On Monday 10 January, the European Data Protection Supervisor (EDPS) asked the police cooperation agency Europol to delete data on individuals who have no established link to criminal activity, asking that they comply with a previous request made in September 2020, the EDPS said in a statement.
“In the context of its enquiry, the EDPS admonished Europol in September 2020 for the continued storage of large volumes of data with no Data Subject Categorisation (e.g. by categories of offences, editor’s note), which poses a risk to individuals’ fundamental rights. While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation”, says the EDPS.
“This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation”. The EDPS has imposed a retention period of 6 months and datasets older than 6 months “that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline”.
Europol will have 12 months to comply with this decision.
The Commission took note of the decision, “which recognises the need for Europol to process big data to help Member States combat serious crime and terrorism and the fact that Europol therefore needs time to process such big data”, said the institution by way of reaction to this.
The EDPS decision recognises the need for prior analysis of big data sets that have already been received.
“The Commission welcomes the fact that the EDPS decision grants Europol, by way of derogation, a period of 12 months to pre-analyse the big data that the Agency has previously received from Member States and other partners before the decision was notified. This will allow sufficient time for Europol to deal with the backlog of existing big data and for the European Parliament and the EU Council to provide an appropriate solution and legal clarity with regard to the big data processed by Europol".
The European Commission notes that the new Europol mandate, which is currently under discussion, precisely addresses this issue of the maximum time limit for processing personal data without categorisation of data subjects.
Link to the decision: https://bit.ly/3r0kL16 (Original version in French by Solenn Paulic)
“This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation”. The EDPS has imposed a retention period of 6 months and datasets older than 6 months “that have not undergone this Data Subject Categorisation must be erased. This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline”.
Europol will have 12 months to comply with this decision.
The Commission took note of the decision, “which recognises the need for Europol to process metadata to help Member States combat serious crime and terrorism and the fact that Europol therefore needs time to process such metadata”, said the institution by way of reaction to this.
The EDPS decision recognises the need for prior analysis of metadata sets that have already been received.
“The Commission welcomes the fact that the EDPS decision grants Europol, by way of derogation, a period of 12 months to pre-analyse the metadata that the Agency has previously received from Member States and other partners before the decision was notified. This will allow sufficient time for Europol to deal with the backlog of existing metadata and for the European Parliament and the EU Council to provide an appropriate solution and legal clarity with regard to the metadata processed by Europol “.
The European Commission notes that the new Europol mandate, which is currently under discussion, precisely addresses this issue of the maximum time limit for processing personal data without categorisation of data subjects.
Link to the decision: https://bit.ly/3r0kL16 (Original version in French by Solenn Paulic)