Europol’s criticism of EDPS’ order limiting data collection practices

13. January 2022

Shortly after the European Data Protection Supervisor (EDPS) had notified the EU’s Agency for Law Enforcement Cooperation (Europol) of the order restricting its data collection practices, the agency strongly objected. We have already reported on the decision setting a retention period of six months for all datasets submitted to the agency.

Europol is concerned that the order will harm investigations, as the agency typically needs to retain data for longer than six months to effectively fight evils such as terrorism and child abuse. It was precisely these past practices that also enabled the EU to arrest numerous drug traffickers and suspected criminals.

The EU’s Commissioner for Home Affairs, Ylva Johansson, agreed with the concern, arguing that it would jeopardize criminal investigations if law enforcement agencies had to start disposing of the data they have collected. She stated that

“the potential risk of the decision is huge. If a member state or national police cannot use Europol to help with the analysis of big data … then they will be blind because a lot of national police forces do not have the capacity to deal with this big data.”

According to critical voices, law enforcement and security agencies should be given better access to citizens’ data. Johansson advocates this as well. Europol’s powers to process large datasets could soon be strengthened as part of a reform of its mandate. However, this intention also meets with criticism, as Chloé Berthélémy of the NGO European Digital Rights puts it:

“The EDPS has taken a critical step today to finally end Europol’s unlawful processing of data … Unfortunately, the reform of Europol to be adopted soon … will reverse all these efforts as it is set to legalize the very same practices that undermine data protection and fair trial rights.”

Europol ordered to delete data of individuals with no criminal link

12. January 2022

On January 3rd, 2022, the European Data Protection Supervisor (EDPS) notified the EU’s Agency for Law Enforcement Cooperation (Europol) of an order to delete data of individuals who have not been linked to a crime or a criminal activity. This decision, dated December 21st, 2021, marks the conclusion of the EDPS’ investigation launched in 2019.

The own-initiative inquiry concerned Europol’s processing of personal data in large datasets for the purpose of strategic and operational analysis (referred to as Europol’s Big Data Challenge). The investigation revealed non-compliance with the data protection rules laid down in the Europol Regulation (ER), especially the principles of data minimization (Article 28 (1) (c) ER) and data retention (Article 28 (1) (e) ER).

Article 18 (2) (b), (c), (5) and Annex II. B. (1), (3) ER limit the categories of data subjects about whom Europol can process data for the aforementioned purposes to ‘suspects’, ‘potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’. To meet this requirement, large datasets must undergo a process of filtering and extraction called Data Subject Categorization (DSC). Processing of datasets that have not yet undergone DSC should therefore be limited to the shortest time necessary to carry out that categorization. This is important to ensure that the processing of data of persons whose link to crimes has not been established ceases as soon as possible. The limit is justified by the fact that continued storage in particular poses a risk to the fundamental rights of these individuals.

The EDPS then admonished Europol and urged it to take all necessary and appropriate measures to mitigate the risks for individuals arising from such data processing activities. For this purpose, Europol was also advised to establish an action plan and inform the EDPS thereof.

Although Europol has taken some action since then, it has not established an appropriate retention period for the datasets without DSC. As a consequence, the EDPS has decided to impose a retention period of 6 months for all datasets submitted to Europol by EU Member States as of January 4th, 2022, which should allow the filtering and extraction of the permitted personal data. Datasets that do not undergo DSC during this period must be deleted. The EDPS has also given Europol a period of 12 months to comply with the decision for the datasets previously received. Should this period elapse before the datasets undergo DSC, they must be deleted as well.