Apostolis Fotiadis, Ludek Stavinoha, Giacomo Zandonini, and Daniel Howden report:
The EU’s police agency, Europol, will be forced to delete much of a vast store of personal data that it has been found to have amassed unlawfully by the bloc’s data protection watchdog. The unprecedented finding from the European Data Protection Supervisor (EDPS) targets what privacy experts are calling a “big data ark” containing billions of points of information. Sensitive data in the ark has been drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime.
The watchdog ordered Europol to erase data held for more than six months and gave it a year to sort out what could be lawfully kept.
Today, Europol issued a statement in response. Here is their full statement:
Committed to the highest standards of data protection, Europol first reached out proactively to the European Data Protection Supervisor (EDPS) on 1 of April 2019 to seek guidance on the processing of large and complex datasets which are collected in lawful, judicial investigations. Europol is increasingly receiving from its Member States datasets to help with their processing and analysis.
Since then, Europol has followed the guidance given by the EDPS and has kept its Management Board updated on the progress achieved.
Yesterday, the EDPS published his Decision on the retention of datasets without Data Subject Categorisation (DSC) by Europol. The DSC is the act of identifying in these datasets suspects, potential future criminals, contacts and associates, victims, witnesses and informants linked to criminal activities.
According to the EDPS, Europol should complete the DSC for large and complex datasets within a fixed retention timeline. In this context, the EDPS has highlighted that the current Europol Regulation does not contain an explicit provision regarding a maximum time period to determine the DSC.
In his decision the EDPS sets that this period must be of six months, at the expiry of which he requests Europol to erase the data.
The EDPS Decision will impact Europol’s ability to analyse complex and large datasets at the request of EU law enforcement. This concerns data owned by EU Member States and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes terrorism, cybercrime, international drugs trafficking and child abuse, amongst others.
Europol’s work frequently entails a period longer than six months, as do the police investigations it supports. This is illustrated by some of Europol’s most prominent cases in recent years.
Europol will seek the guidance of its Management Board and will assess the EDPS Decision and its potential consequences for the Agency’s remit, for ongoing investigations as well as the possible negative impact on the security for EU citizens.