Europol—the government body responsible for quashing organized crime and terrorist activities across the European Union—has long been in the crosshairs of privacy advocates over its judicious use of citizen surveillance. Now, it’s looking like some European authorities are starting to feel the same; the European Data Protection Supervisor (EDPS) announced on Monday that it ordered Europol to delete a huge swath of the data it had compiled on EU citizens. The data free-for-all has prompted many critics to accuse Europol of building the European equivalent of the NSA’s invasive databases.
The EDPS gave Europol one year to filter its database and delete any intel on EU citizens that isn’t linked to any ongoing criminal investigations. While Europol will be able to keep on processing people’s personal data as part of investigations moving forward, data that’s unrelated to crime-doers is now required to be deleted after six months, instead of being retained indefinitely. According to a new Guardian report released the same day as the EDPS’s announcement, Europol had amassed upwards of four petabytes of data from people living across the European Union over the past few years.
“Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation,” the EDPS said in Monday’s announcement. “This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation.”
Europol’s databases get compiled from a slew of sources at law enforcement agencies across the European Union and (shockingly!) the European Parliament, which recently green-lit the creation of a massive biometric database cobbled together from the fingerprints, facial scans, and travel documents processed at border checkpoints. And of course, there’s a network of private industry partners regularly feeding their data into Europol’s systems to aid with investigations.
The EDPS, which functions as a watchdog group to keep EU authorities’ data practices in check, has been on Europol’s case for a while. For the past three years, the group has been investigating Europol’s treatment of sensitive data. In 2019, the agency first found that the massive datasets regularly shared with Europol weren’t being checked to ensure that they actually contained data about criminals, as opposed to innocent civilians. A year later, the EDPS publicly called out Europol for continuing to process these innocent parties’ data, despite the fact that doing so could wrongfully link these people with criminal activity.
Docs that were released today detailing the EDPS’s ongoing investigation show some of the details of how Europol pushed back against the EDPS’s requests. “Despite requests from the EDPS, Europol continues to refuse to define a maximum data retention period for the processing of datasets,” the EDPS writes, explaining that instead, Europol insisted on retaining these massive troves of data… well, however long it liked. So instead of continuing to wait around, the EDPS decided to use its “corrective powers” to impose the aforementioned six-month retention policy.