Serious Privacy

The truth and nothing but the truth: Europol (with Daniel Drewer and Jan Ellermann)

April 19, 2023 Paul Breitbarth and Dr. K Royal, Daniel Drewer and Jan Ellermann Season 4 Episode 13

In this episode of Serious Privacy, Paul Breitbarth of Catawiki and Dr. K Royal of Crawford & Company connected with two key individuals at Europol: Daniel Drewer, who is the head of Europol's data protection office, and Jan Ellermann, one of the senior experts. Europol isn’t quite the way it is portrayed in the movies, so tune in for the real story.

You can probably imagine the amount of personal data that is needed to make all the crime analysis. Because of that, Europol for a long time already claims to have one of the most robust data protection frameworks in the world of law enforcement. Our guests today are responsible for that framework. Daniel and Jan talk about what it means to protect personal data in a law enforcement context, when every piece of personal data could be the missing piece of the puzzle.

More information on the Eden conference later this year is available here.


If you have comments or questions, find us on LinkedIn and IG @seriousprivacy @podcastprivacy @euroPaulB @heartofprivacy and email podcast@seriousprivacy.eu. Rate and Review us!

Proudly sponsored by TrustArc. Learn more about NymityAI at https://trustarc.com/nymityai-beta/

#heartofprivacy #europaulb #seriousprivacy #privacy #dataprotection #cybersecuritylaw #CPO #DPO #CISO

AUTO-TRANSCRIPT FROM RECORDING; NOT COMPLETELY ACCURATE. PLEASE REFER TO THE AUDIO RECORDING IF THERE IS A QUESTION

[00:00:00] Paul Breitbarth: If you are a movie fan, you may recall Catherine Zeta Jones playing a Europol agent in Oceans 12 swinging her gun making arrests in the field similar to what an FBI counterpart would do in the United States. But the reality of Europol is quite different. Based in the Hague just a few minutes away from my house, actually, the European Police Agency's main mission is to support the EU member states and selected third countries in preventing and combating all forms of serious international and organized crime, cybercrime and terrorism.

Think for example, about taking down hacker marketplaces, selling stolen identities, or dismantling drug trafficking. You can probably imagine the amount of personal data that is needed to make all the crime analysis. And because of that, Europol for a long time already claims to have one of the most robust data protection frameworks in the world of law enforcement.

Our guests today are responsible for that framework. Daniel Drewer is the head of Europol's Data Protection Office, and Jan Ellermann, one of the senior experts. They talk to us about what it means to protect personal data in a law enforcement context when every piece of personal data could be that one missing piece of the puzzle.

My name is Paul Breitbarth.

[00:01:25] K: And I'm K Royal and welcome to Serious Privacy. So I'm on the road and I don't have my book for the unexpected questions, so gentlemen. I'm gonna create an unexpected question, and I wanna ask, if you were gonna be a criminal, what kinda criminal would you be?

[00:01:43] Daniel: That is really, that is really an unexpected question. And but first of all, thank, thanks a lot for having us and you are a fantastic podcast that, 

[00:01:51] K: Oh, thank you. 

[00:01:53] Daniel: Jan and I, we both enjoy when we listen to it. Yeah. What kind of criminal? I hope somebody that will not create too much damage.

[00:02:02] K: I like it.

[00:02:03] Daniel: Yes, that is maybe also bit simple, you know I come from Hamburg and, and also come very much from the north of Germany. And we have at least in the harbor city of Hamburg, we have a criminal scene that is very traditional and they have their old code of conduct. I don't know if they apply it still today, but they say we are serious criminals.

But what we will never do, we will never harm women. We will never harm children. We stay in our network. So probably, of course I don't want to be a criminal, but it, it would be then in, it would be in that direction, but great question. Thanks.

[00:02:44] K: I like having that honor as a criminal. 

[00:02:48] Paul Breitbarth: so Jan, what about you?

[00:02:49] Jan Ellermann: Yeah, I, I subscribe and I guess like in the real world, I would probably then be the deputy of the, of the big boss of the organized criminal network and the guy for the confidential jobs. But I couldn't expand on that here. Of course. So but ethics are very important. And of course we would also fight for full compliance with fundamental rights in that particular role.

[00:03:16] K: I like the honor among criminals. Paul, where are you going with

[00:03:20] Paul Breitbarth: Could I be a thief of hearts?

[00:03:22] Jan Ellermann: You are, I think you are.

