Appendices

A4. The fight against cybercrime through the lens of a data protection believer – a commentary

Personal data is the new commodity driving much of today's cybercrime. It can be reasonably argued that data protection and the fight against cybercrime go hand in hand. Due protection of information relating to identified or identifiable natural persons is a prerequisite for avoiding identity theft and other forms of cybercrime.

However, efforts of law enforcement to prevent and combat cybercrime are sometimes also regarded with suspicion. In this context data protection principles serve as a safeguard against undue and disproportionate forms of government surveillance.

Europol's data protection regime as a law enforcement gold standard

Europol is proud to have one of the most robust data protection frameworks in the world of law enforcement. This is an asset, and at the same time a responsibility, as the legal regime needs to be put into practice and applied in day-to-day operations.

Prominent features of Europol's solid data protection framework are independent data protection supervision, Europol's secure information exchange capabilities, data protection compliant outreach to the private sector and – most importantly – clearly defined purpose specifications for processing operations on personal data in Europol's databases.

Europol receives information from Member States obtained in the course of investigations on individual criminals or organised criminal groups. Contributions are tailored and respect the purpose limitation principle. They are used in specifically defined analysis projects subject to strict data retention regimes.

The Data Protection Office of Europol has the task of ensuring that the applicable data protection legal framework is duly complied with. This is done – inter alia – by providing advice, guidance and best practice on personal data processing.

External supervision is carried out by the Joint Supervisory Body (JSB), which comprises experts from all 28 Member States with particular expertise in the area of law enforcement. Also, any form of future supervision under the regime of a Europol Regulation will certainly build on the elements of independence, transparency and expertise. [324]

The particular role of EC3 and the future Europol Regulation

EC3 remains the centre within the Operations Department of Europol which runs the highest number of projects deserving careful consideration from a data protection perspective. This is due to their innovative nature which reflects the fact that cybercrime as such is a particularly dynamic field. The success of EC3 is also based on the fact that no major data protection issues have occurred.

An organisation like Europol is dependent on a good data protection reputation also because it cannot conduct its own investigations. Europol's role is limited to supporting the EU Member States and facilitating their actions. This is why it is crucial that national authorities trust Europol and consequently provide the organisation with data they have lawfully obtained at national level.

As far as citizens are concerned, it is important to stress that European law enforcement agencies in general, and Europol in particular, do not engage in any form of mass surveillance as discussed in the context of the Snowden revelations. The debate on a good balance between security and privacy is, however, of utmost relevance also to the European Police Office (Europol) including EC3, not least in view of the ongoing legislative work on a future Europol Regulation. Europol needs the tools to effectively prevent and combat serious crime and terrorism.

In particular, the ever increasing threat posed by cybercrime calls for an open discussion on what law enforcement should be allowed to do online and where the boundaries need to be drawn. Rules on public-private partnership need to be reviewed in order to make cooperation between companies and law enforcement more efficient. As a matter of fact it is not only the security services taking advantage of the Internet and our modern means of communication – cybercriminals do the same with far worse intentions.

The broader perspective

The current debate on the relationship between data protection and the fight against cybercrime certainly goes well beyond the scope of EC3 operations or the future Europol Regulation. An example is the recent landmark ruling by the European Court of Justice (ECJ) issued on 8 April 2014. It demonstrates that processing of bulk data for law enforcement purposes remains a very sensitive issue. In this ruling the court declared Directive 2006/24/EC – better known as the Data Retention Directive – to be invalid. The court found that the directive entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary.

It is interesting to note that the ECJ clearly acknowledged that the fight against serious crime constitutes an objective of general interest and that the Charter of Fundamental Rights of the European Union not only lays down the right of any person to liberty but also to security. The court held that the retention of data for the purpose of allowing the competent national authorities to have possible access genuinely satisfies an objective of general interest. However, the ECJ ruled that, by adopting the Directive as it stands today, the EU legislature has exceeded the limits imposed by compliance with the principle of proportionality. [325] In the end this ruling is just another effort to strike the right balance between freedom and security by playing the ball back into the field of the European legislator.

The present iOCTA provides a comprehensive overview of cybercrime-related developments as well as of the inherent challenges for law enforcement. It may hence serve as an important contribution to the necessary broader societal discussion on where to draw the lines.

At Europol we have a track record of implementing data protection in a way which respects both operational business needs and fundamental rights of individuals. We will do our best to keep it like this and, yes – we are pretty proud of this!