Europol logo on side of building showing EU privacy watchdog suing over data practices

EU Privacy Watchdog Suing Over Proposed Changes to Europol Data Practices

Previous actions taken against Europol’s data practices have been reversed by a reform of the laws that govern the agency, and the EU’s lead privacy watchdog is suing to stop it.

In early 2022 the European Data Protection Supervisor (EDPS) took action against a Europol practice of retaining the data of individuals not linked to any crime, ordering the law enforcement agency to delete these files. But a mid-2022 reform of Europol’s governing regulations retroactively legalized this practice. EDPS is now suing not only to uphold the earlier order, but to curb new powers granted to the agency to access and develop private surveillance tools.

EU privacy watchdog takes on Europol surveillance practices

The privacy watchdog opened 2022 with an order to Europol to delete stored data on persons not connected to or involved with a crime, the culmination of an investigation that began in 2019. The EDPS had previously admonished Europol in September 2020 for storing large quantities of data without the required Data Subject Categorisation; data sets that do not have this were supposed to be deleted after six months under the existing 2016 Europol Regulation’s rules regarding data practices.

The privacy watchdog gave Europol 12 months, or until just after the start of 2023, to comply with this decision. Instead, Europol almost immediately went to member states and the European Parliament to strike a deal for a Europol Regulation amendment that not only retroactively sanctioned its data practices but also expanded its ability to command data directly from major platforms such as Facebook and Twitter. The amendment went into effect in July.

The proposal of expansion of powers and the hasty negotiations behind closed doors raised major controversy with privacy advocates, drawing comparisons to the indiscriminate “bulk collection” data practices revealed by the Snowden leaks. Europol’s data sets are said to contain millions of messages from people not involved in crimes swept up in dragnets, such as the Encrochat operation that saw law enforcement compromise an encrypted messaging service.

The case now moves to the Court of Justice of the EU as the privacy watchdog has filed a legal challenge. The EDPS is asking the court to roll back the Europol Regulation amendment in the interest of maintaining its independence and ability to rein in abuses by government entities throughout the bloc. The privacy watchdog argues that Europol’s data practices could set a precedent of placing these agencies above the rules and regulations that are supposed to apply to them.

The privacy watchdog has also ordered Europol to approve a request by Dutch activist Frank van der Linde to access the data collected on him by bulk surveillance actions. van der Linde is not connected to any criminal investigations and made the request to see if the organization had any incorrect information and to draw attention to alleged indiscriminate surveillance by Europol. He first made the request two years ago, and Europol responded by denying it and deleting his data to put it beyond his reach. EDPS has ordered Europol to recover the data and supply it to van der Linde.

Regulation of law enforcement data practices in the balance in EU as court case plays out

EDPS head Wojciech Wiewiorowski has said that storage of data for six months should be adequate time for pre-analysis and filtering. Europol has responded by arguing that criminal investigations can run longer than this and that six months is not always an adequate amount of time.

Previous reporting by The Guardian indicates that Europol has a total of about four petabytes of data in its possession, with tens of millions of these records thought to concern individuals not involved with or suspected of crimes. These individuals tend to get caught up in very broad searches of contacts of parties under investigation. There have been at least a handful of cases in which innocent parties have ended up on terrorism “watch lists” as a result of these sweeping data practices, something that the van der Linde complaint seeks to specifically address. Individuals presently have a very hard time gaining access to these records to see if false or incorrect information is in them and contributing to their being errantly flagged by law enforcement systems.

The privacy watchdog has also recently complained about budget cuts making it difficult for it to perform its regulatory functions, asking for its 2023 funding to be reviewed in light of an increasing workload. In addition to internal policing of government agencies the privacy watchdog plays a role in establishing cross-border data flow agreements, addresses data processing issues specific to certain industries, and advises the EU’s assorted legislative bodies on policy related to data practices. The agency is also tasked with promoting a consistent approach to data protection among the various privacy watchdog agencies of each nation.