[00:03:25] Paul Breitbarth: No. But if I were to be a real criminal, then probably being from the Netherlands, something drugs related would make sense because that's easiest to get into.

[00:03:33] K: Drugs. I like that. I'm sitting here thinking, you know, the other day the question came up, which I rarely ever admit to, but I'm gonna, right now, what did I want to be when I grew up, I wanted to be a madam and run all the, the prostitutes.

[00:03:49] Paul Breitbarth: Well, that would not be illegal here.

[00:03:51] K: that's right. It might not be a criminal on your side. So on your side, maybe I'll go for speeding. Is that.

[00:03:57] Jan Ellermann: It can be, it depends on your speed, but we assure you would manage. Yeah.

[00:04:01] Paul Breitbarth: with that car of yours, you could certainly manage.

[00:04:04] K: Absolutely. Okay, let's get to the real interesting questions then, which are not the unexpected questions. It's the substantive matter. So Paul, you're up first.

[00:04:15] Paul Breitbarth: Yeah. Well, I think the easiest question to start with is what is Europol? Because a lot of our listeners will not be as familiar with the organization as I am. I mean, I've spent quite a bit of time with the both of you while I was still working for the Dutch DPA. Also part of the joint supervisory body of Europol, which at the time was all the assembled European data protection authorities supervising Europol's data processing.

[00:04:41] Paul Breitbarth: So I've seen quite a lot from the inside but I think you can, you can better tell what Europol actually is.

[00:04:49] Daniel: Yes. Thank. Thanks, Paul. I, I will, I will try to, to not to use the word Interpol when I describe Europol. But I mean, Paul, you know, I mean, we, we know each other when you were still in joint supervisory body for Europol, and you, you are from The Hague. So Europol is the EU law enforcement agency, and it was always in the Netherlands, there are our headquarters. We support EU member states in preventing and combating organised crime, cyber crime, and terrorism. And indeed, Paul, at the start you mentioned I think it was Ocean's 11, the movie with Catherine Zeta Jones.

[00:05:27] K: Those were criminals,

[00:05:29] Daniel: Those were, that were the, there were the serious criminals.

Yeah. And at that time there were, there was already one mistake in that movie. I mean, there were several mistakes. One mistake was certainly that Europol is not in the position to take coercive measures. So you saw Catherine Zeta Jones going around with a gun in Amsterdam.

Right. And the second mistake were also very important, I guess, for, for, for Paul, is that Europol is not in Amsterdam, but in The Hague. And it has been always, it has been always in The Hague. So so what are we talking about when we talk about Europol as a, as the EU Law Enforcement Agency? So there's a 1,400 plus workforce working here in the Hague. 250 plus liaison officers. So that is actually officers that join us from EU national law enforcement authorities.

They are also all in the. So there's 250 liaison officers from the EU member states, and also from the third states. They're with us here in the Hague. Europol follows a multi-agency approach, so it's not that we have only one police force represented here. There are always all police forces from the national level represented here at Europol.

Just as an example, if I look at the Italian law enforcement landscape, if you want, we have here with us one representative of the Carabinieri, another one from the Polizia di Stato and one from the Guardia di Finanza. They work on one corridor with the Swedes and they work on one corridor with the Danes. So that means police cooperation, and you could say Europol is a criminal information hub, takes place here on our dedicated systems that we have for this, but also by actually crossing the corridor and just visit the other country, the office of the other country, and exchange with them information that we need in the, in the fight against organized crime and and terrorism.

We have more than 2,600 secure lines that go into the EU member states and third states.

And maybe we can talk later a bit more. What are the third states and what is our close cooperation there? And we connect them with, with a system, with a nice with the name of the, of the town, Siena. So this is our Siena system. Paul actually also inspected it in the past, but it grew immensely during the, during the last years. So we talk about two, 2,600 secure. If you are in the Hague and you are close to the international zone and you are back from one of the nice bars in the Hague City Center at three o'clock in the night and you pass the Europol building, you will see that there are four towers and the tower that is the highest has always the light on on top of it.

And there's our operational center with 24 7, colleagues present there in emergency situation that couldn't respond directly to to, to situations that are brought by the member states to us. We have analysis projects at Europol where we look at different crime phenomena, be it drugs, be it terrorism, where we process data and analyze data with 150 plus analysts that are working here in the headquarter.

