Privacy Talk with Daniel Drewer, Data Protection Officer at Europol: How does Europol and EDPS work together?
“This interview recorded on 16th October 2023 is talking about data protection and police organization.”
Kohei is having great time discussing data protection and police organization.
This interview outline:
- How does Europol and EDPS work together?
- What is the meaning independent role of Data Protection Officer at Europol?
- Message to listeners
- How does Europol and EDPS work together?
Daniel: Thank you for this Kohei, I think you said the key word you said already before and that close cooperation actually between Europol and external supervision.
So Europol is supervised by on the one side the European data protection supervisor and the European data protection supervisor is again in cooperation with the national data protection authorities, which is important because if we look how information travels in today’s society then you will see the information that’s collected somewhere is then processed is then transferred, then again processed and transfer back..
So it is necessary that the supervisory authorities are working together to supervise actually the complete lifecycle of information as well as the Data Protection Officers need to work together.
Because otherwise you have personal data that is protected from one moment on and later not any more protected and that of course needs to be avoided.
Europol has very powerful Supervisory Authorities since 2017. So the European Data Protection Supervisor has a whole cataloge of powers that he or she can use when it comes to the supervision of Europol and Europol has full respect towards the data protection supervisor.
And indeed, as you said, Kohei. I think it is important that data protection can only work if you have a full cooperation between the supervision and the one supervised always in full respect of the roles of the different roles and the full respect to the role of the external super advisor authority.
EDPS is on the one side, of course, inspecting Europol, on the other side also provides us consultancy.
Some areas where we have our doubts and then we contact the colleagues of the European data protection supervisor for their guidance ornery specific data protection matters.
The EDPS comes to inspect us at least once per year. And these are , days of inspection so we’re not talking about one day, sometimes it’s three days, sometimes it’s two days.
And they do this together with national data protection authorities in a joint inspection, and I would like to be very clear on this. The fact that a police force is inspected doesn’t mean that there is a kind of mistrust towards the police force or that there’s a lack of trust between the supervision and the agency.
It is simply necessary and I think it is part of a democratic society of checks and balances that these inspections take place. And then there are inspection reports. There’s also an annual report of the European data protection supervisory on his activities.
Also with regard to Europol and last but not least, I think the role of the data protection supervisor is in particular important in the area of police, law enforcement.
Because at the end, this in some areas, the supervisor also provides indirect access to police information for citizens that are concerned about processing of personal data by the police.
So I think they have a very, very important role. And most important is that the system functions and that there is cooperation.
And where I’m very proud of is at Europol full transparency also called the supervision because that comes together on one side cooperation, but you need the cooperation, whether it’s the full transparency of getting the process in operation, and this is how we understand the system here at Europol.
- What is the meaning independent role of Data Protection Officer at Europol?
Kohei: Thank you for sharing those kinds of collaboration. It is very important to be transparent to the societies and citizens how the data is being used for the police networks, which is very informative.
Thank you for sharing. Next question is that your role is very unique because of your independent role in the organization. So as independent practices, so what does it actually the your work and also the How can you act independent and be at the same of the Europol for the for the future?
Daniel: Okay, thanks. Kohei. I think that is a very important question. And I think it is not only important for the Data Protection Officer at Europol. But I think in general for Data Protection Officers, but of course, I’m the Data Protection Officer at the Europol. I will try to give you more insight regarding my function that I have .
And I think it is important that the independence of the Data Protection Officer doesn’t mean that you can do whatever you want as a Data Protection Officer. You are an integral part of an organization and you’re an internal adviser to management of the organization.
(Image: Daniel Drewer Data Protection)
And that allows you to shape compliance from the inside of the organization. We have an external supervisory authority, but we also need somebody who is an internal adviser to the controller and say you have to address this and it’s important that you take this into account.
My advice would be to design the system in the following way. So of course, there is the question about independence. And then if you are an integral part or like me, I’m the head of a function here at Europol so I’m also part of the agency’s hierarchy and so on.
Then the question is, how do you actually safeguard the independence of that function, in particular in law enforcement hierarchy, courses, it’s important. For me, it is very important that the Data Protection Officer of Europol has and had always full access to top management.
There is no question that if the Data Protection Officer would like to communicate with top management and one wants to bring forward concerns that he or she has full access to top management, which is the executors director, but also the management of Europol.
And the Data Protection Officer role is highly respected at Europol, not only because it’s written in the Europol regulations, but also because the controller would like to rely on an independent advisor within the agency in order then to progress on processing operations.
And the fact that the Data Protection Officer is an internal function allows me also to have an impact as soon as possible on the processing operation. So when actually ideas are developed and systems are designed.
Then the risks for data subjects are still rather low. Because the processing operations didn’t take place yet. And there the advantage then as an internal, independent, assurance provider is that you can advise the controller very early already in the process and also make concerns clear.
