Challenge Europol Data Transfers to Third Countries

Europol has established operational cooperation agreements with a number of countries outside the European Union, commonly referred to as third countries. These agreements allow Europol to share personal data — including data about suspects, associates, and persons of interest — with law enforcement authorities in those countries.

Current Europol cooperation partners with data transfer agreements include the United States, Australia, Canada, Switzerland, Norway, Iceland, Liechtenstein, North Macedonia, Albania, Montenegro, Bosnia and Herzegovina, Serbia, Moldova, Georgia, Ukraine, Colombia, and Israel, among others.

For individuals, these transfers can have profound consequences. Data that originates in EU criminal proceedings — even where no conviction has been obtained — can end up in the hands of law enforcement agencies in countries that may have very different standards for fair trial, data protection, and human rights.

Article 25 of EU Regulation 2016/794 sets out the conditions under which Europol may transfer personal data to third countries. These conditions require either a formal adequacy decision by the European Commission finding that the third country provides an adequate level of data protection, an appropriate safeguards agreement between Europol and the third country, or the application of derogations for specific situations.

The adequacy standard under the Europol Regulation is high — and many of Europol’s current cooperation partners have not been the subject of adequacy decisions covering their law enforcement data processing. This means that in practice, some transfers rely on safeguards agreements whose adequacy is open to challenge.

The European Data Protection Supervisor (EDPS) actively monitors Europol’s data transfers to third countries and has, on a number of occasions, questioned the adequacy of the legal basis for specific transfers. This creates a meaningful opportunity for individuals to challenge transfers that may lack adequate justification.

Third-country data transfers present particular risks for certain categories of individuals:

• Nationals of countries that have cooperation agreements with Europol — data about you may be shared with your home country’s authorities, creating extradition or arrest risks
• Individuals subject to proceedings in any EU member state — data may be transmitted to authorities in your country of residence or citizenship
• Business executives whose companies are under investigation — financial intelligence data may be shared with regulatory authorities in the USA or other partners
• Persons subject to EU or UN sanctions — asset freeze data and supporting intelligence may be transferred to partner countries
• Individuals who have fled politically motivated prosecution in their home country — data may re-enter that country’s law enforcement systems via Europol’s cooperation network

To challenge a third-country transfer, it is first necessary to establish that the transfer has taken place or is anticipated. This typically requires filing an access request under Article 36 of the Europol Regulation to identify what data Europol holds and the nature of any transfers.

Once the transfer is identified, a deletion or restriction request can be filed, arguing that the transfer lacks adequate legal basis — whether because the receiving country does not have adequate data protection standards, because the transfer agreement does not meet Article 25 requirements, or because the transfer violates fundamental rights.

If Europol refuses to restrict or halt the transfer, an EDPS complaint provides an additional avenue. The EDPS has specific powers to investigate the adequacy of Europol’s international data transfer arrangements and to order remedial action.

In urgent situations — for example, where a transfer to a third country creates an imminent extradition or arrest risk — emergency measures can be sought to restrict processing on an interim basis while the substantive challenge is being pursued.