While the European Parliament has discovered that the EU was violating its own regulations with a website that had hired an external company and that collected data from us related to Covid-19, other news has agitated Brussels in matters of private information.
Europol, the European Police Office (Europol), the EU law enforcement agency, will have to remove massive amounts of data from citizens that we are not related to any crime, by order of the European Data Protection Supervisor (EDPS).
The serious thing about this matter is that there are defenders of Data Protection who warn that the European police agency had such a quantity of data that could have become an NSA-style spy agency in the United States, as published by The Guardian, which has had information on documents handled by Europol.
An investigation since 2019
The Data Protection authority has ordered Europol to erase 4 petabytes of information on EU citizens. Specifically, the information of all those people who have no link with any criminal activity. This decision concludes an EDPS investigation that started in 2019.
This is an unprecedented decision. The European Data Protection Supervisor (EDPS) says that this sensitive data have been drawn from crime reports, encrypted phone services have been hacked and samples taken from asylum seekers never involved in any crime. The data protection watchdog concludes that this personal information has been accumulated without following the rules.
According to internal documents seen by The Guardian, the Europol cache contains at least 4 petabytes, which equates to 3 million CD-Roms or one-fifth of all content in the United States Library of Congress.
Data to be deleted
Among the quadrillion bytes stored are sensitive data on at least 250,000 current or former terrorism and serious crime suspects, as well as a multitude of people they came in contact with. Have accumulated thanks to information provided by national police authorities for the past six years.
It should be said that in the context of his investigation, the EDPS had already admonished Europol in September 2020 for the continued storage of large volumes of data without categorization of data subjects. This translates to a “risk to the fundamental rights of people”.
In the words of the authorities, although Europol had implemented some measures since then, it has not complied with the EDPS’s requests to define a suitable data retention period for filtering and extract personal data permitted for analysis in accordance with the Law. This means that Europol was keeping this data for longer than necessary.
The EDPS has imposed a storage period of 6 months (to filter and extract personal data). Data sets that the organization has kept for more than six months and that are from people who are not related to any crime should be erased. Therefore, from now on Europol will no longer be able to keep the data of people who are not linked to a crime or criminal activity for long periods of time. The EDPS has granted a period of 12 months for Europol to comply with this decision.
Niovi Vavoula, a law expert at Queen Mary University of London, has said that “the European Commission has spent years attempting to rectify the illegal data retention a posteriori. But remember that these measures that are put in place now do not resolve, in legal terms, the previous illegal conduct.
Europol and the European Interior Minister say otherwise
The Minister of the Interior of the European Union, Ylva Johansson, has been upset with the decision: “The police authorities need tools, resources and time to analyze the data that are transmitted to them legally, “he said.
Europol issued a statement this morning explaining its point of view. It considers that “the EDPS Decision will have an impact on Europol’s capacity to analyze large and complex data sets at the request of EU law enforcement services. “