The European Union’s internal privacy watchdog has sued lawmakers over legislation that would effectively eliminate its previous enforcement against Europol, the bloc’s law enforcement agency.
In January, the European Data Protection Supervisor ordered Europol to erase data on people with no established link to a crime, after finding that the law enforcement agency was likely of mishandling treasure troves of personal data.
But in June, MEPs and national governments adopted a reform of the regulation governing Europol that would have the effect of retroactively legalizing data processing practices that the EDPS had found to be illegal.
The proposal to allow Europol to circumvent the EDPS order — introduced by the French Presidency of the Council of the EU — caused an outcry at the time, especially as the new mandate also expanded the capacity of the agency to exchange data with private companies and to develop its own artificial intelligence tools.
Today, in a first for the watchdog, the EDPS went further by filing a legal challenge with the Court of Justice of the EU.
“The contested provisions set a worrying precedent,” said an EDPS statement announcing the legal action, seen by POLITICO. The watchdog said it was asking the court to strike down the provisions because they put “the rule of law and the independence of the EDPS at risk”.
The EDPS said that legal action was necessary to ensure the protection of individuals in the “highly sensitive area of law enforcement”, where the processing of personal data entails considerable risks for the people.
Neither the European Council nor the Parliament provided a response to the legal deposit after POLITICO sent a request outside normal office hours.
The legal action comes just days after the EDPS ordered Europol to approve Dutch activist Frank van der Linde’s request for access to data he holds on him, capping a torrid week for the law enforcement agency even as it hosts its famous annual EDEN Conference, where it brings together privacy experts from around the world to talk about data protection in law enforcement.
Van der Linde, who has no connection to any criminal activity, had asked Europol for access to his data two years ago. But the agency responded to the request by deleting the data and denying the Dutchman access to it, according to the decision, obtained by POLITICO.
The EDPS investigation revealed that Europol believed that the deletion of its data could be a solution to the problem of its access request. But following that logic, the regulator ordered the agency to retrieve the data and send it to van der Linde, adding that irretrievably erasing the file after the Dutchman had requested access would have been a serious breach of data protection. terms.
Van der Linde said he requested access to his data to see if any of it needed to be rectified. It has become a habit for him after ending up on terrorist lists, although he has only been involved in minor skirmishes with the police due to his left-wing activism.
“I’m just the tip of the iceberg,” van der Linde said. “I think there are hundreds or even thousands of people in the Europol database whose data is not correct. But hardly anyone asked for it.
For privacy campaigners, the episode highlights shortcomings in the way Europol handles people’s information – and the dangers of empowering it to expand those activities.
“Van der Linde’s case shows how Europol and national authorities mismanage data exchanges between themselves and neglect essential data protection rules,” said Chloé Berthélémy of digital rights NGO EDRi. , things can only get worse.
This article is part of POLITICO Pro
The one-stop solution for policy professionals fusing the depth of POLITICO journalism with the power of technology
Exclusive and never-before-seen scoops and ideas
Personalized Policy Intelligence Platform
A high-level public affairs network