The European Data Protection Supervisor (EDPS) has given Europol 12 months to erase data it should not be holding on European citizens. The EDPS is concerned about Europol holding personal data on people with no proven links to criminal activity. It is the second time the EDPS has criticised Europol over datasets that lack Data Subject Categorisation (DSC). The first was back in 2020, and it seems little has changed since then.
Wojciech Wiewiórowski, EDPS, said: “Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years. A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms.
“Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the Decision for the datasets already in Europol’s possession.”
What is this about?
The EDPS opened an inquiry into how Europol held data back in 2019. He wanted to look at how big data analytics were used for strategic and operational analysis. His primary concern was that data was being gathered without the right limitation, minimisation and other controls.
In 2020, the EDPS concluded the investigation. Europol was told its processing of large datasets was incompatible with several of its own regulations. Those regulations set no explicit provision on the maximum time to decide on a DSC.
At the time, the EDPS stopped short of ordering all data to be deleted. Instead, it left Europol to introduce remediation measures. It has now decided that Europol Is taking too long. To force Europol to act faster, it has set a period of six months for data to be received, analysed, and then unwanted data deleted.
The 14-page decision makes for interesting reading. It includes the five measures in the Action Plan that the EDPS sent Europol in November 2020. Surprisingly, no EU country has questioned how data is held and managed. Perhaps this points to data collection and retention problems at the country level.
What has Europol said?
Europol has said it would comply but is unhappy. It claims: “The EDPS Decision will impact Europol’s ability to analyse complex and large datasets at the request of EU law enforcement. This concerns data owned by EU Member States and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes terrorism, cybercrime, international drugs trafficking and child abuse, amongst others.
“Europol’s work frequently entails a period longer than six months, as do the police investigations it supports. This is illustrated by some of Europol’s most prominent cases in recent years.”
Europol is to take time to assess the decision and talk to its management board. This will not stop the clock on the EDPS decision, so it will need to act quickly if it wants to challenge the decision. Its biggest concern will be the impact on ongoing investigations, and it is not clear what impact this ruling will have.
It is not just Europol that will be concerned. Nation-states that provide the data to Europol will be equally concerned by this ruling. Many will want to consider if this impacts how they collect and store data. It will be interesting if the EDPS now takes a look at that.
Enterprise Times: What does this mean?
Intelligence in policing has always been about data. The more you have, the better you can do your job. However, as the amount of data grows, so does the complexity of the data challenge. Internal policies are part of that problem, but they can be rewritten.
Technology is also part of the problem, but it can also be part of the solution. Greater use of automation and AI could speed up the analysis. But that would require increased checking of the algorithms and results to avoid errors caused by automation. But that additional checking will take time, which will continue to push the data retention window.
A further challenge is timely access to the data sets. If the investigation is pan-European, all the data needs to be in place for any effective investigation. That might mean Europol asking some countries to hold on to data until everyone is ready to send it.
For now, Europol is working on a solution but can it do so in time to prevent any ongoing investigations from being impacted?