The European Data Protection Supervisor (EDPS)—an EU-independent supervisory authority that monitors European institutions and bodies to see if they respect citizens’ rights to privacy and data protection rules—has filed a lawsuit [PDF] with the European Court of Justice against the European Union and Europol.
Earlier this year, in January, the EDPS published the results of a three-year investigation and said that it found that Europol, the law enforcement agency of the European Union (EU), had secretly collected large troves of personal information on EU citizens dating back years, even if those persons had not committed any crimes or were under any investigation.
The EDPS used its regulatory powers to order Europol to sift through its database and delete any information on EU citizens that had not committed any crimes over the past six months. It ordered Europol to scrub its database by January 2023.
But in its lawsuit filed this week, the EDPS said that EU lawmakers went behind its back and passed new legislation in June (articles 74a and 74b) that allowed Europol to retroactively keep all its previously collected information.
In a statement published in June, the EDPS said it had “strong doubts as to the legality of this retroactive authorization.”
Now, the EDPS says that this new development actively subverts its independence and authority and wants the court to invalidate the new amendments and stay its decision.
EDPS takes legal action @EUCourtPress as new @Europol Regulation puts rule of law and EDPS independence under threat – read our Press Release https://t.co/CPdbojwpw4 pic.twitter.com/KZpmEMVKa6
— EDPS (@EU_EDPS) September 22, 2022
This EDPS investigation (and the current lawsuit) is a highly controversial topic among law enforcement officials. In an official response in January, Europol said that deleting this data will impact its “ability to analyze complex and large datasets at the request of EU law enforcement,” which will hinder the EU’s ability to detect and respond to many threats, such as terrorism, cybercrime, international drugs trafficking, child abuse, and others, many of which involve trans-national investigations at a very large scale.
In honesty, this is one of those situations where both parties are right at the same time. You can’t fight crime in the XXI century without some serious ML and data analysis, but you also can’t leave a giant database of PII data without any safeguards from institutional abuse. Sure, it’s Europol. We’re not talking about China or Russia, so the possibility of abuse is low. But it’s also not zero, as there’s always that rogue insider in every government agency.
