For six years, Europol has illegally collected large data sets. The European Data Protection Supervisor (EDPS) gives the criminal police agency 12 months to comply with the law.
It is described as a “data black hole”, and Europol (European Police Office) is compared to an emerging NSA. British daily The Guardian reveals that the European Data Protection Supervisor (EDPS) has discovered what privacy experts are calling a “Big data arch”. This data, extracted from crime reports, hacked from encrypted telephone services and sampled from asylum seekers who have never been involved in any crime, would form a cluster of at least four petabytes of data and would be available to people. ‘Europol, the European criminal police agency which supports national police forces in numerous investigations.
According to the media, this sensitive data concerns at least 250,000 suspects, current or past, of acts of terrorism or serious crimes, as well as a multitude of other people with whom they came into contact. This collection has been spread over the last six years, in a series of data collection from an unknown number of criminal investigations. The investigations of the European Data Protection Supervisor began in 2019.
Europe calls for data cleaning
The rule of the game is, however, the following: Europol legally has six months after receipt of data to establish the link with criminal activity. From this period, they must be deleted. Thus, the European data protection gendarme announced, on Monday January 10, 2022, to have ordered Europol to delete data concerning people with no established link to criminal activity.
“As part of his investigation, the EDPS reprimanded Europol in September 2020 for the continuous storage of large volumes of data without categorization of data subjects, which poses a risk to the fundamental rights of individuals, explains the EDPS. Although certain measures have been put in place by Europol since then, the agency has not responded to requests from the EDPS to define an appropriate data retention period to filter and extract authorized personal data for the purposes of analysis under the Europol regulation. This means that Europol kept this data longer than necessary, contrary to the principles of data minimization and storage limitation, enshrined in the Europol regulation ”.
The EDPS therefore decided to use his powers and impose on the European Police Office a retention period of six months to filter and extract personal data. All data older than six months that has not undergone this categorization of data subjects must be erased. The authority gave the European police agency 12 months to comply.
Busy years for Europol
Can these Europol practices explain some of the agency’s successes? In 2020, the European police officer was involved in a huge crackdown, that of the hacking of the EncroChat encrypted telephone service. The operation extracted data from 120 million messages and tens of millions of call records, images and notes. This data has in part led to thousands of arrests around the world.
In June 2021, Europol also revealed its participation in the Anom project. The data of 27 million messages exchanged on Anom by nearly 11,000 smartphones scattered in 100 countries passed through the hands of European police and the FBI, in particular, before the operations led to more than 700 searches, more than 800 arrests. and the seizure of drugs, weapons and crypto-assets.