A central pillar of the development of European Union (EU) Criminal law has been the establishment of legal and technical avenues aiming at facilitating the collection, retention and transfers of personal data, in the context of fighting terrorism and other serious criminal offences. As technological evolution has offered national law enforcement authorities enhanced opportunities to collect, store and exchange personal data seamlessly and in a timely manner, an elaborate EU legal framework regulating different forms of processing personal data has emerged. Legislative initiatives at supranational level have relied upon Article 87(2)(a) of the Treaty on the Functioning of the European Union (TFEU), which provides for the setting-up of information exchange mechanisms which enable the collection, storage, further processing, analysis and exchange of relevant information.
Initiatives in this respect have been two-pronged.[1]
Firstly, emphasis has been placed on the establishment of EU-wide centralised information systems for law enforcement purposes. The setting up of the Schengen Information System (SIS) is emblematic in this context. The SIS is perhaps the best-known multinational IT system in the EU; it became operational in 1995 as a ‘flanking’ measure assisting the abolition of internal borders in the Schengen area. It aims to ensure a high level of security across the participating states and to enable the exchange of information for the purposes of controls on persons and objects. With a view to facilitating both border control and police investigations, national authorities register in SIS so-called ‘alerts’ in relation to specific categories of persons and objects, such as persons wanted for arrest and extradition, missing persons, or irregular migrants.[2] Alerts are essentially requests by the state that issued the alert (issuing state) to the other Schengen countries to take a certain action and execute the alert.[3] Thus, by default, SIS is designed to operate as a hybrid instrument; on the one hand, as a tool for police and judicial cooperation in criminal matters, and on the other hand, as an instrument for immigration control.
Another EU large-scale system in the field of migration and security is the European Criminal Record Information System for Third-Country Nationals (ECRIS-TCN),[4] which is currently under development. The ECRIS-TCN will be a centralised system for the exchange of criminal records on convicted third-country nationals and stateless persons and is meant to complement the already existing, decentralised ECRIS system through which information on the criminal records of EU nationals is exchanged among Member States (see below).[5] This database is also characterised by its hybrid nature; though established under a criminal justice cooperation legal basis (Article 82(1)(d)), the ECRIS-TCN will be consulted for immigration-related objectives, e.g. to support the operation of the Visa Information System (VIS) and the European Travel Information and Authorisation System (ETIAS), as well as immigration decision-making.[6]
Furthermore, databases have also been set up in the framework of Europol, the EU’s criminal information hub.[7] Europol's mandate is to support actions by EU Member States' law enforcement authorities and ensure their cooperation for the purpose of preventing and combating serious crime affecting two or more Member States, terrorism, and forms of crime that affect a common interest covered by an EU policy. To fulfil its objectives, Europol carries out a series of tasks, with its information-related tasks being at the core of its activities, along with providing operational support and expertise to Member States' criminal investigations. Europol’s information comes from various sources: Member States, EU bodies, third countries and international organisations, as well as private parties and private persons.[8] It is organised in an integrated, overarching, central data repository, following a simplified and controversial approach, whereby instead of specific databases, the rules for information processing relate to the purposes of processing the data.[9] Importantly, since its setting up, Europol has undergone remarkable changes marked by continuous reforms to its legal basis, which have increased the agency’s information processing capacities. For example, Regulation (EU) 2022/991 has increased the agency’s role in cooperating with private parties, proposing to Member States the registration of alerts in SIS, supporting criminal investigations, and in research and innovation.[10] In September 2025, the co-legislators agreed on additional reforms in tackling migrant smuggling.[11] The increase in information processing capacity has been coupled with institutional and scholarly attention, including the so-called ‘big data’ challenge concerning the processing of mass amounts of personal data beyond its mandate,[12] or the agency’s civil liability for unlawful disclosure of personal data during cross-border cooperation with Member States.[13]
Secondly, a set of legislative initiatives have aimed at eliminating obstacles to the exchange of personal data among national law enforcement authorities. In that regard, legal instruments boosting cooperation through decentralised mechanisms of information exchange have been adopted. As mentioned above, the ECRIS facilitates the exchange of criminal records amongst national authorities by interconnecting national criminal records databases.[14] This is the sole legal instrument that has not been subject to legislative reform (albeit criminal record information was the subject matter of the ECRIS-TCN). Furthermore, Member States’ law enforcement authorities may exchange existing information and intelligence effectively and expeditiously for the purpose of conducting criminal investigations or criminal intelligence operations. Here, the so-called ‘Swedish Initiative’ – Framework Decision 2006/960/JHA – was replaced by Directive 2023/977,[15] to remedy flaws of the previous legal framework. Framework Decision 2006/960 was scarcely used in practice, in part due to the lack of clarity as to its relationship with judicial cooperation instruments, such as the Directive regarding the European Investigation Order (EIO),[16] and the use of the exchanged information as evidence in criminal proceedings. This issue is still unsatisfactorily resolved; whereas the Directive emphasises that it does not affect Union legal acts on cross-border evidence gathering, pure consent to the use of already submitted information as evidence in criminal judicial proceedings suffices, giving the impression that such consent ‘is only a rubberstamp by the authorities of the requested state circumventing the rules of the legislation on judicial cooperation’.[17]