So what more than 150 analysts are looking at. It, it is always difficult to bring numbers with the vast amount of data that we receive from, from member states and as data protection experts. Not all this data is also personal data, but most of the, of the data is personal data. But if you look at Europol's information system we have there more than 1.5 million data sets about suspects data about offenses individuals involved linked to criminal offenses. And this European information system is regularly updated if you want to ensure that the data is accurate and available for the police forces amongst the European. I think that is a bit a broad overview that I want, want, want to give, but I think it is important, it's criminal information hub, and it is, it is the focus of the police cooperation in the European Union and beyond.

[00:09:58] Jan Ellermann: And, and maybe if, maybe if you just allow one more sentence on what it is not. Daniel already mentioned it, like we are not the European FBI. We don't have coercive power. So talking about Zeta Jones in Ocean's 12, my favorite scene in the movie really is the one where Zeta Jones also known as agent.

If I'm not mistaking, enter the crime scene in Amsterdam, and she's utterly rude to the local investigator. She says something like, Agent Keeran, Europol. From here on, we take over the investigation, and by the way, I hope you guys haven't contaminated the crime scene. So this is very unpolite of course.

And she could have known better because I happened to be an intern back in 2003 when the rumor was spreading that Zeta Jones would be visiting Europol headquarters to see what real Europol agents look like. And then things even got more out of control when the rumor was that Brad Pitt would be joining her.

So you can imagine that everybody was incredibly excited because we all thought, okay, probably it's gonna be me to explain all of that to her. Ultimately, personally, I know one human being who really met Zeta Jones, that was the then director of Europol, Orbe and there was a picture in the hallway showing him and Zeta Jones, which by the way, was stolen at some point.

So there is a crime ongoing even within the building at times.

[00:11:20] Paul Breitbarth: Very nice. So yeah, I think I, I think that is the biggest misconception. If people see Europol in, in, in popular media it is always about being very active in the field, whereas, in my words, it's much more coordinating what is happening in the field, and especially when it comes to the data, making sure that all of that is exchanged, that people know from all the different member states and the third countries.

This is the information that is relevant to this specific informa to this specific investigation.

[00:11:51] Daniel: Yeah. Yeah, indeed. And, and once again, everybody thinks Europol's somewhere in the European Union, but nobody knows exactly. I just, yesterday evening, I saw a thriller on tv. And the, the agent there said sh she's now transferred to Europol to Brussels. I think Paul first as somebody from the Hague.

I don't know how you can tolerate this. Yeah, you, you, you should not know, but, but indeed there's, there's, there's the, I think the more Europol got into the focus of media, the more this fiction stories are around about Europol and we, we see all kind of interesting developments and even taxi drivers.

In in The Hague are sometimes wondering, because I think I was, I was working only for five years or six years at and I came back from a mission and I took the taxi from the, from the Central Station home and then we passed at that time the old Europol building and the taxi driver, he thought that I'm a tourist and he said, well, here is where Interpol works.

[00:12:55] Daniel: So you see even the people from The Hague, they don't know sometimes, but

[00:12:59] Paul Breitbarth: I think by nowaday they recognized the new building with the four towers that you, that you just described. Jan, you mentioned that you were an intern, intern at Europol. Now you are in the data protection office. How did you end up there?

[00:13:12] Jan Ellermann: That was execution of a master plan to a certain degree. So I, I started with a PhD back in 1999, I believe. Comparing Europol with the FBI because at that time, it was very popular in Germany to call for exactly that. So it was Chancellor Kohl, I believe who said Europol should be the European FBI.

And then I thought if everybody is talking about that, maybe somebody should take a closer look, and if you take that closer look you come to the conclusion that of course till this day the FBI is one of the most powerful agencies in the world. But if you study the history, there are also dark chapters, which de definitely we don't want to see repeated at Europol also from privacy and data protection perspective.

So as you guys know, under the lead of J. Edgar Hoover the FBI had hidden files. And for instance, when Kennedy was president, the FBI would let him know, you know I think they spoke to his brother. And, and they said something like, if you could just convey to the president that we've come across that little thing with Marilyn Monroe, but don't, don't worry about it.

The information is safe with us. So that was blackmail basically, and was to keep J. Edgar Hoover in power which he, which he stayed until his death in 1972, if I remember well. So that was, I, I came to Europol from a research angle. I basically kind of blackmailed the organization because at some point I told them, I, I called them and I said, I'm doing a PhD on your organization.

