Europol: Delete criminals’ data, but keep watch on the innocent

It is almost impossible to believe, but the European Union Agency for Law Enforcement Cooperation (Europol) simultaneously:

1. has policies that lead to evidence related to possible crimes being deleted (a data indifference regime) and
2. supports laws requiring the data of innocent people to be stored (a data retention regime).

Worse still, most of this is not necessarily Europol’s fault. The contradiction is supported, or more precisely demanded, by the European Commission and some EU Member States.

1. Data indifference regime

Under the Europol Regulation, the agency must “support Member States’ actions in preventing and combating forms of crime” such as terrorism and racism. However, much of the criminality that Europol works on is not harmonised on a EU level. Indeed, Member States have little interest in actually enforcing much of the relevant law. For the sake of being seen to be doing “something”, the EU has given Europol the job of putting pressure on internet companies to delete content that may or may not be illegal. In the absence of an accusation that a crime was committed, everyone can quietly look the other way.

Under the Regulation, Europol is given the task of referring “internet content, by which […] forms of crime are facilitated, promoted or committed, to the online service providers concerned for their voluntary consideration of the compatibility of the referred internet content with their own terms and conditions”. (emphasis added)

Once Europol identifies and refers illegal content associated with serious crime or terrorism to the relevant internet service providers, how many times does this lead to investigations?

The answer is unknown. Neither Europol nor the European Commission knows if any reports are referred to national law enforcement or judicial authorities nor if there are any investigations.

If there are actual investigations, what happens to the evidence associated with the content? Well, when referring content to service providers, Europol confirmed to EDRi in an e-mail that they give no instructions whatsoever to the internet companies as to whether data should be retained for law enforcement purposes. However, they consider whether the associated personal data can be considered to be “sensitive data” from a legal perspective and treat it accordingly. This assessment is not shared with the providers. If the providers feel that it is “sensitive data”, then they would normally be expected to delete all data not needed for business purposes. Indeed, one of the major social media platforms told us that, when they delete accounts on the basis of referrals, all associated data are deleted after 30 days.

That needs to be said again: in the absence of any instructions whatsoever from Europol, data that is allegedly associated with serious crime or terrorism is deleted.

2. Data retention regime

While data related to content where Europol has acted due to potential serious crime or terrorism is not considered interesting, it is busy supporting measures to require the storage to data related to perfectly innocent people. “We don’t want to use the data we have, but we want more” appears to be the message.

They want more data, even if the mandatory storage of the data has already been deemed illegal by the Court of Justice of the European Union (CJEU) . In addition, numerous EU Member States have laws requiring communications companies to store communications data related to every individual within their territory. They have these laws despite two CJEU rulings against this activity. The European Commission failed and continues to fail to take court action against those countries, in breach of its legal obligation to uphold the treaties of the European Union.

Worse still, the European Commission, Member States (represented in the Council of the EU) and Europol are engaged in a “reflection process” that is seeking to implement new mandatory communications data retention rules. The institutions are attempting to bypass the CJEU rulings through exercises of legal sophistry to exploit imaginary loopholes. Europol even prepared a presentation to support this effort to break the law in the name of ostensibly enforcing the law.

In short, Europol, the Commission and Member States are promoting action by private companies with no obligations for their own law enforcement authorities. The European Commission keeps publishing press releases boasting increasingly restrictive demands on what action internet companies can take to prevent and act on crimes. All of this is done, no doubt, in order to give the impression that somebody is doing something, without actually doing what needs to be done.

A good European Commission would confront law enforcement agencies on their failure to cooperate and start looking into solutions to address this. At the very least it would demand that Member States and Europol to publish consistent and reliable statistics. Right now this Commission is acting against its own mandate by hiding unpleasant facts and actively promoting practices that have repeatedly been found in violation of the Charter of Fundamental Rights of the European Union, of which the Commission supposedly is a Guardian.

(Contribution by Joe McNamee, EDRi)