The EU’s data protection watchdog has called for rules effectively legalising the 'irresponsible' handing of data by Europol to be scrapped.
scrapping of new rules that effectively legalise the ‘irresponsible’ handling of data by law enforcement agency Europol.
The fresh complaints come months after the European Data Protection Supervisor (EDPS) ordered the law enforcement agency to delete a huge cache of personal information. It deemed this practice to be a violation of GDPR and human rights law.
Europol ordered to delete huge cache of unlawfully stored data UK gov faces legal action over Test and Trace data retention General Data Protection Regulation (GDPR)
Following the EDPS’ public allegations of data mishandling, made in January, the Court of Justice of the European Union (CJEU) introduced two new provisions to the 2016 Europol Regulation that aimed to, according to the EDPS, “legalise retroactively” Europol’s data practices.
Articles 74a and 74b of the amended Europol Regulation - the provisions most recently added and the ones contested by the EDPS - “undermine” the watchdog's powers, it said.
“The EDPS had to apply for an annulment of articles 74a and 74b of the amended Europol Regulation for two reasons,” the EDPS said. “Firstly, to protect legal certainty for individuals in the highly sensitive field of law enforcement where the processing of personal data implies severe risks for data subjects.
“Secondly, to make sure that the EU legislator cannot unduly ‘move the goalposts’ in the area of privacy and data protection, where the independent character of the exercise of a supervisory authority’s enforcement powers requires legal certainty of the rules being enforced.”
Added to the Europol Regulation in June 2022, the provisions specifically relate to Europol’s retention of data on individuals with no proven link to criminal activity.
Europol is alleged to be holding on to data belonging to individuals far longer than the current regulations allow it to.
The EDPS’ January complaint revealed that Europol was sitting on 4TB of data on at least 250,000 individuals said to be linked with crime. This was collected over a period of six years from a variety of European national law enforcement authorities.
The EU’s data watchdog aimed to impose rules on Europol that the data it collected on people should be assessed within six months and if no criminal link was found, then it should be erased in a timely manner.
Specifically, the supervising authority sought to enforce Data Subject Categorisation for each individual whose data was collected - a stipulation of the Europol Regulation.
Such categorisation seeks to clearly define why a given individual is having their data retained, be it because they are suspected of committing a crime, convicted of a crime, or suspected witnesses of a crime, among other categories.
Privacy experts speaking to IT Pro in January expressed sympathy for Europol given the large amount of data it is required to triage, but also said the amount of data held would be tantamount to “mass surveillance” in the eyes of some.
The EDPS said the provisions “establish a worrying precedent” that threatens the independence of the supervising authority and undermines the legal certainty for people’s personal data.
The situation raises debate around individuals’ right to privacy against the need for national security - one that emerges in so many areas of technology such as consumers’ access to end-to-encrypted messaging services.
It’s difficult to arrive at an absolute conclusion on such matters given the strength of the cases for both sides. Some argue, such as heads of state, that national security must take precedence over an individual’s privacy.
Others disagree and popular arguments often highlight that such an allowance could theoretically spiral towards a green-lit mass surveillance programme, for example. A large proportion of the IT industry also agrees that ending end-to-end encryption would adversely affect society at large
