Collision of trains within the European Union at the expense of the protection of personal information. The European Data Protection Supervisor, responsible for ensuring compliance with the Data Protection Directive in the Community institutions, has instructed Europol, the European Union Agency for Police Cooperation, delete a huge amount of personal information that has been stored in recent years by individuals with no established link to criminal activity, as reported by the European body in a note.

It appears that Europol has been storing unclassified personal information from crime reports, wiretaps and asylum requests from individuals who have not been involved in any crime for the past six years. The amount of data stored, according to The Guardian, would exceed 4 petabytes.

At this time, Europol should have leaked the information and extracted the personal data that the regulations allow it to keep in order to ensure the security of the EU without violating the protection of personal data. The European Supervisor explains that storing a large amount of unclassified personal information poses a significant risk to the fundamental rights of individuals, especially considering that in the above cases it has not been proved that the individuals have committed any crime.

Europol is subject to strict regulation on the type of data it can store and for how long. All information must be categorised and processed within a given period of time, at the latest three years after it has been obtained, and only information which is of particular relevance to the security of the European Union, for example in cases of counter-terrorism, can be retained.

The error of the European Police Agency has therefore been not to screen these data and to store them without categorization for a period longer than that established. “Europol kept this data for longer than necessary, contrary to the principles of data minimisation and storage limitation”, explains the European Supervisor.

The Community Data Protection Agency has thus given Europol 12 months to filter and extract data that it can legally retain and delete the rest. Failing to do so in time, the European Police Agency will be obliged to remove all non-classified personal information older than six months.

The European Police Agency, however, considers that it has acted appropriately and considers that the Community Personal Privacy Control Body is interpreting the rules in an impractical way and that it may hinder the exercise of its functions, according to The Guardian. The case is therefore not closed and there are likely to be further developments in this regard in the coming months.

The data that can be stored by Europol
The rule governing the operation of Europol states that “in the light of the fundamental rights of personal data protection, Europol should not retain personal data longer than is necessary for the performance of its tasks. At the latest three years after the start of the initial processing of these personal data, the need to prolong their storage shall be verified”.

Furthermore, the above-mentioned rule provides that the police agency may only collect and process personal data from persons who, in accordance with the national law of the Member State concerned, are suspected of having committed or participated in a crime within the jurisdiction of Europol, or have been convicted of such a crime.

También puede almacenar información de individuos de los que existan indicios concretos o razonables, de acuerdo a los criterios de las normas nacionales, para pensar que cometerán delitos que son competencias de la Europol.

Esa información sólo puede contener, además de las referencias a los delitos, las siguientes categorías de datos: apellidos, nombre, alias o nombre falso utilizado; fecha y lugar de nacimiento; nacionalidad; sexo; lugar de residencia, profesión y paradero; números de documentos de identificación oficiales; y, en la medida en que sea necesario, otras características útiles para su identificación como rasgos físicos específicos, objetivos y permanentes, como las huellas dactilares o el perfil de ADN.