Europol will have to delete a vast store of personal data that it has alleged to have amassed unlawfully by the European Data Protection Supervisor (EDPS). This is being called the “big data ark” as it contains billions of points of information. The data also includes sensitive information drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers.
Europol’s cache contains at least 4 petabytes of data, which is equivalent to 3m CD-Roms or a fifth of the entire contents of the US Library of Congress. The information held on EU’s police agency amounts to mass surveillance.
There is sensitive data on at least a quarter of a million current or former terror and serious crime suspects and a multitude of other people with whom they came into contact with. The data has been accumulated from national police authorities over the last six years. The EDPS ordered Europol to erase data held for more than six months and gave it a year to sort out what could be lawfully kept. As such, the bloc’s data protection watchdog has found itself against one of the world’s very powerful security agency. Europol is primed to become the centre of machine learning and AI in policing.
However, experts say the order exposes deep political divisions among Europe’s decision-makerson the trade-offs between security and privacy. This could have implications for the future of privacy in Europe and beyond. Defending the Europol, EU home affairs commissioner Ylva Johansson said law enforcement authorities need the tools, resources and the time to analyze data that is lawfully transmitted to them. “In Europe, Europol is the platform that supports national police authorities with this herculean task.”
The commission stated that EDPS has raised a serious challenge for Europol’s ability to fulfill its duties. In 2021, it had proposed sweeping changes to the regulation underpinning the EU’s police agency’s powers. Experts say that if this is made into law, it could in effect retrospectively legalize the data cache and preserve its contents as a testing ground for new AI and machine learning tools.
On its part, the Europol has denied any wrongdoing. It said the EDPS may be interpreting the current rules in an impractical way. “The Europol regulation was not intended by the legislator as a requirement which is impossible to be met by the data controller in practice.”
The agency said Europol had worked with the EDPS to find a balance between keeping the EU secure and its citizens safe while adhering to the highest standards of data protection.