Big Data challenge facing Europol

The agency has been given two months to come up with an “action plan” to fix the problem – but in the meantime, despite the serious risks to individual rights identified by the EDPS, it says Europol will continue using the techniques.

The problem is that Europol has what it refers to as a “Big Data challenge” – how to process vast datasets without breaking its own data protection rules? According to EDPS, the challenge has so far proven too much for the agency.

Europol receives vast quantities of data from national law enforcement agencies and elsewhere, and to try to make sense of that data for criminal investigations it has adopted means and methods that do not comply with the legislation governing it, says the EDPS.

“The nature of the data collected at national level in the context of criminal investigations and criminal intelligence operations is not limited any more to targeted data collection but also increasingly includes the collection of large datasets,” says the report, and the agency makes use of “digital forensics and Big Data… to exploit these larger volumes of information.”

Europol’s 2019 annual report gives an example of the quantity of data sought and received by the agency – in relation to counter-terrorism, it notes, “the volume and complexity of the data per contribution increased considerably as big data dumps of multiple terabytes per investigation are becoming the standard procedure.”

Europol analysts process all the data they receive from the Member States and make multiple copies of it as they further refine the datasets. To counter the risks posed by this refining process – such as “loss of technical and factual context and of increased bias in the analysis” – the EDPS report says that Europol maintains “the continuous storage of datasets until the investigation is concluded, and in particular beyond the process of entity extraction”.

This, according to the EDPS, is where Europol’s actions have run into legal problems. The 2016 Regulation governing the agency sets out relatively strict rules on how it may process data on various categories of persons. For example, the agency can process far more types of data on suspects than it can on victims or witnesses – but the EDPS’ inquiry has shown that “it is not possible for Europol, from the outset, when receiving large data sets to ascertain that all the information contained in these large datasets comply with these limitations”.

The result, says the EDPS, is “a situation where large amounts of personal data for which it is uncertain that they comply with the requirements set up by… the Europol Regulation, are stored on Europol systems for several years. As such, the continued storage of personal data that might go beyond the limits contained in these articles undermines the principle of data minimisation”.

The report underlines that Europol is likely unlawfully processing the personal data of a vast – in fact, unknowable – number of people: “…there is a high likelihood that Europol continually processes personal data on individuals for whom it is not allowed to do so and retain categories of personal data that go beyond the restrictive list provided in… the Europol Regulation. While the exact amount cannot be quantified, the increase in the use of the […] observed for the last years clearly shows that the amount of large datasets shared by MS with Europol is rapidly growing.”

The report goes on to set out what this means for individuals: “The processing of data about individuals in an EU law enforcement database can have deep consequences on those involved. Without a proper implementation of the data minimisation principle and the specific safeguards contained in the Europol Regulation, data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails.”

The EDPS report concludes by issuing a formal “admonishment” to Europol, inviting it “to inform of the action plan to address this within two months and of the measures taken within six months”.

Despite noting that “the risks for data subjects are high and the impact on their fundamental rights and freedoms is severe,” the EDPS concludes that Europol is best placed to find a solution to the problem – for the EDPS to make its proposals, impose an erasure order or ban the unlawful activities “is not proportionate,” says the report.

However, finding a solution may not be straightforward – the EDPS notes that the “legal concerns identified [are] structural as they relate to Europol’s core working methods”.

The EDPS’ investigation into Europol’s use of Big Data was sparked by Catherine de Boelle, Europol’s executive director since May 2018. On April 1, 2019, she “informed the EDPS of major compliance issues with the Europol Regulation in relation to the processing of personal data”.

A series of meetings and inspections then took place, leading to the report. However, the EDPS has been responsible for supervising Europol since May 2017, and Europol has been receiving increasing amounts of data from Member States – and elsewhere – for years. For example, following the terrorist attacks in Paris and Brussels in 2015, it received more than 16.7 terabytes of data.

To read the full article from ‘Statewatch’, visit https://www.statewatch.org/news/2020/ october/europol-unlawfully-processing-personal-data-of-vast-numbers-of-innocent-people-says-report/