Europol receives order from EDPS to erase data concerning individuals with no established link to a criminal activity

On April 2019, the EDPS decided to launch an own-initiative investigation on the processing of large datasets by Europol for purposes of strategic and operational analysis. The evolution of Europol’s personal data processing activities of large datasets raised concerns about compliance with Europol’s data protection rules outlined in Regulation (EU) 2016/794 (hereinafter the Europol Regulation). 

The EDPS ceased the investigation on September 2020 issuing an admonishment to Europol, for the continued storage of large volumes of data with no Data Subject Categorization, which poses a risk to individuals’ fundamental rights. The EDPS has encouraged Europol to take all necessary and suitable measures to reduce the risks to individuals as a result of such personal data activities.

While Europol has taken some measures into consideration since, it has yet to comply with the EDPS’ request to determine an appropriate data retention period to filter and extract the personal data. This means the Agency was keeping the data for a longer time than necessary, contrary to the principles of data minimization and storage limitation.

Given the violation of these principles, the EDPS has decided to impose a 6-month retention period, which forces Europol to erase datasets older than 6 months that are lacking Data Subject Categorization. The EDPS aims to ensure that individuals’ data with no clear link to any criminal activities is not processed in Europol’s databases for an undefined amount of time, therefore minimizing the risks that this involves.

Regarding the datasets already received before this decision, the EDPS has given Europol a 12-month period to comply with the decision. Datasets that have not undergone a Data Subject Categorization by then must be erased.