Sunday, October 13, 2024

Europol Ordered To Erase Data On Those Not Linked To Crime

The European Data Protection Supervisor (EDPS), an EU privacy and data protection independent supervisory authority, has ordered Europol to erase personal data on individuals that haven’t been linked to criminal activity.

According to the EDPS, the watchdog considers personal data any identification number, location data, or online identifier associated with an individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.

Europol was notified of this order one week ago, on January 3, 2022. The decision follows an own-initiative inquiry started on April 30, 2019, regarding the EU police body’s use of Big Data Analytics for personal data processing activities.

An order was issued after admonishing Europol in 2020

The EU data watchdog issued this order after admonishing Europol in September 2020 for storing large amounts of data on individuals that haven’t been linked to criminal activity, putting their fundamental rights at risk.

“The EDPS’ Decision is about protecting individuals whose personal data is included in datasets transferred to Europol by EU Member States’ law enforcement authorities,” said the EDPS today [PDF].

“According to the Europol Regulation, Europol is only allowed to process data about individuals who have a clear, established link to criminal activity (e.g. suspect, witness, etc).

“Limiting Europol’s processing of data avoids exposing other individuals who do not all into these categories, therefore minimising the risks associated with having their data processed in Europol’s databases.”

EDPS imposes six months data retention period

Europol failed to comply with obligations under the Europol Regulation to filter and extract crime-related information from its databases.

Recommended:  WordPress 5.8.3 security update fixes SQL injection, XSS flaws

Thus, the EDPS has now also imposed a 6-month retention period on the personal information collected by the police body, which means that Europol must erase all data not filtered within six months its databases to prevent its processing longer than needed.

“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years,” European Data Protection Supervisor Wojciech Wiewiórowski added in a press release published today.

“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms.”

More information on EDPS’ order is available on the EU data watchdog’s website and in the decision published on January 3.

Europol didn’t reply to a request for comment when Real InfoSecurity reached out earlier today.

We think you may like, Unauthenticated RCE in H2 Database Console, why not read now?

Bookmark
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security