Europol

EU watchdog fights against rules permitting Europol’s ‘unlawful’ data practices

The pushback follows allegations that Europol was allowed to write its own rules when it came to handling sensitive data
Pro
Image: Shutterstock via Future

23 September 2022

The EU’s data protection watchdog has called for rules effectively legalising the ‘irresponsible’ handing of data by Europol to be scrapped.

The fresh complaints come months after the European Data Protection Supervisor (EDPS) ordered the law enforcement agency to delete a huge cache of personal information. It deemed this practice to be a violation of GDPR and human rights law.

Following the EDPS’ public allegations of data mishandling, made in January, the Court of Justice of the European Union (CJEU) introduced two new provisions to the 2016 Europol Regulation that aimed to, according to the EDPS, “legalise retroactively” Europol’s data practices.

Articles 74a and 74b of the amended Europol Regulation – the provisions most recently added and the ones contested by the EDPS – “undermine” the watchdog’s powers, it said.

“The EDPS had to apply for an annulment of articles 74a and 74b of the amended Europol Regulation for two reasons,” the EDPS said. “Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement where the processing of personal data implies severe risks for data subjects.

“Secondly, to make sure that the EU legislator cannot unduly ‘move the goalposts’ in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority’s enforcement powers requires legal certainty of the rules being enforced.”

Added to the Europol Regulation in June 2022, the provisions specifically relate to Europol’s retention of data on individuals with no proven link to criminal activity.

Europol is alleged to be holding on to data belonging to individuals far longer than the current regulations allow it to.

The EDPS’ January complaint revealed that Europol was sitting on 4TB of data on at least 250,000 individuals said to be linked with crime. This was collected over a period of six years from a variety of European national law enforcement authorities.

The EU’s data watchdog aimed to impose rules on Europol that the data it collected on people should be assessed within six months and if no criminal link was found, then it should be erased in a timely manner.

Specifically, the supervising authority sought to enforce data subject categorisation for each individual whose data was collected – a stipulation of the Europol Regulation.

Such categorisation seeks to clearly define why a given individual is having their data retained, be it because they are suspected of committing a crime, convicted of a crime, or suspected witnesses of a crime, among other categories.

The situation raises debate around individuals’ right to privacy against the need for national security – one that emerges in so many areas of technology such as consumers’ access to end-to-encrypted messaging services.

It’s difficult to arrive at an absolute conclusion on such matters given the strength of the cases for both sides. Some argue, such as heads of state, that national security must take precedence over an individual’s privacy.

Others disagree and popular arguments often highlight that such an allowance could theoretically spiral towards a green-lit mass surveillance programme, for example. A large proportion of the IT industry also agrees that ending end-to-end encryption would adversely affect society at large.

Future Publishing

Read More:


Back to Top ↑

TechCentral.ie