Brussels (Brussels Morning) The European Union’s institutions are currently in the process of revising Europol’s powers with a view to giving the agency the ability to collect and process the data of completely innocent people, as well as to get data from online service providers like Google and Facebook without a court order.
The revision will also give Europol free rein to develop highly controversial artificial intelligence applications for use by law enforcement agencies all over Europe. Added together, this spells a huge change for the powers that this most opaque of organisations can wield over European citizens’ lives, and it’s frightening that all of it is happening without any public attention or debate.
Europol’s data breach
Last September, Europe’s data protection supervisor, the EDPS, issued what’s called an ‘admonishment’ to Europol for having systematically processed and retained information on innocent people, despite it being completely illegal for them to do so.
An admonishment mightn’t seem like much, but in the genteel world of European politics this was a very big deal indeed. As is its wont, the EDPS was very diplomatic in its language, but its criticisms were stark, and the finding that Europol had been flagrantly breaking the law would, you’d have thought, led to a serious reckoning – and at the very least a review of all of Europol’s operations, their legality, their effectiveness, and so on.
But no such thing took place. Instead, the Commission’s response was to issue a proposal for the revision of Europol’s mandate which will legalise all the illegal things they were doing. You couldn’t make it up.
After the data breach… A pat on the back
Specifically, Europol will now have a legal basis for accepting and processing the data of completely innocent European citizens – people who have zero links to crime. This data will be by-catch from mobile phones, computers, and so on that are seized as part of investigations. When it comes to what Europol calls ‘large and complex datasets’, very few questions are asked about where the data has come from – it’s enough that it was on a phone or a computer seized as part of some investigation somewhere.
That means that my private exchanges with family members, for example, could end up sitting on a server in the Hague, waiting for a Europol analyst to go through them in case they can be used to link me to crime. Quite apart from the invasiveness and disproportionality of this, such bulk data collection and retention runs the very real risk of innocent people ending up being wrongfully suspected of having committed a crime, because Europol’s systems draw unjustified or wrongful inferences from the links that exist between people.
I compared this to the mass surveillance carried out by the American National Security Agency (NSA) in an exchange with the EDPS recently, and he described the comparison as a good one. There’s a huge irony here in that Europe’s data sharing arrangement with the United States, called Privacy Shield, was recently struck down by the Court of Justice of the European Union on the basis that the Court couldn’t accept the NSA snooping on the data of innocent Europeans when it was sent to the States by American internet companies for processing.
You have to wonder, then, on what grounds the Commission thinks it’s OK to empower a European agency to do almost exactly the same thing?
This bulk collection of innocent people’s data isn’t the only problem. The mandate revision also proposes that Europol should be able to get people’s data directly from private providers like internet companies. The basic legal principle when it comes to law enforcement agencies getting their hands on private data from private companies is that it should only happen with the express permission of a judge or other judicial authority who has the knowledge and experience to decide if what the police want is necessary for their investigation, and isn’t a disproportionate interference in anyone’s right to keep their private information private. But the Commission wants to give Europol the power to circumvent this need for judicial authorisation – the service providers can just ‘voluntarily’ hand it over to Europol.
Europol are supposed to only process this data in order to figure out which Member State has jurisdiction over it, but there’s a loophole here – once Europol has figured out the jurisdiction and sent it on to the Member State concerned, they have much broader powers to process it if the Member State resubmits it to them. In this way, both Europol and Member States can get around the pesky restrictions on getting their hands on vast amounts of data imposed by the principle that judges in most cases need to OK the transfer of data from private providers to the police. Europe is much-preoccupied with rule of law breaches by states like Poland and Hungary at the moment – so it’s the ultimate hypocrisy that the Commission is proposing this kind of sneaky end run around basic rule of law principles for one of Europe’s own agencies.
Bypassing the law
Apart from these troubling efforts to bypass basic rule of law principles, the Europol mandate revision as a whole adds up to a deeply worrying turn to mass surveillance, bulk data collection and policing by algorithm as the first port of call for European policing. This increased reliance on hoovering up vast amounts of data and snooping on people’s private lives over things like community engagement by police, over things like building relationships with people who are at risk of falling into crime, with victims, and with citizens at large isn’t just problematic from an abstract rights perspective.
It will also, without any question, undermine Europol’s legitimacy, and ultimately the legitimacy of policing all over Europe, and people’s trust in policing institutions. Undermining legitimacy and trust will, in turn, make people less likely to cooperate with police, and less likely to share valuable information with them – and thus make it less likely that police will actually be able to solve or prevent crimes.
It will increase marginalised communities’ sense of marginalisation, it will increase discrimination (data-driven policing by algorithm is notoriously discriminatory), and kill off whatever vestiges of the principle of ‘policing by consent’ remain in Europe after years of neoliberal cutbacks to community policing. All of this is very bad news, and what makes it all worse is that it’s happening without most of Europe’s citizens knowing anything about it.
We need to have a broad, deep, and thorough public debate on how we want the police to use new technologies; and on how we want them to handle our data – if we want them to handle it at all. The Commission’s – and the Parliament’s – zeal for pushing through this revision before that debate has taken place will not just undermine citizens’ rights – it will fatally undermine policing in Europe more broadly.