Privacy concerns mount over Europol data collection
When it emerged last month that EU law enforcement agency Europol had hoovered up quadrillions of bytes of sensitive data , including on people with no links to any crime or criminal history, there were flurries of concern from privacy advocates.
Now the EU data watchdog is doubling down on those concerns, and warning that Europol could continue the same practice under new rules intended to empower the police body.
Join EUobserver today
Become an expert on Europe
Get instant access to all articles — and 20 years of archives. 14-day free trial.
Choose your plan
... or subscribe as a group
Already a member?
"We start to make more and more exclusions," for Europol, Wojciech Wiewiórowski, the EU's data protection supervisor, or EDPS, told reporters in Brussels on Thursday (17 February).
The resulting lack of supervision "is something that concerns me a lot because of the things that were treated as extraordinary, as exceptional, they start almost to be a default," he said.
Last month, Wiewiórowski told Europol that all datasets received after and until its new mandate comes into force must be deleted within six months, if they have not been properly screened. Wiewiórowskialso gave Europol, based in the Hague, one year to sift through anything else it could lawfully keep.
But rights activists say a new Europol mandate agreed at the political level by EU member states and the European Parliament in February scuppers those demands, making Wiewiórowski's recommendations and a years-long investigation into Europol on the collection of sensitive data irrelevant.
"Basically, you're just wiping out all the powers of EDPS," said Chloé Berthélémy from the Brussels-based European Digital Rights, an organisation working to defend and advance digital rights.
After being flagged of the abuse some two years ago, the EDPS triggered an investigation into Europol leading to accusations the agency was carrying out mass surveillance-like activities.
While the EDPS probe dragged on, the European Commission started drafting new rules that would allow Europol to retain the data anyway.
EU institutions agreed those rules in February, allowing the agency to retain data for much longer and demand sensitive information from private firms.
"It's giving them [Europol] a blank cheque to basically say we're gonna process data of an innocent person who has no link to crime," said Berthélémy. The commission was "creating a loophole in the current rules," she said.
Applied retrospectively?
Privacy campaigners grew particularly concerned when the French EU presidency further tweaked the new rules to make it retroactive, effectively giving Europol the right to keep previously collected data, if the rules are formally adopted in their current form.
"I find some of the rules to be strange for me," said Wiewiórowski, citing the retroactive measures.
For its part, the commission says the political agreement on the new Europol mandate would help it fight serious crime and terrorism.
It also said the changes come with a reinforced data protection framework, with more parliamentary oversight and with accountability.
The European Parliament plenary is set to vote on it later this year, possibly May.