Europol ordered to delete huge cache of unlawfully stored data
Crime-fighting agency has failed to implement the necessary data protection measures it was told to make more than a year ago
11 January 2022 | 0
Europol has been accused of unlawfully storing, and ignoring requests to delete, large amounts of data on individuals with no established link to criminal activity.
The European Data Protection Supervisor (EDPS) has ordered Europol to delete the data it has been storing, concluding a years-long inquiry into the crime-fighting agency’s data collection habits.
The order follows the EDPS ‘admonishment’ of Europol more than a year ago in September 2020 when it was first found to be storing large volumes of data with no Data Subject Categorisation – a requirement stipulated by the Europol Regulation.
The EDPS said that while Europol has complied with some requests and implemented “some” technical measures since then, it has not complied with other requests including failing to define an appropriate data retention period.
The measures introduced reduce, but do not remove, the possibility that individuals’ fundamental rights could be put at risk by unlawful analysis of their data by Europol, or by the data being shared with other law enforcement agencies. As such, the data being stored does not ensure compliance with the Europol Regulation, the EDPS said.
It means Europol was keeping this data for longer than was necessary and violated the principles of data minimisation and storage limitation enshrined in the Europol Regulation.
Europol’s bank of data reportedly contains at least 4PB of data on at least 250,000 individuals linked to terror or crime offences, accumulated from national law enforcement authorities over the past six years, according to the Guardian.
As Europol has failed to comply with requests, the EDPS will now exercise its corrective powers and impose a six-month retention period, and all datasets older than six months that have not undergone Data Subject Categorisation must be deleted. Europol has been given a 12-month grace period in which to comply with the EDPS’ decision.
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry,” said Wojciech Wiewiórowski, the EDPS. “However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years.”
The EDPS he thinks that six months is enough time for Europol to extract all the critical data needed from the datasets and to provide any support to law enforcement authorities in EU member states.
Europol will also be required to submit reports to the EDPS every three months for the next 12 months updating him on the progress of its efforts to implement the necessary measures outlined in this week’s decision.
© Dennis Publishing