16 September 2022
Europol has been admonished by the European Data Protection Supervisor for the second time this year, for failing to comply with a request from a Dutch political activist to access the data held on him by the policing agency. The European Data Protection Supervisor's investigation found a series of failings by the agency to comply with the law, at a time when its powers to gather and process data have been vastly increased by a recent legal reform.
Press release published by Frank van der Linde, Romain Lanneau and Fair Trials on 14 September 2022.
Europol told to hand over personal data to Dutch activist
Europol “has not demonstrated the necessity” to refuse Dutch activist Frank van der Linde access to the personal data the agency holds on him, according to a formal decision of the European Data Protection Supervisor (EDPS), the supervisory authority for Europol with regard to data protection, which also reveals that Europol tried to delete van der Linde’s data to try to avoid complying with the request.
Europol had previously denied van der Linde access to his data, saying that some had been deleted from their operational database and some could not be shared because of confidentiality requirements over national security concerns. However, after a two-year investigation, the EDPS has ordered Europol to provide van der Linde with the “full set of information which he is entitled to receive” according to the law governing Europol.
The EDPS decision comes at a time when there are increasing concerns about Europol’s lack of respect for the protection of the fundamental rights to data protection in its operations, and with the agency now able to wield new data-processing powers thanks to a recent legal reform.
Frank van der Linde responded to the decision:
“Discovering that data has been sent to Europol labelled crime area terrorism is a nightmare. Finding out that Europol deleted my file after I asked for it, is real horror. And how do I know now if Europol told the truth to the EDPS?”
Legal Director (Europe) of Fair Trials, Laure Baudrihaye Gérard said:
“This decision is welcome but Mr van der Linde should not have had to appeal to the EDPS or endure such a lengthy investigation. Europol cannot be allowed to operate without accountability or oversight. For too long, Europe’s institutions have turned a blind eye to its mass surveillance. We need proper oversight and regulation, as well as redress for those who are caught up in Europol’s mass data collection.”
Frank van der Linde is a Dutch left-wing activist involved “in various social media platforms, protests and initiatives against racism and discrimination,” according to a description by the EDPS of a message sent by the Dutch Police to Europol. Despite having no criminal records he was put under surveillance by the Dutch police and listed as a potential terrorist suspect.
After a series of access requests to the Dutch police, van der Linde was made aware that his personal information had been sent to Europol. In 2019, he asked Europol if it held his personal data. In June 2020, he was informed that: “there are no data concerning you at Europol to which you are entitled to have access”.
To exercise his right of access to personal data, and in particular to rectify any incorrect information kept by the European police agency, van der Linde contested the decision of Europol to the EDPS.
Investigation by the EDPS
Previous investigations by the EDPS have taken up to seven months, but Europol’s lack of cooperation meant it took two years.
Initially, when the EDPS asked Europol to review van der Linde’s personal data processed by the agency, they were told that it had been deleted. Only when two Europol officers travelled in person with a secure laptop to Brussels was the EDPS able to consult the data.
The investigation found that there have been two sets of personal data stored about the complainant. The Dutch Police sent personal data to Europol, which they asked the agency to delete after van der Linde made an access request. Europol also stored information on the Twitter account of van der Linde linked to an ongoing investigation on a person of interest in the Netherlands.
The EDPS rebutted Europol justifications for not disclosing Frank’s personal data.
The right of access can be restricted to guarantee that Europol fulfil its tasks properly (Article 36.6, Europol Regulation). However, this exemption cannot be invoked in all cases and without justifications.
The EDPS called out Europol for restraining van der Linde’s right of access while failing to produce an internal assessment describing how disclosure would impact the operations of the European Police Agency.
As soon as van der Linde submitted his request, they attempted to clear out all evidence that the agency had indeed received and stored his personal data. The EDPS investigation shows that the Dutch Police and Europol thought that deleting the data from Europol’s operational database” could be a solution to the problem”. This is a clear attempt to obstruct van der Linde’s fundamental data protection right of access. Van der Linde’s right to know what data was shared with Europol and made available to other law enforcement authorities in Europe was clearly undermined.
The EDPS warned that “should Europol have erased (permanently deleted) the personal data concerning the complainant, this would constitute a failure to cooperate with the EDPS and a serious infringement of the Europol Regulation.”
Europol and van der Linde can bring new elements within one month from the decision to revise the decision of the EDPS. Any action against the decision can be brought to the Court of Justice of the European Union within two months.
The EDPS neither gave a timeline for Europol to comply with its decision nor imposed any sanction (fine for example) in case of non-compliance.
Notes to Editors
Contact Romain Lanneau, Legal Advisor for Frank van der Linde, romainlanneau [at] proton.com to access the full decision by the EDPS.
 There have been two previous decisions by the EDPS concerning individuals contesting a decision of Europol on their right to have access to their personal data. The most recent decision (accessed through a freedom of information request) took four months and two pages. In comparison, van der Linde waited 1 year and 11 months and the decision goes runs to 26 pages in length. The EDPS admonished Europol in January this year for breaking the law in its mass gathering and processing of personal data.
 The Dutch counter terrorism-unit asked Europol to “let them know whether the deletion could be a solution to the problem” Case 2020-0908, 2.7.
 Article 36 (and in particular Article 36(5)) of the Europol Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0794#d1e2959-53-1
 European Digital Rights, Europol’s ever-increasing mandate: European Parliament failed to stand up for fundamental rights (5 May 2022) https://edri.org/our-work/europols-ever-increasing-mandate-european-parliament-failed-to-stand-up-for-fundamental-rights/
 EDPS, Press Release, Amended Europol Regulation weakens data protection supervision (27 June 2022) https://edps.europa.eu/press-publications/press-news/press-releases/2022/amended-europol-regulation-weakens-data_en
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.