EU orders Europol to delete data on citizens who have not committed crimes
Catalin Cimpanu January 10, 2022

Europol, the law enforcement agency of the European Union (EU), has been ordered today to delete its massive database of information on EU citizens that it collected in recent years if the agency did not link subjects to any ongoing criminal activity.

The decision was announced today by the European Data Protection Supervisor (EDPS), an independent EU supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection.

The EDPS said that Europol has one year to comply with its decision, during which time the law enforcement agency must filter its database and delete any information on EU citizens who are not part of criminal investigations.

Europol will be allowed to process personal information as part of investigations, but the data on those not linked to crimes must be erased after six months.

“This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline,” the EDPS said in a press release today.

In documents released today detailing its investigation, the EDPS said it had tried to negotiate with Europol on a common strategy for dealing with its massive data collection and storage procedures, but the two agencies did not manage to reach a common point of view, and the EDPS decided to “use its corrective powers and to impose a 6-month retention period.”

Investigation began in 2019

The EDPS has been investigating Europol since April 2019 and issued a preliminary report in September 2020, admonishing Europol for its dragnet data collection practices, which the EDPS described as “a significant risk to individuals’ fundamental rights.”

The data protection agency said that Europol introduced “a number of technical measures” to ensure that the collected data was stored securely, but it argued that the unfettered and secretive data collection mechanism needed to be narrowed down.

“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms,” Wojciech Wiewiórowski, the current European Data Protection Supervisor, said today.

Europol’s database was compiled using information provided by national law enforcement agencies, private industry partners, and the EU itself, and included everything from personal details to biometrics and work and travel information.

The decision today will reignite conversations about the efficacy of law enforcement investigations when agencies are restricted to accessing information in due time.

When news broke in September 2020 about Europol’s database and data retention policies, the agency was accused of trying to build an NSA-like mass surveillance program.

The Record has asked Europol to comment on today’s ruling.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.