Thursday, 29 April 2021
European Union Regulation: Motion
I join colleagues in congratulating the Minister, Deputy McEntee, and her husband on the birth of their son. None of us is surprised that the new baby has arrived but we are all a bit surprised that it seemed to happen so soon after the commencement of the Minister's maternity leave. I wish her and her family the very best.
On the regulation we are discussing, we share the view that there is a need for co-operation in dealing with crime. However, we have significant and serious misgivings in regard to certain aspects of the provisions, which I hope the Minister of State will take on board. In considering this proposal to expand the data collection remit of Europol, it is important to take account of the reasons it has been put forward. In September last year, the European Data Protection Supervisor, EDPS, released an absolutely scathing report on Europol's handling of large databases or data sets. It found that national law enforcement agencies from various member states were increasingly transmitting very large data sets to Europol, rather than targeted data, to allow for criminal investigations to take place, and this breached the standards in the 2016 Europol regulation. These data sets contained vast amounts of personal data, concerning nobody knows how many individuals. They are too large to be adequately examined and this makes the regulation less effective.
The EDPS also found that personal information about innocent individuals who had no connection to the crimes in question was being processed through Europol's system. Its report stated that Europol had not properly implemented the data minimisation principle and the significant safeguards in the 2016 Europol regulation. That is a big red flag. The EDPS further noted that, as a result, data subjects run the risk of being linked wrongfully to criminal activity right across the European Union.
We need to look at the companies responsible for the software that deals with digital forensics. Technology companies and the products they create are not politically neutral or free from bias. Their founders and key employees create the software through the prism of their own viewpoint, values and moral philosophy. Europol uses the Gotham software developed by Palantir Technologies to conduct data analysis. That company, run by Peter Thiel, is known to be one of the controversial private technology firms, with an involvement in Cambridge Analytica and, in the US, the National Security Agency, Immigration and Customs Enforcement and the CIA. Palantir Technologies has become increasingly active across Europe, especially during the initial stages of the pandemic, and it sees Europe as a key focus for its activities. The EDPS report raises concerns that the Gotham system was not designed to make it clear how people's data enter the system, which led to the problem of being unable to distinguish without doubt whether someone was a suspect, informant, witness or victim of crime.
The EDPS raised concerns about the decision to use this specific company. There are real dangers for the EU in relying on particular technology companies that are based outside the European jurisdiction, especially when they are involved in matters of domestic security. The proposal will see the scope of Europol's data-gathering powers massively expanded. The current limits on the categories of people on whom the agency can gather data, such as criminal witnesses and victims, could be circumvented to legalise the large data sets that will be transferred to the agency. I also have concerns about a report published by the European Network Against Racism, ENAR, on migrant and minority communities across Europe. Specifically, there is a concern that particular views may be reinforced into a technical approach. That has to be avoided.
I wish there was more time to speak on these proposals. There is no doubt that we need co-operation to fight crime across jurisdictions. However, it must be done as safely as possible.
I have concerns about some of the issues the data supervisor flagged. If we are to endorse this, then at a minimum we have to flag the significant and reasonable concerns highlighted by the EDPS.