At the end of November 2023, a draft Regulation that aims to enhance police cooperation for the prevention, detection and investigation of migrant smuggling and trafficking in human beings, as well as to enhance the role of Europol for combating such crimes was proposed (COM(2023) 754 final). This draft Regulation is part of a package of measures that includes also a draft Directive aiming to harmonise rules on investigation and penalties with regards to migrant smuggling (COM(2023) 755 final), as well as a call to Action for Global Alliance against migrant smuggling.
Aims
The main aims of the proposed Regulation are:
- to strengthen coordination of the fight against migrant smuggling and trafficking of human beings at EU level. For this purpose, the tasks of the European Centre Against Migrant Smuggling (the Centre) at Europol are reinforced. Apart monitoring trends in migrant smuggling and trafficking in human beings, the Centre will prepare strategic analyses, threat assessments and situational updates. It will also support investigative and operational actions;
- to improve information sharing between Member States, Europol and other Union agencies. This information sharing includes biometric data. Furthermore, as the Centre will be tasked to identify cases of migrant smuggling that may require cooperation with non-EU countries, the cooperation and the sharing of data will take place also with third countries, on a case-by-case basis;
- to reinforce Member States’ resources by designating specialised services for combating migrant smuggling and trafficking in human beings, and task the Centre to act as a network of specialised services;
- to reinforce the role of Europol in supporting Member States to conduct joint, coordinated and prioritised criminal intelligence activities and investigations. Furthermore, the proposal gives Europol the power to apply “non-coercive investigative measures” during joint operations with national authorities.
For reaching these aims, the Explanatory Memorandum points out that more data analysts as well as OSINT and Social Media monitoring specialists are needed at Member State level. They would provide open source and social media monitoring analysis to support Member States’ fight against migrant smuggling and trafficking of human beings.
Furthermore, Europol is required to have capacities to promote the real-time and high-quality processing of the information collected online during the implementation of Member States investigative measures. These include an increase in the number of forensics, decryption and data specialists to ensure extraction and processing of large and complex data sets collected from the countries of origin, transit and destination, including both Member States and third countries. Real-time and high-quality data access and processing as well as the related data science expertise needs to be ensured for the use of lawfully collected biometric data and for creating new models to analyse complex data, which more often than before originate from outside the EU.
Legal and Ethical Challenges
In its Opinion 4/2024, the European Data Protection Supervisor (EDPS) identifies four main areas of concern that the draft Regulation presents from a fundamental rights perspective:
- the increased processing of biometric data, including facial recognition;
- the role of the European Border and Coast Guard Agency (Frontex);
- the transfers of data by Europol to third countries based on derogations; and
- the execution of investigative non-coercive measures related to data processing by Europol.
In light of the EDPS recommendations and based on research already conducted in the framework of the CRiTERIA project, below we briefly discuss three of the above concerns that are closely linked with the application of the European data protection legal framework.
Increased Processing of Biometric Data
The increased processing of biometric data, including facial recognition needs to be discussed from a data protection and ethical perspective. Biometric data are qualified as sensitive data in the EU and their processing is in general prohibited since it presents risks for discriminating data subjects. Processing of this data is not allowed under the GDPR unless certain conditions are met (art 9(2)), or it is allowed under the Law Enforcement Directive (LED) only when strictly necessary (art 10).
Specific conditions for processing biometric data are laid down also in Article 30(2) Europol Regulation. This article states that processing of biometric data is allowed: “only where strictly necessary and proportionate for the purposes of research and innovation projects […] and for operational purposes, within Europol’s objectives, and only for preventing or combating crime that falls within Europol’s objectives. Such processing shall also be subject to appropriate safeguards laid down in [Europol] Regulation with regard to the rights and freedoms of the data subject”.
It is important that the ‘strictly necessary and proportionate’ criterion is properly understood and implemented. This criterion is relevant for ensuring that technological solutions comply with the data protection principles and it covers not only to the collection and internal processing of biometric data by Europol but is also of relevance for the sharing of these data between Member States, other EU agencies and third countries.
