Europol ordered to delete data concerning individuals with no criminal link
EU police agency accused of hoovering up data indiscriminately to create tools and algorithms
The European Data Protection Supervisor (EDPS), a watchdog that oversees EU institutions' adherence to privacy and data protection legislation, has directed Europol to delete personal data of individuals who have no established link to criminal activity.
The order follows an inquiry started by the EDPS in April 2019 over concerns that the data processing activities of the European police agency were going beyond its mandate and violating data protection rules.
While Europol is allowed to collect data on cross-border crimes and make it available to national authorities to aid investigations, it appears that the agency has been analysing large volumes of data to develop new enforcement tools and train algorithms. Critics have compared this to the activities of the US NSA.
The EDPS has concluded that Europol was no longer processing data that was exclusively relevant to specific investigations, but was instead processing massive datasets shared with Europol by national law enforcement agencies in EU countries.
This data results from an unknown number of criminal probes and may contain information on serious crime suspects and anyone who interacted with them.
The EDPS said that it sent a notice of admonishment to Europol in September 2020 for the "continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals' fundamental rights".
While Europol has put in place some measures since September 2020, the agency has not complied with the EDPS's requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation, the watchdog added.
"This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.
"In light of the above, the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased."
The watchdog has granted Europol a 12-month period to review its databases and erase any material that cannot be linked directly to a criminal investigation.
According to The Guardian, the entire volume of data held on Europol's servers is roughly 4 petabytes, which is comparable to hundreds of billions of pages of printed text or nearly three million CDs. It contains information on at least a million current or former terror and serious crime suspects, as well as others in their contact networks.
In a statement to The Guardian, Europol denied any wrongdoing, stating that the EDPS may be interpreting the current rules in an impractical way.
"[The] Europol regulation was not intended by the legislator as a requirement which is impossible to be met by the data controller [i.e. Europol] in practice," Europol noted.
It added that the agency had worked with the EDPS "to find a balance between keeping the EU secure and its citizens safe while adhering to the highest standards of data protection".