The EU’s police agency, Europol, will be forced to delete the majority of a huge store of personal information that it has been found to have gathered unlawfully by the bloc’s data protection watchdog. The data collected unlawfully includes information from crime reports, hacked from encrypted phone services and sampled from asylum seekers that have never been involved in any crime.
According to internal documents seen by the Guardian, Europol’s cache contains at least 4 petabytes – equivalent to 3m CD-Roms and billions of points of data. Data protection advocates say the volume of information held on Europol’s systems amounts to mass surveillance and is a step on its road to becoming a European counterpart to the US National Security Agency (NSA), the organisation whose clandestine online spying was revealed by whistleblower Edward Snowden.
Among the stacks of unlawfully collected data is the sensitive personal data of at least a quarter of a million current or former terror and serious crime suspects, plus people they have come in contact with. The items have been placed into the ‘data ark’ of Europol by police authorities over the last six years, in large ‘data dumps’, with little thought of what was being placed into the system.
Now, the data watchdog has ordered Europol to delete the data collected unlawfully, plus any held for more than six months and gave it a year to sift through the rest to see what can legally be kept. The confrontation pits the EU data protection watchdog against a powerful security agency being primed to become the centre of machine learning and AI in policing. The ramifications of the standoff between the police organisation and the watchdog are far-reaching and have implications for the future of privacy in Europe.
The EU home affairs commissioner, Ylva Johansson appeared to defend Europol. “Law enforcement authorities need the tools, resources and the time to analyse data that is lawfully transmitted to them,” she said. “In Europe, Europol is the platform that supports national police authorities with this herculean task.”
Europol denies any wrongdoing around the data collected unlawfully, and said the watchdog may be interpreting the current rules in an impractical way: “[The] Europol regulation was not intended by the legislator as a requirement which is impossible to be met by the data controller [ie Europol] in practice.”
Europol had worked with the EDPS “to find a balance between keeping the EU secure and its citizens safe while adhering to the highest standards of data protection”, the agency said.
In theory, Europol is subject to tight regulation over what kinds of personal data it can store and for how long. Incoming records are meant to be strictly categorised and only processed or retained when they have potential relevance to high-value work such as counter-terrorism. But the full contents of what it holds are unknown, in part because of the haphazard way that EDPS found Europol to be treating data.
Thank you for taking the time to read this article, do remember to come back and check The Euro Weekly News website for all your up-to-date local and international news stories and remember, you can also follow us on Facebook and Instagram.