Europol ordered to delete petabytes of data not clearly linked to crime

The image is by Alex Castro.

The European Union's law enforcement agency, Europol, has been ordered to destroy a huge store of personal data from police agencies in EU member states over the past six years. The deletion order came from the European Data Protection Supervisor.

Europol has a year to review its databases and remove any data that cannot be linked to a criminal investigation.

According to a report in The Guardian, Europol has a total volume of data that is equivalent to hundreds of billions of pages of printed text and includes data on at least a quarter of a million current or former terror and serious crime suspects. National police authorities in EU countries shared the data from their criminal investigations with Europol.

Europol did not comply with the requests of the EDPS to define an appropriate data retention period.

The initial investigation into Europol's handling of sensitive data concluded that it was storing personal data on crime and terrorism suspects without adequate checks on whether they were justified. The notice of admonishment was sent to Europol for failing to comply with data regulations and putting EU residents at risk of being wrongly linked to criminal activity.

Europol has put in place some measures since then, but has not complied with the requests of the EDPS to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation.

In the absence of a clear course of action, the EDPS has given Europol a year to sort through existing data to find out what can be legally kept, and ordered it to destroy any newly collected data that is not categorized within six months.

It is unclear the precise types of data Europol want to hold onto, but we know they are large datasets consisting of at least part of data about people who Europol do not currently feel they can categorise.

Veale said that storing data that falls outside of certain categories raised concerns that Europol was conducting unwarranted surveillance on groups that were stereotyped as being suspicious or dangerous.

The decision from EDPS will cause a lot of debate over where the EU should draw the line between privacy and security. The EU Home Affairs Comissioner, Ylva Johansson, expressed her displeasure shortly after the decision was announced.

Law enforcement authorities need the tools, resources, and time to analyse data that is lawful, according to Johansson. Europol is the platform that supports national police authorities.

Smaller national police departments would not be able to make sense of big data without using Europol's expertise, as suggested by Johansson.

It is not possible for policing that does not respect fundamental rights to be effective.

The ruling was celebrated as an uphold of EU citizens' digital rights.

The Future of Privacy Forum thinks that the rights to privacy and to data protection are fundamental rights and are protected even when the pressure on these rights comes from policing.

Police activities need to follow the legal framework. The effectiveness of policing that does not respect fundamental rights can't be determined.