The Future of Digitalisation in EU Law Enforcement: Introduction to the Second Part

The first part of the Special Section highlighted the profound transformation of EU law enforcement through the use of new technologies that facilitate, promote and mandate all the more exchanges of personal data across EU Member States and agencies, the move towards the co-option of the private sector in assuming quasi-public functions relating to law enforcement and the rise in algorithms, powered in many cases by Artificial Intelligence (AI) tools. This second part of the Special Section contains articles that further exemplify and analyse these trends through the lens of fundamental rights and rule of law offering valuable insights into the transformative role of technology in law enforcement. 

In particular, all three trends are embodied in the processing of Passenger Name Records (PNR) data within the EU, that is air travellers data in relation to their flight.[1] Kuşkonmaz examines the evolution of the legal framework underpinning the processing of PNR data, focusing on its role in law enforcement. Originally developed for commercial aviation purposes, the processing of PNR data has been repurposed with the aim of conducting automated risk assessment of travellers with the aim of preventing, detecting, investigating and prosecuting terrorism offences and serious crimes. The case of PNR data thus demonstrates the co-option of the private sector in securing that the wealth of (partly unverified) information provided by travellers will end up at the hands of law enforcement authorities. Yet, the inherent cross-border nature of processing PNR data has meant that PNR data has a distinct border surveillance dimension and should be viewed as symptomatic of the securitisation of mobility within the EU Area of Freedom, Security and Justice (AFSJ) and brings forward the tenuous relationship between border control and law enforcement objectives. This dual function of processing PNR data is highlighted by the Court of Justice of the European Union (CJEU) in Ligue des droits humains.[2] There, the CJEU has essentially re-written the EU PNR Directive by introducing significant constraints on indiscriminate data processing, clarifying the permissible scope of automated analysis of travellers’ personal data, including through AI tools and strengthened the requirements for extrajudicial and judicial oversight.[3] The judgment has already made history for its important findings going beyond the rights to privacy and protection of personal data. Yet, various questions remain open such as the possibility to transplant the Court’s findings in different settings and the challenges stemming from intersectional discrimination, not only direct and indirect, which are explicitly recognised by the Court.[4] The author rightly calls for a substantial redesign of the EU PNR framework to comply with fundamental rights and freedom of movement, yet the adoption of a revised API framework[5]points to a different direction, that of carefully circumventing the Court’s findings.[6] In particular, the creation of a router managed by eu-LISA, through which PNR data will be transferred to the PIUs changes the method in which the data reach them without providing sufficient clarity as to what a router constitutes. Furthermore, the PNR rules have not been reformed, but rather correct interpretation of the EU PNR Directive must be achieved at the national level, raising further legal uncertainties.

Karapatakis’ article sheds light into another instance of privatisation and enhanced information exchanges, that concerning the fight against money laundering. In his article examines the evolving role of Financial Intelligence Units (FIUs) within the reformed EU Anti-Money Laundering (AML) framework, focusing on the privacy and data protection implications of the 6th AML Directive.[7] The development of an AML regime in line with fundamental rights has been an ongoing challenge.[8] The author argues that recent reforms significantly expand FIUs’ access to financial, administrative, and law enforcement information without sufficiently defining the scope of accessible data. Lack of precision is therefore evident here as well. While these developments aim to enhance the effectiveness of AML enforcement and align with international standards, particularly those of the Financial Action Task Force (FATF), the compatibility with Articles 7 and 8 of the EU Charter of Fundamental Rights is rightly contested. Karapatakis demonstrates a persistently disproportionate regime which continuously violates the rights to privacy and personal data protection notwithstanding the successive legal reforms. With the rise cryptocurrencies and the emergence of the European Anti-Money Laundering Authority (AMLA) as a central supervisor the challenges and opportunities for compliance not only with the secondary legislation but also with the Charter multiply and the need to frame the powers of FIUs becomes all the more acute.

Privatisation of EU digitalised law enforcement takes place also by reshaping the relationship between online platforms, governments, and surveillance practices, with the DSA being paradigmatic in this respect. Ó Fathaigh, Zeybek, Bellanova, and Möller argue that the DSA institutionalises and expands forms of public-private cooperation that enable governments to leverage platforms for monitoring, data-gathering, and content control. While the DSA aims to create a safer online environment, it simultaneously enhances both platform-based and state-driven surveillance capacities, raising significant concerns for fundamental rights, particularly the right to private life and freedom of expression. Whereas the DSA has been analysed from various angles,[9]particularly by evaluating its enforcement system, this article analyses key mechanisms of the DSA, such as trusted flaggers, data access orders, and crisis response tools, demonstrating how they may facilitate indirect state intervention in online expression. The authors rightly conclude that without stronger safeguards, the DSA risks normalising pervasive online surveillance and undermining core constitutional principles in the digital sphere. The DSA should be viewed in the broader context of online content moderation rules which include its leges speciales, namely Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online[10] and efforts to tackle the dissemination of online child sexual abuse material and grooming.[11] What emerges from this elaborate framework is conceptual precedence of security over the protection of fundamental rights.[12]

The final article by Sachoulidou examines the rise of automated law enforcement systems under EU law, focusing on their classification as high-risk AI systems under the EU Artificial Intelligence Act (AI Act)[13] and their implications for defence rights. In this sense, the article pursues the implications of the last trend in EU law enforcement for the protection of procedural rights. The author expertly develops a typology of AI-driven policing tools, distinguishing between prediction/prevention-oriented and repression-oriented systems, and critically evaluates the EU’s risk-based regulatory approach. The article argues that the current framework insufficiently differentiates between diverse AI applications and fails to fully address their distinct fundamental rights risks. It highlights how automated decision-making challenges core procedural guarantees, including equality of arms, the right to an adversarial hearing, and the presumption of innocence. To address these issues, Sachoulidou proposes a dual approach: embedding defence rights into the technical design of AI systems (‘defence rights by design’) and strengthening existing EU procedural safeguards through legislative reform. Safeguarding defence rights in the age of AI necessitates both technological and legal adaptations to address the inherent opacity of the technology, power imbalances, and the scale/extent of automated decision-making. These findings, which can be transferred to other domains, e.g. migration management, become all the more pressing considering that the Digital Omnibus proposal for AI already aims to downgrade some of the protections of the AI Act[14] and the fact that in any case law enforcement is a field where more discretion is afforded to Member States.

The future of EU digitalised law enforcement is characterised by reinforced roles for the private sector coupled by the equipment of both public and private actors with technologically novel – yet controversial – tools. Both parts of this Special Section have highlighted that elaborate framework and complex tools need reinforce legal certainty and a strong commitment towards the protection of fundamental rights and the rule of law, which is not always the case. In the meantime, the burden falls on supervisory authorities, such as the national data protection authorities and the European Data Protection Supervisor (EDPS), to safeguard not only the right to personal data protection, but increasingly other connected rights as well, on national administrations in implementing correctly the relevant rules and on the European and national courts, who will for sure be called on interpreting the maze of EU digitalised law enforcement.