Europol, the police agency of the European Union, was recently ordered to delete vast amounts of personal data collected on individuals not linked to criminal activity.  An inquiry, started in 2019 by the European Data Protection Supervisor (EDPS), focused on a large data cache composed of quadrillions of bytes, dubbed the “big data ark.” Europol held information on millions of citizens, their movements, and communications, sparking grave concerns over the usage of clandestine channels of mass surveillance from one of the world’s largest law enforcement agencies. The EDPS has provided a six-month period for the police to categorise existing data to separate personal information from relevant security data, and a twelve- month period to delete all personal data stored within its reach. 

This does not come as a shock to the European system. In just 2020, the organisation was criticised by the EDPS for holding large amounts of uncategorised data information, which was seen as a potential risk towards individual’s privacy rights. After taking no major measures to change their data protection policy, concerns continued to mount over whether the information stored was done so legally or not. Europol was accused of running the risk of attaching innocent individuals to criminal activity, stalling for time, and most importantly, acting without a legal basis for the sustained retention of personal data. 

Yet what started off as unlawful data retention has been interpreted as the first step towards mass surveillance across the European Union. This case reminded many of the United States’ role in domestic surveillance, in which its National Security Agency (NSA) was revealed in 2013 to have amassed vast stores of personal data of American citizens and over a billion people globally. But, even nine years after the revelations that NSA was storing communications data, wiretapping individuals without a warrant, and tracking people’s movements using metadata, the surveillance by the American agency continued with little congressional oversight. 

None of this is distinct from Europol’s actions. One of the millions under surveillance, Frank van der Linde, a nonviolent political activist from the Netherlands, was listed on a terror watchlist in his home country; after relocating to Berlin, he found out that Dutch police had shared his movement with Europol and their German counterparts. The ease with which non-criminal individuals are being placed on these watchlists is frightening, and the lack of a clear legal infrastructure for Europol’s activity is enough to ring alarm bells. 

But is it better to be safe than sorry? Some have argued that such drastic surveillance measures, although infringing on individuals, could ostensibly lead to a more developed security apparatus and provide a stronger sense of safety in Europe. Especially following the regional uptick in terrorist activity, the discussion regarding more stringent safety protocols on the internet remains. This binary of liberty and security is a dynamic that has been debated for years and has been brought to the forefront during the COVID-19 pandemic, where state imposed lockdowns in the name of health measures have been construed as intruding on individuals liberties. So, are liberty and privacy worth sacrificing to ensure security, and to what extent?

If questioning Europol’s level of surveillance, the answer is no. Within democratic societies, access to privacy has been enshrined as an essential right. In the European Convention on Human Rights (ECHR), respect for one’s “private and family life, his home and his correspondence” are codified explicitly. This raises the question of the circumstances in which privacy could be taken away for collective protection: the same article in the ECHR also specifies that this right is subject to restrictions as long as they are “necessary in a democratic society.” The intertwining of democracy and surveillance is a fragile game: infringements of privacy in the name of security are a valid concern, yet the standard which Europol has set has gone far past a security question and ignores the larger problem at hand. 

Tracking ordinary citizens unattached to crime, keeping this data indefinitely, and simply amassing a vast and clandestine data cache shows the potentially dangerous capabilities public agencies have to abuse their power.  The monopoly of information wielded by Europol has revealed a dark perspective on how without oversight, egregious infringements on ordinary citizens' lives is more than possible, even from one of the largest and well-respected law enforcement institutions on the planet. The EDPS mandate that they delete all nonessential surveillance data is, of course, a step in the right direction, but this episode has shown that we are not as far from state sponsored mass surveillance as we may believe.

 Image courtesy of OSeveno via Wikimedia, ©2015, some rights reserved.