The EU’s own ‘Snowden Scandal’: Europol’s Data Mining

On 3 January 2022, the European Data Protection Supervisor (EDPS), which supervises the processing of personal data by the EU’s law enforcement agency, Europol, ordered Europol to delete data held in its databases on individuals with no established link to criminal activity.

By EDRi · January 19, 2022

The EDPS order was a follow-up to an EDPS inquiry into “the use of Big Data Analytics by Europol for purposes of strategic and operational analysis”. In September 2020, the EDPS had already issued an admonishment to Europol, in which it considered that the massive data sets in question posed “high risks for data subjects” and had a “potentially severe impact on their fundamental rights and freedoms” – but in which it still left it to Europol itself “to devise mitigation measures”.

However, the EDPS found the solutions proposed by Europol unacceptable. It, therefore, ordered Europol to carry out “data subject categorisation” (sorting personal data according to categories that Europol is allowed to process and excluding any data it is not allowed to process) of all new data within six months, and of all old data within twelve months. As the press release on the order explains, compliance with the order would mean that:

“Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline.”

“Mining” bulk data sets to “identify” criminals

The wrestling match between the EDPS and Europol highlights a trend towards predictive policing: the growing tendency of national law enforcement (and national security) agencies to try to “identify” individuals who “may be” involved in crime, especially serious crime or terrorism – both rather variably defined.

For example, the EU Schengen Information System (SIS II) allows entering data on so-called “persons of interest”, for which EU Member States’ authorities are invited to carry out “discreet checks, inquiry checks or specific checks”. However, those persons cannot (yet) formally be declared suspects under criminal procedure law, since there is no real evidence that they have committed or will commit a relevant crime.

For the purpose of identifying potential criminals, part of the EU strategy is to allow for the collection, ‘in a generalised manner’, of vast stores of personal data on innocent people, notably by facilitating bulk access by law enforcement and national intelligence agencies to large-scale databases and data sets held by the private sector. The data sets may include data on electronic communications, financial data and data on people travelling to and in the EU, in particular air passengers.

The second element of predictive policing is the analysis of bulk data by means of “pre-determined criteria” (country of origin, gender, etc.), i.e., by AI-based self-learning algorithms to single out suspicious persons. Europol has become increasingly involved in such algorithmic data analysis and in the research underpinning those technologies. However, this kind of processing suffers from inescapable flaws that pose great risks to the rights and freedoms of individuals: false positives, discriminatory outcomes, opaque processes that are impossible to challenge and a crucial lack of scientific testing or auditing.

In other words, it is about mass surveillance of entire populations ‘without any differentiation, limitation or exception being made in the light of the objective of fighting against serious crime’, without regard for the inherent serious dangers and deficiencies in the data mining technologies, and in clear breach of EU law. It is a scandal on a par with the indiscriminate surveillance by the US agencies, exposed nearly a decade ago by Edward Snowden.

A reform to legalise what is unlawful

The indiscriminate bulk data collection and algorithmic analyses of the “uncategorised” data by Europol violate EU data protection law, the EU Charter of Fundamental Rights and the Treaties. However, these activities not only continue in spite of the EDPS’s strong criticism – the EU institutions are trying to legalise them under the revised Europol Regulation.

It is clear that Europol has been deliberately procrastinating in its lengthy exchanges with the EDPS, stretching over two years. Europol’s demand that the EDPS defer its order even further, until after the new mandate is in place, is simply an attempt to “save” the dangerous technologies it is wedded to.

For the maintenance of the rule of law and for the protection of the fundamental rights and freedoms of European citizens it is essential that the mass surveillance activities of national law enforcement agencies and of Europol are brought under control.

The judgment of the Court of Justice in the Passenger Name Record case will hopefully send a clear signal that mass surveillance by means of data mining and profiling of bulk datasets is incompatible with the Charter and the Treaties.

Although the Snowden revelations caused widespread, furious denunciations of the USA by European leaders, the Europol data mining scandal shows that the Americans had some justification when they accused the Europeans of hypocrisy and “double standards”.

The original longer version of this article can be read here.

(Contribution by: Douwe Korff, Emeritus Professor of International Law, London Metropolitan University; Associate, Oxford Martin School, University of Oxford)