Europol must delete data collected illegal from individuals

Sicherheit (Pexels, allgemeine Nutzung)[German]The EU police agency Europol has amassed a huge collection of personal data of individuals collected somewhere in the course of investigations, crime reports or hacked messenger services, as well as asylum seekers. This data collection has been done unlawfully, according to the EDPS. Europol was therefore ordered to delete the data of individuals who were never involved in any crime.


The EDPS therefore issued an order to Europol on January 3, 2022, to delete data on individuals who have not been proven to be linked to any criminal activity (Data Subject Categorization). This is according to this notification from the DPO.

The Guardian writes here,  that the data collection is at least 4 petabytes. This corresponds to a quantity of 3 million CD-ROMs. Experts see in the data collection the danger that the European police agency Europol is on the same path to mass surveillance of citizens as the US National Security Agency (NSA).

The order stems from an investigation launched by the EDPS already in 2019, which now ends with this deletion decision. But already in September 2020, Europol was admonished by the EDPS as part of this investigation for continuing to store large amounts of data without categorizing the data subjects. The DPO considered this a risk to the fundamental rights of data subjects.

Although Europol has since taken some measures, Europol has not complied with the EDPS' request to establish a reasonable data retention period to filter and extract the personal data that are allowed for analysis under the Europol Regulation. This means that Europol has kept these data longer than necessary, in violation of the principles of data minimization and retention limitation enshrined in the Europol Regulation. 

In view of this, the EDPS has decided to use his powers to impose a 6-month retention period (to filter and extract the personal data). Records older than 6 months that have not been subjected to this categorization of data subjects must be deleted. This means that Europol will no longer be allowed to keep data on individuals who are not associated with a crime or criminal activity for long periods of time without a fixed deadline. Wojciech Wiewiórowski, EDPS, said:

Europol has dealt with several of the data protection risks identified in the EDPS' initial inquiry. However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation. Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted – a process often lasting years. A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals' rights and freedoms. Furthermore, understanding the operational needs of Europol and the amount of data collected so far, I have decided to grant Europol a period of 12 months to ensure compliance with the Decision for the datasets already in Europol's possession

The EDPS has granted Europol the mentioned period of 12 months to comply with the Decision for the data sets already received before this Decision was notified to Europol.


Cookies helps to fund this blog: Cookie settings


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *