The European Union’s data protection watchdog – the European Data Protection Supervisor (EDPS) – has ordered Europol, the Union’s police agency, to delete much of a vast store of personal data related to individuals who have not been found guilty of any crime.
In an order notified to Europol on 3 January, following an inquiry in 2019, the EDPS has given the agency a year to review its databases and remove data that cannot be linked to criminal investigations. Europol was ordered to delete data that did not comply with safeguards on the length of time that sensitive information can be stored. Data cannot be held for more than six months if no criminal activity is proven.
According to an investigation by The Guardian earlier this month, the cache contains at least 4 petabytes of data, which is “equivalent to 3 million CD-roms.”
The report quoted data protection lawyers as saying that this volume of information held on Europol’s systems “amounts to mass surveillance”, and said that the EDPS findings target what privacy experts are calling a “big data ark” containing billions of points of information that have been drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime.
The store of data includes sensitive data on at least a quarter of a million current or former terror and serious crime suspects and people with whom they were in contact.
Besides the ethically questionable storage of such data, the ruling is also expected to expose political divisions among the Union’s decision makers.
“The ruling also exposes deep political divisions among Europe’s decision-makers on the trade-offs between security and privacy. The eventual outcome of their face-off has implications for the future of privacy in Europe and beyond,” the investigative report said.
In a statement following the order, Europol said the EDPS decision “will have an impact on (their) ability to analyse large and complex datasets at the request of law enforcement.” It added that data sets for major cases of cybercrime, terrorism, or international drug trafficking are “frequently” longer than six months.