The European Data Protection Supervisor has given a 12-month ultimatum to Europol to implement the EDPS' data protection measures, with deleting the vast pile of unlawfully held personal information being the priority.
In the past six years, Europol has accumulated over four petabytes of data relating to at least 250,000 individuals, most of which don't have any established link to criminal activities. The European Data Protection Supervisor (EDPS) has decided to put an end to this abusive practice.
Another Snowden scenario
This is not the first time that the EDPS has issued a warning to Europol. The situation escalated because Europol has made no noteworthy improvements in over a year since the EDPS first discovered that Europol was unlawfully storing this data. The most alarming part, however, is that Europol has not conducted any Data Subject Categorisation in over six years, and it kept most of the data for far longer than was necessary – violating the basic principles of minimization of data storage enshrined in the Europol Regulations.
The information retained includes not only data on a quarter of a million crime suspects, but also of other people with whom the suspects came in contact. The quadrillions of bytes of data have been accumulated from national criminal investigations in the past six years. Basically, anyone living in Europe could be on these lists and not even know it.
Privacy advocates all over the world are infuriated with Europol's practice of hoarding such exorbitant amounts of data and its reluctance to erase it more than a year after the EDPS' warning. Some already compare this case of massive data abuse by Europol to the NSA's mass surveillance scheme revealed by Edward Snowden in 2013.
Seeing that Europol has failed to comply with the initial requests set in September 2020, the EDPS took more strict corrective measures to ensure that European Union's law enforcement agency makes the mandatory adjustments this time. For example, each file older than six months that doesn't undergo Data Subject Categorisation has to be erased. Europol will also have to submit regular reports to the EDPS with detailed updates on the progress of implementing these measures. These reports are to be submitted every quarter over the next 12 months (within the grace period given to Europol to complete the corrections).
Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analyzed and extracted - a process often lasting years.
Selecting and categorizing such a tremendous quantity of data in such a short period certainly won't be a simple job. Still, the EDPS insists that it's time Europol adheres to the data protection legislation. Finally, the EDPS reiterated that six months is a big enough time frame for Europol to extract the crucial information from datasets when helping the law enforcement authorities in the EU.
Privacy vs. security
The EDPS findings and warnings have reignited the debate about which should be given priority in a free society – protection of the individual's rights to privacy or protection of national security. However, even the most adamant advocates of the second can't ignore the fact that, in this instance, the agency that was supposed to enforce the law has breached some of the most important EU legislation.
Besides, the size of the databases, and the use of mass surveillance they imply, are something one would expect to see in totalitarian regimes and dictatorships, not the EU. Finally, the idea that we can't trust our law enforcement bodies to properly handle the collection, categorization, and retention of data during investigations is utterly disheartening. Europol has an important task to complete, and to complete it quickly, if it wants to preserve what's left of its dignity and integrity.