The Directive constitutes part of the EU Police Cooperation Code package, intended to enhance law enforcement cooperation across Member States and to give EU police officers more modern tools for information exchange. That package also includes a revision of the Prüm regime, first developed outside the EU framework but subsequently incorporated into EU law. The Prüm Decisions regulated the exchange of DNA, fingerprint and vehicle registration data between EU law enforcement authorities.[18] Following a rocky implementation whereby the development of connections between the Member States took far longer than expected, Prüm II further automates the cross-border sharing of data for police cooperation. As a novelty, the Prüm II Regulation contains two new data categories: facial images and police records (reference numbers of suspects and convicted criminals). It also lays down rules for the exchange of core data after a confirmed biometric data match.[19] Considering that, due to late implementation, various Member States could not offer much first-hand experience, legislative action in this context seems to have been primarily driven by the possibilities offered by the evolution of technology and the emphasis on simplifying and streamlining exchanges of personal data to maximise law enforcement cooperation. This approach has been at the expense of fundamental rights enshrined in the Charter, without fully scrutinising the necessity and proportionality of expanding the scope of the existing legal instruments. In particular, with the expansion of Prüm II to facial images, new large-scale databases containing this category of personal data are in the making,[20] which will deepen biometric surveillance and promote further the use of Artificial Intelligence (AI) in the field of police cooperation and criminal justice, with significant risks for discriminatory treatment of different groups of people (for example, marginalised or black persons).
Another level of boosting the collection, analysis and exchange of personal data for law enforcement purposes in the EU has been via the co-option of the private sector. This aspect of the privatisation of law enforcement consists of calling on private companies or professions to cooperate with state authorities in the fight against crime. The co-option of the private sector has been conceptualised as privatised surveillance or co-production of security,[21] reconfiguring the relationship between the private and the public and leading to the mass collection and further processing of a wide range of personal data, which can then be repurposed and used by the state for law enforcement purposes. The private-public cooperation takes place in various forms. A major move to involve the private sector in cooperating with the state in the fight against crime has occurred in the field of anti-money laundering (AML) and terrorism financing, whereby dedicated Financial Information Units (FIUs) receive information on suspicious transactions from different entities of the private sector, which is then further processed and exchanged.[22] Over time, the EU AML framework has also been subject to continuous reforms and additions, marked by the successive expansion of the obliged entities subject to AML rules (e.g. to include Crypto-Asset Service Providers (‘CASPs’) or crowdfunding platforms).[23] Thus, financial surveillance has over time significantly expanded, as has the cooperation between FIUs under rules which have traditionally favoured extensive information exchanges without corresponding clarity about the applicable EU data protection regime.[24]
Other examples of privatised surveillance are the retention of metadata by telecommunications companies;[25] the transfer of air travellers’ data (passenger name record (PNR) data) already collected for business purposes and their processing by specialised national Passenger Information Units (PIUs), as per the prescriptions of the EU PNR Directive;[26] and the preservation and transfer of electronic evidence data, such as emails, text messages, information on IP addresses.[27] The proliferation of legislative activity has been coupled with the emergence of an elaborate case law by the Court of Justice of the European Union (CJEU) on data retention and the processing of PNR data. In a series of judgments, such as La Quadrature du Net and Others[28] and La Ligue des Droits Humains from June 2022,[29] the Court has placed limits on state surveillance and has provided extensive guidelines to both the EU and national legislature transposing EU legislation on the necessary safeguards for lawful processing of personal data in the law enforcement context. Whereas the EU PNR Directive was partly re-written by the CJEU,[30] in the case of telecommunications metadata, implementing those guidelines into a revised legal regime following the invalidation of the Data Retention Directive has proved to be a particularly hard endeavour. A revision of the e-Privacy Directive was withdrawn and the European Commission aims at proposing new harmonising rules obliging service providers to store such data, to address the fragmented and uneven legal landscape that has since prevailed in the Member States.[31]
