The European Union's data protection watchdog on Monday ordered Europol to delete a vast trove of personal data it obtained pertaining to individuals with no proven links to criminal activity.
"Datasets older than six months that have not undergone this Data Subject Categorisation must be erased," the European Data Protection Supervisor (EDPS) said in a press statement. "This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline."
EDPS' investigation into Europol's handling of sensitive data commenced in April 2019, with the authority noting that the storage of large volumes of data with no Data Subject Categorisation poses a risk to individuals' fundamental rights and amounts to mass surveillance. The cache is said to contain at least four petabytes, according to The Guardian.
In addition, the ruling also imposed a six-month retention period to filter and to extract the personal data, in addition to giving the cross-border law enforcement agency a year to comply and review its databases for potential removal of any information that cannot be linked to a criminal investigation.
"A six-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of E.U. Member States relying on Europol for technical and analytical support, while minimizing the risks to individuals' rights and freedoms," Wojciech Wiewiórowski of EDPS said.
We have reached out to Europol for further comment, and we'll update the story when we hear back.