The European Data Protection Supervisory Authority (EDPS), the supervisory authority of the European data protection institutions, filed a lawsuit before the Court of Justice of the European Union on 16 September to annul the new Interpol rules. The EDPS believes that two provisions, articles 74 bis and 74 ter, raise questions from the point of view of the protection of personal data.
In particular, these articles retroactively legalize controversial data storage practices by a European agency specializing in combating international crime and terrorism. They allow the agency to store the personal data of people who have no established connection with criminal activity. According to the EDPS in its complaint, this is a violation of the General Data Protection Regulation (GDPR).
The Supervisor, Wojciech Wiewiórowski, is therefore asking for these articles to be repealed in order to “protect the legal certainty of persons in a very sensitive area of law enforcement where the processing of personal data involves serious risks for data subjects” and “to ensure that the European legislator cannot unreasonably ‘move the gates’ in the field of privacy and data protection (…)”.
Previously banned system
In practice, articles 74 bis and 74 ter establish a system that the EDPS had previously criticized. In an injunction issued in January 2022, the EDPS ordered Europol to sort and then delete personal data held in one of its databases, which contained information on 250,000 people “suspected of current or past links to terrorism.”
However, the creation of such a database does not comply with certain fundamental principles of the rules on personal data and the protection of privacy. “This data collection and processing can represent a huge amount of information, the content of which is often unknown to Europol until it is analyzed and extracted – a process that takes years,” Wojciech Wiewiórowski explained.
The EDPS therefore asked Europol to check within six months whether each person whose data was stored had a connection with criminal activity. Otherwise, the data should have been deleted no later than January 4, 2023. However, the new regulation allows Europol to continue processing it.