Europol, lower thresholds for biometric data even for those not suspected

On June 24, the European Commission presented a legislative package that redesigns Europol, aiming to transform it from a support agency for national police into an operational police force with an expanded mandate. The text proposes a budget nearly doubled, around 3 billion euros in the next multiannual financial framework 2028-2034, and lowers the thresholds for the processing of biometric data, extending its use even to individuals not connected to crimes. This is stated in the Commission's official proposal, which includes two new regulations, a revision of the European Investigation Order, and amendments to the regulation on the protection of data for EU institutions.

The package implements the internal security strategy ProtectEU, which we discussed last year, which had already promised an ambitious enhancement of Europol's mandate.

What changes in the mandate

The new mandate introduces the automatic and rapid sharing of information between national police and Europol, designed for real-time collaboration on investigations. Europol Support Offices will be established in member states, staffed by agency officers to strengthen operational support to local authorities. On the technical side, Europol will have a sovereign cloud infrastructure and a Police Shared Data Space that will allow investigators from multiple countries to work remotely on the same cases, while a new technology and innovation hub will map the technological needs of law enforcement at the European level and coordinate joint investments in research and development.

The point that is causing debate concerns the data. The text lowers the thresholds for the processing of biometrics in the Europol Analytical Environment, opening up to the analysis of information related to individuals not linked to any crime. This is a significant change because it directly impacts who can end up in the agency's databases. The package also concurrently strengthens Eurojust, which will be able to act on its own initiative to identify connections between cases, will see its mandate extended to cybercrime and gender violence, and will adopt more agile decision-making processes. Moreover, a European Remote Participation Order will allow defendants, accused persons, and victims to participate remotely in criminal hearings in another member state.

Criticism on fundamental rights

Against the reform, EDRi and the Protect Not Surveil coalition have positioned themselves, accusing the Commission of expanding the agency's powers with insufficient safeguards, granting access to vast databases of personal data without proportional accountability. In their statement, the judgment is clear: the Commission, they write, is once again rewarding Europol's misconduct by doubling its budget and normalizing its illegal data practices, while the new mandate grants the agency all its wildest desires and continues its transformation into a black hole of data that swallows fundamental rights and undermines justice, security, and accountability.

The reference to past conduct has concrete foundations: the European Data Protection Supervisor (EDPS) had already warned Europol for the improper management of personal data, including a case related to the retention of information on individuals never linked to crimes. We have already focused on the issue of the relationship between Europol, encryption, and user rights in the past.

The proposal now follows the ordinary procedure between the European Parliament and the Council, and the EDPS must express an opinion before the conclusion of the negotiations. It is at that stage that it will be measured how much of the objections on biometrics and data access will find space in the final text.