Europol has been storing troves of personal data of Europeans with no proven link to crime. The European Data Protection Supervisor has ordered Europol to erase it. But given the EU Commission’s efforts to legalize its practices, it may never have to.
BY:
Andrea Nicci
Legal Affairs Reporter
PROJECT COUNSEL MEDIA
12 January 2022 – Earlier this week the European Data Protection Supervisor (EDPS) ordered law enforcement agency Europol to erase data concerning individuals who have no established link to crime. The order comes after the EDPS in September 2020 said Europol was likely to have mishandled troves of personal data in breach of the agency’s own rules. A redacted version was made public, although a full version quickly circulated. There was a “high likelihood” the EU’s law enforcement agency was processing data on people for whom it did not have the right to do so, the EDPS said at the time.
NOTE: founded as a coordinating body for national police forces in the EU and headquartered in The Hague, Europol has been pushed by some member states as a solution to terrorism concerns in the wake of the 2015 Bataclan attacks and encouraged to harvest data on multiple fronts. In theory, Europol is subject to tight regulation over what kinds of personal data it can store and for how long. Incoming records are meant to be strictly categorised and only processed or retained when they have potential relevance to high-value work such as counter-terrorism. But the full contents of what it holds are unknown, in part because of the haphazard way that EDPS found Europol to be treating data.
Now, the EDPS, which oversees EU institutions’ data handling practices, says it’s not satisfied with Europol’s response to the letter. The EDPS said Europol has not complied with its requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis, meaning the law enforcement agency was keeping this data for longer than allowed:
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.
Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted — a process often lasting years”.
Under the EDPS’ order, Europol will not be able to hold on to data of people who haven’t been linked to a crime for longer than six months. Reading through the decision and the accompanying press releases, EDPS said it probed Europol’s collection of large datasets for strategic and operational analysis from April 2019 until September 2020 (note: the database is an aggregate of several sources of information, both public and private, and includes a swath of information ranging from biometrics to data relating to an individual’s work and travel). The investigation concluded the law enforcement agency needed to up its game when it came to data minimisation and retention and encouraged Europol to make necessary changes and then let the EDPS know of its action plan. It said that, according to regulations:
“personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which this data is processed and personal data processed by Europol shall be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed.”
Which, to be fair, is a vague directive allowing for multiple interpretations. Europol was also quick to respond. A spokesperson for Europol played down the breach, saying:
“the issue is not about a ‘misuse of the data’ but relates to the restrictions of the use of large datasets based on the current Europol Regulation. Europol is in a position to devise mitigation measures that can both reduce further the risks for data subjects and ensure that Europol can meet the expected operational demand from Member States”.
Europol, which is set to have its mandate expanded under EU proposals, has a year to comply with this order.
Well, kind of. Given the EU Commission’s efforts to legalize its practices, it may never have to. The Commission backed Europol in a quick response. Home Affairs Commissioner Ylva Johansson said she was in contact with EU capitals to propose a new law that would legalize this kind of data storage:
“I’m worried the potential risk of the decision by EDPS to delete the illegal data is huge. If a member state or national police cannot use Europol to help with the analysis of big data when they have national cases, then they will be blind.”
Yes, there are reports of truly Kafkaesque cases that have led lawyers and EU parliamentarians to call for stricter controls on the agency. Der Spiegel cites the case of a lawyer whose private communications with clients Europol is apparently refusing to delete. In another case I read, a Dutch activist was removed from a surveillance list by his government, but information remained stored at Europol, which refused to answer his requests for disclosure of what personal info it held.
To the EDPS we are dealing with dystopian dimensions. Said EDPS head Wojciech Wiewiórowski Monday in a statement accompanying the decision:
“Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted — a process often lasting years”.
And there are some bad precedents. In 2019, the EDPS warned there was a “high likelihood” the EU’s law enforcement agency was processing data on people for whom it did not have the right to do so. Lawyers compared the practice to searching the apartments of an entire neighborhood for evidence of a crime.
But almost every “law enforcement” organisation in the EU supports the EU Commission stance and wants the Europol database to stay as is. Spooks gonna spook.
Oh, and how quickly everybody forgets. It was just in 2020 that Europol was being trumpeted for its involvement together with French and Dutch police in hacking the encrypted phone service EncroChat, unleashing a torrent of personal data into the ark. When the secret operation was revealed by Europol and its judicial counterpart, Eurojust, it was hailed as one of the biggest successes in battling organised crime in Europe’s history. In the UK alone, about 2,600 people were taken into custody by August 2021 and Nikki Holland, the director of investigations at the UK National Crime Agency, compared the hack to “having an inside person in every top organised crime group in the country”.
Europol copied the data extracted from 120m EncroChat messages and tens of millions of call recordings, pictures and notes, then parcelled it out to national police forces. The flood of evidence of drug trafficking and other offences drowned out qualms about the implications of the operation. The hacking operation that turned EncroChat phones into mobile spies acting against their users has important similarities with surveillance malware such as Pegasus.
Right now a big part of this EDPS decision and the response is that Europol is trying to kick the can down the road in order for some potential legislation to get through the EU parliament that absolves them of a lot of the privacy requirements, or the Commission absolves them.
And the political pressure on the EDPS will be high. As we noted last year, EU law enforcement agencies have some pretty interesting files on politicians. Plus, as we also noted last year, the Commission and Europol have quietly put forth the notion that Europol has an aspiration to become Europe’s NSA in terms of mass surveillance of its citizens. Security must trump privacy. We saw an example of this last year when Europol’s boss, previously Belgium’s top cop, co-wrote an op-ed in July 2021 which argued that the needs of law enforcement agencies to extract evidence from smartphones should trump privacy considerations.
Plus, irony abounds. Europol is using similar arguments to those used by the NSA to defend bulk data collection operations and mass surveillance as revealed by Snowden. What the NSA said to Europeans after the Prism scandal started was that they are not processing the data, they are just collecting it and they will process it only in case it is necessary for the investigation they are doing.
BOTTOM LINE: the confrontation pits the EU data protection watchdog against a most powerful security agency that is being primed to become the centre of machine learning and AI in policing. Europol has developed its own machine learning and AI programs, which include facial recognition tools, even as the EU data watchdog was snapping at its heels. Finding itself with a growing cache of data, the agency turned to algorithms to make sense of it all.
Get out your 🍿