfulness and compliance of the Agency’s processing operations.[88] Coordinated supervision was previously conducted by Europol’s Cooperation Board, composed of national supervisory authorities of each Member State and members of the EDPS.[89] With the entry into force of the new Regulation, the Board ceased to exist and was replaced by the Coordinated Supervision Committee (CSC).[90] Administrative supervision may also be performed by the European Commission, as stated above, it should for example evaluate the operational agreements to ensure their compliance with data protection rules.[91] The European Ombudsman is not analysed here, as it deals with administrative inquiries and not data protection-related matters.[92] Politically, oversight takes place within the European Parliament, and more particularly in the Joint Parliamentary Scrutiny Group (JPSG), composed by members of national Parliaments and members of the European Parliament (MEPs).[93] Finally, it is worth considering the SIS II Supervision Coordination Group, composed of national supervisory authorities and the EDPS,[94] now replaced by the Coordinated Supervision Committee (CSC).

 When analysing the supervision of the source of information and the proposals to enter an information alert, all these organs must be looked at consecutively, to see whether in theory and in practice efficient supervision is in place.

4.1.1. The supervision of the source of information

Europol’s cooperation with third countries or international organisations is generally based on an adequacy decision of the Commission, an international agreement concluded by the EU, or an operational agreement concluded by Europol before May 2017.[95] The previous section showed that these agreements were for some signed more than twenty years ago,[96] and do not meet the current data protection standards within the EU.[97] The first issue one must look at is whether the information Europol receives is adequately supervised.

The Commission failed its duty to evaluate the existing operational agreement, which was planned for June 2021,[98] and still has not seen the light. Thus, it is highly likely that data are being shared with Europol, dismissing the European data protection standards. The old operational agreements do not for example include clear references to data protection principles, the need for efficient oversight, the prohibition of automated processing of personal data (subject to exceptions) and clarifications on the right of access for data subjects.[99] It is urgent, particularly due to the introduction of the category of information alert to deal with these long-standing issues. Since the exchanges of personal data between Europol and third countries or international organisations form the source of the information alerts, their legality must be ensured. Other supervisory authorities did not deal with the supervision of these operational agreements. MEPs simply asked when these evaluations will be performed,[100] and Europol’s Cooperation Board pointed out that these agreements are subject of concern and that a swift review of them shall be made by the European Commission.[101]

Notwithstanding this, Europol’s cooperation with third countries and international organisations has only very briefly been dealt with by supervisory authorities. When it comes to the EDPS, he essentially gave two opinions, one on the negotiating mandate to conclude an international agreement with New Zealand,[102] and another one on eight negotiating mandates to conclude international agreements with third countries from the Middle East and North Africa (Algeria, Egypt, Israel, Jordan, Lebanon, Morocco, Tunisia, and Turkey).[103] Within them, the EDPS essentially recommends the clarification of certain points and the development of additional safeguards and controls to better protect personal data. Regarding the eight agreements, further impact assessments shall be carried out to evaluate the fundamental rights risks posed by this cooperation. These countries are partly characterised either by their current political instability, by their dictatorships, or by their lack of data protection law.[104] These opinions are, however, nowadays of limited impact, as these agreements have not yet seen the light and will not be the source of the data within the information alert. Alongside these opinions, the EDPS made an inquiry into model WA used by Europol to establish relations with third countries, which it closed in 2019.[105] Within it, the EDPS also inspected specific transfers authorised on a case-by-case basis and pointed out the need to avoid overusing the derogations. He recommended that exceptional transfers shall require advice from the DPO and include an obligation to regularly verify whether the conditions are still met to prevent systematic transfers of personal data.[106] This inquiry is interesting but remains limited in terms of supervision, as it is the only one that has been made so far, on two exceptional transfers. 

Turning to the DPO function, it essentially assisted the EDPS in its inspection on the transfers of data to third countries,[107] and participated in the assessment of a potential transfer of personal data to a third country with which Europol does not have an operational agreement.[108]

The JPSG’s supervision is without impact, as it merely mentioned Europol’s cooperation with third countries when discussing the changes brought to Europol’s Regulation.[109] This limited supervision is surprising since Europol has a long-standing relation with third countries and international organisations and supervisory authorities had sufficient time and material to be able to ensure their supervision. It is insufficient and highly worrying as this data now plays a bigger role, and will be entered within the SIS, which is the most widely used EU databases.[110] If the source of the data and the exchanges are not sufficiently supervised, it is difficult to trust the rest of the process. It is not necessary here to analyse the CSC, as the supervision of the sources of information is outside of the system. 

4.1.2. The supervision of the proposal to enter an information alert

Before proposing to a Member State its registration into the SIS, Europol pre-evaluates the information alert to determine whether it is necessary and justified by evaluating the reliability of the source of information and the accuracy of the information.[111] No information whatsoever is provided for on the criteria it may use to do this evaluation.