One trend in deepening the public-private divide has emerged in the context of online content moderation, whereby several legal instruments have empowered transnational corporations operating in the digital environment as hosting providers to perform quasi-public functions in the transnational context. This trend started in 2021 with the adoption of the Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online (TERREG).[32] The Digital Services Act (DSA) is of broader application and imposes due diligence obligations on all digital services, including on the fast removal of illegal online content.[33] Whereas the DSA has been adopted under an internal market legal basis – Article 114 TFEU – it has a distinct law enforcement dimension, in the sense that online intermediaries and platforms such as marketplaces, social networks and content-sharing platforms are entrusted with policing tasks in preventing illegal and harmful activities online and the spread of disinformation. At the heart of fulfilling these tasks lies a delicate balance between online safety and the protection of users’ fundamental rights, particularly freedom of expression. In this context, questions about the degree of interference in the control of public opinion and the role of private companies as gatekeepers at the threshold of fundamental rights are crucial. These questions are heightened when considering the legislative proposal for online content moderation in the context of preventing and combating child sexual abuse online (CSAM) – the so-called Chat Control.[34] Under the proposal, the detection of known or unknown CSAM as well as grooming will entail the scanning even of private communications of all individuals irrespective of suspicion (through the use of – potentially unreliable – AI tools).
Chat Control not only goes against the DSA paradigm, which forbids general monitoring, but importantly, if adopted, it will mark the end of privacy and of end-to-end encryption and the prevalence of mass surveillance of online activity.[35] At the time of finalising this editorial, the proposal faces significant deadlock within the Council of the EU, with several Member States forming a ‘blocking minority’ standing against Chat Control, including Germany, Luxembourg and the Netherlands.
Finally, the rise of interest in the deployment of Artificial Intelligence (AI) systems in the sphere of criminal law, for example in relation to predictive policing and facial recognition, has sparked debates about the maturity of the current technology and its compatibility with fundamental rights. A key example in this respect is the AI Act, which aims to regulate horizontally the use of AI systems in various contexts and fora and contains restrictions on law enforcement use of AI technology, whilst also giving them significant leeway as regards the type of technologies that can be deployed.[36] At the same time, the automated processing of personal data, which can entail the use of AI, is embedded in a number of EU legal instruments; automated analysis is embedded at the national level in the processing of PNR data transmitted by air carriers and of telecommunications metadata to the PIUs, with the CJEU providing guidance as to the requirements for its lawfulness in La Quadrature du Net[37] and Ligue des Droits Humains.[38] A key question arising from the jurisprudence of the CJEU is the applicability of the Court’s standards to a multiplicity of contexts, such as money laundering obligations to obliged entities,[39] in accordance with the 6th AML Directive. Notwithstanding the different logic under which automated analysis operates, an answer in favour of the transplantability of the CJEU’s safeguards would be grounded on the fact that there is clear continuity in the existing case law.[40] In addition, as mentioned earlier, the upgraded Prüm also fosters the use of AI systems in the provisions to share facial images for the purpose of facial recognition and sharing of police records. Thus, a shift towards algorithmisation is a central aspect of the future of digitalised law enforcement.
This is understandable; with the proliferation of information exchange avenues, making sense of huge amounts of data cannot take place without recourse to algorithms, including AI. Nonetheless, the fundamental rights concerns regarding the principle of non-discrimination as well as the existence of meaningful procedural safeguards are acute, and the parallel developments in legislation and case law do not always point in the same direction. Although the CJEU has not resolved a series of open questions and there is room for further elaboration (e.g. on how to audit algorithms), its protective scope is contrasted with the significant gaps of the AI Act, particularly as regards classification of AI systems in law enforcement based on the degree of risk of harm to individuals, transparency and accountability.[41]
The previous paragraphs aimed to highlight the tremendous transformation of EU law enforcement in the digital era via the significant burst in legislative activity, particularly with a view to reforming pre-existing legal instruments, as well as the emergence of a significant body of CJEU case law providing significant limits to Member States’ discretionary power and the EU legislature. Piecing together the puzzle of these developments shows a clear tendency to streamline law enforcement work and cooperation through automated means and enhanced transfers of personal data in the fight against crime, including by harvesting the full potential of information that EU agencies, such as Europol, have. Against this backdrop, this two-part Special Section explores and critically appraises various aspects of the EU digital law enforcement architecture in terms of challenges posed to fundamental rights, such as the rights to protection of personal data, respect for private life, freedom of expression and effective remedies, and the rule of law. In comprehending the present and future outlook of law enforcement in the era of digitalisation, the Special Section revisits fundamental questions on the necessity and proportionality of surveillance through the maximised processing of personal data in light of the legitimate aim of fighting serious crime and terrorism, and provides insights as to whether, why and how the EU legal framework should be amended or interpreted to delimit the negative consequences for the protection of fundamental rights.
