LONDON (Guardian) -- The EU’s police agency, Europol, will be forced to delete much of a vast store of personal data that it has been found to have amassed unlawfully by the bloc’s data protection watchdog. The unprecedented finding from the European Data Protection Supervisor (EDPS) targets what privacy experts are calling a “big data ark” containing billions of points of information. Sensitive data in the ark has been drawn from crime reports, hacked from encrypted phone services and sampled from asylum seekers never involved in any crime.
According to internal documents seen by the Guardian, Europol’s cache contains at least 4 petabytes – equivalent to 3m CD-Roms or a fifth of the entire contents of the U.S. Library of Congress. Data protection advocates say the volume of information held on Europol’s systems amounts to mass surveillance and is a step on its road to becoming a European counterpart to the U.S. National Security Agency (NSA), the organization whose clandestine online spying was revealed by whistleblower Edward Snowden.
Among the quadrillions of bytes held are sensitive data on at least a quarter of a million current or former terror and serious crime suspects and a multitude of other people with whom they came into contact. It has been accumulated from national police authorities over the last six years, in a series of data dumps from an unknown number of criminal investigations.
The watchdog ordered Europol to erase data held for more than six months and gave it a year to sort out what could be lawfully kept.
The confrontation pits the EU data protection watchdog against a powerful security agency being primed to become the centre of machine learning and AI in policing.
The ruling also exposes deep political divisions among Europe’s decision-makers on the trade-offs between security and privacy. The eventual outcome of their face-off has implications for the future of privacy in Europe and beyond.
Founded as a coordinating body for national police forces in the EU and headquartered in The Hague, Europol has been pushed by some member states as a solution to terrorism concerns in the wake of the 2015 Bataclan attacks and encouraged to harvest data on multiple fronts.
In theory, Europol is subject to tight regulation over what kinds of personal data it can store and for how long. Incoming records are meant to be strictly categorized and only processed or retained when they have potential relevance to high-value work such as counter-terrorism. But the full contents of what it holds are unknown, in part because of the haphazard way that EDPS found Europol to be treating data.
Only a handful of Europeans have become aware that their own data is being stored and none is known to have been able to force disclosure. Frank van der Linde, who was placed on a terror watchlist in his native Netherlands and later removed, is one of the rare visible threads in an otherwise unseen mesh.
The political activist, whose only serious run-ins with police amount to breaking a window to gain entrance to a building and create a squat for homeless people, was removed from the Dutch watchlist by authorities in 2019. But a year prior to this removal he had moved to Berlin, which unknown to Van der Linde at the time prompted Dutch police to share his data with German counterparts and Europol. The activist discovered his entanglement with Europol only when he saw a partially declassified file at Amsterdam city hall.
To get his personal data removed from any international databases he turned to Europol. He was surprised when in June 2020 it responded saying it had nothing he was “entitled to have access to”. The activist took his complaint to the EDPS. “I don’t know if they deleted the data after Dutch authorities updated them [that] they don’t consider me an extremist … Europol is a black box.”
“The ease of getting on such a list is horrific,” Van der Linde said. “It’s shocking how easily police share information over borders, and it’s terrifying how difficult it is to manage to delete yourself from these lists.”
The emerging shape of Europol is alarming some MEPs such as Belgium’s Saskia Bricmont. “In the name of the fight against criminality and terrorism we have an evolution of an agency, which performs very important missions, but they are not executed in the right manner. This will lead to problems,” she said.
Chloé Berthélémy, an expert with the European Digital Rights network of NGOs, said that while Europol lags behind the U.S. in terms of technological capacity, it is on the same path as the NSA.
“Europol’s capacity to hoover up huge amounts of data and accumulate it, in what could be called a big data ark, after which it is almost impossible to know what they are used for, makes it a black hole.”