And there are two possibilities. Either you allow me to come in and ask a lot of critical questions. And if you have good answers to these questions, I'm happy to also write them down. Or option two is you say that's not possible, but that will just leave me with what I can read in the academic magazines and journals and publications.

And that is rather, rather, and then it took like a week or something and they got back to me and said, well, you are in, you can come and you can ask your questions, and we are happy to answer them. And when I then joined Europol indeed back in 2003, I met a lot of very committed colleagues, and to be honest, already at that point the idea grew in my head that someday I wanted to be part of this which then happened in 2007.

And since I'm working with Daniel to get it right, that's safe.

[00:15:37] K: let me jump in here because I'm gonna have to jump off a little bit here soon. But let me just ask, so when you talk about, you know, the worst case secret in the FBI with Marilyn Monroe, that's one thing, but When you look at this criticism that the US is undergoing with a massive government surveillance, knowing that y'all have the fundamental right to privacy in Europe, what are your thoughts on that? Because we know that all governments have to have surveillance for terrorist threats and you know, bad crimes that are going on.

What are your thoughts?

[00:16:08] Daniel: Yeah, thank thanks.

[00:16:10] K: Or is that a question I shouldn't be asking?

[00:16:12] Daniel: No, no, no, no. About that. I mean, that is that is a question to be expected. But of course if, if, if you have an organization like Europol that is processing a vast amount of data, although I always say it's true that law enforcement processes more data than 10 years ago.

But isn't this true for all areas of the society? I mean, look at insurance companies. Look at internet companies. Look at your iPhone that you have. 10 years ago it looked completely different. That had less storage capacity. Still, still, of course, processing of personal data or processing of information by the police is always, in my personal view also a litmus test for democracy.

If you want to know how does, yeah, how, how is, how is police actually towards its citizen, towards the citizen in the society? One of good tests that you can do is actually to see how do they process the personal data in, in the law enforcement environment. And so you see the same question comes all over again when we talk about Europol's cooperation with.

One of the key questions as always, how is the third state complying with human rights, but also do they have a data protection system in place that is comparable to the system that national law enforcement in the EU has? I see Jan that is very keen to answer. That is the question that you, you had.

And so I, I would like to leave it up to him because actually I can also reveal this on that topic that you asked. We actually wrote an article that is not yet published, but will be published soon, but maybe

[00:17:51] Jan Ellermann: No. Yeah, no. Just to complement because I think it's a very valid and a very good question. I think let's say the concerns regarding mass surveillance by governments are understandable. And our job is really to listen carefully and to also stay in touch with all those activists and NGOs who are out there with a very legitimate aim to prevent a 1984 Orwellian mass surveillance state.

And I fully, I fully support that. Yeah. Sorry. Kay. Yeah.

[00:18:23] K: was just agreeing with you because, one of the things that very much comes up is the big brother, the, the government oversight from that. But we all know that terrorism and major crime is a huge split to all areas of the world. And how else is the government supposed to keep their people and their country safe unless they are doing some sort of surveillance to find. but I, I have one specific question then. So if you are doing, like, I'm going back to the movies, the wiretaps. If you're doing the wiretaps and you're intercepting phone calls or communications or a communication construct like using what is it, WeChat or Snapchat or things like that, what do you do about the incidental, oh, sorry, another plane.

[00:19:03] Jan Ellermann: But, but it's good. The airplane interrupts you because there, I need to correct you. Europol doesn't do any wiretaps, so we don't, we don't do that. That's for national law enforcement authorities to do that and then to share the information with us for crime analysis, just to.

[00:19:19] Paul Breitbarth: big difference. Yeah.

Yeah, absolutely.

[00:19:21] Jan Ellermann: Yeah. Because for us, it's not at our discretion to say we find this or that interesting. And hence we tap into the communications. All these are coercive measures in the legal sense, and they are subject to national sovereign. Allow me just, Two more sentences on the dialogue with let's say critics and activists and NGOs and so on and so forth.

We're investing into that. And we understand that this is important because at law as law enforcement, we also need to be aware of the concerns out there. And this is where we have founded something which is called Europol Data Protection Experts Network. So under the nice abbreviation, EDEN. And EDEN is there to keep in touch and to talk about things because we all benefit.

If we listen carefully to those who are very concerned about mass surveillance, we can learn a lot, but it also works the other way around because we also need to explain as as members of Europol's data protection function, what is driving our operational colleagues and kind of translate it into the privacy and data protection bubble.

