The European Data Protection Supervisor (EDPS), an EU privacy and data protection independent supervisory authority, has ordered Europol to erase personal data on individuals that haven’t been linked to criminal activity.
According to the EDPS, the watchdog considers personal data any identification number, location data, or online identifier associated with an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Europol was notified of this order one week ago, on January 3, 2022. The decision follows an own-initiative inquiry started on April 30, 2019, regarding the EU police body’s use of Big Data Analytics for personal data processing activities.
The EU data watchdog issued this order after admonishing Europol in September 2020 for storing large amounts of data on individuals that haven’t been linked to criminal activity, putting their fundamental rights at risk.
“The EDPS’ Decision is about protecting individuals whose personal data is included in datasets transferred to Europol by EU Member States’ law enforcement authorities,” said the EDPS today [PDF].
“According to the Europol Regulation, Europol is only allowed to process data about individuals who have a clear, established link to criminal activity (e.g. suspect,witness, etc).
“Limiting Europol’s processing of data avoids exposing other individuals who do not all into these categories, therefore minimising the risks associated with having their data processed in Europol’s databases.”
EDPS imposes six months data retention period
Europol failed to comply with obligations under the Europol Regulation to filter and extract crime-related information from its databases.
Thus, the EDPS has now also imposed a 6-month retention period on the personal information collected by the police body, which means that Europol must erase all data not filtered within six months its databases to prevent its processing longer than needed.
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years,” European Data Protection Supervisor Wojciech Wiewiórowski added in a press release published today.
“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms.”
Update January 10, 13:50 EST: Europol told BleepingComputer that EDPS’ decision to impose a six months data retention period will impact its ability to analyze large datasets provided in connection with ongoing investigations.
You can read the full statement sent by Europol’s Head of Media Relations below.
Committed to the highest standards of data protection, Europol first reached out proactively to the EDPS on the 1st of April 2019 to seek guidance on the processing of large and complex datasets which are collected in lawful, judicial investigations.
Europol is increasingly receiving from its Member States datasets collected in lawful, judicial investigations to help with their processing and analysis.
Since then, Europol has followed the guidance given by the EDPS and has updated its Management Board about the progress achieved.
Today, the European Data Protection Supervisor (EDPS) published his Decision on the retention of datasets without Data Subject Categorisation (DSC) by Europol. The DSC is the act of identifying in these datasets suspects, potential future criminals, contacts and associates, victims, witnesses and informants linked to criminal activities contained.
According to the EDPS, Europol should complete the DSC for large and complex datasets within a fixed retention timeline. In this context, the EDPS has highlighted that the current Europol Regulation does not contain an explicit provision regarding a maximum time period to determine the DSC.
In his decision the EDPS sets that this period must be of six months at the expiry of which, he requests Europol to erase the data.
The EDPS Decision will impact on Europol’s ability to analyse complex and large datasets at the request of EU law enforcement. This concerns data owned by Member States and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes: terrorism, cybercrime, international drugs trafficking, and child abuse among others.
Europol’s support frequently entails a period longer than six months as illustrated by some of its most prominent cases.
Europol will seek the guidance of its Management Board and will assess the EDPS Decision and its potential consequences for the Agency’s remit and for ongoing investigations and the possible negative impact on the security for the citizens in the EU.