The Sky elliptic-curve cryptography (Sky ECC) operation is a prime example of a data driven investigation. The collection of approximately 1 billion messages from 70,000 phones paved the way for hundreds of criminal investigations, resulting in numerous convictions in the Netherlands and Belgium alone. This article addresses how the Sky ECC operation interferes with the right to privacy and the right to a fair trial. We examine whether or not, and on what terms, there is a future for data driven criminal investigations. Our main research question is therefore how data driven criminal investigations can be (better) regulated in order to be in line with case law of the European Court of Human Rights. To answer the research question, the main characteristics and legal criteria for data driven investigation are identified. These criteria derived from the right to privacy and the right to a fair trial. Finally, we examine the impact of a violation of these criteria for the use of evidence in criminal proceedings. The research uncovers a disconnection between data protection regulations and criminal procedural law. It highlights that practitioners concentrate primarily on the collection phase, governed by criminal procedural law, whereas the most urgent questions relate to the respect of data protection law and the right to a fair trial. This finding suggests an ongoing discourse relating to the transparency of data driven criminal operations like Sky ECC and the need to address concerns regarding the reliability of evidence.

Vice President for Promoting our European Way of Life Margaritis Schinas, stated at the time of the adoption of Europol’s amendment that “Europol is a true example of where EU action helps protect us all. Today’s agreement will give Europol the right tools and safeguard to support police forces in analysing big data to investigate crime and in developing pioneering methods to tackle cybercrime.” While some characterized the changes as an achievement for the adaptability and operational role of Europol, others argued that it undermines fundamental rights and weakens data protection. This paper analyses the amendments made to the Regulation and explores Europol’s increasing role of in national investigations and the associated dangers of it. The paper starts with a historical analysis of Europol’s legal framework and role in national criminal investigations, before diving into the core of the Regulation. After 2022, Europol supports Member States’ investigations in many ways. First, through the continuous retention of large and complex datasets, which was strongly criticized by NGOs and the EDPS. Second, through the transformation of Europol into the information hub and broker for the exchanges of data with private parties. Third, more indirectly, through Europol’s support of research and innovation projects, for national authorities to use and explore new technologies in their work. However, these amendments are not without dangers. The Regulation of 2022 pushes the boundaries of Europol’s competences further, by circumventing existing limits and questioning the legality of the operations. The stronger role of Europol lacks sufficient safeguards and efficient oversight. This is highly problematic considering the impact Europol may have on national investigations, and as a result on the situation of individuals.

Current technological developments fuel the need and opportunities for data-driven policing that criminal enforcement authorities are eager to employ. Data-driven policing implies a combined use of data collected through various methods and for various purposes and begs the question on the limits to be set for the re-use of data for criminal investigation and intelligence purposes. The purpose limitation principle as enshrined in the Law Enforcement Directive (LED) provides those limits. Looking at data-driven policing through the lens of the principle of purpose limitation, particularly two problems are visible. First, there is an inherent tension between data-driven policing and the principle of purpose limitation. In essence, one of the goals of purpose limitation is limiting the aggregation and re-use of personal data, whereas this aggregation and re-use of personal data is one of the main reasons for criminal law enforcement authorities to use data-driven policing methods. Second, the meaning of the principle of purpose limitation and the conditions for its application in criminal investigations are not clearly defined and the precise implications for national implementation of this principle are ambiguous. The paper aims to contribute to the debate on how the principle of purpose limitation can be implemented in national jurisdictions in a way that balances its important safeguarding function and the needs of law enforcement authorities. This is done by examining the meaning and rationale of the principle of purpose limitation within the legal framework of the LED as well as what guidance can be drawn from human rights case law from the ECtHR and the CJEU, as it is widely acknowledged the rationale of purpose limitation is rooted in the need to protect the individuals’ rights to privacy and to prevent abuse of power by the authorities.