And this sometimes results in really, really interesting discussions. Yeah. Most of the times, a bit like the one we have right now with you guys.

[00:20:28] Paul Breitbarth: I love it and I wish more people here in the US government would listen, but , that's a whole nother podcast.

[00:20:35] Paul Breitbarth: Well, I mean, they can start by listening to this episode and then we'll learn from there. But there are good relations between Europol and also the US counterparts. Right.

[00:20:44] Daniel: Exactly. And then, and maybe I like always the, the description, what Jan already mentioned that this, that the information that we get is actually the, the chosen information is selected information. From member states. So I, I mentioned the 1.5 million data sets in, in the Europol Information System.

But this is handpicked information that is information that third states and the EU member states decided to share with Europol. Cause they believe Europol needs this information for its mission. So I know, of course in the, when, when we talk about government surveillance, we all say, well there's this haystack.

And, and you, you, you, you, you look for the needle in the haystack if you want. What we have at Europol, we have a haystack, but full of needles cause the information is already selected and there is no side information that is given which doesn't fit into our mandate because then we simply cannot accept it.

If we get this kind of information, we would say, sorry, it doesn't fit into our legal framework and we are not allowed to accept it.

[00:21:50] Paul Breitbarth: So when you have so much data and so much personal data, because you mentioned most of these files relate to individuals, how do you go about data protection? Because that, I think Europol is one of the few law enforcement agencies that was actually created at the time when data protection already started to be an issue.

So you could probably take a bit of a privacy by design approach.

[00:22:16] Daniel: Exactly the why there are, we have to say that, that Europol started activities already in, in 1999, and if you look at the the first legal framework that Europol got, the Europol Convention, then you see already there are two chapters only on data. Only on instructions actually for Europol and also the member states how to process data.

The dos and don'ts were already in the first framework and what we saw over the years. So I joined Europol in 2003. That the, the, the, frameworks that we got after the Europol Convention got even more sophisticated when it comes to data protection. The, the rules became more strict, but I have to say on the one side, more strict on the other side, also, Europol had more possibilities

to extend on its operational activities, like for example, when, when I started at Europol, we had not operational centers like we have now with the European Cyber Crime Center. And Europol is also, by the way, because the legislator and the parliament especially trust Europol in being good in data protection in this particular sensitive field for police cooperation.

While the, the legislator always decided already with a Danish protocol to the, to the European Council decision, always decided to give Europol more possibility with a more sophisticated and also more restrictive data protection framework to follow.

[00:23:50] Paul Breitbarth: So it was a bit of a quid pro quo.

[00:23:52] Daniel: Yes, exactly. That's why at you could, you could say, well, there was data protection was there from day one.

And the data protection rules were there from day one. But then over the years more than two decades, the data protection culture developed. The data protection framework developed. The relation between data protection and information security and conf confidentiality developed to have one integrated data management framework for the processing of law enforcement and information and all.

We got the Data Protection Officer in 2010. Yeah, it was the the, when, when became an EU agency. Before we were an international organization. When we became an EU agency, there was also the requirement then to have one of the first data protection officers in this particular area. So that's why data protection is extremely important.

And every one of our colleagues that joins us at Europol cannot start actually with the processing of police information here and this organization without having undergone a training that includes fundamental rights, but also includes in particular, the processing of operational data, which is most of the cases personal data.

And we are quite proud of this, I have to say. Because the, the colleagues that join go certainly through a development when it comes to learn how police cooperation functions, but they also have the possibility to learn more about data protection. And then they go back into the national police forces and take this idea about how Europol operates quite sophisticated data protection rules in in information process.

[00:25:43] Jan Ellermann: No, I, I was just Daniel just mentioned it briefly, but I think I would like to emphasize that because it's a bit of history made here. So Daniel, you said Data Protection Officer was introduced back in 2010. Well, that is significant because the requirement for national law enforcement authorities to have a DPO, as we all know, was only introduced years later by means of the Law Enforcement Directive which was kind of mirroring the GDPR to a certain degree.

So I would, even in that context, go as far as saying, well, we've pioneered law enforcement or data protection, law enforcement to a certain degree by setting up an organization or cultivating a culture where this is an integral part of our operational business. Years before the legislator said no, this.

Your discretion to set it up like this. It's a legal requirement to respect fundamental rights. And in the case of Europol, of course, evidently first and foremost, the right to data protection.

