EU data watchdog to Europol: You've helped yourself to too much data

Law enforcement agency now has one year to delete any data older than 6 months not related to criminal activity

The European Data Protection Supervisor (EDPS) has ordered European Union law enforcement agency Europol to delete any data it has on individuals that's over six months old, provided there's no link to criminal activity.

EDPS says it probed Europol's collection of large datasets for strategic and operational analysis from April 2019 until September 2020. The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan.

According to regulations, "personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed," and "personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed."

Which, to be fair, is a vague directive allowing for multiple interpretations.

Indeed the EDPS found Europol's interpretation and subsequent actions to correct the data management inadequate, despite the pan-Europe police body implementing technical measures to separate and secure datasets to minimize chances of data misuse.

One beef the EDPS had was that Europol didn't specify a time limit for its extraction process or a maximum retention period on datasets that didn't include data subject categories. Europol cited [PDF] the nature of long-running criminal investigations as its reason for needing longer retention periods.

EDPS appointee Wojciech Wiewiórowski said in a canned statement:

Europol has dealt with several of the data protection risks identified in the EDPS' initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.

On January 3rd, after some back and forth between the parties, the watchdog narrowed the room for Europol's interpretation on regulations via directives.

The supervisor said:

…the EDPS has decided to use its corrective powers and to impose a 6-month retention period (to filter and to extract the personal data). Datasets older than 6 months that have not undergone this Data Subject Categorisation must be erased.

This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline. The EDPS has granted a 12-month period for Europol to comply with the Decision for the datasets already received before this decision was notified to Europol.

Europol is also going to have to provide implementation reports every three months for one year. Argh paperwork, right?

The database is an aggregate of several sources of information, both public and private, and includes a swath of information ranging from biometrics to data relating to an individual's work and travel.

"Without putting in place the safeguards provided in the Europol Regulation, individuals run the risk of being wrongfully linked to a criminal activity across the EU, with all the potential damage to their private and professional lives that this entails," said the EDPS in a document. ®

Broader topics

Other stories you might like

  • Microsoft's do-it-all IDE Visual Studio 2022 came out late last year. How good is it really?

    Top request from devs? A Linux version

    Review Visual Studio goes back a long way. Microsoft always had its own programming languages and tools, beginning with Microsoft Basic in 1975 and Microsoft C 1.0 in 1983.

    The Visual Studio idea came from two main sources. In the early days, Windows applications were coded and compiled using MS-DOS, and there was a MS-DOS IDE called Programmer's Workbench (PWB, first released 1989). The company also came up Visual Basic (VB, first released 1991), which unlike Microsoft C++ had a Windows IDE. Perhaps inspired by VB, Microsoft delivered Visual C++ 1.0 in 1993, replacing the little-used PWB. Visual Studio itself was introduced in 1997, though it was more of a bundle of different Windows development tools initially. The first Visual Studio to integrate C++ and Visual Basic (in .NET guise) development into the same IDE was Visual Studio .NET in 2002, 20 years ago, and this perhaps is the true ancestor of today's IDE.

    A big change in VS 2022, released November, is that it is the first version where the IDE itself runs as a 64-bit process. The advantage is that it has access to more than 4GB memory in the devenv process, this being the shell of the IDE, though of course it is still possible to compile 32-bit applications. The main benefit is for large solutions comprising hundreds of projects. Although a substantial change, it is transparent to developers and from what we can tell, has been a beneficial change.

    Continue reading
  • James Webb Space Telescope has arrived at its new home – an orbit almost a million miles from Earth

    Funnily enough, that's where we want to be right now, too

    The James Webb Space Telescope, the largest and most complex space observatory built by NASA, has reached its final destination: L2, the second Sun-Earth Lagrange point, an orbit located about a million miles away.

    Mission control sent instructions to fire the telescope's thrusters at 1400 EST (1900 UTC) on Monday. The small boost increased its speed by about 3.6 miles per hour to send it to L2, where it will orbit the Sun in line with Earth for the foreseeable future. It takes about 180 days to complete an L2 orbit, Amber Straughn, deputy project scientist for Webb Science Communications at NASA's Goddard Space Flight Center, said during a live briefing.

    "Webb, welcome home!" blurted NASA's Administrator Bill Nelson. "Congratulations to the team for all of their hard work ensuring Webb's safe arrival at L2 today. We're one step closer to uncovering the mysteries of the universe. And I can't wait to see Webb's first new views of the universe this summer."

    Continue reading
  • LG promises to make home appliance software upgradeable to take on new tasks

    Kids: empty the dishwasher! We can’t, Dad, it’s updating its OS to handle baked on grime from winter curries

    As the right to repair movement gathers pace, Korea’s LG has decided to make sure that its whitegoods can be upgraded.

    The company today announced a scheme called “Evolving Appliances For You.”

    The plan is sketchy: LG has outlined a scenario in which a customer who moves to a locale with climate markedly different to their previous home could use LG’s ThingQ app to upgrade their clothes dryer with new software that makes the appliance better suited to prevailing conditions and to the kind of fabrics you’d wear in a hotter or colder climes. The drier could also get new hardware to handle its new location. An image distributed by LG shows off the ability to change the tune a dryer plays after it finishes a load.

    Continue reading

Biting the hand that feeds IT © 1998–2022