On January 3, 2022, Europol, the law enforcement agency of the European Union (EU), was ordered to delete a number of personal data collected from police agencies in member states.

The decision comes from the European Data Protection Supervisor (EDPS).

It is an independent EU privacy and data protection supervisory authority.

“Personal data” means location data or any data relating to an identification number or an online identifier associated with the physical, physiological, genetic, mental, economic, cultural or social identity of an individual.

“The EDPS decision aims to protect individuals whose personal data is included in datasets transferred to Europol by law enforcement authorities of EU member states,” the EDPS said.

What is the volume of data concerned?

With each criminal investigation, the national police authorities of EU countries share data with Europol.

The European police body can thus help them more effectively in their searches and investigations.

According to a


report , the total amount of data stored in Europol's systems is around 4 petabytes, or 1,000,000 gigabytes.

The files are said to relate to at least a quarter of a million people.

A recall order

The order follows an own-initiative inquiry opened on 30 April 2019. The EDPS suspected Europol of carrying out data processing activities going beyond its mandate. Specifically, the controller accuses Europol of having stored large amounts of data on individuals not linked to any criminal activity, thus putting their fundamental rights at risk.

The EDPS had already reprimanded the crime agency two years ago "for the continuous storage of large volumes" of data without categorizing the data subjects.

“Which poses a risk to the fundamental rights of people,” the organization concluded.

Suspects, victims, informants, individuals to be monitored… The controller had asked Europol to clearly classify the persons concerned by the data retrieved.

And therefore, to delete information about "non-criminal" people.

A period of six months

“Although certain measures have been put in place by Europol since then, Europol has not complied with requests from the EDPS to define an appropriate data retention period to filter and extract personal data authorized for analysis under the Europol Regulation", explains the EDPS.

In other words, Europol kept this data longer than necessary.

The body therefore did not comply with the storage limitation principles listed in the Europol Regulation.

The EDPS therefore imposed a new retention period.

In other words, Europol has six months to erase all data that has not been filtered by its services.

The aim is to prevent their treatment in the long term.

In twelve months, the agency will have to prove that the data retained is criminally relevant.

Here is how the body justifies the delay: "A period of six months for the pre-analysis and screening of large datasets should allow Europol to meet the operational demands of EU member states that rely on Europol for a technical and analytical support, while minimizing risks to the rights and freedoms of individuals”.

To which a Europol spokesperson told EURACTIV that "the EDPS decision will have an impact on Europol's ability to analyze complex and large datasets at the request of EU law enforcement authorities".

So far, Europol has refused to establish a fixed timetable, considering it incompatible with its operations.

high tech

Hacking: Europol arrests ten hackers suspected of stealing $100 million in cryptocurrencies

By the Web

Data protection: The Cnil gives formal notice to Web giants for their management of cookies

  • EU

  • Police

  • GDPR

  • high tech

  • Personal data

  • Europe

  • 0 comment

  • 0 share

    • Share on Messenger

    • Share on Facebook

    • Share on Twitter

    • Share on Flipboard

    • Share on Pinterest

    • Share on Linkedin

    • Send by Mail

  • To safeguard

  • A fault ?

  • To print