Accused of serious breaches of European regulations on personal data, the Europol agency has one year to delete a large part of the information accumulated and stored illegally.
The European Data Protection Supervisor (EDPS) announced on Monday, January 10 that he had sent Europol, the European agency specializing in combating international crime (organized fraud, counterfeiting, money laundering, etc.) and terrorism, an order requiring it to delete personal information relating to people with no established connection to criminal activity. The EDPS gives Europol one year to comply with the decision, which is enforceable. The deletion concerns billions of pieces of personal data: 4.2 million GB, or 4.29×10⁹ MB more precisely.
Europol was first warned in 2020, without ceasing its illegal practices
The investigation started on April 30, 2019. After long months of preliminary investigations, the European watchdog reprimanded Europol for the first time on September 17, 2020. He criticized the agency, based in The Hague (Netherlands), for the continuous storage of particularly large volumes of data. It should be noted that these data did not concern individuals linked to criminal cases falling within its remit. The EDPS therefore informed Europol of the risk that such practices posed to the fundamental rights of data subjects. It was a first call to order for the agency, which claims to assist in more than 40,000 international investigations each year.
However, Europol, which had put certain measures in place, was unable to meet the expectations of the EDPS. The latter had asked it to define a retention period for personal data that complies with the regulations in force. The principle is that Europol cannot hold data beyond a certain period. This period should be used for pre-analysis and filtering of the data. The deadline, which is sufficiently long at the outset, should allow it to respond to any requests from its 27 Member States, which can then request technical and analytical support.
“Europol kept this data longer than necessary”, says the European supervisor. The agency is therefore in breach of its own regulation, which enshrines the principles of data minimization and storage limitation. This is why the EDPS required Europol to respect a 6-month deadline to filter and extract personal information. Beyond that, the data of people unrelated to a criminal case within its jurisdiction must be purely and simply erased.
The EDPS has decided to give Europol 12 months, starting from 3 January 2022, to comply with the decision. The European supervisor seems “convinced that the ordinance will ensure that Europol meets its obligations under the Europol Regulation, while maintaining its operational capacities”. In addition, the decision states that Europol will have to submit a report on the implementation of the decision to the EDPS every three months. This document must detail the categorization of the data and their deletion.
Retention of many kinds of data, on a rare scale, comparable to mass surveillance
To date, the billions of pieces of data still retained by Europol are of many kinds. Our colleagues from The Guardian have had access to additional internal documents from which it appears that Europol’s cache would contain 4 petabytes, or millions of gigabytes, as we said earlier, or a fifth of the content of the US Library of Congress. Data protection advocates liken the case to mass surveillance and see Europol as the European counterpart to the NSA, the US National Security Agency.
The data accumulated over the last six years relate to more than 250,000 current or past suspects of criminal or terrorist acts, as well as all the persons with whom they were in contact. And the excesses have gone even further, since other internal documents report on the development by Europol, in 2020, of a tool supported by AI and machine learning, using facial recognition in particular.
The algorithms would not be used to recover sensitive data (health, ethnic origin, political or sexual orientation, etc.), but Europol has admitted that this data would be processed by its tools and that their processing would comply with its regulation, and therefore with its missions.
Behind the scenes, there is also a game of cat and mouse between the supervisor and the agency. To date, Europol has reportedly slowed down on this machine learning program. But a recent campaign to recruit experts in the development of artificial intelligence and data mining raises concerns about Europol’s ability to hoover up and then use the information collected over the long term.
Europol may still decline to apply the EDPS decision. The agency has two months to bring this order before the Court of Justice of the European Union, which will then rule definitively. It is, at this stage, unlikely that it will come to that, given the seriousness of the grievances.
(Decision), The Guardian