by Samuel Stolton
Europol, the EU’s law enforcement agency, has defended its record in using large datasets for criminal investigations while putting forward an ‘action plan’, seen by EURACTIV, to appease concerns raised over the agency’s ‘illegal’ data use by the EU’s data protection watchdog.
The European Data Protection Supervisor (EDPS) slammed Europol in September after a probe had unearthed evidence of national law enforcement agencies increasingly transmitting ‘large datasets’ to Europol, as opposed to ‘targeted data’ proportionate to specific criminal investigations, thereby breaching standards set out in the 2016 Europol Regulation.
Moreover, the EDPS had found that as part of the processing of such large datasets, the personal data of individuals who were not in any way connected to criminal activities was also going through Europol’s system.
In response to September’s findings, the EDPS tasked Europol with devising an ‘action plan’ to mitigate some of the data protection concerns.
In the action plan, obtained by EURACTIV, Europol calls for the Commission’s revision of the 2016 Europol Regulation, which lays down strict standards in terms of the agency’s data use, to be revised so as to allow the agency to continue its work.
The recast of the regulation, which the Commission presented in December, provides “a unique opportunity to address the structural legal concerns of the EDPS, in order to ensure that Europol will uphold its ability to comply with its mandate and provide operational support to EU member states in their fight against serious crime and terrorism,” the action plan states.
In addition, the agency also highlighted five actions to ‘enhance’ its data protection standards, including increased labelling of data received as part of the ‘data dumps’ from criminal investigations, limiting access rights to certain categories of data, as well as the appointment of a Data Quality Control Coordinator.
Some lawmakers in the European Parliament believe that Europol’s efforts are not sufficient. Leftist MEP Clare Bury told EURACTIV that she had concerns over the direction of Europol’s emphasis on relying on large, complex datasets in investigations.
“More and more, Europol appears to be determined to pursue a data-driven policing model, crunching huge amounts of data to produce, as they say, ‘operational, strategic or thematic’ analyses,” she said.
“The admonishment of Europol by the EDPS is extremely serious, and Europol’s Action Plan in response is inadequate, but the problems with this data-driven approach go much deeper.”
“The end goal is clearly to use big data for intensive profiling, with AI and machine learning playing a significant role,” Bury added, noting concern at Euroopol’s involvement in a series of EU-funded projects which all seek to develop AI and machine learning-based tools.
On this point, in particular, EDPS Wojciech Wiewiorowski noted that he could foresee certain challenges.
“We agree that machine learning may drive discrimination if done without taking into consideration the whole set of data on which the machine learning [is based],” he said.
Europol has not responded to EURACTIV’s request for comment.
Europol’s ‘decryption platform’
In December last year, it transpired that Europol had launched an ‘innovative decryption platform’, developed alongside the Commission’s Joint Research Centre. The aim of the project is to allow EU national law enforcement authorities to decrypt information lawfully obtained in criminal investigations.
On Monday, Wiewiorowski revealed that the EDPS had pressed Europol to provide more information “on the development and deployment of the new decryption platform,” to which Europol last week issued a dossier on the plans.
“The EDPS will assess the information provided to ensure that the platform has been developed and operated in line with the requirements of the Europol regulation, and adequate measures have been taken to ensure that fundamental rights and the rights of EU citizens are assured,” he said on Monday.
EDPS’s ‘admonishment’
The EDPS’s ‘admonishment’ of Europol’s data practices last year came as part of an investigation launched after Europol’s Executive Director Catherine de Boelle informed the organisation of serious ‘compliance issues,’ in April 2019.
The EDPS’s findings were extensive, honing in on Europol’s techniques of digital forensics and big data analytics to exploit the reading of larger datasets sent to the agencies by national police forces, which the EDPS says “creates risks of loss of technical and factual context and of increased bias.”
Moreover, the EDPS identified cases of personal data being processed “which mainly refer to individuals not linked in any capacity to any criminal activity.”
Such concerns resulted in the EU’s data protection watchdog’s reading that Europol was in violation of the 2016 Europol Regulation.
“Without a proper implementation of the data minimization principle and the specific safeguards contained in the Europol Regulation, data subjects run the risk of wrongfully being linked to a criminal activity across the EU, with all of the potential damage for their personal and family life, freedom of movement and occupation that this entails,” the EDPS’s reading stated.
*first published in: www.euractiv.com