08 October 2020
Europol is unlawfully processing the personal data of a vast number of innocent people, says a report by the European Data Protection Supervisor (EDPS). The agency has been given two months to come up with an “action plan” to fix the problem – but in the meantime, despite the serious risks to individual rights identified by the EDPS, the agency is allowed to continue using the techniques.
The “big data challenge”
Europol has what it refers to as a “big data challenge” – how to process vast datasets without breaking its own data protection rules? According to an EDPS report published in redacted form this week (pdf), the challenge has so far proven too much for the agency.
Europol receives vast quantities of data from national law enforcement agencies and elsewhere, and to try to make sense of that data for criminal investigations it has adopted means and methods that do not comply with the legislation governing the agency, says the EDPS, which has issued it with a formal “admonishment”.
“The nature of the data collected at national level in the context of criminal investigations and criminal intelligence operations is not limited anymore to targeted data collection but also increasingly includes the collection of large datasets,” says the report, and the agency makes use of “digital forensics and big data… to exploit these larger volumes of information.”
Europol’s 2019 annual report (pdf) gives an example of the quantity of data sought and received by the agency – in relation to counter-terrorism, it notes, “the volume and complexity of the data per contribution increased considerably as big data dumps of multiple terabytes per investigation are becoming the standard procedure.”
Europol analysts process all the data they receive from the member states and make multiple copies of it as they further refine the datasets. To counter the risks posed by this refining process – such as “loss of technical and factual context and of increased bias in the analysis” – the EDPS report says that Europol maintains “the continuous storage of datasets until the investigation is concluded, and in particular beyond the process of entity extraction.”
This is where Europol’s actions have run into legal problems. The 2016 Regulation governing the agency sets out relatively strict rules on how the agency may process data on various categories of persons. For example, the agency can process far more types of data on suspects than it can on victims or witnesses – but the EDPS’ inquiry has shown that “it is not possible for Europol, from the outset, when receiving large data sets to ascertain that all the information contained in these large datasets comply with these limitations.”
The result, says the EDPS, is:
“…a situation where large amounts of personal data for which it is uncertain that they comply with the requirements set up by… the Europol Regulation, are stored on Europol systems for several years. As such, the continued storage of personal data that might go beyond the limits contained in these articles undermines the principle of data minimisation…”
The report underlines that Europol is likely unlawfully processing the personal data of a vast – in fact, unknowable – number of people:
“…there is a high likelihood that Europol continually processes personal data on individuals for whom it is not allowed to do so and retain categories of personal data that go beyond the restrictive list provided in… the Europol Regulation. While the exact amount cannot be quantified, the increase in the use of the [...] observed for the last years clearly shows that the amount of large datasets shared by MS with Europol is rapidly growing.”
The report goes on to set out what this means for individuals:
“The processing of data about individuals in an EU law enforcement database can have deep consequences on those involved. Without a proper implementation of the data minimisation principle and the specific safeguards contained in the Europol Regulation, data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails.” (emphasis added)
A slap on the wrist
The EDPS report concludes by issuing a formal “admonishment” to Europol, and “invites Europol to inform of the action plan to address this admonishment within two months and of the measures taken within six months since the date of this Decision.”
Despite noting that “the risks for data subjects are high and the impact on their fundamental’s [sic] rights and freedoms is severe,” the EDPS concludes that Europol is best placed to find a solution to the problem – for the EDPS to make its proposals, impose an erasure order or ban the unlawful activities, “is not proportionate,” says the report.
However, finding a solution may not be straightforward – the EDPS notes that the “legal concerns identified [are] structural as they relate to Europol’s core working methods.”
The EDPS’ investigation into Europol’s use of big data has been ongoing for some time, and was in fact sparked by Catherine De Bolle, Europol’s Executive Director since May 2018. On 1 April 2019, she “informed the EDPS of major compliance issues with the Europol Regulation in relation to the processing of personal data” – in an information system whose name is redacted throughout the EDPS report – an issue that is “also referred to as ‘Europol’s big data challenge’.”
A series of meetings and inspections then took place, leading to this week’s report. However, the EDPS has been responsible for supervising Europol since May 2017, and Europol has been receiving increasing amounts of data from member states – and elsewhere – for years.
For example, following the terrorist attacks in Paris and Brussels in 2015, it received over 16.7 terabytes of data. The agency may have faced up to its “big data challenge”, but how long has it been avoiding it for?
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: 10 Queen Street Place, London EC4R 1BE. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.