Wed. Jan 15th, 2025

Brussels, 8 January 2025

The European Data Protection Supervisor (EDPS) reprimands Frontex, the European Border and Coast Guard Agency, for not complying with Regulation (EU) 2019/1896 (“Frontex Regulation”), when transmitting personal data of suspects of cross-border crimes to Europol, the EU’s agency for law enforcement cooperation.

In October 2022, the EDPS carried out an audit on Frontex’s activities when assisting Member States at the EU external borders in joint operations.  In particular, the EDPS focused on debriefing interviews by Frontex of individuals intercepted while crossing external borders and the Agency’s further use of the information collected in this context.

During his audit, the EDPS found that during these debriefing interviews, Frontex was collecting information on suspects of cross-border crime based on interviewees’ testimony. Frontex was then sharing this information systematically and proactively with Europol without performing any kind of assessment of the necessity of such sharing, contrary to what is required by Frontex Regulation.  Considering the high risks that this implies for individuals reported as suspects, should that information prove unreliable or inaccurate, the EDPS decided to open an investigation.

Wojciech Wiewiórowski, EDPS, said:

It is Frontex responsibility to comply with the specific safeguards imposed by the law to prevent that individuals, who may not be of interest for Europol, would nevertheless end up in their systems. The processing of data in an EU law enforcement database can have profound consequences on those involved.  Individuals run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails

The EDPS found that Frontex has infringed Regulation (EU) 2019/1896 (Frontex Regulation) as Frontex was not assessing whether the sharing of information with Europol about individuals reported as suspects of cross-border crime was strictly necessary for Europol to perform its mandate as required by Article 90 (2) (a) of that Regulation.

While this constitutes a severe breach of Frontex Regulation, the EDPS has nevertheless decided to limit the exercise of his powers to the issuance of a reprimand taking into account that five days after the adoption of the EDPS audit report in May 2023, Frontex interrupted its sharing of information with Europol.  Since then, only once, Frontex has shared with Europol personal data on suspects of cross border crime, after an individual, precise and specific assessment that this information was strictly necessary for Europol to perform its mandate. Frontex has also engaged in discussions with Europol to define criteria to assess whether the information collected is strictly necessary for Europol to perform its mandate and detailed rules for the sharing of such information, before the exchanges resume.

Background information

The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.

About the EDPS

The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.

About the EDPS’ investigation into the Commission’s use of Microsoft 365

This investigation was opened in May 2021 following the Schrems II judgment. Its aim was to verify the Commission’s compliance with the Recommendations previously issued by the EDPS on the use of Microsoft’s products and services by EU institutions and bodies. This investigation is part of the EDPS’ actions in the context of the EDPS’ participation in the 2022 Coordinated Enforcement Action of the EDPB. For more information, please read the EDPB Report on the 2022 Coordinated Enforcement Action. In March 2024, the EDPS issued its decision on the Commission’s use of Microsoft 365.

About EDPS Investigations: For more information on the EDPS’ investigation process, please find the EDPS Investigation PolicyEDPS Investigation Factsheet, on the EDPS Website.

Source: EDPS reprimands Frontex for non-compliance with Regulation (EU) 2019/1896

 

Forward to your friends