European Data Protection Supervisor (EDPS) Wojciech Wiewiórowski notified an order Monday directing the European Union Agency for Law Enforcement Cooperation (Europol) to erase datasets uncategorized within six months, since they could potentially contain data on individuals with no link to criminal activity.
Annex II.B and Articles 18(3) and 28(1) of the Europol Regulation allow Europol to extract and process personal data only on subjects in certain categories, like suspects, victims, witnesses and informants of a crime, as well as “potential future criminals” and their contacts.
In an inquiry conducted in 2019, the EDPS found that large datasets collected and used by Europol for big data analytics could not undergo data subject categorization due to their size, leading to data being extracted from it beyond these permitted categories. Hence, he issued an admonition to Europol in 2020 stating its use of big data analytics did not comply with the principles of data minimization and storage limitation under the regulation. He urged Europol to implement measures to mitigate the high risk of privacy breaches and of wrongfully linking people to criminal activity.
Europol, however, maintained it would retain datasets “as long as is necessary and proportionate” for investigation and fix no time limit for the retention of datasets as suggested by the EDPS. It claimed the provisional six-month limit set by the EDPS in response was insufficient given the “large and complex” nature of datasets and lengthy nature of criminal investigations.
The EDPS found that Europol often retained data for over three years, magnifying privacy risks. He decided that since categorization of large datasets could not happen without first processing all personal data, including of people not covered by Annex II.B, setting a time limit would allow for categorization while preventing risks.
Accordingly, he ordered that data subject categorization be completed within six months of reception for new datasets and 12 months for existing datasets, at the expiry of which they should be erased if categorization is not complete. Before categorization, no data can be processed apart from as strictly necessary for categorization itself.
On Tuesday, Europol responded to the EDPS decision.