The agency was found to have amassed much of the data unlawfully by the European Data Protection Supervisor (EDPS), the EU’s data protection watchdog. The agency has been ordered to delete the personal data of individuals who have no established link with criminal activity, concluding an inquiry started in April 2019.
The EU was found to have breached data protection law by including personal data from people with no proven relation to criminal activity and storing it for longer than is strictly necessary.
Wojciech Wiewiórowski of the EDPS said: “There has been no significant progress to address the core concern that Europol continually stores personal data about individuals when it has not established that the processing complies with the limits laid down in the Europol Regulation.”
Data protection advocates, such as French lawyer Robin Binsard, have claimed the volume of data stored by the policing agency amounts to mass surveillance.
According to internal documents seen by the Guardian, Europol was storing at least four petabytes of data – equivalent to three million CDs or a fifth of the entire contents of the US Library of Congress.
Mr Binsard told the newspaper: “Dismantling a whole communication system is like the police searching all the apartments in a block to find the proof of a crime: it violates privacy and it’s simply illegal.”
The agency holds sensitive data on at least a quarter of a million current or former terror and serious crime suspects and their contacts, which have been accumulated from national police authorities over the last six years.
Europol’s mass storage of data is part of an attempt to develop new policing tools and train algorithms.
It added that the agency had worked with the watchdog “to find a balance between keeping the EU secure and its citizens safe while adhering to the highest standards of data protection.”
The European Commission said the EDPS is posing “a serious challenge” to Europol’s ability to do its job.