Europol Ordered to Delete Data Not Tied to InvestigationsEU Law Enforcement Agency Given 6 Months to Review All New Datasets; Seeks More Time
The EU's law enforcement agency, Europol, has been ordered by a watchdog to delete any personal data it stores pertaining to people living in Europe unless it demonstrably pertains to individuals with links to a criminal investigation.
See Also: Case Study: The Road to Zero Trust
The order was issued Jan. 3 by European Data Protection Supervisor Wojciech Wiewiórowski. The EDPS is an independent supervisory authority responsible for monitoring the use of personal data by European institutions, bodies and agencies, including Europol.
Europol has served as Europe's law enforcement agency since 1999, while also facilitating the exchange of intelligence between EU member states. But for how long Europol should keep the data provided to it, and for what purpose, is not clear.
So in April 2019, Europol approached the EDPS "to seek guidance on the processing of large and complex datasets which are collected in lawful, judicial investigations," and furnished to Europol by member states "to help with their processing and analysis." Europol says it has been and continues to follow the guidance being issued by the EDPS.
Per the regulation, "Europol is only allowed to process data about individuals who have a clear, established link to criminal activity - e.g. suspect, witness, etc.," the EDPS says.
Any such link will be specified via a process called "data subject categorization." Europol says "the DSC is the act of identifying in these datasets suspects, potential future criminals, contacts and associates, victims, witnesses and informants linked to criminal activities."
Unless personal data has a DSC, Europol should not retain it, the EDPS says. But the 2016 Europol Regulation does not specify a maximum period for completing the DSC. In addition, one "big data" challenge for Europol is that it must determine the DSC for all information that gets shared by member states.
Europol's "collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analyzed and extracted - a process often lasting years," says Wiewiórowski, a Polish national who was appointed in December 2019 to serve as the EDPS for a five year-term, after serving as the assistant European data protection supervisor for the five years prior.
Now, the EDPS has specified a maximum period that data can be held before the DSC has been determined: six months.
#EDPS orders @Europol to erase data concerning individuals with no established link to a criminal activity
Read Press Release https://t.co/vXWXVKp3w3
Read FAQ https://t.co/XRa3QigVGr
Read decision https://t.co/ncq9YlOT8h pic.twitter.com/tK7vfijOf5— EDPS (@EU_EDPS) January 10, 2022
Specifically, a Jan. 3 decision from the EDPS, published Monday, orders Europol to delete all information it stores pertaining to individuals who reside in the EU - known as "data subjects" - unless the data has the appropriate DSC, after six months.
"Limiting Europol's processing of data avoids exposing other individuals who do not fall into these categories, therefore minimizing the risks associated with having their data processed in Europol's databases," the EDPS says.
Europol Seeks Increased Time to Classify Data
Responding to the order, Europol says the specified maximum timeframe for determining the DSC will undercut its ability to conduct investigations and support member states, with such support often requiring more than six months of analytical work.
"The EDPS decision will impact on Europol's ability to analyze complex and large datasets at the request of EU law enforcement," Europol tells Information Security Media Group. "This concerns data owned by member states and operational partners and provided to Europol in connection with investigations supported within its mandate. It includes: terrorism, cybercrime, international drugs trafficking and child abuse, among others."
Responding to the order, EU Home Affairs Commissioner Ylva Johansson, who oversees law enforcement cooperation and security strategy, says that "law enforcement authorities need the tools, resources and the time to analyze data that is lawfully transmitted to them," noting that "in Europe, Europol is the platform that supports national police authorities with this Herculean task."
Johansson, a Swedish politician who has held her post since 2019, is also calling for Europol to be given more time to process data. "Striking the right balance between the right to protection of personal data and the protection of citizens from serious crime is at the heart of the revision of the Europol Regulation that I proposed last year," she says. "It is now very important to conclude the negotiations swiftly, and adopt and implement the strengthened mandate for Europol."
A European Commission spokesperson tells ISMG that "in our proposal for a revised Europol mandate, we proposed a retention period for the pre-analysis of big data of at least one year with possible extension of one year subject to authorization by the EDPS."
The 2016 regulation to which Europol is subject governs how it handles, protects and processes personal data. "In the light of the fundamental right to the protection of personal data, Europol should not store personal data for longer than is necessary for the performance of its tasks," the regulation states. "The need for continued storage of such data should be reviewed no later than three years after the start of its initial processing."
The regulation also requires that "Europol should ensure that data are processed fairly and lawfully, and are collected and processed for a specific purpose." As a "data controller," it says, Europol should also ensure that data gets "stored no longer than is necessary for that purpose, and processed in a manner that ensures appropriate security of personal data and confidentiality of data processing."
'Big Data' Challenge
The EDPS has no ability to fine Europol. But it can legally order the agency to rectify, erase or destroy data. In addition, EDPS is requiring Europol to provide it with a report every three months for the next year that details its compliance with the order.
Just because Europol is storing personal data that it received from EU member states that does not have a DSC does not mean that the information does or does not pertain to a criminal investigation. One challenge for the law enforcement agency will now be having to review the data it's storing, to determine the DSC to see if it should be retained or not.
"Given the volumes of information contained in the datasets received by EU member states' law enforcement agencies in recent years, it is not possible for Europol to distinguish immediately data related to individuals who have a clear, established link to criminal activity from other data, without carrying out an assessment," the EDPS says.
Given the likely work involved in implementing this, the EDPS is giving Europol 12 months to comply. If the agency has not complied by Jan. 3, 2023, then the watchdog has ordered it to delete all personal data it stores that is more than six months old and lacks a data subject classification.
"The EDPS aims to ensure that individuals' data with no clear link to any crime or criminal activities is not processed in Europol's systems for longer than is necessary," it says.
Again, Europol says that it plans to request a longer period for determining the DSC. "Europol will seek the guidance of its management board and will assess the EDPS decision and its potential consequences for the agency's remit and for ongoing investigations and the possible negative impact on the security for the citizens in the EU," it says.
Data Security Improvements
The EDPS order issued last week follows its September 2020 "admonishment" to Europol, after it found that the law enforcement agency's storage of individuals' personal details - sometimes for years - when they had no demonstrable tie to an investigation or criminal activity violated their rights. At that time, in response to a request from the EDPS, Europol "introduced a number of technical measures" pertaining to the data sets it receives, which include ensuring that they get "stored in a separate and secure environment, therefore minimizing the chances that this raw and unverified data is used for law enforcement analysis, or further shared with other law enforcement bodies," the watchdog says.
But the EDPS says Europol showed "no significant progress" in complying with its September 2020 request that Europol specify for how long it would retain data for which no DSC had yet been determined.
With the order issued last week, the watchdog has now defined what that data retention period must be: Starting Tuesday, all new data sets received by Europol must now undergo data subject categorization within six months and be erased after six months if they lack this categorization. Also, Europol has 12 months to determine the DSC for all existing datasets.
The watchdog says it believes this time period strikes the right balance between facilitating investigations and protecting people's rights. "The EDPS believes that this will enable Europol to extract any critical data it needs from the datasets received for operational purposes, and to provide the necessary support to EU member states' authorities," it says.
"A six-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU member states relying on Europol for technical and analytical support, while minimizing the risks to individuals' rights and freedoms," Wiewiórowski says. "Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the decision for the datasets already in Europol's possession."