The Regulation mentions that ‘Europol shall notify its Data Protection Office where it makes such a proposal’.[112] This means that the DPO is involved in the procedure. However, it is simply a notification, and the DPO’s opinion is not requested. This is not satisfactory, as a notification does not ensure the protection of personal data. A solution could be to ask for the mandatory advice from the DPO, who can thus assess the information alerts, and the source of the information ensuring high safeguards.

The other supervisory authorities are completely left out of the equation, even the EDPS. A notification and consultation to the EDPS could have ensured a more dynamic supervision of the new procedure. A satisfactory addition could have been to subject the proposals of an information alert to the prior consultation mechanism, which is an important safeguard for new types of processing operations. Article 39 of Europol’s Regulation details the procedure, according to which the EDPS shall carry out a prior consultation of the processing activities.[113] However, it is not supposed to apply to specific individual operational activities, but to the use of new information technology systems for processing personal data. For it to be used, a change must occur. Europol could consult the EDPS for proposal to enter information alerts stemming from a specific third country. This would change a broader trend to limit supervisory powers of the EDPS, that has also been seen regarding Europol’s processing of Big Data.[114] In this context, the EDPS is merely notified by the Data Protection Officer, if relevant, about dataset transfers from third countries, and is not involved in the assessment of their proportionality.

Not adding supervisory safeguards does not amount to no supervision. Supervisory authorities are free to conduct supervisory tasks on their own over the proposal to enter information alerts. The practice will show whether this will be the case. What can already be noted though, is that supervisory authorities lack resources to deal with all the matters, and ensure follows-up, and may thus not supervise the procedure daily. Since these activities will occur outside of the public’s eye, it is essential that supervisory authorities investigate it to ensure the protection of personal data.

The proposal from Europol to the Member State includes a lot of personal data, emerging from third countries or international organisations and from Europol’s analysis of it. This new information sharing will not be supervised whatsoever, as what might be subject to supervision is solely the proposal and not this additional information sharing. This is a lacuna that might never get solved. 

4.2.  Supervising the issuance of alerts 

The second phase of the information alert process takes place at the national level. Once Europol sends the proposal to one (or more) Member State, the latter verifies and analyses it before deciding whether to enter the alert in the system or not.[115]

Nothing more is added on the criteria the Member States look at to conduct their analysis: is the Member State checking the data quality and accuracy (particularly coming from third countries)? Is it evaluating solely the assessment of Europol? In addition, there is no mention of the role of national supervisory authorities ensuring Member States compliance with relevant data protection rules. Perhaps the application of Directive (EU) 2016/680 – the Law Enforcement Directive (LED)[116] as a lex generalis regarding the operation of SIS is of interest here. National supervisory authorities are competent to supervise the national competent authorities, and more particularly the SIRENE Bureaux’s (the contact points for the system). Thus, their role in the issuing of alerts is also relevant. These authorities can perform audits, give opinions and have anforcement power.[117] They could give opinions on the possibility to enter (or not) the information alert and supervise the evaluation of the Member State, performing thus ex antesupervision. 

In a few years, once the procedure of information alert has been in motion for more than two years, an audit could be performed by each national supervisory authority, to check if national competent authorities act in compliance with data protection standards. For now, it is mandatory to conduct an audit and supervise SIRENE Bureaux’s at least once every four years.[118] The results of this could then be discussed in the CSC, where members of national supervisory authorities sit, alongside members of the EDPS.[119]Nowadays, there is a fragmentation in the supervision of the SIRENE Bureaux, depending on the Member States.[120] Audits must only be made every four years, and national supervisors essentially put their resources at the service of the implementation of the GDPR. Their work on SIS is thus more marginal.

While this adds another layer of protection, it remains outside of Europol’s realm. Since Europol plays a pivotal role in the introduction of these alerts, and the provision of the data, the supervision shall occur essentially at the European level. But as the EDPS positively pointed out, this additional safeguard adds a mandatory step before introducing the alert.[121] It is, however, not sufficient.

4.3.  Supervising the post-alert phase 

The last phase of the process relates to the post-alert phase. In other words, the period starts once the Member State decided to enter the information alert within the system, or to use the data and enter it through another alert.

The Regulation once again does not mention much but notes two aspects. First, Europol should keep records of its proposals to enter information alerts, and report to all Member States every six months whether information alerts were entered into the SIS or not.[122] This allows for transparency of the role of Europol in the process and can serve as a basis for subsequent supervision. If the EDPS for example, wants to open an inquiry into the Agency’s proposal to enter information alerts in the SIS, it will start by analysing the record note of Europol, before diving into the substance of the matter. The reporting obligation to Member States can also generate subsequent supervision within the CSC. Since all Member States are informed about the information alerts that it made into the system, coordinated supervision can occur. The second aspect relates to the national level. According to the Regulation, Member States must also put in place periodic reporting mechanisms, of whether they entered information alerts in the system, or not.[123] This can then be used for national supervisory authorities to perform their supervision (similar to what the EDPS would do over Europol). 

