Europol urged to delete petabytes of data not clearly linked to crime
Europol, the law enforcement agency of the European Union, has been ordered to delete a huge amount of personal data gleaned from police services in EU member states over the past six years . The removal order comes from the European Data Protection Supervisor (EDPS), a supervisory body that monitors EU institutions’ compliance with privacy and data protection legislation.
The EDPS has given Europol a year to review its databases and then delete all data that cannot be linked to a criminal investigation.
The total volume of data stored in Europol’s systems amounts to around 4 petabytes according to reports in The Guardian – equivalent to hundreds of billions of pages of printed text – and includes data on at least a quarter of a million current or former terrorism and serious crime suspects, as well as others in its contact networks. The data was drawn from criminal investigations carried out by national law enforcement authorities in EU countries, which were then shared with Europol.
In the text of the decision, the EDPS cites a first investigation into Europol’s processing of sensitive data in 2019, which concluded that Europol was storing personal data on crime and terrorism suspects without adequately checking whether surveillance of reported individuals was warranted. A year later, the EDPS sent a reprimand notice to Europol for failing to comply with data regulations and putting EU residents at risk of being wrongly linked to criminal activity.
“Although certain measures have been put in place by Europol since then, Europol has not responded to requests from the EDPS to define an appropriate data retention period to filter and extract personal data authorized for analysis purposes under of the Europol Regulation “, wrote the EDPS. in a press release accompanying the decision.
In the absence of a clear course of action, the EDPS has now intervened with more force, giving Europol a year to sort through existing data in order to find out what can be legally stored, and ordering it to delete all data. newly collected that are not classified in six months.
‘It is not clear exactly what types of data Europol is so keen on keeping, but we do know that these are large data sets made up at least in part of data on people that Europol does not currently think it can classify. among ‘suspects’, ‘a potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’, ”said Michael Veale, associate professor of digital rights and regulation at the Law School of University College London.
This range of categories was already extremely wide, Veale said, so the storage of data that does not fall under these categories has raised concerns that Europol is conducting unwarranted surveillance on groups stereotyped as “suspect” or “dangerous”.
What seems clear is that the EDPS decision will spark a heated debate on where the EU should draw the line between privacy and security. Some senior European officials were quick to react: one, the European Commissioner for Home Affairs, Ylva Johansson, expressed her dissatisfaction shortly after the announcement of the decision.
“Law enforcement authorities need the tools, resources and time to analyze the data legally transmitted to them,” Johansson said. The Guardian. “In Europe, Europol is the platform that supports national police authorities in this Herculean task. “
Johansson clarified his concerns at EU policy, suggesting that smaller national police services would be unable to make sense of big data without relying on Europol’s expertise.
But other privacy activists hailed the move, which was celebrated as a respect for the digital rights of EU citizens.
“This decision (…) shows once again that in the EU, rights to privacy and data protection are fundamental rights and are protected as such, even when the pressure exerted on these rights comes from the police, ”said Gabriela Zanfir-Fortuna, vice president. for Global Privacy at the Future of Privacy Forum think tank.
“In a rule of law, police activities must respect the legal framework. Police that do not respect fundamental rights ultimately cannot be effective, ”said Zanfir-Fortuna.