10 January 2022
On 3 January 2022, the EDPS notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.
In the context of its inquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.
In light of the above, the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
Wojciech Wiewiórowski, EDPS, said:
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation. Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years. A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms. Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the Decision for the datasets already in Europol’s possession.”
The EDPS is confident that the order will ensure Europol’s compliance with its obligations under the Europol Regulation while maintaining its operational capabilities.
The rules for data protection applicable to the EU’s Agency for Law Enforcement Cooperation (Europol), as well as the supervisory tasks of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2016/794 (Europol Regulation). The powers of the EDPS over Europol are laid down in Article 43 of Regulation (EU) 2016/794.
About the EDPS Inquiry and admonishment on Europol’s Big Data Challenge:
On 30 April 2019, the EDPS decided to open an own-initiative inquiry on the processing of large datasets by Europol for purposes of strategic and operational analysis. The evolution of Europol’s personal data processing activities of large datasets raised concerns linked to the compliance with Europol’s data protection rules as laid down in the Europol Regulation, in particular with the principles of purpose limitation, data minimisation, data accuracy, storage limitation, the impact of potential data breaches, location of storage, general management and information security. On 17 September 2020, the EDPS concluded his investigation and issued an admonishment to Europol as structural issues remained, in particular with regard to complying with the principles of data minimisation (compliance with Annex II B of the Europol Regulation) and data retention. The EDPS urged Europol to implement all necessary and appropriate measures to mitigate the risks to individuals as a result of such personal data processing activities. Europol was also invited to inform the EDPS of its action plan to address this admonishment.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal data: see EDPS Glossary
Processing personal data: see EDPS Glossary
Principle of data minimisation: According to Article 28(1)(c) of Regulation No 2016/794, personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed.
Principle of storage limitation: According to Article 28(1)(e) of Regulation No 2016/794, personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.