The outgoing EU Ombudsman, Emily O’Reilly, has ruled in response to a complaint by former Pirate Party MEP Patrick Breyer that it constitutes “maladministration” for Europol to have green-lighted an official moving to the chat control tech service provider Thorn without imposing any restrictions, despite potential conflicts of interest. The official was even allowed to continue working in the same role at Europol for two months before the transition. “Europol failed to deal with the above conflict of interest situation, putting at risk the integrity and impartiality of its actions,” the Ombudsman stated in her decision.

The official, Cathal Delaney, had worked on an AI pilot project for CSAM detection at Europol and, after moving to Thorn, was registered as a lobbyist in the German Bundestag. In his new role, he attended a Europol meeting with former colleagues to present a product. Europol has now pledged additional measures to prevent conflicts of interest, including reassignments, changes in duties, and revoking access to sensitive information for employees planning to switch jobs.

Breyer welcomes the outcome: “When a former Europol employee sells their internal knowledge and contacts for the purpose of lobbying personally known EU Commission staff, this is exactly what must be prevented. Since the revelation of ‘Chatcontrol-Gate,’ we know that the EU’s chat control proposal is ultimately a product of lobbying by an international surveillance-industrial complex. To ensure this never happens again, the surveillance lobbying swamp must be drained.”

Note: The decision of the EU Ombudsman is available here. The highly controversial EU chat control proposal remains stalled, as there is neither a qualified majority among EU states to abolish digital confidentiality and break secure encryption nor a majority to remove chat control from the proposal.

My statement concerning the Ombudsman’s inquiry:

Dear Sir/Madam,

thank you for giving me the opportunity to make observations. I note from your report that in the first case, Europol “forgot” to impose restrictions on former staff that were hired by Thorn, and in the second case the former official didn’t even request permission to undergo the assessment, without consequences. Also any requirements imposed on former staff are not being monitored.

Let me start by pointing out that Thorn may formally be a non-governmental organisation, but it is an extraordinary one in multiple respects and is better described, as it described itself, as a “a non-profit start-up”. According to a report, Thorn has made millions of dollars with software sales, pays several employees six-figure salaries and is closely linked with Big Tech. It own shares worth 930,000 US dollars. It spent 600,000 € for lobbying in 2022 alone, including for hiring PR firms. None of this is remotely conceivable for the typical European NGO. It should also be noted that Thorn, even though it is not working for shareholder profit, has a commercial interest in software sales to fund its own activities.

The first thing that strikes me from your meeting report is that when assessing potential conflicts of interest, Europol seems to focus only on direct commercial advantages the new employer may seek (particularly in procurement), and only on protecting Europol’s own integrity. This is far too narrow an understanding. It fails to cover hiring former Europol officials for lobbying purposes, namely for influencing legislation and Commission decisions. For example, Europol is closely liked to DG Home. If a former Europol official uses his internal knowledge and contacts, as well as his former position, to lobby Commission staff (who he may know personally) concerning legislative processes on behalf of a stakeholder with commercial interests, this is precisely what procedures need to prevent, at least for a cool-down period.

In the case of the second staff member who failed to request authorization, has the matter been referred to Europol’s Internal Investigations Service (IIS) to assess, in coordination with OLAF, if there has been a breach of professional obligations, and have disciplinary proceedings under the EUSR been instituted? Without automatic sanctions, one cannot reasonably expect that trust alone will ensure compliance. I don’t see why any discretion would be justified in this process. The IIS should always be asked for an assessment in case of a violation, and disciplinary proceedings should always be instituted. It is in the course of these disciplinary proceedings that all mitigating circumstances can be taken into account.

Where restrictions are imposed on former staff, shouldn’t they be communicated also to their new employer to make sure they are aware?

The restriction imposed in the second case that there may be no contacts with Europol “for commercial purposes” is too narrow and too vague. The fact that Thorn has commercial interests should suffice to exclude any contacts for lobbying purposes, not only with Europol but with any EU entity.

Generally staff should have to notify their intention to take a new post before accepting their offer, given the fact that negotiations concerning a future employment contract could already amount to conflict of interest.

It could help for Europol to elaborate a “Code of best practice for staff members leaving the agency” and make it public.

Europol should publish an “annual report on the activities related to Art. 16 EU Staff Regulations that the agency carries out”, including a list of the cases assessed, the recommendations provided by the Joint Committee and the Reporting Officer, as well as the final decision by the AACC. The report should also include a “post-employment activities summary” (similar to the one that EBA has in its website).

Contrary to the case at hand, all final decisions taken by the AACC should be accompanied by an explanation with the reasons for the decision taken.

It would make sense to elaborate a general “guidance on the criteria for assessing post-employment restrictions or prohibitions” and make it public. It should include general and specific criteria depending on the position/work area (EBA’s guidance could be used as an example).

Importantly, the Joint Parliamentary Scrutiny Group (JPSG), specifically set up to supervise Europol, should be informed whenever there is a potential conflict of interest and about the steps taken by the agency or that the agency intends to take to address it. In the case at hand, no such information has taken place.

patrick-breyer.de/en/chat-cont…