Vice President for Promoting our European Way of Life Margaritis Schinas, stated at the time of the adoption of Europol’s amendment that “Europol is a true example of where EU action helps protect us all. Today’s agreement will give Europol the right tools and safeguard to support police forces in analysing big data to investigate crime and in developing pioneering methods to tackle cybercrime.” While some characterized the changes as an achievement for the adaptability and operational role of Europol, others argued that it undermines fundamental rights and weakens data protection. This paper analyses the amendments made to the Regulation and explores Europol’s increasing role of in national investigations and the associated dangers of it. The paper starts with a historical analysis of Europol’s legal framework and role in national criminal investigations, before diving into the core of the Regulation. After 2022, Europol supports Member States’ investigations in many ways. First, through the continuous retention of large and complex datasets, which was strongly criticized by NGOs and the EDPS. Second, through the transformation of Europol into the information hub and broker for the exchanges of data with private parties. Third, more indirectly, through Europol’s support of research and innovation projects, for national authorities to use and explore new technologies in their work. However, these amendments are not without dangers. The Regulation of 2022 pushes the boundaries of Europol’s competences further, by circumventing existing limits and questioning the legality of the operations. The stronger role of Europol lacks sufficient safeguards and efficient oversight. This is highly problematic considering the impact Europol may have on national investigations, and as a result on the situation of individuals.

Current technological developments fuel the need and opportunities for data-driven policing that criminal enforcement authorities are eager to employ. Data-driven policing implies a combined use of data collected through various methods and for various purposes and begs the question on the limits to be set for the re-use of data for criminal investigation and intelligence purposes. The purpose limitation principle as enshrined in the Law Enforcement Directive (LED) provides those limits. Looking at data-driven policing through the lens of the principle of purpose limitation, particularly two problems are visible. First, there is an inherent tension between data-driven policing and the principle of purpose limitation. In essence, one of the goals of purpose limitation is limiting the aggregation and re-use of personal data, whereas this aggregation and re-use of personal data is one of the main reasons for criminal law enforcement authorities to use data-driven policing methods. Second, the meaning of the principle of purpose limitation and the conditions for its application in criminal investigations are not clearly defined and the precise implications for national implementation of this principle are ambiguous. The paper aims to contribute to the debate on how the principle of purpose limitation can be implemented in national jurisdictions in a way that balances its important safeguarding function and the needs of law enforcement authorities. This is done by examining the meaning and rationale of the principle of purpose limitation within the legal framework of the LED as well as what guidance can be drawn from human rights case law from the ECtHR and the CJEU, as it is widely acknowledged the rationale of purpose limitation is rooted in the need to protect the individuals’ rights to privacy and to prevent abuse of power by the authorities.