The European Data Protection Supervisor has been on the heels of Europol over the data retention practices of the law enforcement agency for a few years. The chase came to an end earlier this month when Europol was ordered to delete data concerning individuals with no established link to criminal activity. The EDPS imposed a six month retention period for Europol to filter and extract personal data from its massive storehouse. A twelve month period was granted for compliance regarding datasets that were received before Europol was notified of the decision. The order has again sparked the tired controversy between privacy hawks and state security advocates.

1. Introduction

The European Union Agency for Law Enforcement Cooperation (Europol) is the police agency of the European Union established in 1998 to process criminal intelligence, and combat organized crime and terrorism, through cooperation of EU member states. The agency does not have executive powers and may only arrest suspects with the prior approval of the responsible authorities in member states. (here) The European Cybercrime Centre is the unit of Europol that assists member states in disrupting and dismantling organized cybercrime groups engaged in activities such as economic crime, terrorism, and drug and firearm trafficking. (here) Europol is headquartered in The Hague, The Netherlands.

The European Data Protection Supervisor (EDPS) is the European Union’s independent data protection authority responsible for supervising the processing of personal data by European institutions, bodies and agencies. (here) The EDPS monitors Europol’s processing of personal data to ensure it is lawful according to Article 43 of Regulation (EU) 2016/794 (Europol Regulation). (here) The EDPS may initiate inquiries and monitor Europol’s compliance in relation to a specific topic. The EDPS may also use “corrective powers” to ensure compliance with the Europol Regulation. Corrective powers may include destruction of personal data processed in breach of the Europol Regulation.

On April 30, 2019, the EDPS initiated an inquiry into the processing of large datasets by Europol for the purposes of strategic and operational analysis. The evolution of Europol’s practices had raised concerns over the agency’s compliance with data protection rules contained in the Europol Regulation including principles of purpose limitation, data minimization, storage limitation and the impact of potential data breaches. (here) On September 17, 2020, the EDPS completed the investigation and issued an admonishment to Europol regarding compliance with the principles of data minimization and retention. Europol was urged to implement measures to mitigate deficiencies and risks. But Europol dragged its feet.

2. Retention of Datasets by Europol

On January 3, 2022, the EDPS notified Europol of an order titled EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation. (here) The order requires Europol to erase data concerning individuals with no established link to criminal activity (referred to as data without “Data Subject Categorisation”). There are two aspects of the order that require some elaboration in this instance for anyone unfamiliar with data processing vocabulary. Large datasets are defined as those which, “due to the volume, nature or format of the data they contain”, cannot be processed in the Europol Operational Network. Large datasets lacking a “Data Subject Categorisation” (DSC) refer to those which did not undergo the data classification process “because of their characteristics and notably their size” as provided for in the Europol Regulation.

The protection of individuals whose personal data is included in datasets transferred to Europol by the law enforcement agencies of EU member states lies at the core of the decision. According to the Europol Regulation, the agency is only permitted to process data about individuals who have a clear link to criminal activity. Limiting Europol’s processing of data avoids exposing other individuals who do not fall into this category but are swept up in the data transfers to Europol by EU member states. The requirement of a DSC minimizes the risks associated with processing in Europol’s databases.

The technological problem is that the data received by Europol from EU member states is so vast that it is not possible for Europol to immediately distinguish data related to individuals who have a clear link to criminal activity from other data without carrying out an assessment. Europol has therefore been housing these datasets in its systems for lengthy periods of time – even years. By ordering Europol to erase datasets older than six months, the EDPS has aimed to ensure that the data of individuals with no clear link to criminal activity is not processed in Europol’s systems any longer than necessary.

In an article titled A data ‘black hole’: Europol ordered to delete vast store of personal data published in The Guardian edition of January 10, 2022, free lance researcher Apostolis Fotiadis and his team discussed what privacy experts call the “big data ark” containing billions of points of information. “Sensitive data in the ark,” they said, “has been drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime.” (here) According to internal documents seen by The Guardian, and to put the immensity of the trove into perspective, Europol’s cache contains at least “4 petabytes – equivalent to 3m CD-Roms or a fifth of the entire contents of the US Library of Congress.” It is little wonder Europol can’t process it effectively.

