The European Data Protection Supervisor (EDPS) has ordered Europol to delete the majority of personal data it has collected, claiming that most of it is from individuals “with no established link” to crime.
The EDPS informed the EU policing body on January 3 of the watchdog’s order to delete the personal data of individuals who have not been linked to criminal activity, according to a press release from the agency on Monday.
The order came after an inquiry was launched in 2019 into Europol’s data-handling policies over concerns that the multinational police force was at risk of violating the rights of European citizens.
On foot of its investigation, the EDPS chastised Europol in September 2020 for continuing to store large volumes of data with no Data Subject Categorisation. Since then, Europol has been accused by the data protection agency of not complying with requests to define the data under existing regulations and of keeping information for longer than justified.
“Europol has dealt with several of the data protection risks identified in the EDPS’ initial inquiry,” European Data Protection Supervisor Wojciech Wiewiórowski said. “However, there has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.”
The January 3 order gives Europol 12 months to comply with the deletion request, erasing any information not placed into Data Subject Categories and removing personal data not related to a crime or criminal activity.
In response to the concerns raised by the EDPS, Europol said it was working with the agency “to find a balance between keeping the EU secure and its citizens safe while adhering to the highest standards of data protection.”