The European Data Protection Supervisor (EDPS) has ordered European Union law enforcement agency Europol to delete any data it has on individuals that’s over six months old, provided there’s no link to criminal activity.
EDPS says it probed Europol’s collection of large datasets for strategic and operational analysis from April 2019 until September 2020. The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan.
According to regulations, “personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed,” and “personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.”
Which, to be fair, is a vague directive allowing for multiple interpretations.
Indeed the EDPS found Europol’s interpretation and subsequent actions to correct the data management inadequate, despite the pan-Europe police body implementing technical measures to separate and secure datasets to minimize chances of data misuse.
One beef the EDPS had was that Europol didn’t specify a time limit for its extraction process or a maximum retention period on datasets that didn’t include data subject categories. Europol cited [PDF] the nature of long-running criminal investigations as its reason for needing longer retention periods.
EDPS appointee Wojciech Wiewiórowski said in a canned statement:
On January 3rd, after some back and forth between the parties, the watchdog narrowed the room for Europol’s interpretation on regulations via directives.
The supervisor said:
Europol is also going to have to provide implementation reports every three months for one year. Argh paperwork, right?
The database is an aggregate of several sources of information, both public and private, and includes a swath of information ranging from biometrics to data relating to an individual’s work and travel.
“Without putting in place the safeguards provided in the Europol Regulation, individuals run the risk of being wrongfully linked to a criminal activity across the EU, with all the potential damage to their private and professional lives that this entails,” said the EDPS in a document. ®