According to the Fotiadis team, only a handful of Europeans are aware of their data being stored by Europol and “none is known to have been able to force disclosure.” Political activist Frank van der Linde, who was placed on a terror watchlist in The Netherlands and later removed, “is one of the rare visible threads in an otherwise unseen mesh.” His only serious encounter with the police resulted when he broke a window “to gain entrance to a building and create a squat for homeless people”. Prior to being removed from the watchlist in 2019, he moved to Berlin which prompted Dutch authorities to share his data with their German counterparts and Europol. He discovered his “entanglement with Europol” when he saw a partly declassified file at Amsterdam city hall.

3. Statement by Europol

On January 11, 2022, Europol issued a press release titled Europol’s Statement on the Decision of the European Data Protection Supervisor. (here) The agency said investigations in cases such as terrorism, cybercrime and child abuse frequently involve a period longer than six months. It will be assessing the impact of the decision and its potential consequences for “ongoing investigations as well as the possible negative impact on the security for EU citizens.” The Europol statement also briefly referred to “Data Subject Categorisation” that it described as “the act of identifying in these datasets suspects, potential future criminals, contacts and associates, victims, witnesses and informants linked to criminal activities.” It is the retention of datasets to identify potential future criminals that I will single out because it sounds a lot like predictive policing.

Predictive policing involves the use of algorithms to analyze massive amounts of information in order to predict and, theoretically, prevent future crimes. Location-based analysis uses preexisting crime data to identify places and times that have a high risk of crime. Person-based analysis attempts to identify individuals or groups likely to commit a crime by analyzing risk factors such as past arrests. Person-based analysis has also been used to identify individuals likely to be a victim of a crime. (here) Although proponents of predictive policing argue that predictive analytics can help predict crime more accurately than traditional police methods, the technique has been widely criticized as a self-fulfilling prophesy that perpetuates racial inequality. (here)

4. The Tired Controversy

The decision drew immediate responses from the privacy and security camps about where to draw the line although it is confounding that the debate persists. The European Union’s Commissioner for Home Affairs, Ylva Johansson, was quick to criticize the decision. “Law enforcement authorities need the tools, resources and the time to analyze data that is lawfully transmitted to them,” she told The Guardian. “In Europe, Europol is the platform that supports national police authorities with this herculean task.” Ms. Johansson suggested that smaller police agencies are unable to make sense of big data without relying on Europol’s expertise. Privacy advocates, however, welcomed the ruling as an affirmation of the digital rights of all EU citizens. “This decision shows once again that in the EU the rights to privacy and to data protection are fundamental rights and are protected as such, even when the pressure on these rights comes from policing,” said Gabriela Zanfir-Fortuna of the Future of Privacy Forum think tank based in Washington, D.C. (here)

The privacy interest of EU citizens in their personal data, and others swept up in Europol’s systems with them, cannot be overstated. Not unlike the U.S. National Security Agency, data is collected by Europol from a wide variety of sources used by law enforcement agencies across the European Union. We may now add to that a biometric database containing fingerprints, facial scans and travel information recently given the go-ahead by the European Parliament. The data provided to Europol by law enforcement agencies includes information provided by private citizens, corporations and other institutions to aid with investigations. The volume of data stored in Europol’s systems, four petabytes, has been estimated to amount to “hundreds of billions of pages of printed text”. The heart of the decision, then, is this. Europol cannot collect personal data and only process it when it is necessary for an investigation. As Wojciech Wiewiorowski, the data protection supervisor, said to The Guardian: “This is something that doesn’t comply with the European approach to processing personal data.”

5. Conclusion

Let me step back and restate the rule set down by the decision. It is a narrow rule based on necessity and proportionality. Europol must erase datasets older than six months that are lacking Data Subject Categorisation. The six month retention period should achieve two things. First, it should give Europol sufficient time to extract critical data and provide support to the authorities of EU member states. Second, it should protect the rights of EU citizens and other individuals whose data is in Europol’s databases. As the EDPS said: “Without putting in place the safeguards provided in the Europol Regulation, individuals run the risk of being wrongfully linked to a criminal activity across the EU, with all the potential damage to their private and professional lives that this entails.”