Europol told to hand over personal data to Dutch activist labelled "terrorist" by Dutch police

Topic
Country/Region
EU

Europol has been admonished by the European Data Protection Supervisor for the second time this year, for failing to comply with a request from a Dutch political activist to access the data held on him by the policing agency. The European Data Protection Supervisor's investigation found a series of failings by the agency to comply with the law, at a time when its powers to gather and process data have been vastly increased by a recent legal reform.

Press release published by Frank van der Linde, Romain Lanneau and Fair Trials on 14 September 2022.

Europol told to hand over personal data to Dutch activist

Europol “has not demonstrated the necessity” to refuse Dutch activist Frank van der Linde access to the personal data the agency holds on him, according to a formal decision of the European Data Protection Supervisor (EDPS), the supervisory authority for Europol with regard to data protection, which also reveals that Europol tried to delete van der Linde’s data to try to avoid complying with the request.

Europol had previously denied van der Linde access to his data, saying that some had been deleted from their operational database and some could not be shared because of confidentiality requirements over national security concerns. However, after a two-year investigation, the EDPS has ordered Europol to provide van der Linde with the “full set of information which he is entitled to receive” according to the law governing Europol.[1]

The EDPS decision comes at a time when there are increasing concerns[2] about Europol’s lack of respect for the protection of the fundamental rights to data protection in its operations, and with the agency now able to wield new data-processing powers thanks to a recent legal reform[3].

Frank van der Linde responded to the decision:

“Discovering that data has been sent to Europol labelled crime area terrorism is a nightmare. Finding out that Europol deleted my file after I asked for it, is real horror. And how do I know now if Europol told the truth to the EDPS?”      

Legal Director (Europe) of Fair Trials, Laure Baudrihaye Gérard said:

“This decision is welcome but Mr van der Linde should not have had to appeal to the EDPS or endure such a lengthy investigation. Europol cannot be allowed to operate without accountability or oversight. For too long, Europe’s institutions have turned a blind eye to its mass surveillance.  We need proper oversight and regulation, as well as redress for those who are caught up in Europol’s mass data collection.”

Background

Frank van der Linde is a Dutch left-wing activist involved “in various social media platforms, protests and initiatives against racism and discrimination,” according to a description by the EDPS of a message sent by the Dutch Police to Europol. Despite having no criminal records he was put under surveillance by the Dutch police and listed as a potential terrorist suspect.

After a series of access requests to the Dutch police, van der Linde was made aware that his personal information had been sent to Europol. In 2019, he asked Europol if it held his personal data. In June 2020, he was informed that: “there are no data concerning you at Europol to which you are entitled to have access”.

Legal complaint

To exercise his right of access to personal data, and in particular to rectify any incorrect information kept by the European police agency, van der Linde contested the decision of Europol to the EDPS.

Investigation by the EDPS

Previous investigations by the EDPS have taken up to seven months,[4] but Europol’s lack of cooperation meant it took two years.

Initially, when the EDPS asked Europol to review van der Linde’s personal data processed by the agency, they were told that it had been deleted. Only when two Europol officers travelled in person with a secure laptop to Brussels was the EDPS able to consult the data. 

The investigation found that there have been two sets of personal data stored about the complainant. The Dutch Police sent personal data to Europol, which they asked the agency to delete after van der Linde made an access request. Europol also stored information on the Twitter account of van der Linde linked to an ongoing investigation on a person of interest in the Netherlands.

EDPS findings

The EDPS rebutted Europol justifications for not disclosing Frank’s personal data.

  1. On the exemption for confidentiality reasons over Europol operation

The right of access can be restricted to guarantee that Europol fulfil its tasks properly (Article 36.6, Europol Regulation). However, this exemption cannot be invoked in all cases and without justifications.

The EDPS called out Europol for restraining van der Linde’s right of access while failing to produce an internal assessment describing how disclosure would impact the operations of the European Police Agency.

  1. On the deletion of personal data following an access request

As soon as van der Linde submitted his request, they attempted to clear out all evidence that the agency had indeed received and stored his personal data. The EDPS investigation shows that the Dutch Police and Europol thought that deleting the data from Europol’s operational database” could be a solution to the problem”[5]. This is a clear attempt to obstruct van der Linde’s fundamental data protection right of access. Van der Linde’s right to know what data was shared with Europol and made available to other law enforcement authorities in Europe was clearly undermined.

The EDPS warned that “should Europol have erased (permanently deleted) the personal data concerning the complainant, this would constitute a failure to cooperate with the EDPS and a serious infringement of the Europol Regulation.”

What’s next:

Europol and  van der Linde can bring new elements within one month from the decision to revise the decision of the EDPS. Any action against the decision can be brought to the Court of Justice of the European Union within two months.

The EDPS neither gave a timeline for Europol to comply with its decision nor imposed any sanction (fine for example) in case of non-compliance.

Notes to Editors

Contact Romain Lanneau, Legal Advisor for Frank van der Linde, romainlanneau [at] proton.com to access the full decision by the EDPS.

Find out more about Frank van der Linde: Website, Twitter

Notes

[1] There have been two previous decisions by the EDPS concerning individuals contesting a decision of Europol on their right to have access to their personal data. The most recent decision (accessed through a freedom of information request) took four months and two pages. In comparison, van der Linde waited 1 year and 11 months and the decision goes runs to 26 pages in length. The EDPS admonished Europol in January this year for breaking the law in its mass gathering and processing of personal data.

[2] The Dutch counter terrorism-unit asked Europol to “let them know whether the deletion could be a solution to the problem” Case 2020-0908, 2.7.

[3] Article 36 (and in particular Article 36(5)) of the Europol Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0794#d1e2959-53-1

[4] European Digital Rights, Europol’s ever-increasing mandate: European Parliament failed to stand up for fundamental rights (5 May 2022) https://edri.org/our-work/europols-ever-increasing-mandate-european-parliament-failed-to-stand-up-for-fundamental-rights/

[5] EDPS, Press Release, Amended Europol Regulation weakens data protection supervision (27 June 2022) https://edps.europa.eu/press-publications/press-news/press-releases/2022/amended-europol-regulation-weakens-data_en


Image: Roel Winants, CC BY NC 2.0

 

Spotted an error? If you've spotted a problem with this page, just click once to let us know.

Report error