The European Data Protection Supervisor (EDPS), an independent EU privacy and data protection supervisory authority, has ordered Europol to erase the personal data of individuals who have not been related to criminal activity.
According to the EDPS, the watchdog considers as personal data any identification number, location data or online identifier associated with the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.
Europol has been informed of this order a week ago, January 3, 2022. decision follows an own-initiative inquiry launched on April 30, 2019 into the EU police’s use of Big Data Analytics for personal data processing activities.
The EU data watchdog issued the order after berating Europol in September 2020 for storing large amounts of data on individuals who have not been linked to criminal activity, putting their fundamental rights in jeopardy. danger.
“The EDPS decision concerns the protection of persons whose personal data are included in the datasets transferred to Europol by law enforcement authorities in EU Member States”, said the EDPS today [PDF].
“According to the Europol Regulation, Europol is only allowed to process data on persons with a clear and established link to criminal activity (eg suspect, witness, etc.).
“Limiting the processing of data by Europol avoids exposing other people who do not all fall into these categories, thereby minimizing the risks associated with the processing of their data in Europol databases. “
EDPS imposes a data retention period of six months
Europol did not comply with the obligations under the Europol Regulation to filter and extract information relating to crime from its databases.
Thus, the EDPS has now also imposed a retention period of 6 months on personal information collected by the police force, which means that Europol must erase all unfiltered data within six months from its databases to prevent their treatment longer than necessary.
“Such data collection and processing can represent an enormous volume of information, the precise content of which is often unknown to Europol until the moment it is analyzed and extracted – a process which often lasts for years”, the European Data Protection Supervisor Wojciech Wiewiórowski added in a press release released today.
“A period of 6 months for pre-analysis and filtering of large datasets should allow Europol to respond to operational requests from EU Member States relying on Europol for technical and analytical support, while minimizing risks to the rights and freedoms of individuals. “
Update January 10 at 1:50 p.m. EST: Europol told BleepingComputer that the EDPS ‘decision to impose a six-month data retention period will impact its ability to analyze large data sets provided in ongoing investigations.
You can read the full statement sent by Europol’s media relations officer below.
Committed to upholding the highest standards of data protection, Europol first proactively contacted the EDPS on 1 April 2019 for advice on the handling of large and complex data sets that are collected in the framework. lawful judicial inquiries.
Europol increasingly receives data sets from its Member States collected in the context of lawful criminal investigations to facilitate their processing and analysis.
Since then, Europol has followed the guidance given by the EDPS and informed its Management Board of the progress made.
Today, the European Data Protection Supervisor (EDPS) published its decision on the retention of datasets without categorization of data subjects (DSC) by Europol. DSC is the act of identifying in these datasets suspects, potential future criminals, contacts and associates, victims, witnesses and informants related to the criminal activities contained.
According to the EDPS, Europol should complete the DSC for large and complex data sets within a fixed retention period. In this context, the EDPS underlined that the current Europol Regulation does not contain an explicit provision regarding a maximum time limit for determining the DSC.
In his decision, the EDPS sets this deadline at six months after which he asks Europol to erase the data.
The EDPS decision will have an impact on Europol’s ability to analyze complex and large datasets at the request of EU law enforcement authorities. This concerns data held by Member States and operational partners and provided to Europol in the framework of investigations supported within the framework of its mandate. This includes: terrorism, cybercrime, international drug trafficking and child abuse, among others.
Europol’s support often extends over a period of more than six months, as some of its most prominent cases illustrate.
Europol will seek the opinion of its Management Board and assess the EDPS decision and its potential consequences for the Agency’s mandate and for ongoing investigations, as well as its possible negative impact on the security of EU citizens. .
- Framework Laptop review: The anti-MacBook has arrived
- Analyst predictions 2022: The future of data management
- Activision Blizzard lawsuit: a timeline of key events and everything you need to know
- Europol closes VPN used by cybercriminal groups
- The Most Dangerous Database Threats and How to Prevent Them