Two overarching research questions guide the scientific enquiry:
How is the future of EU police cooperation shaped in view of the burst in legislative activity and the jurisprudence of the CJEU?
What is the impact of the legislative initiatives and practices by law enforcement authorities and agencies on the protection of fundamental rights and the rule of law?
By bringing together scholars from law, political science and sociology, the Special Section provides a comprehensive critical analysis of the aforementioned developments in the light of the protection of fundamental rights and the rule of law. The underlying aim is to enable the readers to acquire a holistic understanding of the current state of play and future outlook of EU law enforcement in the digital age.
The first section of the Special Section contains articles shedding light on all three underlying themes. Sarah Tas’s article brings together the SIS with Europol and explains how Regulation 2022/1190 has changed the traditional modus operandi of the former by giving Europol an active role in proposing so-called alerts in the interest of the Union. Europol’s data received from third countries concerning third-country nationals’ links to terrorism as foreign terrorist fighters will not only feed its own databases, but can be translated into actionable alerts in SIS issued by Member States. Acting as a middleman does not put Europol on an equal footing with Member States, which are ultimately responsible for the issuance of this novel category of alerts, but does constitute a major shift in how the SIS operates. This approach of using Europol as a means through which data from third countries are re-baptised as EU data, in a clearly preventive logic whereby data collected outside the EU may be useful to the EU Member States as well, comes with significant risks for data quality, privacy and legal certainty, with far-reaching consequences for third-country nationals, particularly in an interoperable architecture. Tas rightly notes that the process for creating and supervising these alerts is vague and not well monitored and argues that without strong and clear oversight throughout the ‘life cycle’ of the alert, that is before, after and during an alert is made, there is a real risk of misuse, such as targeting innocent people or political opponents. This is all the more necessary, as opening the door to Europol proposing alerts for now concerns third-country nationals and only in relation to terrorism. However, this could be the gateway for further extension in the future to other areas of criminality and the inclusion of EU nationals too.
The central role of Europol is further highlighted by Teresa Quintel, who provides a bird’s eye view into the magnifying data processing capacities of the agency arising not only from legislative reforms to its own legal basis, but also deriving from reforms to other EU legal instruments that contain Europol-specific provisions. The article highlights how Europol supports Member States in areas such as AML, CSAM, terrorism, and PNR data processing, thus demonstrating the huge amounts of information from many sources and usage of advanced data analytics to identify links between different types of crime. In view of bringing down the silos between Europol databases in lieu of a so-called ‘data lake’, individuals face increasing difficulties in knowing how their personal data are processed or to exercise their individual rights in accordance with EU data protection law. In view of this lack of foreseeability, as a fundamental legality requirement, Quintel also calls for stronger oversight and safeguards since current EU laws on data protection are scattered and sometimes inconsistent with one another. While Europol’s analytical capacity improves cross-border crime prevention, Quintel stresses that it must be matched with clear rules and accountability to ensure that the rights to respect for private life and personal data are respected.
