The European Union Agency for Law Enforcement Cooperation (Europol) has been ordered to erase data concerning individuals with no established link to criminal activity, the European Data Protection Supervisor (EDPS) said on January 10 in a press release. EDPS is the EU's independent data protection authority responsible for supervising the processing of personal data by European institutions, bodies, and agencies. The order sheds light on the powers EU privacy laws and privacy regulators have irrespective of who is collecting the data, which is in stark contrast to the overbroad exemptions that India's Data Protection Bill, 2021, affords government and law enforcement agencies. What led to this order? EDPS launches investigation: In April 2019, EDPS launched an investigation into Europol's personal data processing activities after noting that there were several concerns linked to Europol's compliance with the applicable data protection framework laid out in the Europol Regulation, specifically with regards to the principles of purpose limitation, data minimisation, data accuracy, and storage limitation. The Europol receives huge troves of data from law enforcement agencies of EU Member States, but according to the Europol Regulation, it is only allowed to process data about individuals who have a clear, established link to criminal activity. EDPS finds significant risk to individuals' fundamental rights: In September 2020, EDPS concluded its investigation and found that Europol is storing large volumes of data likely involving individuals with no established link to criminal activity, posing a significant risk to individuals' fundamental rights. The process of establishing a link is known as Data Subject Categorisation and…
