Europol has a large database with information on hundreds of thousands of people. These include suspects of terrorism and serious crimes or citizens who have been in contact with them. The European Data Protection Supervisor (EDPS) has long questioned the legality of keeping sensitive information on innocent people stored indefinitely, either because their guilt is not proven or because they are recorded in the file for having coincided with some suspect. In 2019, an investigation was launched, the conclusion of which has just been released: the EDPS order establishes that the European police cooperation body will not be able to keep data on individuals not directly linked to a crime for more than six months.
The measure does not affect the information stored on those already convicted, investigated or protected witnesses.
The supervisor grants Europol one year to clean its databases;
After this period, you will have to delete all files related to those who are not involved in criminal acts.
The decision did not sit well with Europol.
"It will affect the ability to analyze large and complex data sets at the request of EU law enforcement agencies," the agency said in a statement, "in relation to investigations supported within its mandate," including terrorism, cybercrime, international drug trafficking and child abuse, among others.
For the supervisor, however, the policy of hosting large amounts of data of European citizens "endangers the fundamental rights of individuals."
It seems the supervisor had reason to be concerned. Or at least that is what emerges from an investigation by the Lighthouse Reports consortium of journalists published by
, which casts serious doubts on the content of the great Europol archive and, above all, on the use it was intended to give it. The database in question, says the British newspaper, contains at least four petabytes of information (the equivalent of three million CD-Roms) accumulated over six years from police reports and the hacking of encrypted telephone services or requests for political asylum of people who never committed crimes.
The tremendous volume of information amassed by Europol can be interpreted as a step towards the implementation of a mass surveillance system comparable to that put in place by the US intelligence services (NSA), whose massive clandestine espionage system was brought to light by Edward Snowden. Wojciech Wiewiórowski himself, who heads the EDPS, compared Europol's practices with those of the NSA in 2021 in a committee of the European Parliament, while the European police body used arguments similar to those of the US agency to defend the need to accumulate so much data without restrictions.
According to a series of documents to which
has had access , Europol was developing in 2020, when the EDPS was already investigating it, its own artificial intelligence and machine learning program to be able to structure the torrent of data it amassed.
Among the information that was handled in these programs could be found data as sensitive as medical history, ethnic origin, sexual orientation or political tendencies of the people screened.
According to this medium, despite not having the green light from the EDPS, Europol decided to go ahead with the development of its tool.
Who watches the watchman
The order issued by the supervisor is the result of a long push and pull within the EU itself.
EDPS, whose powers include ensuring that European institutions and bodies respect the right to privacy and data protection, was haunted by the idea that Europol could retain private information from citizens for an indefinite period of time.
After initiating a first investigation in this regard in 2019, the EDPS reprimanded Europol in September 2020 for "continuously accumulating large amounts of information on people with no proven link to criminal activities".
Although the regulator admits that the police agency has put in place “some measures” to improve the treatment of this data, none of them limits the time it can retain it.
Those who appear in the file "run the risk of being erroneously related to criminal activity in the EU, with the potential damage to their personal and family life, to the freedom of movement and work that this entails," the EDPS warned already in 2020.
“A six-month period for pre-analysis and filtering of large databases should allow Europol to comply with the operational demands of the Member States (...) and at the same time minimize the risks to the rights and freedoms of the individuals ”, Wiewiórowski concludes in a statement.
You can follow EL PAÍS TECNOLOGÍA on
or sign up here to receive our