Europol ordered to delete personal data of people not linked to crime

The European Data Protection Supervisor (EDPS) ordered Europol to delete huge amounts of personal data which belongs to people not tied to criminal activity.

The EDPS began its investigation into Europol’s data storage activities back in 2019. Already in 2020, Europol was warned about keeping information with no Data Subject Categorisation, which was deemed a risk to individuals’ rights, according to the report.

Despite the warning, limited measures were adopted in response. The existing regulations on data minimization prevent Europol from holding on to peoples’ data for longer than necessary, but they did so anyway, failing to establish a data retention period to process information required for analysis.

“There has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation. Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted - a process often lasting years,” Wojciech Wiewiórowski, the head of the EDPS, said in a statement.

According to the Guardian’s insights into internal documents, Europol’s cache contains at least 4 petabytes. This data has been accumulated over the last six years, and includes information on a quarter of a million crime suspects (both current and former) as well as a pool of people they’ve been in contact with.

As a result, the EDPS enforced a 6-month retention period for filtering and extracting the necessary data. All information older than the established period should be deleted, meaning that if no criminal ties are found, data will no longer be stored.

“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimizing the risks to individuals’ rights and freedoms,” Wiewiórowski added.

While some experts supported the decision to prevent taking the route towards mass surveillance, others saw it as a serious security issue.

“The potential risk of the decision is huge. If a member state or national police cannot use Europol to help with the analysis of big data...then they will be blind because a lot of national police forces do not have the capacity to deal with this big data,” Ylva Johansson, the European commissioner for home affairs, told Politico.

Europol, in turn, suggested that they have been cooperating with the EDPS to strike a balance between individual rights and national security, but the authority’s views on the existing laws put them in a tough position.

“[The] Europol regulation was not intended by the legislator as a requirement which is impossible to be met by the data controller [Europol] in practice,” Europol suggested, the Guardian reports.

More from CyberNews:

Hackers steal $18.7 million from Animoca Brands' sports NFT platform

KCodes NetUSB vulnerability: millions of routers exposed to RCE attacks

Privacy in the metaverse: dead on arrival?

Nervos integrates with Pastel Network to protect from NFT scams and hacks

Novel scam employs QR codes and crypto ATMs

Subscribe to our newsletter