EDPS orders Europol to erase personal data not related to crime

The European Data Protection Supervisor (EDPS) issued a decision directing the European Union Agency for Law Enforcement Cooperation (Europol) to erase datasets uncategorized within six months, as these may contain data on individuals with no link to criminal activity.

This decision is a conclusion of the EDPS inquiry started in 2019. The EDPS found that Europol did not comply with the data minimisation principle (by including personal data from people with no proven relation to criminal activity) or with the principle of storage limitation (by keeping data longer than strictly necessary).

The EDPS has now imposed a six month retention period for Europol to filter and extract personal data, after which personal data with no established link to criminal activity must be deleted. Europol has 12 months to comply with the EDPS’s decision for data already in its possession.

In its reply, the Europol stated that ‘the current Europol Regulation does not contain an explicit provision regarding a maximum time period to determine the data set categorisation’, that Europol complied with previous EDPS guidance. Additionally, Europol pointed out that the deletion of data after the expiry of the six month retention period required by the EDPS will impact Europol’s ability to analyse complex and large datasets, in particular related to terrorism, cybercrime, international drugs trafficking, child abuse, and others.