[00:26:44] Paul Breitbarth: So how does Europol's current data protection framework compare to the GDPR or the Law Enforcement Directive?

[00:26:53] Daniel: That, that's a good question. But Paul, can, can I come back to, to the point that Jan mentioned about the developments that we had? So I'm just wanted to say, I think we were also the first law enforcement agency that celebrated Data Protection Day on 28th of January.

[00:27:06] Paul Breitbarth: Very good. Very nice. 

[00:27:09] Daniel: And I, I, I still remember, I think it was 2008 or 2009.

We, at that time and Jan, I think you just joined. We had the, the first time a data protection. We had always kind of something for the Data Protection Day, but then we said, okay, we need also kind of gimmicks, so kind of a giveaway for Europol staff on the Data Protection Day. And I remember at that time we gave little bottles with sun cream to Europol staff, you know, in January in The Hague, and we say, well, you know what? Privacy is about protecting yourself. And here, please, this is for the Data Protection Day, sun cream for you, little bottles of sun cream. Yeah. Already for the summer. If there's summer in, in the,

[00:27:52] Jan Ellermann: Dan Daniel, you, you forgot to mention my my idea was always to distribute condoms to to protect your more sensitive personal data, but that was heavily objected by the boss, so it always remained an idea, but

[00:28:04] Daniel: Well, it was, it was not I mean it was a budget issue at that time.

[00:28:11] Jan Ellermann: course,

[00:28:12] Daniel: sun cream was cheaper,

[00:28:13] Jan Ellermann: Yeah. Agree.

[00:28:15] Paul Breitbarth: So coming back to the earlier question on, on GDPR and the law enforcement directive, how do you, how do you measure your own framework against what everybody is familiar with?

[00:28:26] Daniel: Yes. So for, for us, we have the, I now we have the Europol Regulation with with two, two chapters with data protection provisions. And what I always say is the fact that Europol has a tailor made data protection framework, for us, it's not a burden, but it's a privilege actually because the, the framework that we that is now has been amended in June last year.

So we have now the amended Europol Regulation foresees restrictions of course to the processing of personal data, but also foresees exceptions for law enforcement. So for example, when we talk about the narrowly tailored exceptions for data subject access requests, where in comparison with the GDPR provisions Europol has the possibility when we have a citizen request

and the citizen request for access to his or her data results in a hit in our systems has the possibility by using narrowly tailored exceptions to not to inform the citizen whether he or she is in our systems or not. This is in my, this, this is in my opinion a privilege that the police has in order that we are able to fulfill our.

but it comes with the burden, which means, for example, that for the 700 data subject access request we get per year, we invest resources in this. We, the data subject access requests are handled by the data protection unit, so are handled actually by my office, which is considering that the data protection officer is independent in his judgment at Europol and in the activity of the, of the Data Protection Unit, which is an assurance safeguard also

for citizens that asked access. Because what will happen is the following, if I can go there and, because I think data subject access requests a good example to show what is the difference GDPR, Law Enforcement Directive and, and Europol Regulation. If we come to the conclusion that, for example, a suspect in a terrorism case should not get information that he or she is processed by Europol.

We could use one of the exceptions, but we have to put the reasoning on paper 

Right. Okay. Okay.

when this decision is made, nor we cannot allow access to this information. And by the way, a lot of the request from Citizen come not anymore. when I started at Euro Pole, just as a comparison, we had in 2013, we had in 2003 we had like 10 or 11 requests per year. And now we have 700 requests.

[00:31:10] Paul Breitbarth: a, that's a big

[00:31:11] Daniel: And of the 700 and that shows also the development, a bit of euro oil and the 700 request that we get. They're, they're partly coming from defense lawyers on behalf of their clients and partly come from the citizen themselves. We don't make a distinction in there because ev, it doesn't matter if the grandmother ask for access or the prime suspect in a financial crime case, everyone gets every request is handled according to the same process that we have in place.

So Europol invests, in the, in the handling of this request. We have three months to. To the request, and in most of the cases we are able to answer within three months. The reason, actually why sometimes there's a delay is that Europol has also an obligation to talk actually with all involved member states and data contributors about this specific data item.

And we take this very seriously and. The executive director of Europol uses one of the exceptions to not provide access to the data. That must be on the basis of the reasoned decision, which by, by the way, can be always overruled by the European Data Protection Supervisor. If the data subject decides to go into appeal, but I, instead of overruling the decision, I think more important.