Reporting obligations are useful tools to ensure the transparency of a body’s actions, and support therefore the supervision of them, as well as their accountability. The latter reports mentioned above, allow to shed light and quantify the number of information alerts proposals from Europol, and the number of alerts introduced in the system or not. Without this, it is difficult to grasp the extent of the process. When it comes to the process of an information alert, joint supervision must be favoured, as it is an integrated system, where Europol’s role and national authorities’ role are highly intertwined. Joint investigations between the EDPS (as Europol’s supervisor) and the national supervisory authority from the issuing Member States might prove useful. 

Another important element that should be subject to supervision is the extension of the storage period for information alerts in the system. Article 53 of the Regulation points out that a Member State can enter an alert for a period of one year and reviews it afterwards to decide whether to keep it or not.[124] To do so, the issuing Member State must follow a comprehensive individual assessment on the necessity and proportionality of the extension, which will be recorded.[125] The latter might be done with the support of Europol.[126] There again, no mention is made of a supervisory authority. A simple recording of the assessment and decision must be made. In this situation, with the support of Europol in the individual assessment, a joint supervision may again be recommended. In any case, considering the danger of keeping an information alert in the system, it is essential to ensure the compliance of their extension within the system. Otherwise, there is a risk of having a systemic automatic extension of the storage period, infringing potentially the principle of proportionality, necessity, and oversight. The practice will show how this shall evolve. 

However, since neither the pre-alert phase, nor the issuing of the alert might be efficiently supervised, it is key to ensure, at least, the supervision of the post-alert phase. Otherwise, this new paradigm shifts to the SIS, which circumvents previously existing limits, remains unsupervised. This is highly problematic due to the dangers that this extension of the SIS may cause to individuals’ fundamental rights. This is further exacerbated by the challenges linked to the interoperability, namely the connection, of various EU databases, which as Mitsilegas notes challenges a number of fundamental rights, such as non-discrimination, privacy and effective judicial protection.[127] The interoperability regulations notably incorporate additional security checks for third-country nationals.[128]

5.   Concluding remarks 

This article offered a detailed analysis of the new changes brought by Regulation 2022/1190 to the operation of the SIS, focusing particularly on Europol’s new role in it. The SIS sets an important precedent, within EU databases, showing that EU Agencies are not anymore side-lined, and go beyond a mere read-only access role. Europol does not solely have access to all the alerts entered within the SIS but can also facilitate the introduction of information alerts within it. It plays a crucial role of middleman between third countries or international organisations, and Member States and consequently the SIS. This is only a first steppingstone of this new role the EU intends to give EU Agencies. In the future, it is highly likely that Europol will go beyond proposing to Member States to enter information alerts, to entering them itself, or that alerts will not only concern third-country nationals, but also EU citizens. 

The article emphasised how this change to the system brings along dangers regarding individuals' fundamental rights, issues of legal certainty, but also dangers of misusing the system for illegal purposes. The introduction of information alerts bases itself on a data sharing by third countries and international organisation to Europol, which is an issue. The legal basis of Europol’s relation with the latter is questionable and has not been sufficiently scrutinized. The new process brings about a paradigm shift but remains vague on a number of aspects: criteria for Europol to decide on the proposals, criteria for Member States to assess the proposals and decide to enter the alert (or not) in the system, and actions to be taken in case of a hit. This legal uncertainty increases the risk of opacity of the procedure and may significantly affect individuals’ fundamental rights, by leading for example to restricting their freedom of movement. The risk for alerts to be entered on political opponents, journalists and human rights activists is also further exacerbated with the introduction of this new types of alerts. 

The article finishes by looking at the supervision of the new procedure, dividing it into the pre-alert phase, the issuance of alert phase, and the post-alert phase. Overall, there is a lack of supervision mentioned within the Regulation, which does not expressly provide for supervisory safeguards. This does not mean that no supervision will be made. However, in light of the existing lack of supervision over Europol for example, and the focus of national supervisory authorities on the GDPR, practice might show that the process of information alerts essentially escapes any supervision. In light of the big change the Regulation brings, it is essential to enhance supervision and further develop joint supervision for the integrated process to comply with relevant data protection rules and values. 

For now, information alerts solely concern third-country nationals, which is probably one of the reasons that led to the adoption of Regulation 2022/1190. It is highly unlikely that Member States would have agreed to enter such alerts based on information by third countries concerning their own EU citizens. However, the fact that this essentially affects third country nationals should not be an excuse for reduced safeguards. First, third country nationals should not be treated in a manner to not respect fundamental rights and freedoms. Second, it is highly likely that in the future, this possibility of information alert might be extended to EU nationals as well. In general, if tailored supervision is not ensured, this would set a worrying precedent for potential amendments to other databases as well.