Europol must delete data from non-suspect people after six months

Europol now has to delete the data it talks about non-suspect citizens after six months. This has been ordered by the European privacy supervisor EDPS. Europol will be given 12 months to comply.

The European Data Protection Supervisor makes this judgment as part of an investigation launched in 2019. The privacy supervisor writes that Europol will now have six months to filter data sets. Uncategorized datasets should be deleted after that period. In practice, according to the EDPS, this means that Europol is no longer allowed to keep indefinitely the data of people who have not been associated with criminal activities. Europol will have 12 months to filter existing uncategorized datasets for relevant data and delete the rest.

Under the existing rules, Europol is allowed to process and store the data of persons who have been linked to criminal activities. The organization receives such data from European police forces. However, the organization receives so much data that it is not possible to directly distinguish the data of people suspected of criminal activities from other data, the EDPS writes in an additional PDF document. As a result, Europol cannot guarantee that it does not store data on citizens unrelated to crime in its systems. The EDPS is of the opinion that this is contrary to the Europol Regulation.

The EDPS writes that Europol has already received a warning in September 2020 because it ‘stores large amounts of data’ of people, without being categorized. Europol has since taken “some measures”, according to the regulator, but the European police organization had not yet complied with the EDPS requirement to determine an appropriate retention period for collected data so that it can be filtered and categorized. This was followed by the new ruling, which was passed this week.