The European Union's in-house privacy watchdog has sued lawmakers over legislation that would effectively wipe out its previous enforcement against Europol, the bloc’s law enforcement agency.
In January, the European Data Protection Supervisor ordered Europol to erase data concerning individuals who have no established link to a crime, after finding that the law enforcement agency was likely to have mishandled troves of personal data.
But in June, MEPs and national governments enacted a reform of the regulation governing Europol that would have the effect of retroactively legalizing the very data-handling practices that the EDPS had ruled unlawful.
The proposal to allow Europol to sidestep the EDPS order — introduced by the French presidency of the Council of the EU — caused an uproar at the time, especially as the new mandate also expanded the agency’s ability to exchange data with private companies and develop its own artificial intelligence tools.
Now, in a first for the watchdog, the EDPS has gone a step further, filing a legal challenge with the Court of Justice of the EU.
“The contested provisions establish a worrying precedent,” said an EDPS statement announcing the legal action, seen by POLITICO. The watchdog said it was asking the court to roll back the provisions because they put the “rule of law and EDPS independence under threat.”
The EDPS said it was necessary to take legal action to safeguard protections for individuals in the “highly sensitive field of law enforcement,” where the processing of personal data carries considerable risks for people.
Neither the European Council nor the Parliament provided a response to the legal filing after POLITICO sent a request outside of usual office hours.
The legal action comes just days after the EDPS ordered Europol to approve Dutch activist Frank van der Linde's access request to the data it holds on him, topping off a torrid week for the law enforcement agency even as it hosts its renowned annual EDEN conference, where it convenes privacy experts from around the world to talk about data protection in law enforcement.
Van der Linde, who has no link to criminal activity, had asked Europol for access to his data two years ago. But the agency responded to the request by deleting the data and denying the Dutchman access to it, according to the decision, obtained by POLITICO.
The EDPS investigation found that Europol thought that deleting his data could be a solution to the problem of his access request. But in a broadside to that logic, the regulator ordered the agency to retrieve the data and send it to van der Linde, adding that an irretrievable erasure of the file after the Dutchman had demanded access to it would have constituted a serious breach of data protection requirements.
Van der Linde said he had asked for access to his data to see whether any of it needed rectifying. It’s become a habit of his after finding himself on terror lists, even though he’s been involved in only mild skirmishes with the police due to his left-wing activism.
“I’m the tip of the iceberg,” van der Linde said. “I think there are hundreds or even thousands of people in Europol’s database where their data is not correct. But almost nobody has asked for it.”
For privacy campaigners, the episode highlights lapses in the way Europol handles people's information — and the dangers of empowering it to expand those activities.
“Van der Linde's case shows how Europol and national authorities poorly handle data exchanges among themselves and neglect key data protection rules," said Chloé Berthélémy of digital rights NGO EDRi. "With the recently approved reform of Europol's mandate granting the agency more data processing powers, things can only get worse.”