The Court of Justice of the EU has clarified in a recent case that the criterion must be interpreted as establishing strengthened conditions for lawful processing of sensitive data. Moreover, the fact that the necessity for processing sensitive data is an ‘absolute’ one, means that also the principle of data minimisations needs to be assessed strictly. (C-205/21 Ministerstvo na vatreshnite raboti). This clarification shall help to ensure that strict rules are followed when processing biometric data and that, also once the Regulation is adopted, this processing is kept in any case limited to absolute necessity in compliance with the principle of data minimisation.
Transferral of Data to Third Countries Based on Derogations
The transfers of data by Europol to third countries based on derogations, as mentioned in recital 8 of the draft Regulation, is of importance. The general rule in the EU with regards to data transfers to third countries or international organisations is that: one needs to check first the presence of an adequacy decision (art 45 GDPR); in the absence of such decision, data might be transferred on the basis of adequate safeguards (art 46 GDPR); and, only in exceptional situations, special derogations to the general rules could apply (art 49 GDPR). These special derogations can be used only if the transfer is not repetitive, concerns a limited number of data subjects and is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.
A similar rule is provided also in art 25 of the Europol Regulation. This provision lays down the possibility for derogation from the general legal rules for transfer of personal data to third countries and international organisations in specific cases, e.g. when necessary in order to protect the vital interests of the data subject or of another person; or it is essential for the prevention of an immediate and serious threat to the public security; or is necessary in individual cases for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions; and others.
The last subparagraph of art 25 Europol Regulation states that: “derogations may not be applicable to systematic, massive or structural transfers.” Thus, regular and systemic use of derogations for transfer of data to third countries and international organisations cannot be the norm and the new Regulation cannot be interpreted as allowing them.
Data Processing by Europol
The investigative powers of Europol, in relation also to data processing are of relevance. In this framework, Europol supports the Member States in their investigations but also facilitates the sharing of data. Member States might have access to data that other Member States have made available to Europol. Thus, a situation when there is not just one data controller but there are various controllers involving different actors (States and EU agencies) might emerge.
In data protection law, joint controllers are recognised (art 26 GDPR, art 21 LED). On the one side these jointly determine the purposes and means of processing personal data and on the other side, they respond in full for any damages suffered by data subjects. Thus, for better safeguarding the rights of data subjects as well as for legal certainty purposes, it becomes important to clearly share the responsibilities between various actors involved in processing personal data in the Europol framework.
In conclusion it can be stated that while the new Regulation will provide better collaboration and coordination between EU agencies, Member States and third countries for the fight against migrant smuggling and trafficking of human being, special attention must be paid to the legal and ethical framework. Increased collaboration and use of open-source data bring forward old and new challenges for the protection of the rights of individuals.
The Role of CRiTERIA
The research conducted in the CRiTERIA project is very relevant in this framework. On one side, the CRiTERIA technological solutions could aid the work of data analysts at national and at EU level. The CRiTERIA consortium is developing innovative and effective Information Technology (IT) and Artificial Intelligence (AI) methods in support of the approach for risk, vulnerability and threat analysis. With employment of open-source data from social and traditional media, this technology may assist border agencies in better understanding contemporary security threats connected to migration and to predict and detect risks from both controlled and uncontrolled border crossings.
On the other side, the legal and ethical analysis conducted in the framework of CRiTERIA is also very relevant. Lamentably, the current draft Regulation, even though it states that the fundamental rights will be respected when processing personal data, lacks an impact assessment of the potential risks that the reinforced investigatory tasks of EU agencies as well as the sharing of data between Member States, EU agencies and third countries, might create for individuals. CRiTERIA has designed strong and robust legal and ethical guidelines to respond to the challenges presented to the fundamental rights of individuals when open data from social and traditional media are processed. Furthermore, the developed methodology for an AI, Data protection and Ethics impact assessment becomes even more relevant for assessing the use of AI and IT solutions in combatting migrant smuggling and trafficking of human beings at the EU borders.
Dr Jonida Milaj-Weishaar
Dr Jonida Milaj-Weishaar is Assistant Professor in Technology Law and Human Rights at the University of Groningen (the Netherlands) and a member of the Security, Technology and e-Privacy (STeP) research group. Her main research focus is on the challenges that technology creates for the protection of fundamental rights of individuals. She is a research fellow at the Information Society Law Center of the University of Milan (Italy) and a visiting lecturer at the Central University of Political Science and Law in Beijing (China).
Banner image by Gerd Altmann from Pixabay.
