Europol unlawfully processing personal data of vast numbers of innocent people, says report

Europol is unlawfully processing the personal data of a vast number of innocent people, says a report by the European Data Protection Supervisor (EDPS). The agency has been given two months to come up with an “action plan” to fix the problem – but in the meantime, despite the serious risks to individual rights identified by the EDPS, the agency is allowed to continue using the techniques.


The “big data challenge”

Europol has what it refers to as a “big data challenge” – how to process vast datasets without breaking its own data protection rules? According to an EDPS report published in redacted form this week (pdf), the challenge has so far proven too much for the agency.

Europol receives vast quantities of data from national law enforcement agencies and elsewhere, and to try to make sense of that data for criminal investigations it has adopted means and methods that do not comply with the legislation governing the agency, says the EDPS, which has issued it with a formal “admonishment”.

“The nature of the data collected at national level in the context of criminal investigations and criminal intelligence operations is not limited anymore to targeted data collection but also increasingly includes the collection of large datasets,” says the report, and the agency makes use of “digital forensics and big data… to exploit these larger volumes of information.”

Europol’s 2019 annual report (pdf) gives an example of the quantity of data sought and received by the agency – in relation to counter-terrorism, it notes, “the volume and complexity of the data per contribution increased considerably as big data dumps of multiple terabytes per investigation are becoming the standard procedure.”

Europol analysts process all the data they receive from the member states and make multiple copies of it as they further refine the datasets. To counter the risks posed by this refining process – such as “loss of technical and factual context and of increased bias in the analysis” – the EDPS report says that Europol maintains “the continuous storage of datasets until the investigation is concluded, and in particular beyond the process of entity extraction.”

Unlawful activities

This is where Europol’s actions have run into legal problems. The 2016 Regulation governing the agency sets out relatively strict rules on how the agency may process data on various categories of persons. For example, the agency can process far more types of data on suspects than it can on victims or witnesses – but the EDPS’ inquiry has shown that “it is not possible for Europol, from the outset, when receiving large data sets to ascertain that all the information contained in these large datasets comply with these limitations.”

The result, says the EDPS, is:

“…a situation where large amounts of personal data for which it is uncertain that they comply with the requirements set up by… the Europol Regulation, are stored on Europol systems for several years. As such, the continued storage of personal data that might go beyond the limits contained in these articles undermines the principle of data minimisation…”

The report underlines that Europol is likely unlawfully processing the personal data of a vast – in fact, unknowable – number of people:

“…there is a high likelihood that Europol continually processes personal data on individuals for whom it is not allowed to do so and retain categories of personal data that go beyond the restrictive list provided in… the Europol Regulation. While the exact amount cannot be quantified, the increase in the use of the [...] observed for the last years clearly shows that the amount of large datasets shared by MS with Europol is rapidly growing.”

The report goes on to set out what this means for individuals:

“The processing of data about individuals in an EU law enforcement database can have deep consequences on those involved. Without a proper implementation of the data minimisation principle and the specific safeguards contained in the Europol Regulation, data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails.” (emphasis added)

A slap on the wrist

The EDPS report concludes by issuing a formal “admonishment” to Europol, and “invites Europol to inform of the action plan to address this admonishment within two months and of the measures taken within six months since the date of this Decision.”

Despite noting that “the risks for data subjects are high and the impact on their fundamental’s [sic] rights and freedoms is severe,” the EDPS concludes that Europol is best placed to find a solution to the problem – for the EDPS to make its proposals, impose an erasure order or ban the unlawful activities, “is not proportionate,” says the report.

However, finding a solution may not be straightforward – the EDPS notes that the “legal concerns identified [are] structural as they relate to Europol’s core working methods.”

The EDPS’ investigation into Europol’s use of big data has been ongoing for some time, and was in fact sparked by Catherine de Boelle, Europol’s Executive Director since May 2018. On 1 April 2019, she “informed the EDPS of major compliance issues with the Europol Regulation in relation to the processing of personal data” – in an information system whose name is redacted through the EDPS report – an issue that is “also referred to as ‘Europol’s big data challenge’.”

A series of meetings and inspections then took place, leading to this week’s report. However, the EDPS has been responsible for supervising Europol since May 2017, and Europol has been receiving increasing amounts of data from member states – and elsewhere – for years.

For example, following the terrorist attacks in Paris and Brussels in 2015, it received over 16.7 terabytes of data. The agency may have faced up to its “big data challenge”, but how long has it been avoiding it for?

Documentation

Find more of our coverage of Europol in the Statewatch database

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error