There seems to be a strong likelihood that European hypocrisy over personal data privacy might continue indefinitely
The European Data Protection Supervisor’s instruction to Europol to delete all stored data not related to a person with a known link to crime is just the tip of a European hypocritical surveillance iceberg.
The issue is discussed in a report by Douwe Korff (Emeritus Professor of International Law, London Metropolitan University and Associate at the Oxford Martin School, University of Oxford) titled The EU’s own ‘Snowden scandal’: illegal mass surveillance and bulk data mining by Europol and the member states (PDF).
Edward Snowden’s revelations on NSA and GCHQ mass surveillance operations directly led to the development of the European General Data Protection Regulation (GDPR) which is now used around the world as the blueprint and gold standard for personal privacy protection.
GDPR is a production of the European Parliament (EP). EP members are elected by the people. European political power, however, largely rests with the European Commission (EC) whose members are nominated by the member state governments. There is an inherent and ongoing conflict of interest between people and governments in European politics. With GDPR, the people won – but Americans largely looked on and thought: ‘hypocrites’.
This inherent hypocrisy is now fully revealed by Europol’s mass collection of personal data of European residents contrary to the principles of GDPR (which by definition includes both natural citizens and incoming migrants). Hypocritical irony is added to the mix with the ECJ’s Schrems II judgment which makes EU to U.S. data transfers difficult and largely illegal. Schrems II is based on the incompatibility of GDPR and FISA 720, the latter giving the U.S. government access to European PII – yet here is Europol doing largely the same thing on European personal data.
Europol is separately regulated by Regulation (EU) 2016/794 on the European Union Agency for Law Enforcement Cooperation (the Europol Regulation), but still subject to supervision by the EDPS (article 43). The EDPS has been examining Europol’s use of stored data (provided by the various member law enforcement authorities) since opening an enquiry in 2019. It is estimated (unconfirmed by Europol) that the size of its data lake exceeds four petabytes of data.
“This is about the desire of Europol and EU Member States to collect, ‘in a generalized manner’, vast stores of personal data on overwhelmingly innocent people,” writes Douwe Korff. The purpose is to use machine learning AI algorithms to detect or infer the possibility of criminal behavior – in other words, predictive law enforcement that isn’t based on any known personal criminal action.
This is done, he adds, “without regard for the inherent serious dangers and deficiencies in the data mining technologies, and in clear breach of EU law.”
Predictive law enforcement using AI
The EDPS ruling is primarily about illegal data storage; that is, too much for too long with no legal reason. Europol must first categorize the data subjects. This will separate those genuine suspects from ‘the rest’. The rest must be deleted – but until that categorization is complete, the EDPS ruling states, “no personal data in the contributions can undergo any form of processing by Europol other than that strictly necessary to proceed to such categorization.”
Korff’s concern is that ‘any form of processing’ involves predictive law enforcement based on machine learning algorithms – in which he has little faith. These algorithms are intended to find data subjects who might become involved in criminality, even if they haven’t been in the past and there is no current evidence against them.
According to a report in the Guardian dated January 10, 2022, Europol began to develop an AI program for its data pool in spring 2020 (after the EDPS started its investigation). In February 2021, Europol told the Guardian, it “has not made use of own machine learning models for operational analysis and has also not carried out ‘training’ of machine learning.” But the Guardian notes that Europol has now “started a recruitment round for experts to help with the development of AI and data mining.”
At this point it is worth noting that GDPR prohibits the use of AI to profile data subjects. Article 22 states, “The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.” Europol has no such inhibition within the Europol Regulation.
Korff’s belief is that AI-based data mining and profiling “suffers from fundamental, inescapable flaws that pose great risks to the rights and freedoms of individuals.” He has four primary concerns:
● The combination of a large dataset with a low number of ‘serious criminals’ will lead to “tens of thousands of ‘false positives’” involving innocent people
● Rules and laws will not protect individuals concerned from discriminatory outcomes of the profiling
● It is impossible to challenge the outcomes of such processing since the algorithms are continuously and dynamically changed by their machine learning nature
● The outcomes of the profiling and data mining are not, and probably never will be, subject to scientific testing and auditing.
European hypocrisy
The parallels between Snowden’s revelations on NSA and GCHQ surveillance and Europol’s current behavior are not lost on Korff. “It has become clear through subsequent investigations and exposures,” he writes, “that the hoovering up of data (especially e-communications data) in bulk, by the US National Security Agency, NSA, working closely with its UK counterpart, the UK Government Communications Headquarters, GCHQ, was precisely for the above purposes: to analyze and filter the massive data sets in order to try and seek out – ‘identify’ – individuals who ‘might be’ involved in nefarious activities (or who just ‘might be’ ‘of interest’ for political or other purposes).”
The Guardian put it more succinctly: “While Europol lags behind the US in terms of technological capacity, it is on the same path as the NSA.”
In a separate study by Korff and Ian Brown (visiting CyberBRICS professor at Fundação Getulio Vargas (FGV) Law School in Rio de Janeiro, Brazil), commissioned by the European Parliament , the authors wrote, “A more pertinent claim of hypocrisy can be laid against the EU and the EU Member States in relation to actual compliance with either the ECtHR or the CJEU standards… the surveillance laws and practices in many EU Member States would clearly fail the tests applied to the laws and practices of the USA in Schrems II.”
What next?
The EDPS has made its ruling and Europol will have to dismantle parts of its data lake and control the rest. “Any action against a decision of the EDPS can be brought before the Court of Justice of the European Union within two months,” notes the EDPS ruling. That would appear to be final. Problem solved.
But is it? From the beginning of the EDPS investigation, Europol has prevaricated, asked for time extensions, and delayed matters. The likelihood is that it hopes to delay activating the EDPS ruling.
The Guardian quotes the EU home affairs commissioner, Ylva Johansson: “Law enforcement authorities need the tools, resources and the time to analyze data that is lawfully transmitted to them,” she said. “In Europe, Europol is the platform that supports national police authorities with this herculean task.”
The Guardian adds, “Last year, [the European Commission] proposed sweeping changes to the regulation underpinning Europol’s powers. If made law, the proposals could in effect retrospectively legalize the data cache and preserve its contents as a testing ground for new AI and machine learning tools.”
If Europol can delay things long enough, it may find that its currently illegal activities have suddenly become legal, and it can carry on as it wishes. Remember that the European Commission is the center of European political power, and its members are nominated by member state governments who do not wish to curtail predictive law enforcement, whatever the cost to personal privacy.
There seems to be a strong likelihood that European hypocrisy over personal data privacy might continue indefinitely.
Related: GDPR Fines Surged Sevenfold to $1.25 Billion in 2021: Study
Related: European Police Pounce After Cracking Crime Chat Network
Related: Facebook, GDPR and Max Schrems – Under the Hood of GDPR Legal Processes
Related: Austrian Regulator Says Google Analytics Contravenes GDPR
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Tags:
