CIVICUS speaks with Chris Jones, executive director of Statewatch, about the European Union’s (EU) Prüm II regulation and its implications for human rights and civic freedoms.
Statewatch is a UK-registered civil society organisation (CSO) that produces and promotes critical research, policy analysis and investigative journalism to inform public debate and campaigning on civil liberties, human rights and democratic standards.
What’s the Prüm II regulation?
Passed in November 2023, the regulation on automated data exchange for police cooperation, also known as Prüm II, aims to enhance police forces’ cross-border data exchange capabilities. This means fostering connections between different cases and expanding investigations, ultimately leading to more arrests and convictions. The regulation focuses on specific types of biometric data and other information. It requires EU member states to allow cross-border searches of databases containing fingerprint, DNA, vehicle registration and facial image data. Member states lacking such databases are compelled to establish them. They can also voluntarily allow cross-border searches of police records, which are defined as any type of information stored in the national registers of law enforcement authorities.
Similar obligations were imposed by the initial Prüm rules, adopted in 2008. These covered fingerprint, DNA and vehicle registration data and led to Ireland and Luxembourg establishing national DNA databases. The legal framework originated in a treaty among six EU member states in the mid-2000s and was later integrated into EU law through Council decisions in 2007 and 2008, bypassing parliamentary scrutiny. The new legal framework was designed to make it easier to exchange more types of data, and ostensibly to enhance the data protection framework.
What are the most concerning aspects of the new legislation?
The primary objective of the rules is to facilitate the collection and exchange of sensitive personal data – that is, biometric data – along with other information stored by police forces. Several concerns arise from this. For instance, under the regulation, member states without existing police-operated facial image databases are required to establish them. This infrastructure could pave the way for public facial recognition surveillance systems. It is easy to imagine a police force connecting CCTV cameras to its facial image database, if it was technically feasible, although there is no indication that this is being done at the moment.
A more immediate concern pertains to police records. The regulation enables EU states to interconnect their databases on a voluntary basis, although the European Commission is providing financial incentives for this. It is well known that huge amounts of information stored by police forces are incorrect, and that it is often excluded and racialised groups that are over-represented in these kinds of systems. For example, the UK participates in the current Prüm system and will likely be invited to join the updated one, and police forces here have been found to illegally store vast amounts of data on young Black men. This makes it more likely that information on these groups will be searched and exchanged across borders.
Additionally, the regulation empowers Europol, the EU’s law enforcement agency. Europol will manage the police records index system, which will facilitate the interconnection of national police records databases, and will also be allowed to search biometric data received from non-EU states against national databases. This raises accountability and privacy issues, given Europol’s limited transparency and democratic oversight, and the fact that it has a growing number of agreements with police forces around the world that have little respect for basic rights.
The regulation also involves the creation of a central router to facilitate database searches. While seemingly technical and somewhat innocuous, this sets a precedent for integrating and interconnecting various data sources, raising broader privacy and surveillance concerns within the EU and its member states. Under the Prüm II rules, this router will be connected to the Common Identity Repository, a huge new database storing data on non-EU nationals. It is likely this infrastructure will be used to interconnect other data sources in the future.
In sum, the Prüm II regulation falls short of meeting the necessity, proportionality and other fundamental requirements of EU law. However, it contains improvements over the initial proposal, which can be attributed to advocacy efforts by the European Digital Rights Network. For example, data protection impact assessments must be carried out by member states before they interconnect their databases. This was a requirement in the original Prüm rules but did not feature in the Commission’s proposal.
Do you think this will have negative impacts on civic space and civil society?
It definitely will. Social and political context is crucial when considering the implications of implementing such a system. Unfortunately, within the EU, there are governments with minimal regard for civil liberties, and upcoming elections suggest more such governments may come to power. This creates a challenging environment for independent CSOs, many of which are already under significant pressure. For instance, groups helping migrants and refugees often face persecution, a form of repression which has come to be known as the criminalisation of solidarity, resulting in harassment, criminal charges and imprisonment.
Recent responses by European governments to protests against events such as Israel’s attack on Gaza have involved massive limitations or even outright bans on freedom of expression and assembly. We also know that non-violent environmental direct action movements are of interest to the police at a European level. Peaceful protesters are frequently arrested, leading to the creation of police files. The issues this raises for civil liberties are now compounded by the increased ability of police forces to access such information across borders.
An interconnected police records system will facilitate cross-border access to information on protesters and activists. Unlike facial image searches, which require a crime with a minimum one-year sentence for search purposes, no such threshold exists for police records searches under the Prüm II rules. This means vast amounts of potentially irrelevant or unlawfully collected data can be readily accessed by authorities, providing new avenues for monitoring people exercising their rights.
Given these developments, there should be heightened scrutiny from civil society groups and journalists regarding the contents and legality of police systems, as well as the legitimacy of information included.
While these issues may appear technical on the surface, they carry significant ramifications for civil liberties and democratic freedoms. The risk of excluded groups being disproportionately targeted for inclusion in police databases underscores their broader societal implications.
How should the EU balance security with the protection of rights?
I would rather rephrase the question. There is a framing that pits security against rights, implying that sacrificing rights is necessary for ensuring security. This dichotomy is not necessarily accurate or helpful. Security and rights are not inherently opposing concepts.
What truly fosters safety and security is addressing the root causes of insecurity: inequality, lack of opportunity and social exclusion. Access to education, employment, healthcare and community support are essential components of a secure society and they do not require expanded police powers.
By reframing the discussion in this way, we can challenge the dominant narratives and advocate for more holistic approaches to security that prioritise social wellbeing and human rights.
That being said, there are data protection provisions within the law as it stands that will be important for protecting people’s rights, primarily the data protection rules. However, there is often a disconnection between the enactment of laws and the allocation of resources for supervisory authorities. Laws requiring new tasks of data protection authorities are passed frequently, without those authorities being given any more resources. Many data protection authorities are understaffed and underfunded, undermining their ability to effectively oversee compliance with data protection regulations.
If governments are not even willing to fund basic data protection enforcement activities adequately, their commitment to upholding rights is clearly questionable. Even if we take the question at face value, looked at from this angle it is evident that the EU and its member states are failing to balance security and rights.
Get in touch with Statewatch through its website or Facebook page, and follow @StatewatchEU on Twitter.
