Concluding its 2019 enquiry, the European Data Protection Supervisor (EDPS) has ordered Europol to delete all data concerning individuals with no established link to criminal activity.
The EDPS had opened an own-initiative enquiry on April 30, 2019, to investigate Europol’s processing of large datasets for strategic and operational analysis. As per the data watchdog, Europol has to delete any data kept for longer than six months and has a year to sort out what data it can lawfully keep. For all data the Europol collects, it now has six months to filter and extract personal data. Any data older than six months that have not undergone this data subject categorisation must be erased.
According to The Guardian, Europol’s cache currently has four petabytes of data. Data protection advocates say this amounts to mass surveillance and puts Europol on track to becoming NSA, an agency whose online spying antics were revealed by whistleblower Edward Snowden.
Free the data, free the people?
The order from the EDPS means that Europol will no longer be able to retain data to people who aren’t linked to criminal activity for extended periods and have no deadline.
The decision also orders Europol to provide implementation reports every three months for 12 months from the day of notification of the decision. Additionally, should Europol fail to categorise older data in the 12 months period allowed by the EDPS, the data should be deleted nonetheless.
According to its own regulations, Europol can only process data about individuals who have a clear, established link to criminal activity. Limited data processing capabilities help avoid exposing innocent individuals and minimising the risk associated with having their data processed in Europol’s databases.
Europol had previously implemented technical measures to help ensure that collected datasets are stored in a separate and secure environment based upon previous requests from the EDPS. However, the European policing agency did not comply with EDPS’ request to define an appropriate data retention period.