Rather delete than comply: how Europol snubbed data subject rights

In 2020, Frank van der Linde, described as “a Dutch left-wing activist [involved] in various social media platforms, protests and initiatives against racism and discrimination”, sent a complaint to the EDPS, contesting Europol’s decision that denied his request for access of personal data (made under Article 36(1) of the then Europol Regulation). Van der Linde had become aware that his data were transferred to the European agency and the German federal police by the Dutch authorities in 2018 when he moved to Germany. Wrongly put on terrorists watch lists by the Dutch police before, van der Linde sought to know and to rectify the data Europol had about him. However, in June 2020, Europol refused his request and informed him that “there are no data concerning you at Europol to which you are entitled to have access”.

In its decision, the EDPS assesses that Europol “has not established the necessity” to refuse van der Linde’s access. The grounds for refusal given by Europol were concerns for an ongoing national investigation and the fact that some data had already been deleted from their operational database (Europol’s Analysis System, EAS). However, the EDPS stated that Europol did not provide adequate reasons to justify its confidentiality obligations and failed to explain how the data disclosure would impact Europol’s work. 

More worryingly, the EDPS’s inspection reveals the poor level of communication and the deficient management of sensitive data exchanges among police authorities, as well as their reluctance to comply with data subjects’ access procedures. First, the Dutch authority at the origin of the data transfer failed to correctly inform Europol that it had withdrawn the transfer to both German authorities and Europol and thus, that the data should have long been deleted. 

Second, after receiving van der Linde’s request for access, they suggested to Europol to delete the personal data from the EAS as a “solution to the problem”. In other words, as a way to avoid disclosing the data to the complainant. Europol did delete the data, however not permanently, as it was still possible to retrieve them. This is a clear attempt to obstruct van der Linde’s right of access to personal data enshrined in the Charter of Fundamental Rights. The EDPS clearly warned that “should Europol have erased (permanently deleted) the personal data concerning the complainant, this would constitute a failure to cooperate with the EDPS and a serious infringement of the Europol Regulation.”

This case illustrates how Europol’s opaque operational activities can have very concrete negative impacts on people’s rights and lives. While the agency was recently granted even more data-processing powers in a recently adopted reform of its mandate, individuals will continue to struggle to have their rights respected and enforced. 

Fortunately, the EDPS is taking steps to restore accountability by requesting the Court of Justice of the European Union (CJEU) to annul two provisions of the reform, which came into force on 28 June 2022. The provisions retroactively legalise Europol’s past illegal data processing and cancel the effect of an EDPS deletion order – a measure adopted by EU policymakers that we described as a big blow to the rule of law and to the EDPS’s legitimacy as data protection law enforcer. EDRi will continue to monitor these legal developments and to advocate for a proper evaluation of human rights compliance of Europol’s current missions and practices. 

Contribution by: