Tag: Europol
30. June 2022
On June, 27, 2022, the European Data Protection Supervisor (EDPS), an independent supervisory authority responsible for the monitoring of the processing of personal data by EU institutions and bodies, published a press release on its website criticizing the amended Europol Regulation that entered into force on June 28, 2022.
Unlike in the case for other EU institutions and bodies, Europol operates within an autonomous data protection framework included in the Europol Regulation. This means that only administrative personal data processed by Europol falls under the scope of the otherwise applicable regulation 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data.
In general, Europol is equipped with broad and far-reaching competencies to process personal data. This is because Europol works closely with several actors, such as other EU Agencies, national Law Enforcement Agencies, third countries, and Interpol.
In a journal article, Teresa Quintel points out that “(…) Europol could theoretically retain all data in one single repository and carry out data mining for different types of LE-purposes, which provides Europol with a remarkably broad mandate to process personal data”
Amendments to the Europol Regulation newly in force include the processing of large datasets as well as cooperation with private parties meaning that Europol can receive personal data from these third parties.
The EDPS also points to the fact that the amended regulation allows Europol to create and process large datasets of individuals who have no criminal link. This amendment contradicts an EDPS decision from December 2021 that ordered Europol to delete that data. As a consequence, this order is being made obsolete. The Kinast privacy ticker blogged about this matter earlier this year.
The press release further reads: “The EDPS regrets that the expansion of Europol’s mandate has not been compensated with strong data protection safeguards that would allow the effective supervision of the Agency’s new powers.”
13. January 2022
Shortly after the European Data Protection Supervisor (EDPS) had notified EU’s Agency for Law Enforcement Cooperation (Europol) of the order restricting data collection practices, the agency strongly objected. We have already reported on the decision setting a retention period of six months for all datasets submitted to the agency.
Europol is concerned that the order will harm investigations, as the agency typically needs to retain data for longer than six months to effectively fight against evils such as terrorism and child abuse. It was precisely the past practices that also enabled the EU arresting numerous of drug traffickers and suspected criminals.
EU’s Commissioner for Home Affairs, Ylva Johansson, agreed with the concern, arguing that it would jeopardize criminal investigations if law enforcement agencies have to start disposing of the data they have collected. She stated that
the potential risk of the decision is huge. If a member state or national police cannot use Europol to help with the analysis of big data … then they will be blind because a lot of national police forces do not have the capacity to deal with this big data.
According to critical comment, law enforcement and security agencies should be given better access to citizens’ data. Johansson advocates this as well. Europol’s powers to process large datasets could soon be strengthened as part of a reform of its mandate. However, this intention also meets with criticism, as Chloé Berthélémy of the European Digital Rights NGO expresses:
The EDPS has taken a critical step today to finally end Europol’s unlawful processing of data … Unfortunately, the reform of Europol to be adopted soon … will reverse all these efforts as it is set to legalize the very same practices that undermine data protection and fair trial rights.
12. January 2022
On January 3rd, 2022, the European Data Protection Supervisor (EDPS) notified the EU’s Agency for Law Enforcement Cooperation (Europol) of an order to delete data of individuals who have not been linked to a crime or a criminal activity. This decision, dated December 21st, 2021, marks the conclusion of EDPS’ investigation launched in 2019.
The own-initiative inquiry concerned Europol’s processing of personal data in large datasets for the purpose of strategic and operational analysis (referred to as Europol’s Big Data Challenge). The investigation revealed non-compliance with the data protection rules laid down in the Europol Regulation (ER), especially the principles of data minimization (Article 28 (1) (c) ER) and data retention (Article 28 (1) (e) ER).
Article 18 (2) (b), (c), (5) and Annex II. B. (1), (3) ER limit the categories of data subjects about whom Europol can process data for the aforementioned purposes to ‘suspects’, ‘potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’. To meet this requirement, large datasets must undergo a process of filtering and extraction called Data Subject Categorization (DSC). Therefore, processing of datasets lacking the DSC should be limited to the shortest time necessary to materially proceed to such categorization. This is important to ensure that processing of data of persons, whose link to crimes has not been established, ceases as soon as possible. It is justified by the fact that in particular the continued storage poses a risk to fundamental rights of these individuals.
EDPS then admonished Europol and urged it to take all necessary and appropriate measures to mitigate the risks for individuals arising from such data processing activities. For this purpose, Europol was also advised to establish an action plan and inform EDPS thereof.
Although Europol has taken some action since then, it has not established an appropriate retention period for the datasets without DSC. As a consequence, the EDPS has decided to impose a retention period of 6 months for all datasets submitted to Europol by EU Member States as of January 4th, 2022, which should allow the filtering and extraction of the permitted personal data. Datasets that do not undergo DSC during this period must be deleted. The EDPS has also given Europol a period of 12 months to comply with the decision for the datasets previously received. Should this period elapse before the datasets undergo DSC, they must be deleted as well.
