AML Intelligence
Business Intelligence on AML and Financial Crime for Executive Leaders

EU/Europe, Regulatory

Data watchdog finds that Europol may have mishandled vast quantities of personal information

By Stephen Rae

Europol may have mishandled huge amounts of personal data – breaching its own rules, Europe’s data watchdog has found.

The European Data Protection Supervisor (EDPS) has written there was a “high likelihood that Europol continually processes personal data on individuals for whom it is not allowed to do so.”

The EDPS has been probing the matter for more than one year and now believes the sheer volume of data that Europol handled from its member countries made it impossible to determine whether the agency was complying with the Europol Regulation – which covers police agencies.

“The risks for [citizens] are high and the impact on their fundamental rights and freedoms is severe,” wrote EDPS chief Wojciech Wiewiórowski.

Under scope is a database which in 2019 stored more than 2 million gigabytes of data.

A spokesperson for Europol played down the likely breach, saying “the issue is not about a ‘misuse of the data’ but relates to the restrictions of the use of large datasets based on the current Europol Regulation. Europol is in a position to devise mitigation measures that can both reduce further the risks for data subjects and ensure that Europol can meet the expected operational demand from Member States.”

German MEP Patrick Breyer, a vocal digital rights champion said of Europol revelations: “It’s clearly illegal to retain data on non-suspects … we can’t accept bulk collection of data on innocent citizens.”

The Euro data watchdog concludes there was a risk that supra-national police agency was processing data beyond its remit, violating the requirement to only process data on “suspects, potential future criminals, contacts and associates, victims, witnesses and informants.” The watchdog also found Europol was likely to have breached the rule that says it must minimize the amount of personal information it processes.

Now EDPS has given Europol four weeks to submit a plan on how it will remedy the situation.

“Without a proper implementation of … specific safeguards contained in the Europol Regulation, data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails,” the EDPS said, adding that individuals could face “deep consequences.”

Share this article:

Follow us: