The most in-depth investigation to date of the EU police agency uncovers years of unlawful retention of personal data
The EU’s police agency, Europol, is being groomed to be a centre of machine learning and AI in Europe. It is set to roam far beyond its origins as a clearing house for information sharing among European police forces into an operational agency with a significant say in the future of policing on the continent.
What does this data-driven policing look like in practice and what does the example of Europol have to tell us about the trade-offs that EU agencies are making between privacy and security? The EU has set out its stall to offer a safe haven of digital rights in a world in which personal data is increasingly harvested and processed in ways that people struggle to understand, let alone control.
Are we on a path towards EU-led mass surveillance, as some experts warn? Europol’s case deserves investigation and its approach to personal data has been called into question by the EU’s own data and privacy watchdog, the European Data Protection Supervisor (EDPS).
From a previous investigation into the activities of US tech company Palantir it was clear that any investigation into Europol would rely on freedom of information laws. It would require well-targeted FOI requests to the agency as well as the EDPS, which has carried out several inspections and publicly admonished Europol.
Part of the team that investigated Palantir was supported by a grant from IJ4EU to spend the time it would take to unravel up to six years of unlawful amassing of potentially sensitive data.
Europol’s activities, including its approach to data collection, storage and processing, are governed by the agency’s own regulation. Europol has been receiving increasingly large data dumps from member state investigations and the Europol regulation dictates what kinds of information are sensitive, what can be kept and what must be deleted.
This process of data subject categorisation means that incoming records are meant to be strictly categorised and only processed or retained when they have potential relevance to high-value work such as counter-terrorism.
But in practice this deletion was not happening. The painstaking FOI work was supported by reporting from more than five countries that dug into the operations, from screening of refugees to hacking operations against encrypted phone networks.
What the team found amounted to what our media partners called a “data black hole” and “datagate” which saw the EU watchdog order Europol to delete vast amounts of the data it has been storing. The findings prompted comparisons between Europol and an early stage version of the US surveillance agency, the NSA, whose wholesale spying was revealed by Edward Snowden.
The reporting also served to illuminate what is at stake as EU decision makers enter negotiations over new rules for the police agency in the first half of 2022.
To keep up to date with Lighthouse investigations sign up for our monthly newsletter