Privacy watchdog steps up fight against Europol's hoarding of personal data

An EU watchdog says rules that allow Europol cops to retain personal data on individuals with no links to criminal activity go against Europe's own data privacy protections, not to mention undermining the regulator's powers and role.

As such, the European Data Protection Supervisor (EDPS) has asked Europe's top court to toss out two amendments to the Europol Regulation that took effect on June 28 enabling this data hoarding by the police.

In court documents filed this month, EDPS claimed the new provisions retroactively legalize Europol's practice of storing personal data on people not linked to criminal activity — a practice the watchdog has sanctioned the law enforcement agency for in the past, and in January ordered Europol to delete such information.

So in summary, EDPS told the police at the start of the year to not hoard these records, and then months later European lawmakers authorized the practice by updating the rules, leading to the supervisor challenging the amendments.

The regulator's order to delete people's data stemmed from an investigation that took place between April 2019 and September 2020, and concluded Europol harvested and retained too much information on too many individuals for far too long.

To remedy this, the order required the European cops to check to see if an individual was linked to criminal activity within six months of collecting their personal data. If those folks had no nefarious ties, then the law enforcement agency was supposed to erase the private information.

"A six-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimizing the risks to individuals' rights and freedoms," EDPS head Wojciech Wiewiorowski said in a statement earlier this year.

The pan-Europe police, for its part, cited [PDF] the nature of long-running criminal investigations as its reason for needing longer retention periods.

• EU data watchdog to Europol: You've helped yourself to too much data
• Look who's fallen foul of Europe's data retention rules. France and Germany
• San Francisco cops can use private cameras to live-monitor 'significant events'
• Federal agencies buying Americans' internet data challenged by US senators

And this is where EDPS' legal maneuvering comes into play. The data watchdog agency has asked the Court of Justice of the European Union to throw out the amended rules for two reasons, Wiewiorowski said.

"Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement, where the processing of personal data implies risk for data subjects," Wiewiorowski said in a statement on Thursday. 

"Secondly, to make sure that the EU legislator cannot unduly 'move the goalposts' in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority's enforcement powers requires legal certainty of the rules being enforced," he added.

The amendments also set a "worrying precedent" that data protection, and the agency tasked with enforcing this, will be subject to "political will," EDPS argued.

This, of course, never (cough) happens in modern-day politics. ®