The institute of indirect access for the citizen, because on the basis of the, of the appeal, the supervisory authority has then the possibility to actually, and you did it in the past, yourself, Paul, to actually check what kind of information on behalf of the citizen is in the database, and then make a check on the reasoning of Europol provided, and then actually decide whether the, the Europol answer responded to the data subject in the right way. So that is on one side privilege, I have to say. But comes with the burden or what I think Jan always says. What was it again? Great power comes with huge responsibility or

[00:33:10] Jan Ellermann: That's Spiderman who said that? But I quote Spiderman sometimes.

Yeah. 

[00:33:16] Daniel: Okay, here we go. 

[00:33:18] Paul Breitbarth: But contrary to, contrary to popular belief, it is not that you receive an access request. You see it's from a criminal and you say, oh no, we're not gonna say anything. So access denied. You actually do verification to see if maybe parts of the request can be, can be fulfilled. If you can share something if you can confirm, yes, we do process personal data, but we cannot share the details.

[00:33:41] Paul Breitbarth: Or sometimes indeed you just don't say anything 

[00:33:43] Daniel: Exactly.

[00:33:44] Paul Breitbarth: tell them that you

[00:33:44] Paul Breitbarth: cannot say anything.

[00:33:45] Daniel: Exactly. And I, I'm not going now into the details, but the, the resource investment, the resource investment of Europol is significant. But I think it's also justified because it is important that citizens have the possibility to to, to ask first of all, law enforcement for access or to whether data is processed by law enforcement, but then also in, in a response in, in, in line with the, with the rules, applic.

[00:34:13] Paul Breitbarth: Which is the part that you are most proud of? If you look at at Europol's data protection.

[00:34:18] Jan Ellermann: Well, I think that we have established a culture here whereby our operational colleagues understand how important data protection is. So we can really rely on the overwhelming majority of our operational colleagues to proactively approach us if they have questions. So we are available let's say, and it's not like we would be bound to accessing databases behind their backs and snooping and, and this kind of stuff would, but we've established the data protection function of Europol as an entity where also our operational colleagues understand, okay, there's added value for them because they want to do the right.

They don't want to go into unlawful data processing. But this is an investment which you have to make because I think for many data protection officers seem to be, let's say, the long arm of external supervision. And if you talk to the DPO, then you can also immediately hang yourself because the, the external data protection supervisory authority is gonna slam this and so on and so forth.

So this. And this is to my firm opinion, not how it works, but you we have a kind of mediation role on the one hand to convey the guidance by external supervisory authorities into the operational domain. And on the other hand, also when we debate things and when we have our regular meetings with EDPS colleagues to try to make, let's say the daily challenge, which our operational colleagues have in fighting serious crime and terrorism, to translate that, let's say in a way that the data protection perspective becomes tangible and understandable.

And that's something I'm proud of.

[00:35:57] Paul Breitbarth: So Daniel, when I recall my time supervising Europol data processing, and that's already quite a couple of years ago that I, that I did an inspection for the last time. But I also recall the conversations about your audits and the way you do inspections internally. And I always thought that was fascinating to see.

How do you go about actually monitoring that data protection compliance exists in an organization with almost 200, 2000 people working there with 1.5 million files. Can you talk a bit about that?

[00:36:33] Daniel: Yes. And I think you mentioned it yourself. Auditors, of course what we know, is done by auditors. And if we then talk about the data protection officer at , this is a function of this, an assurance provider to management. So our main task is actually to inform management about the health situation and data protection, compliance of the processing operation.

And in this regard, we have to do checks, of course. We have to have a look to the, to the information processing operation. And this we do regularly. And we are not just looking at it. We also document our checks that we make, but I. It is important. I think two, two points are here in particular important.

The first point is we do the checks always with the intention and with the mission to make the data processing operations better. If we find something where we think this is not in line with the legal f. , we support the controller to bring it into data, into data protection, compliance as soon as possible.

So we are not going through the organization and doing on behalf of the supervision, the checks. We go through the organization where we believe it is worth to make the checks to invest resources in, in this regard. Cause resources are everywhere scarce, although I have to say the data protection function of Europol, I think is, is still the biggest data protection unit of all EU public service.

And I think that should be also mentioned. But of course we cannot be with eight colleagues. We cannot be every. And I also don't think it's even necessary to be everywhere. Looking at the, the, the, the accountability shift of the controller in the EU data protection reform package. But we are in the best position to look there where we think it's absolutely necessary now to have a closer look and then immediately afterwards together with the controller look at improvement.

