The European Council extends Europol’s powers over personal data
![Image Europol Head of Operations discusses [dismantling of LockBit]](https://incyber.org//wp-content/uploads/2023/12/incyber-news-water-cybersecurite-cybersecurity-885x690.jpg)
Less than a month after the EDPS demanded that Europol delete personal data retained beyond the legal period of 6 months, the European Council proposes to extend this period to 3 years.
At the beginning of January, the European Data Protection Supervisor (EDPS) gave Europol 12 months to delete all the personal data that the police agency had kept for more than 6 months and that did not concern suspects, witnesses, or certain victims—as stipulated by EU law. Europol defended itself by pointing out that the vast majority of its investigations last more than 6 months, and that it was often impossible to categorise the data collected so quickly.
On 1 February 2022, the European Council and the European Parliament published a « provisional agreement » on a new Europol mandate that would give the agency « a legal basis for storing and processing large amounts of personal data, ending a controversy. »
In particular, this agreement gives Europol 3 years—instead of the 6 months defended by the EDPS—to categorise the persons identified in the data, i.e. to assess whether the data is criminally relevant or should be deleted.
The agreement also extends Europol’s powers to collect and share data. The European Council’s communiqué states that « the draft regulation extends the possibilities for Europol to cooperate with third countries » and that it introduces the possibility to exchange personal data « with countries where appropriate safeguards are provided for in a legally binding instrument or exist according to the self-assessment carried out in the framework of Europol. »
The draft regulation also provides for Europol to offer technical assistance to EU Member States that do not have the capacity to process large data sets in the course of their investigations.
In addition, Europol will be able to « receive personal data directly from private actors. » The agency will thus become a contact point to legally share data sets from several authorities. « Europol will then be able to analyse these data sets to identify the Member States concerned and forward the information to national authorities, » the statement said.
European Digital Rights (EDRi)—the umbrella organisation for civil rights NGOs in Europe—was highly critical of the agreement: « Put simply, the new regulation would legalise data practices that were so far prohibited and confirm the use of predictive policing in European law enforcement. Europol would no longer be required to delete datasets containing data of innocent people it receives from national investigative authorities—to the contrary, it would be encouraged to exploit them. »