EU watchdog fights against rules permitting Europol's ‘unlawful’ data practices

Image of a Europol sign affixed to its Amsterdam headquarters
(Image credit: Shutterstock)

The EU’s data protection watchdog has called for rules effectively legalising the 'irresponsible' handing of data by Europol to be scrapped.

scrapping of new rules that effectively legalise the ‘irresponsible’ handling of data by law enforcement agency Europol.

The fresh complaints come months after the European Data Protection Supervisor (EDPS) ordered the law enforcement agency to delete a huge cache of personal information. It deemed this practice to be a violation of GDPR and human rights law.

Following the EDPS’ public allegations of data mishandling, made in January, the Court of Justice of the European Union (CJEU) introduced two new provisions to the 2016 Europol Regulation that aimed to, according to the EDPS, “legalise retroactively” Europol’s data practices.

Articles 74a and 74b of the amended Europol Regulation - the provisions most recently added and the ones contested by the EDPS - “undermine” the watchdog's powers, it said.

“The EDPS had to apply for an annulment of articles 74a and 74b of the amended Europol Regulation for two reasons,” the EDPS said. “Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement where the processing of personal data implies severe risks for data subjects.

“Secondly, to make sure that the EU legislator cannot unduly ‘move the goalposts’ in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority’s enforcement powers requires legal certainty of the rules being enforced.”


The data strategy report

What CDOs need to know


Added to the Europol Regulation in June 2022, the provisions specifically relate to Europol’s retention of data on individuals with no proven link to criminal activity.

Europol is alleged to be holding on to data belonging to individuals far longer than the current regulations allow it to.

The EDPS’ January complaint revealed that Europol was sitting on 4TB of data on at least 250,000 individuals said to be linked with crime. This was collected over a period of six years from a variety of European national law enforcement authorities.

The EU’s data watchdog aimed to impose rules on Europol that the data it collected on people should be assessed within six months and if no criminal link was found, then it should be erased in a timely manner.

Specifically, the supervising authority sought to enforce Data Subject Categorisation for each individual whose data was collected - a stipulation of the Europol Regulation.

Such categorisation seeks to clearly define why a given individual is having their data retained, be it because they are suspected of committing a crime, convicted of a crime, or suspected witnesses of a crime, among other categories.

Privacy experts speaking to IT Pro in January expressed sympathy for Europol given the large amount of data it is required to triage, but also said the amount of data held would be tantamount to “mass surveillance” in the eyes of some.

The EDPS said the provisions “establish a worrying precedent” that threatens the independence of the supervising authority and undermines the legal certainty for people’s personal data.

The situation raises debate around individuals’ right to privacy against the need for national security - one that emerges in so many areas of technology such as consumers’ access to end-to-encrypted messaging services.

It’s difficult to arrive at an absolute conclusion on such matters given the strength of the cases for both sides. Some argue, such as heads of state, that national security must take precedence over an individual’s privacy.

Others disagree and popular arguments often highlight that such an allowance could theoretically spiral towards a green-lit mass surveillance programme, for example. A large proportion of the IT industry also agrees that ending end-to-end encryption would adversely affect society at large

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.