One avenue for decentralised information exchanges, the Prüm regime, as recently reformed, is examined by Nina Amelung and Helena Machado. Their article provides important insights into the manners in which public consultation before the reform shaped the outcome, viewing these consultations as acting as ‘technologies of democracy’ whereby official processes appear open but actually hide disagreement and make complex, contested policies seem widely accepted. Amelung and Machado focus on two main changes under Prüm II: linking the system with other EU databases through interoperability and expanding the scope of information exchange to cover facial images. In line with earlier remarks in this editorial, the authors rightly warn that sharing facial images could allow massive data processing without strong safeguards, creating risks of abuse, discrimination and bias, especially in areas like policing, border control, and asylum. The article further shows that instead of promoting real debate, the consultation helped legitimise a security-driven logic, while making it harder to question its impact on rights and democracy. This is an inherent danger when EU legal instruments are subjected to reforms without the prior conduct of dedicated impact assessments, which was in fact called for.[42] Considering that public consultations without the simultaneous conduct of impact assessments constitute a standardised practice when amending pre-existing legislation, the article serves as a pressing reminder of the need to uphold the Better Regulation Guidelines.[43]
The privatisation of surveillance, including when infused with algorithms, is examined from various angles in the Special Section. Its first part features the contribution by Maria Tzanou and Plixavra Vogiatzoglou, whose article examines the applicability of EU fundamental rights law to surveillance conducted for national security purposes viewed through the lens of data retention of telecommunication metadata and the so-called data retention saga. The authors analyse the case law of the CJEU, which has brought into the realm of EU law national measures that impose obligations upon private sector actors, whose activities are regulated by EU law; thus these national measures are subject to CJEU scrutiny, even if they are pursuing the safeguarding of national security. However, they stress the questionable route to reach that conclusion and the significant legal uncertainties, which necessitate a shift in the focus towards protecting individuals themselves, ensuring that their rights remain central even when the objective of national security is invoked. The authors also call for a clearer and stronger EU legal approach that keeps up with the growing use of algorithms and private-sector technology in surveillance, blending lessons from the relevant CJEU case law to create a more coherent and rights-focused system. In view of the upcoming legislative proposal on a harmonised regime on data retention coupled with the entry into force of the AI Act, the authors’ findings are highly topical to ensure a high level of fundamental rights protection in the digital era.
Stay tuned for the second part of this Special Section where other dimensions of EU digitalised law enforcement are explored.
-------------------
European Papers, Vol. 10, 2025, No 3, pp. 709-719
ISSN 2499-8249 - doi: 10.15166/2499-8249/851
* Associate Professor, University of Luxembourg, niovi.vavoula@uni.lu.
[1] V Mitsilegas and N Vavoula, ‘Databases’, in V Mitsilegas, EU Criminal Law (Hart 2022, 2nd edn) ch 5.
[2] The law enforcement branch of SIS is governed by Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU. For the other branches see Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006; Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals.
[3] J Dumortier, ‘The Protection of Personal Data in the Schengen Convention’ (1997) 11 International Review of Law, Computers & Technology 93, 93.
[4] Regulation (EU) 2019/816 of the European Parliament and of the Council of 17 April 2019 establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726.
[5] Council Decision 2009/316/JHA on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA; Council Framework Decision 2009/315/JHA on the organisation and content of the exchange of information extracted from the criminal record between Member States.
[6] See N Vavoula, Immigration and Privacy in the Law of the European Union – The Case of Information Systems (Brill Nijhoff 2022).
[7] Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation, as amended.
[8] Article 17.
[9] F Coudert, ‘The Europol Regulation and Purpose Limitation: From the ‘Silo-Based Approach’ to … What Exactly?’ (2017) 3 European Data Protection Law Review 313.
[10] Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation. For a critical appraisal of the proposal see N Vavoula and V Mitsilegas, ‘Strengthening Europol’s mandate: A legal assessment of the Commission’s proposal to amend the Europol Regulation’ (European Parliament Policy Department for Citizens’ Rights and Constitutional Affairs, Study commissioned by the LIBE Committee, May 2021) at www.europarl.europa.eu.
[11] Council of the European Union, Doc. 13302/25 (9 October 2025).
[12] European Data Protection Supervisor, ‘EDPS Decision on the own initiative inquiry on Europol’s big data challenge’ (5 October 2020), at https://www.edps.europa.eu/data-protection/our-work/publications/investi...; European Data Protection Supervisor, ‘EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation’ (Brussels, 21 December 2021), at www.edps.europa.eu.
[13] Directive (EU) 2023/977 of the European Parliament and of the Council of 10 May 2023 on the exchange of information between the law enforcement authorities of Member States and repealing Council Framework Decision 2006/960/JHA.
[14] Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States.
[15] Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union.
[16] Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters.
[17] T Wahl, ‘Exchange of Information between Law Enforcement Authorities on New Footing’ (2023) eucrim 36, at eucrim.eu.
[18] Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime; Council Decision 2008/616/JHA of 23 June 2008 on the implementation of Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime.
