European Data Protection Supervisor Orders Europol to Delete Uncategorized Data Older Than Six Months
By David Rosado
On January 3, 2022, the European Data Protection Supervisor (“EDPS”) notified the European Union Agency for Law Enforcement Cooperation (“Europol”) of an order requiring it to delete data in its possession concerning individuals who have no established link to criminal activity six months after receiving the data.[1] In response, Europol has stated that its work takes longer than six months and that the EDPS decision will impact its ability to analyze data and cooperate with requests from law enforcement agencies of EU member states.[2]
The European Union has a vast array of agencies that all play a role in regulating, monitoring, and coordinating tasks and policies amongst all member states.[3] Many agencies are “supranational,” having the ability to exert influence beyond a particular state’s borders, and originate from within the EU itself.[4] These agencies retain a legal status that allows them to act somewhat autonomously.[5] The office of the EDPS was created to protect the rights of people with regard to the processing of their personal data, which is a fundamental right in the EU.[6] The Supervisor is specifically responsible for ensuring that individuals’ data protection rights are respected by EU institutions.[7] In line with that purpose, the EDPS has several investigative, corrective, and advisory powers.[8] Notably, the Supervisor has the authority to investigate data controllers and processors, order the erasure of personal data, and even refer matters to the Court of Justice.[9] Of course, the EDPS works against the backdrop of the broad General Data Protection Regulation, which came into force in 2018 and concerns the processing of data of EU citizens or residents.[10]
Europol is the law enforcement agency for the European Union and focuses on providing support to its member states on matters of crime, terrorism, and other forms of serious crime affecting two or more member states.[11] As its purpose is to facilitate cooperation on criminal intelligence, Europol is affirmatively tasked with collecting, storing, processing, analyzing, and exchanging information among member states.[12] At issue in the recent EDPS decision is whether Europol’s use of data without having assigned the data a proper category is in violation of Articles 18(3), 18(5), and Annex II.B of the Europol Regulation.[13] Article 18(3), in relevant part, states that when data is processed for an operational analysis project, “the specific purpose, categories of personal data and categories of data subjects, participants, duration of storage and conditions for access, transfer and use of the data concerned” will be defined and the EDPS will be informed.[14] Further, if data is collected and processed for one purpose and Europol believes the data is relevant for another purpose, it may only process the data for the second purpose if the persons are suspected or convicted of a crime that Europol has the authority to pursue or there is a reasonable belief that the person will commit a crime that Europol has the authority to pursue.[15] Article 18(5) states that the categories of personal data that may be collected by Europol are outlined in Annex II of the Europol Regulation.[16] Annex II sets out a broad range of categories into which Europol may classify data, a list far too long to include here in its entirety.[17] For example, the categories include personal information such as name and addresses, employment details, financial information such as bank accounts and cash assets, and behavioral data such as places frequented and criminal-related traits.[18] Notably, the EDPS is explicitly given supervisory authority over Europol with regard to the data processing rights of persons.[19]
On April 30, 2019, Europol sent an inquiry on its own initiative to the EDPS with regard to Europol’s Big Data analytics.[20] Specifically, there were questions on the compatibility of Europol’s practices with “the principles of purpose limitation, data minimisation [sic], data accuracy, storage limitation, with the impact of potential data breaches, location of storage, general management and information security.”[21] The EDPS believed that there was a very real risk of negatively impacting data subjects’ rights and freedoms and informed Europol that it must implement new measures to mitigate these concerns.[22] Between September 2020 and October 2021, the two agencies engaged in a dialogue on how Europol can better protect the data rights of persons in the EU, with a large focus on Europol’s retention of large datasets with no categories.[23]
Ultimately, the EDPS issued an order on January 3, 2022 that Europol must categorize data it receives within six months and that datasets that have not been categorized in that time must be erased.[24] When Europol receives large datasets, it is very difficult to sift through all of the data and properly identify the category to which each item should be assigned.[25] Thus, its current practice has been to retain these datasets with no categories for as long as necessary and proportionate to the investigation at hand.[26] Europol argued to the EDPS that it requires this scheme because investigations can take years and new information can be linked to previous data retained but never categorized.[27] Europol specifically pointed out that in the case of criminal networks, it is not uncommon for them to operate for more than ten years.[28]
In any case, the EDPS Decision is clear that data not categorized after six months must be deleted.[29] The Europol Regulation states that personal data is not kept longer than necessary for the purpose for which it is processed, but if there is no initial purpose then there is a clash between the statute controlling the agency and the agency’s action.[30] The EDPS reasoned that because categorization of data is a safeguard to data processing and the Europol Regulation limits what categories of data Europol may process, Europol may not process any data that it does not have the authority to process.[31] With such large datasets being sent to Europol by member states, there is a very real chance that the data is not limited to specific targets, but instead is just massive amounts of data that impact natural persons’ data rights.[32] Nonetheless, Europol may appeal the decision to the Court of Justice within two months of the EDPS Decision.[33] In the wake of the Decision, Europol has stated that it “will seek the guidance of its Management Board and will assess the EDPS Decision and its potential consequences. . .”[34]
[1] European Data Protection Supervisor, EDPS orders Europol to erase data concerning individuals with no established link to a criminal activity, European Union (January 10, 2022), https://edps.europa.eu/data-protection/our-work/publications/investigations/edps-orders-europol-erase-data-concerning_en (last visited January 15, 2022).
[2] Europol, Europol’s Statement on the Decision of the European Data Protection Supervisor, European Union Agency for Law Enforcement Cooperation (January 11, 2022), https://www.europol.europa.eu/media-press/newsroom/news/europol’s-statement-decision-of-european-data-protection-supervisor (last visited January 16, 2022).
[3] Groenleer, M.L.P., The autonomy of European Union Agencies. A comparative study of institutional development 15 (December 17, 2009), https://scholarlypublications.universiteitleiden.nl/access/item%3A2935852/view.
[4] Id. at 18.
[5] Id. at 19.
[6] Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, 2018 O.J. (L 295), https://eur-lex.europa.eu/eli/reg/2018/1725 (last visited January 16, 2022).
[7] Id. at ch. VI, art. 52(2).
[8] Id. at ch. VI, art. 58.
[9] Id. at ch. VI, art. 58(1)(a)-(e), (2)(h), (4).
[10] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 1, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679 (last visited January 16, 2022).
[11] Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA, 2016 O.J. (L135) 24 [hereinafter “Europol Regulation”], https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1479897160399&uri=CELEX:32016R0794 (last visited January 16, 2022).
[12] Id. at art. 4(1)(a).
[13] EDPS Decision on the retention by Europol of datasets lacking Data Subject Categorisation [sic], Cases 2019-0370 & 2021-0699, European Union Data Supervisor (December 21, 2021), https://edps.europa.eu/system/files/2022-01/22-01-10-edps-decision-europol_en.pdf (last visited January 16, 2022).
[14] Europol Regulation, supra note 11 at art. 18(3)(a).
[15] Id. at art. 18(3)(b); 18(2)(a)(i)-(ii).
[16] Id. at art. 18(5).
[17] Id. at Annex II.B(2).
[18] Id.
[19] Id. at art. 43.
[20] EDPS Decision, supra note 13 at 2.
[21] Id.
[22] Id.
[23] Id. at 2-4, 6.
[24] Id. at 13.
[25] Id. at 6.
[26] EDPS Decision, supra note 13 at 7.
[27] Id.
[28] Id.
[29] Id. at 13.
[30] Id. at 10.
[31] Id. at 8.
[32] EDPS Decision, supra note 13 at 9.
[33] Id. at 13-14.
[34] Europol, supra note 2.