Of course, there might be cases where we have a look and we say, well, this is absolutely not possible. And then there's the possibility to escalate and if you want to, to, to, to, in a very clear language to say, this has to stop now.

[00:38:48] Paul Breitbarth: Mm-hmm.

[00:38:49] Daniel: Because this is not in, in our opinion, the, the agency takes risks and they are we have to warn in this regard.

And then the data protection officer has the possibility also to escalate it. But I think, is important that the controller, and in this case at Europol, the police officers see the data protection function as a companion actually to achieve data protection compliance in the law enforcement environment.

So if you ask me what I'm proud of, e especially in the development of Europol over the last two decades, is I think you can now ask any Europol official about his work, anyone will say to you yes, I'm, I'm fighting organized crime and terrorism and I do this with police cooperation and with analysis, but there is data protection part of the package.

If data protection is not part of this product, it's not a good product. I can probably not use. Later on in front in a judicial proceeding. So I think there's a data protection culture that developed over the years and the good thing is that the executive director of Europol decided some years ago to say, well, I think what the work of the data protection office at Europol is something that can lead as an example also to other data protection officers in the.

Environment on national level. And therefore she decided to establish a working group of the data protection officers of the national police forces right here at Europol, where there's actually no difference anymore if you have the experts on synthetic drugs meeting in The Hague and talk. The fight against production of synthetic drugs or the data protection officers of the National Police forces meeting at Europol and discussing operational matters that are important when we talk about data protection compliance, and this is something we enjoy.

And I think it's a very important. But this is ris as we talk now about the last two years or briefly before Covid we started and this develops, and that is, I think the important part. It is sensitive work that we are doing in the law, law enforcement environment. It is somehow also considering the changes in the legal framework, sometimes work and pro.

Like it is in all other areas of the society when we talk about data protection, but in particular in the area of law enforcement that simply has to be recognized sometimes is work in progress. And we are working very hard to, to, to get there. And if we are able also to share our expertise with national Data Protection Officers and allow.

To have a platform where they, they, they can help each other and support each other. That's very good because, you know, Paul, yourself, you're also data protection officer. Data protection officer is, it doesn't matter where you work. Sometimes quite a lonely 

[00:41:55] Paul Breitbarth: Of course it can always be. 

[00:41:56] Daniel: Yeah.

[00:41:57] Paul Breitbarth: that's that's for 

[00:41:58] Daniel: Yes. Yeah. So you look to the left and the right and all of a sudden, when, when situation gets critical, then there's nobody anymore.

Luckily for me, not because I have and all the other colleagues in my unit that are, that stand with me together, but this is, it is important that data protection officers exchange, in particular, in the area of, of police, it is important that they have this platform here, here at Europol and we are very happy to, to sponsor.

[00:42:23] Paul Breitbarth: So we are at the end of our recording time. Is there anything that you really had wanted to, to bring across that we haven't covered yet? Because I, I still have dozens of questions that people could be interested in. We do not have the time for that today, but if there are any issues that you would have wanted to raise, then please feel free to do so.

[00:42:42] Daniel: I think it should be Eden. You mentioned

[00:42:44] Jan Ellermann: I mentioned Eden, but indeed I would seize the opportunity to invite you, Paul, but also all the people who may listen to your podcast to join us in Madrid for the next upcoming Eden conference. Whisper us of contrast. It's called 18th and 19th of September. So they say the weather is gonna be amazing, so Madrid is the best place on the planet on that particular day.

And if you like, let's say the kind of debate we are having here at the Eden Conference is full of that with really inspiring speakers and yeah, that would maybe be something could still have to mention.

[00:43:20] Daniel: And, and Paul, if I may also mention something we had at Europol, we had in 2022 an escape room challenge where all units of Europol were allowed to participate. And I just wanted to mention a data protection unit of Europol won this challenge with a huge advance to the other, I think has also to be said.

[00:43:41] Paul Breitbarth: Very good. Well, on that happy note, we'll end another episode of Serious Privacy. Thank you both for joining us this week. If you like these episodes, like and subscribe to the podcast in your favorite app or on your favorite podcast platform, join the conversation on LinkedIn. Find us under Serious Privacy. You'll find K on social media as Heart of Privacy and myself as EuroPaulB. Until next week.

[00:44:06] K: Bye y’all