Privacy Advocates Raised Objections of Bystander Data Being Swept Up in Police Net
The European Commission has proposed significant reforms for Europol intended to strengthen the law enforcement cooperation agency’s ability to fight crime, including digital extortion – but civil liberties campaigners are not happy about the privacy implications.
Proposing the reforms on Wednesday, commission Executive Vice President Henna Virkkunen said the idea was “to strengthen Europol’s mandate by enhancing information exchange, embedding cutting-edge technology at the heart of its operations, deepening support to” member states, and reinforcing cooperation with European Union agencies and international partners.
The proposed regulation would boost cooperation between the Europol-hosted European Cybercrime Centre and ENISA, the EU agency for cybersecurity, “in relation to cybersecurity, cyber threats and cyber incidents of suspected criminal origin, with a particular focus on ransomware incidents, including through ENISA’s ransomware helpdesk.”
The European Cybercrime Centre would support member states in fighting cybercrime and responding to cyberattacks, and would even get an expanded research and development remit so it can help to develop and deploy “specialized technical capabilities, in particular in the areas of digital forensics, lawful access, and the processing and analysis of encrypted data.”
“Cybercrime costs our economy trillions of euros every year,” Virkkunen warned. “If cybercrime were a country, it would have the third-largest economy in the world.”
With excellent timing, Europol also on Wednesday hailed its role in the latest Operation Endgame takedown of cybercriminal infrastructure. It played a coordinating role in the targeting of the “assembly lines” that were being used to launch ransomware and critical infrastructure attacks, as well as malware such as SocGholish. The Dutch police had announced the same operation nearly a week previously (see: Cybercrime Initial Access Service SocGholish Disrupted).
A key element of the commission’s proposal covers sharing data between national law enforcement agencies. To move beyond the currently allowed system of bilateral, ad hoc data exchanges, Europol would set up a secure cloud infrastructure and a “police shared data space” that could be used by national agencies for transnational investigations.
Per the proposal, this would correct “a growing structural imbalance between the scale and technological sophistication of criminal networks and the collective capabilities available to EU law enforcement authorities,” by allowing Europol to “fully act as the EU-level capability hub needed to reduce fragmentation, pool resources and provide member states with the advanced operational and technological support needed to respond to the evolving threat environment.”
Crucially – and this is where the privacy concerns come in – the commission is proposing to weaken Europol’s current data protection limitations.
As things stand, the agency is only supposed to process the personal data of suspected criminals, victims, witnesses and other relevant people. That necessarily means categorizing the data before Europol gets its hands on it, a practice reform backers say is disconnected from “the operational reality of modern law enforcement where the extraction of information from large and unstructured datasets constitutes a core operational task of law enforcement authorities, and hence also of Europol in support of national authorities.”
To allow Europol to handle unstructured data, the bill gives the agency the ability to handle the personal data of people outside of the usual categories – in other words, anyone – as long as doing so is “necessary and proportionate for the performance of Europol’s tasks.”
The article also says Europol would have to have safeguards in place. It would have to immediately delete the data of non-relevant people “once the purpose of processing is fulfilled,” it would have to tell its in-house data protection officer about what happened, and it would have to “keep such data functionally separate from ‘categorized’ data.”
Civil liberties campaigners are not convinced. Protect Not Surveil – a coalition of rights groups that want to defund Europol – said the proposal would “surely increase the number of people whose personal data is unlawfully accessed by Europol.”
“The new mandate grants the rogue agency all its wildest wishes and continues its transformation into a data black hole – swallowing our fundamental rights, and undermining justice, safety and accountability,” said Chloé Berthélémy, a senior policy adviser at coalition member European Digital Rights.
The proposal would also weaken the oversight capabilities of the European Data Protection Supervisor, the EU data protection authority for the bloc’s political institutions and agencies. Europol would gain the ability to process sensitive data without the EDPS’s prior approval in some cases, and much of the EDPS’s oversight role would be transferred to Europol’s data protection officer.
All of this follows a pattern. In 2022, the EDPS tried to crack down on Europol over its retention of vast unstructured datasets that naturally included the personal data of many people who had nothing to do with criminal investigations. In response, the European Commission approved Europol reforms that effectively retroactively legalized what Europol was doing, to an extent. The EDPS challenged the new rules but the General Court ruled for the commission.
A spokesperson for the EDPS told ISMG on Thursday that the data protection authority would publish its opinion on the commission’s new proposal after August 15.
