European Data Protection Supervisor orders Europol to erase data concerning individuals with no established link to a criminal activity

On 3 January 2022, the European Data Protection Supervisor (EDPS) notified Europol of an order to delete data concerning individuals with no established link to a criminal activity (Data Subject Categorisation). This Decision concludes the EDPS’ inquiry launched in 2019.

In the context of its inquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation, which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.  

In light of the above, the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.

Wojciech Wiewiórowski, EDPS, said: “Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation. Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted - a process often lasting years. A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms. Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the Decision for the datasets already in Europol’s possession.”

The EDPS is confident that the order will ensure Europol’s compliance with its obligations under the Europol Regulation while maintaining its operational capabilities.

For more information, read the EDPS Decision and the "Frequently Asked Questions" document on the EDPS website. 

(edps.europa.eu / freepik.com)

Comments

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Daily Mail publisher wins case against ‘success fees’ paid to lawyers (ECtHR)

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

European Data Protection Board clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification