The European Data Protection Supervisor (EDPS) has ordered European Union law enforcement agency Europol to delete any data it has on individuals that's over six months old, provided there's no link to criminal activity.
EDPS says it probed Europol's collection of large datasets for strategic and operational analysis from April 2019 until September 2020. The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan.
According to regulations, "personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed," and "personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed."
Which, to be fair, is a vague directive allowing for multiple interpretations.
Indeed the EDPS found Europol's interpretation and subsequent actions to correct the data management inadequate, despite the pan-Europe police body implementing technical measures to separate and secure datasets to minimize chances of data misuse.
One beef the EDPS had was that Europol didn't specify a time limit for its extraction process or a maximum retention period on datasets that didn't include data subject categories. Europol cited [PDF] the nature of long-running criminal investigations as its reason for needing longer retention periods.
- Canon: Chip supplies are so bad that our ink cartridges will look as though they're fakes
- The James Webb Space Telescope has only gone and deployed its primary mirror
- BeOS rebuild / Haiku has a new feature / that runs Windows apps
EDPS appointee Wojciech Wiewiórowski said in a canned statement:
Europol has dealt with several of the data protection risks identified in the EDPS' initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.
On January 3rd, after some back and forth between the parties, the watchdog narrowed the room for Europol's interpretation on regulations via directives.
The supervisor said:
…the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased.
This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.
Europol is also going to have to provide implementation reports every three months for one year. Argh paperwork, right?
The database is an aggregate of several sources of information, both public and private, and includes a swath of information ranging from biometrics to data relating to an individual's work and travel.
"Without putting in place the safeguards provided in the Europol Regulation, individuals run the risk of being wrongfully linked to a criminal activity across the EU, with all the potential damage to their private and professional lives that this entails," said the EDPS in a document. ®
- Czech Republic
- San Marino
- United Kingdom