This article was updated with a comment from Europol.
The European Data Protection Supervisor (EDPS) instructed the law enforcement agency Europol to delete the personal data of individuals who have no established link with criminal activity, concluding an inquiry started in April 2019.
The EDPS initiated the inquiry based on concerns that Europol’s data processing activities were going beyond its mandate and breaching its data protection rules.
These concerns were confirmed as the Supervisor concluded its investigation in September 2020, admonishing Europol to address the outstanding structural issues. For the supervisory authority, the EU agency went against the data minimisation principle by including personal data from people with no proven relation to criminal activity.
Moreover, the EDPS deemed that these data processing practices went against the principle of storage limitation, which decrees that data will only be maintained for as long as strictly necessary. The privacy watchdog considers that Europol has failed to make necessary changes to ensure compliance in both cases.
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation,” said EDPS’ Wojciech Wiewiórowski.
The EDPS probe
Europol’s remit is to collect data on cross-border cases and make it available to national authorities to support their investigations. However, in recent years the agency has become specialised in processing vast amounts of data to develop new policing tools and train algorithms.
As a result, the EDPS found that the agency was no longer processing only data relevant to specific investigations but crunching large datasets from national law enforcement authorities. These datasets resulted from an unknown number of criminal investigations and might include data from suspects of serious crimes and anyone who interacted with them.
“It is extremely important that Law Enforcement Agencies, in pursuing effective big data-driven models, will find a way to obey these [data protection] principles while still meeting the operational demands of EU Member States,” Paolo Balboni, privacy professor at Maastricht University, told EURACTIV.
According to the Guardian, Europol currently holds 1,000,000 gigabytes’ worth of data.
“Data protection and fundamental rights must be upheld, it is of crucial importance especially for a law enforcement agency,” said Green MEP Saskia Bricmont.
In its action plan to address the results of the admonishment, Europol called on the European Commission to revise its mandate, in what privacy stakeholders criticised as an attempt to legalise unlawful practices.
By contrast, security advocates argue that these data-driven tools have become necessary for law enforcement agencies to keep up with the new threats due to digital technologies.
“For us, it is clear that law enforcement cannot effectively fight crime if it cannot process large data. This data processing requires a considerable amount of time,” a European Commission spokesperson told EURACTIV.
The Commission representative referenced the case of the EncroChat operation, in which, in August 2020, Europol supported the French and Dutch authorities in hacking into the encrypted messaging service. The operation led to thousands of arrests across Europe, including for drug trafficking, corruption and violent crimes.
The European Commission put forth a recast mandate for the agency in December 2020, presenting it as part of a broader strategy to reinforce border controls and prevent terrorism.
The EU co-legislators have finalised their position on the new mandate and are currently engaged in interinstitutional negotiations. According to a source informed on the matter and to recently leaked internal documents, the EU institutions have agreed on most issues and might finalise a deal in the coming weeks.
“Europol has been acting outside the law for too long, which is unacceptable. The decision sends a much-needed message to the European Parliament: beware of the powers given to Europol in the ongoing reform as every loophole will be exploited to the detriment of people’s data protection rights,” said Chloé Berthélémy, policy advisor at European Digital Rights (EDRi).
For Javier Zarzalejos, the MEP representing the EU Parliament in the negotiations, “the Parliament’s position has striven for an adequate balance between the operational requirements of Europol in its task of supporting the Member States and tighter safeguards on data protection.”
Consequences of the decision
For current datasets, Europol will have 12 months to prove that the data is criminally relevant or delete it. Until now, Europol refused to set a fixed timeline, seeing one as incompatible with its operations.
For new datasets, the EDPS gave the agency six months to assess their relevance. That timeline would be expanded to 3 years with the new mandate, subject to confirmation during the trilogue negotiations.
“The EDPS Decision will impact on Europol’s ability to analyse complex and large datasets at the request of EU law enforcement,” a Europol spokesperson told EURACTIV.
[Edited by Nathalie Weatherald]