Europol ordered to delete huge cache of unlawfully stored data

Europol has been accused of unlawfully storing, and ignoring requests to delete, large amounts of data on individuals with no established link to criminal activity.

The European Data Protection Supervisor (EDPS) has ordered Europol to delete the data it has been storing, concluding a years-long inquiry into the crime-fighting agency's data collection habits.

The order follows the EDPS 'admonishment' of Europol more than a year ago in September 2020 when it was first found to be storing large volumes of data with no Data Subject Categorisation - a requirement stipulated by the Europol Regulation.

The EDPS said that while Europol has complied with some requests and implemented "some" technical measures since then, it has not complied with other requests including failing to define an appropriate data retention period.

The measures introduced reduce, but do not remove, the possibility that individuals' fundamental rights could be put at risk by unlawful analysis of their data by Europol, or by the data being shared with other law enforcement agencies. As such, the data being stored does not ensure compliance with the Europol Regulation, the EDPS said.

It means Europol was keeping this data for longer than was necessary and violated the principles of data minimisation and storage limitation enshrined in the Europol Regulation.

Europol's bank of data reportedly contains at least four petabytes of data on at least 250,000 individuals linked to terror or crime offences, accumulated from national law enforcement authorities over the past six years, according to the Guardian.

Privacy advocates have told IT Pro that Europol's hoarding of data is "hugely concerning" and have been exacerbated by the law enforcement agency's reluctance to delete the data after being told to do so a year ago. The amount of data that was reportedly being stored by Europol could even be likened to the NSA's mass surveillance revealed by Edward Snowden.

"Admittedly, sorting through 4 petabytes of data could not have been an easy task for Europol," said Hannah Hart, privacy expert at ProPrivacy. "Such a vast quantity of data, which is roughly a fifth of the US Library of Congress, is even tantamount to mass surveillance in the eyes of many a privacy advocate. The stockpiling of this information – as well as the secrecy of its existence – has led to chilling comparisons to America’s infamous NSA, which conducted widespread telephone surveillance before its exposure by Edward Snowden."

"Law enforcement bodies are given enhanced rights to collect and process personal data to perform their security functions," said Ed Hayes, partner at UK law firm TLT to IT Pro. "Citizens have a reasonable expectation that those organisations will be doing everything possible to ensure they comply with the law when exercising those extensive rights. When they fail to do so, it reduces trust, and that has knock-on effects.

“Law enforcement bodies are often at the forefront of deploying new technologies like AI and facial recognition," he added. "If they can’t be trusted to get the basics of data protection right – things like having proper data categorisation, storage and retention arrangements – it calls into question whether they should be trusted with deploying potentially far-reaching and intrusive new technologies.”

As Europol has failed to comply with requests, the EDPS will now exercise its corrective powers and impose a six-month retention period, and all datasets older than six months that have not undergone Data Subject Categorisation must be deleted. Europol has been given a 12-month grace period in which to comply with the EDPS' decision.

"Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry," said Wojciech Wiewiórowski, the EDPS. "However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.

"Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted - a process often lasting years."

The EDPS thinks that six months is enough time for Europol to extract all the critical data needed from the datasets and to provide any support to law enforcement authorities in EU member states.

Europol will also be required to submit reports to the EDPS every three months for the next 12 months updating him on the progress of its efforts to implement the necessary measures outlined in this week's decision.

Security vs. Privacy concerns

The news of Europol storing this large amount of data has led many to be concerned with the level of risk to individuals' rights but the EDPS decision also raises a debate around the balance between protecting an individual's right to privacy against the need to protect national security.

"This is a great example of the central dilemma of an open society – the need for privacy versus the need for security," said Edmund Probert, Commercial, IT Contracts and Intellectual Property Partner at international law firm Spencer West to IT Pro. "Clearly Europol, with which the UK has a co-operation agreement, has been trying to hold data for far too long in the view of the European Data Protection Supervisor. As a result, he has thrown all the toys out of the pram."

"Given the size of the databases, this amounted to the sort of mass surveillance the like of which we expect from dictatorships and totalitarian countries – not the EU. While the decision is couched in diplomatic terms, it is a damming report – and in simple terms, this is a ‘final warning’ with performance monitoring."

"Europe’s data protection regime relies on data controllers taking their legal obligations seriously, and that’s especially the case for public authorities operating in the law and order space," said Hayes of TLT. "Europol’s failure to comply with previous clear directions from the EDPS is so concerning precisely because it brings into question in what other ways it is ignoring the data protection law that should govern its actions."