[19] Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the automated search and exchange of data for police cooperation, and amending Council Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and (EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation).
[20] European Digital Rights (EDRi), ‘Respecting fundamental rights in the cross-border investigation of serious crimes’ (EDRi position paper, 7 September 2022), at edri.org p. 27.
[21] V Mitsilegas, ‘The Privatisation of Surveillance in the Digital Age’ in V Mitsilegas and N Vavoula (eds), Surveillance and Privacy in the Digital Age: European, Transatlantic and Global Perspectives (Hart Publishing 2021); R Bellanova and M de Goede, ‘Co-Producing Security: Platform Content Moderation and European Security Integration’ (2021) Journal of Common Market Studies 1.
[22] V Mitsilegas, Money Laundering Counter-measures in the European Union: A New Paradigm of Security Governance versus Fundamental Legal Principles (Kluwer Law International 2003).
[23] For the applicable legal framework see Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing [2024] OJ L2024/1624, 19.6.2024; Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the mechanisms to be put in place by Member States to prevent the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849 [2024] OJ L2024/1640, 19.6.2024.
[24] T Quintel, ‘Follow the Money, If You Can - Possible Solutions for Enhanced FIU Cooperation Under Improved Data Protection Rules’ (University of Luxembourg Law Working Paper No.001-2019), at ssrn.com.
[25] On the data retention saga see among others V Mitsilegas, E Guild, E Kuskonmaz and N Vavoula, ‘Data Retention and the Future of Large-scale Surveillance: The Evolution and Contestation of Judicial Benchmarks’ (2022) European Law Journal 176; N Ni Loideain, EU Data Privacy Law and Serious Crime: Data Retention and Policymaking (Oxford University Press 2025).
[26] Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime.
[27] Regulation (EU) 2023/1543 of the European Parliament and of the Council of 12 July 2023 on European Production Orders and European Preservation Orders for electronic evidence in criminal proceedings and for the execution of custodial sentences following criminal proceedings PE/4/2023/REV/1.
[28] Joined Cases C-511/18, C-512/18 and C-520/18 La Quadrature du Net and Others v Premier ministre and Others, ECLI:EU:C:2020:791.
[29] Case C-817/19 Ligue des droits humains v Conseil des Ministres, ECLI:EU:C:2022:491.
[30] C Thönnes, ‘A Directive altered beyond recognition: On the Court of Justice of the European Union’s PNR decision (C-817/19)’ (Verfassungsblog, 23 June 2022) at verfassungsblog.de.
[31] European Commission, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions - Roadmap for lawful and effective access to data for law enforcement COM/2025/349 final.
[32] Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online.
[33] Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act).
[34] European Commission, ‘Proposal for a Regulation of the European Parliament and of the Council laying down rules to prevent and combat child sexual abuse’ COM(2022) 209 final.
[35] L de Swart and others, ‘Complementary Impact Assessment of the proposal for a regulation laying down the rules to prevent and combat child sexual abuse’ (commissioned by the European Parliament Research Service, April 2023) at www.europarl.europa.eu.
[36] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act).
[37] La Quadrature du Net and Others v Premier ministre and Others (n 28) paras 172-182.
[38] Ligue des droits humains v Conseil des Ministres (n 29) paras 176-213; La Quadrature du Net and Others v Premier ministre and Others (n 28) paras 172-182.
[39] Z Chen and others, ‘Machine Learning Techniques for Anti-money Laundering (AML) Solutions in Suspicious Transaction Detection: A Review’ (2018) 57 Knowledge and Information Systems 245.
[40] N Vavoula, ‘Data Retention and Automated Processing of Personal Data: Unpacking the CJEU’s Approach’ in E Kosta and I Kamara (eds), Data Retention in Europe and Beyond: Law and Policy in the Aftermath of an Invalidated Directive (Oxford University Press 2025).
[41] A Sachoulidou and N Vavoula, ‘Artificial Intelligence and Surveillance’ in J Sperling and S Lucarelli (eds), Handbook of European Union Governance (Edward Elgar Publishing 2025).
[42] N Vavoula, ‘Police Information Exchange – The future development regarding Prüm and the API Directive’ (European Parliament Policy Department for Citizens’ Rights and Constitutional Affairs, Study commissioned by the LIBE Committee of the European Parliament, September 2020) at www.europarl.europa.eu.
[43] European Commission, Staff Working Document, ‘Better Regulation Guidelines’, SWD(2021) 305 final.