The EDPS mandates Europol to remove stored data unrelated to crimes

February 7, 2022
EDPS Mandate Policy Enforcement Europol Stored Personal Data Crimes

A European data protection and privacy independent supervisory authority called EDPS (European Data Protection Supervisor) has instructed Europol to remove personal data on people that have not been affiliated with any heinous criminal acts.

The EDPS considers identification number, location details, or online identifier alongside an individual’s genetic, mental, economic, physical, physiological, social, or cultural identity as personal data.

The law enforcement agency was advised of this order in the early week of January 2022. The verdict follows an own-initiative inquiry initiated in April 2019 about the EU police body’s use of Big Data Analytics for non-professional work data processing acts.

The EDPS watchdog released this order after reprimanding the agency two years ago for keeping a massive amount of data on people that have not been connected to criminal activity, putting their fundamental rights in danger.

According to the EDPS, their decision is about safeguarding the people whose data is included in datasets moved to Europol by EU Member States’ authorities. Moreover, they added that the agency is only allowed to use data of individuals who have a reputation of being affiliated with criminal groups such as suspects, witnesses, convicts, etc.

Therefore, limiting the agency’s data processing avoids leaking other people who do not fall into the earlier categories. The law enforcement agency will lessen the risks associated with processing data in their databases.

 

Europol was given six months by EDPS to erase all their non-qualified data.

 

Europol was previously unsuccessful in complying with the obligations given by their regulatory board. According to the regulatory sector, the agency has failed to filter and extract crime-related information from non-crime-related data.

For this reason, the EDPS has imposed a 6-month retention period on the personal information gathered by Europol. That means that the law enforcement agency must wipe all data not filtered within six months of its databases to avoid its processing more extensively than provided.

The mandate also allows the agency to erase an overload of data within six months to avoid any innocent personal information being compromised. That is why the EDPS has given them time to fix the issue since there is more data at risk every time the law enforcement agency processes them.

About the author