What exactly is the concern, but also to support the controller by saying well, maybe we can design the process of operation in this way, which provides you with a much more solid documentation regarding the respect to fundamental rights of data protection and as there are two other very important safeguards for the independence of the Data Protection Officer at Europol.
I think the first one is the Europol Data Protection Officer is that I think it’s the only Data Protection Officer in the EU Public Service who has an obligation to provide an annual report of this activity to the management board and to the EDPS at the same time. This is in my view a safeguard for the independence of the Data Protection Officer.
And the second strong safeguard is legal safeguard, that Data Protection Officer has the possibility to escalate matters up to the highest body if you want within Europol, which is the management board.
Then even to the European Data Protection Supervisor as a final step of this escalation scale. And whenever the Data Protection Officer finds that data protection compliance is not according to the legal provisions, that is another very strong safeguard for the independence of the Data Protection Officer.
But apart from this legal safeguards, I think it is most important is that the Data Protection Officer is the trusted Internaladvisor and that is good for data protection.
And, that it’s good for the whole system. Because the system is indeed you have the controller, then you have a Data Protection Officer as a so-called second line assurance provider.
And you have the Data Protection Supervisory Authority which has done an external data protection supervision, an extra additional most important layer for compliance with data protection rules.
And that makes the function interesting. A bit like an internal auditor if you want access to these things because Data Protection Officer has a strong task in providing awareness on data protection, providing training, providing consultancy as well to the to the controller, which means that as a Data Protection Officer you have to be always on top of developments and the controlloractually has a legal obligation to inform you about developments in process operations.
As such this obligation again is in fact also supporting the independent assurance function of the Data Protection Officer.
- Message to listeners
Kohei: That’s absolutely interesting. Maybe as an independent, all you can do as the primary things are internal operations and advice with practitioners to teach about data protection.
And also they’re very important notice for the fundamental rights, though that’s been very respectful. So as a final topic, I’m happy to ask you about the message for listeners because you have many of the great experiences and also the commitments such as the community making. Could you share your message Daniel?
Daniel: Thanks, Kohei. So, my final message, maybe I have different final messages if you allow me, so one of my final messages to the Data Protection Officers and the supervision actually, those that provide assurance on protection matters.
And would be that I think we have to understand that they have a very crucial role. And the crucial role is actually to provide legal certainty and assurance in an area that is highly regulated and because it is multidisciplinary, also quite sophisticated.
And I think the controller needs assurance and the controller doesn’t actually need grey areas, the controller needs legal certainty where you can invest the resources and can go forward.
And I think that the Data Protection Officers and also the supervisor has a crucial role and that’s for the controller. So that would be my final message to the Data Protection Officer colleagues: clear up the gray areas and provide the certainty for the controller that is what we are therefore.
When I talk and when I hope that our law enforcement officers as well that watching your video Kohei, but I think for the law enforcement officers, I would say you know, during the last 20 years police laws at least in the European Union, but I’m sure it’s the same in Japan got bigger and bigger, bigger.
So they started quite slim, and now they’re huge and part of it is that There are a lot of data protection rules added for the activities of the police and they are tailor-made and I always say don’t consider these tailor-made rules as obstacles.
I think it’s a privilege for law enforcement to operate on the basis of rules that are made specifically for them. Because that also again shapes more legal clarity, for the work of law enforcement.
And indeed the work of law enforcement is distinct from the rest of the public service. So in my view this is a privilege that the legislature considers law enforcement as special. Therefore they get special tailor-made rules and it is not an obstacle for the work.
In my really very last final message would be to all the listeners by saying if you’re interested in police, law enforcement and data protection compliance within the police join Europol’s Data Protection Expert Network.
It doesn’t matter whether you are within the EU or outside of the EU. If you work in that area and you have a particular interest in that area. Join us for the conference. Or even join the network as a member, yourself Kohei, you joined us recently so thank you for this.
But I think it’s worth it to work in this special interest group. That’s true, but quite crucial when it comes to the protection of the fundamental right of data protection on one side and another side also allowing law enforcement to fulfill its mandate.
Kohei: Thank you for your message. It’s been very important to the Data Protection community to engage with the police network to share the resources and the experiences, we can create for the future, which is a very important commitment to each other and community the network as a gateway for all the data protection experts to join and share the experiences to encourage each other.
So that’s a very important message for future collaborations. So again, thank you for having a great time with Daniel. And let’s engage and enhance together for this discussion.
Daniel: Thanks a lot Kohei, for inviting me and giving me the time to talk about law enforcement and data protection.
Kohei: Thank you.
Thank you for reading and please contact me if you want to join interview together.
Privacy Talk is the global community with diversified expert, and contact me below Linkedin if we can work together!
