The European Union Agency for Law Enforcement Cooperation (Europol) has been ordered to erase data concerning individuals with no established link to criminal activity, the European Data Protection Supervisor (EDPS) said on January 10 in a press release.
EDPS is the EU’s independent data protection authority responsible for supervising the processing of personal data by European institutions, bodies, and agencies.
The order sheds light on the powers EU privacy laws and privacy regulators have irrespective of who is collecting the data, which is in stark contrast to the overbroad exemptions that India’s Data Protection Bill, 2021, affords government and law enforcement agencies.
What led to this order?
- EDPS launches investigation: In April 2019, EDPS launched an investigation into Europol’s personal data processing activities after noting that there were several concerns linked to Europol’s compliance with the applicable data protection framework laid out in the Europol Regulation, specifically with regards to the principles of purpose limitation, data minimisation, data accuracy, and storage limitation. The Europol receives huge troves of data from law enforcement agencies of EU Member States, but according to the Europol Regulation, it is only allowed to process data about individuals who have a clear, established link to criminal activity.
- EDPS finds significant risk to individuals’ fundamental rights: In September 2020, EDPS concluded its investigation and found that Europol is storing large volumes of data likely involving individuals with no established link to criminal activity, posing a significant risk to individuals’ fundamental rights. The process of establishing a link is known as Data Subject Categorisation and is specified by the Europol Regulation.
- EDPS gives Europol an opportunity to address concerns: EDPS then issued an admonishment to Europol and gave it an opportunity to address concerns, following which, Europol presented an Action Plan and introduced technical measures to secure data.
- EDPS is not satisfied with Europol response: However, EDPS noted that the measures proposed by Europol did remove the risk posed to individuals’ fundamental rights and do not ensure compliance with the Europol Regulation. “While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation. This means that Europol was keeping this data for longer than necessary, contrary to the principles of data minimisation and storage limitation, enshrined in the Europol Regulation,” EDPS said.
- EDPS passes order: The EDPS on January 3 notified the Europol that going forward it must erase datasets older than 6 months that are lacking Data Subject Categorisation, which means the filtering and extraction of personal data must be done within 6 months from when the agency receives data from the Member States. For existing data sets, EDPS has given Europol 12 months to perform Data Subject Categorisation.
“A 6-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States relying on Europol for technical and analytical support, while minimising the risks to individuals’ rights and freedoms.” – Wojciech Wiewiórowski, EDPS
How does India’s Data Protection Bill deal with data collected by law enforcement agencies?
After nearly two years of deliberations, the Joint Parliamentary Committee (JPC) on the Personal Data Protection (PDP) Bill presented its report on December 16 2021 bringing us one step closer to India’s first data protection law, but the latest Bill gives the central government the ability to exempt any government body from the provisions of the bill by merely citing “just, fair, reasonable and proportionate procedure” and absolute power over the Data Protection Authority (DPA).
“In terms of application of the Bill, it means that an agency like the Delhi Police can be exempted from all provisions of the Bill, citing security of the State or public order,” a speaker said at a MediaNama event.
The insufficient safeguards against government access to data might also make it harder for India to achieve adequacy with the EU, European Commission Deputy Head of International Data Flows & Protection Ralf Sauer indicated at PrivacyNama 2021.
- Data Protection Bill 2021: What Powers Does The Government Have And How Will Its Offences Be Handled?
- Exclusive: J&K Police Wants To Blacklist ‘Suspects’ Based On Facial Recognition And Artificial Intelligence
- Legal Notice To Hyderabad Police Seeks Action Against Cops Searching Citizens’ Phones
- Exclusive: A Look At Chennai Police’s Proposed GIS Mapping Of Crime Zones And Its Dangers
- Hyderabad Police Again Conducting Facial Recognition Scans Of ‘Suspects’ During Patrolling
Have something to add? Subscribe to MediaNama here and post your comment.