The European police agency has retained several petabytes of data for the purpose of data mining, which it would be legally required to delete. The French presidency is taking action against the EU data protection commissioner’s deletion order.
Before the start of the trilogue negotiations to finalize the new Europol regulation, the controversy between the European Data Protection Supervisor and Europol is coming to a head. At the beginning of January, the data protection commissioner ordered Europol to clean up its excessive data collection.
Update 31. 1. 10:30
In the following two paragraphs on the composition of the data volumes in question, corrections have been made, especially with regard to the weighting of the individual main components.
The tracker demands the deletion of personal data records in the petabyte range that have no connection to specific criminal acts. Europol had been analyzing these huge data sets for years using software from the data mining company Palantir according to unknown criteria. The French Council Presidency still wants to bring down this deletion order in the trialogue with an exemption regulation.
Only the introduction to this document from the French Presidency, published by the British civil rights organization Statewatch, is in French. This is about the new Article 74a proposed by France and how it could be used in combination with Article 18a formulated by the EU Parliament to undermine the EU Data Protection Supervisor’s deletion order. The actual text is a so-called four-column version in English, with the text versions of the Commission, Council of Ministers and Parliament side by side. The fourth column contains the solutions proposed by the Council Presidency. The document itself is dated 24. January, so quite fresh.
Unspecified data volumes
The French Council Presidency attracted attention right at the start by integrating a tracker from a French data trading company into its official website.
The order of the EU Data Protection Supervisor, Wojciech Wiewiorowski, concerns large data sets generated by Europol in the framework of police investigations. Most of this bulk data comes from the national police data collections of EU member states, since Europol is a service provider for European police authorities in the area of databases and information systems. This includes data from all sorts of "third parties", namely from companies and financial systems. Data sets from third countries also make up a considerable part, as they are mentioned several times in the text of the Council Presidency.
All these are unspecified data volumes, which are almost exclusively composed of personal data of uninvolved persons, which have no connection to any criminal offences. And these vast amounts of data records, which cannot be assigned to a specific crime, are permanently stored at Europol. The only time criterion for this data retention, according to Europol, is "as long as it is necessary and proportionate to support a specific investigation".
From the EU Data Protection Supervisor’s order to Europol. All data records that cannot be assigned to a specific crime within six months – that’s what’s meant by "data subject categorization" – must be deleted, says da.
No criteria, no controls
This is exactly where the data protection commissioner comes in. Europol does not set a time limit for the evaluation of these data, it says in its statement, only when the evaluation is completed and no assignment to a concrete crime has been found, they are deleted according to Europol. "The lack of a deadline for this means, in principle, that the evaluation process can take years," it is noted, as well as the lack of a definition of the criteria for the need to store these data. This means that Europol alone can determine what is stored for how long and according to which criteria it is evaluated.
This data processing is therefore without any possibility of control by supervisory bodies such as the data protection commissioner, because where criteria are missing, their compliance cannot be controlled. In this respect, Europol resembles a kind of system that imposes its own data processing criteria, making the respective decisions incomprehensible to outsiders. Such a system is structurally much more like a secret service than a police authority, but Europol is defined as such.
This telling passage also comes from the DPO’s letter to Europol and raises more questions than it answers. Whichever new technical solution is hidden behind the black bars in the screenshot above, it can be assumed that instead of Palantir, a different company or software is being used here. Product name stands. Why, of all things, does the Union’s Data Protection Supervisor classify this information as unsuitable for a wider audience?
Data miners and data protectors
Among the Commission’s security requirements for EU-funded Big Data projects including "artificial intelligence", secrecy is paramount.
From the screenshot above it is quite clear what else happens with these immense data sets at Europol besides targeted, criminal investigations. Until the end of 2021, software from the company "Palantir" was used, which is the flagship of the group of Dot.com billionaire Peter Thiel in the field of "Big Data" . That is, it merges differently structured with unstructured data sets and analyzes them through AI applications. In other words, algorithms have been unleashed on a motley assortment of massive data sets to search for previously unknown correlations and constellations. And for that it needs first of all the "Big Data" itself and dіe Europol has accumulated for this purpose over the years.
This exuberant data collection and analysis of non-categorized records using algorithms violates the EU’s General Data Protection Regulation and Charter of Fundamental Rights, writes Douwe Korff, professor emeritus of international law at London Metropolitan University, in his analysis for European Digital Rights, the umbrella organization of European civil liberties organizations. "It is now clear that Europol has deliberately delayed the exchange process with the EDPS, which has been ongoing for two years now. Now they are asking for yet another delay until the new Europol regulation is in place," Korff said. The fear now is that the EU institutions will try to legalize these procedures in the upcoming regulation.
The RSS feed to this blog. Relevant information, metacriticism et al. are to be submitted encrypted and anonymously to the author via this form. If you want an answer, please provide a contact information.