The European Data Protection Supervisor (EDPS), an EU privacy and data protection independent supervisory authority, has ordered Europol to erase personal data on individuals that haven’t been linked to criminal activity.
According to the EDPS, the watchdog considers personal data any identification number, location data, or online identifier associated with an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
Europol was notified of this order one week ago, on January 3, 2022. The decision follows an own-initiative inquiry started on April 30, 2019, regarding the EU police body’s use of Big Data Analytics for personal data processing activities.
An order was issued after admonishing Europol in 2020
The EU data watchdog issued this order after admonishing Europol in September 2020 for storing large amounts of data on individuals that haven’t been linked to criminal activity, putting their fundamental rights at risk.
“The EDPS’ Decision is about protecting individuals whose personal data is included in datasets transferred to Europol by EU Member States’ law enforcement authorities,” said the EDPS today [PDF].
“According to the Europol Regulation, Europol is only allowed to process data about individuals who have a clear, established link to criminal activity (e.g. suspect, witness, etc).
“Limiting Europol’s processing of data avoids exposing other individuals who do not all into these categories, therefore minimising the risks associated with having their data processed in Europol’s databases.”
EDPS imposes six months data retention period
Europol failed to comply with obligations under the Europol Regulation to filter and extract crime-related information from its databases.
Thus, the EDPS has now also imposed a 6-month retention period on the personal information collected by the police body, which means that Europol must erase all data not filtered within six months its databases to prevent its processing longer than needed.
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years,” European Data Protection Supervisor Wojciech Wiewiórowski added in a press release published today.
“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms.”
More information on EDPS’ order is available on the EU data watchdog’s website and in the decision published on January 3.
Europol didn’t reply to a request for comment when Real InfoSecurity reached out earlier today.
We think you may like, Unauthenticated RCE in H2 Database Console, why not read now?
