Europol's Data Odyssey: Unraveling the Interplay of Big Data, Human Rights, and EU Legislative Intervention

Over the last couple of years there have been fierce discussions between Europol and the European Data Protection Supervisor (EDPS) over the processing of uncategorized data. The 1987 Recommendation on the use of personal data in the police sector already required law enforcement to foresee in Data Subject Categorization (DSC), i.e. the process of subdividing persons, data subjects, into categories, such as suspect, victim, witness, associate, informant and others. In 2016, both Europol and national law enforcement authorities for the processing of data, including operational data, were given a new legal framework, through respectively a Regulation and a Directive. In 2018, the European Union legislators agreed on a new legislative framework for the processing of data by institutions, agencies and bodies. Each one of these instruments refers, directly or indirectly, to the need to categorise data in the sphere of law enforcement, justice or border protection. 

However, the reference foreseen in the Europol Regulation has caused some turmoil. According to the EDPS, Europol could process non-DSC data, but more data protection measures were in order and even a retention period of six months was imposed. Whilst criticism on the Europol was widespread, the question was never answered whether the EDPS' view on the Europol Regulation was correct. 

This presentation argues that Europol could perform DSC for several reasons, but also argues that Europol, contrary to the conclusion of the EDPS, could process non-DSC data for as long as necessary. The line of argumentation is threefold. As the legislator intervened, and did not require Europol to seek redress before the CJEU, it will remain in doubt whether the CJEU would have agreed with the EDPS or with Europol. However, history has, at least for now, made clear that the EDPS cannot seek the annulment of specific provisions (Articles 74a and 74b of the consolidated Europol Regulation) touching upon it decision ordering Europol to delete non-DSC data after six months of processing. The General Court declared the case inadmissible, but the EDPS could still seek redress before the Court of Justice, where in case of admissibility, the line of reasoning included in this presentation could prove value.