Europol has been told to delete a vast data trove of information on individuals with no link to criminality after previously failing to comply with regulations governing the policing body.
The European Data Protection Supervisor (EDPS) notified Europol of the order on January 3, following an inquiry in 2019. It now has 12 months to filter and extract relevant personal data permitted for analysis under the so-called Europol Regulation.
Any data older than six months on individuals not linked to criminality (known as data subject categorization) must be deleted, the EDPS said.
Europol’s apparent foot-dragging and failure to comply with the principles of data minimization and storage limitation enshrined in the Europol Regulation led to a rare admonishment by the EDPS in September 2020.
“Europol has dealt with several of the data protection risks identified in the EDPS’s initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation,” explained EDPS Wojciech Wiewiórowski.
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analyzed and extracted – a process often lasting years.”
In fact, the data trove could be more than four petabytes, according to a report in The Guardian , which claimed the information had been extracted over the past six years from crime reports, hacked phones and screening of asylum seekers never involved in any crime.
Europol hit back yesterday, claiming its binding regulation never specified a maximum time period for determining Data Subject Categorisation. The police agency stated that it was not the EDPS that initiated the inquiry and said it would “assess” the data privacy tsar’s decision.
“The EDPS decision will impact Europol’s ability to analyze complex and large datasets at the request of EU law enforcement. This concerns data owned by EU member states and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes terrorism, cybercrime, international drugs trafficking and child abuse, amongst others,” a statement read.
“Europol’s work frequently entails a period longer than six months, as do the police investigations it supports. This is illustrated by some of Europol’s most prominent cases in recent years.