On this page
Europol told to hand over personal data to Dutch activist
- European Data Protection Supervisor (EDPS) admonishes Europol’s violation of activist Frank van der Linde’s right of access to personal data.
- Europol previously said data had been deleted or couldn’t be accessed because of security concerns.
- The EDPS has now ordered Europol to comply with van der Linde’s request.
Fair Trials welcomes a decision by the European Data Protection Supervisor (EDPS), ordering Europol to hand over personal data to Dutch activist Frank van der Linde. The decision is the result of a two-year investigation by the EDPS into Europol’s possession and storage of van der Linde’s personal data. The EDPS found that Europol “has not demonstrated the necessity” to refuse van der Linde access to personal data it holds on him. The decision also revealed that Europol had tried to delete van der Linde’s data to try to avoid complying with the request.
The decision comes at a time when there are increasing concerns about Europol’s lack of respect for the protection of the fundamental right to data protection in its operations. In May, MEPs voted to extend Europol’s mandate, giving the agency powers to collect data without sufficient democratic accountability, oversight and safeguards.
Fair Trials’ Legal Director (Europe), Laure Baudrihaye-Gérard said:
“This decision is welcome but Mr van der Linde should not have had to appeal to the EDPS or endure such a lengthy investigation. Europol cannot be allowed to operate without accountability or oversight.
“For too long, Europe’s institutions have turned a blind eye to mass surveillance. This case highlights why we need proper oversight and regulation, as well as redress for those who are caught up in Europol’s mass data collection.
“Instead, the EU has decided to increase Europol’s data collection powers despite the serious threat to fundamental rights, including the right to a fair trial, to privacy and data protection, to non-discrimination, and to freedom of expression.”
Frank van der Linde responded to the decision: “Discovering that data has been sent to Europol labelled crime area terrorism is a nightmare. Finding out that Europol deleted my file after I asked for it, is real horror. And how do I know now if Europol told the truth to the EDPS?”
Frank van der Linde is a Dutch left-wing activist involved “in various social media platforms, protests and initiatives against racism and discrimination”. Despite having no criminal records at the time (he has since been prosecuted for breaking the window of an apartment in which he was squatting) he was put under surveillance by the Dutch police and listed as a potential terrorist suspect. After a series of subject access requests to the Dutch police, van der Linde was made aware that his personal information had been sent to Europol. In 2020, he asked Europol if the European agency stored his personal data but in June 2020 was informed that: “there are no data concerning you at Europol to which you are entitled to have access”. In response, van der Linde contested the decision of Europol to the supervisory authority of the agency, the EDPS.
Investigation by the EDPS
Previous investigations by the EDPS have taken up to seven months, but Europol’s lack of cooperation meant it took two years.
Initially, when the EDPS asked Europol for van der Linde’s personal data, they were told that it had been deleted. Only when two Europol officers travelled in person with a secure laptop to Brussels was the EDPS able to consult the data recorded about van der Linde.
The investigation found that there have been two sets of personal data stored about van der Linde. The Dutch authority sent information to Europol, which they asked the agency to delete after van der Linde made an access request. Europol also stored information on the Twitter account of van der Linde that related to an ongoing investigation on a person of interest in the Netherlands.
The EDPS told Europol that it “has not demonstrated the necessity” to refuse van der Linde access to personal data held by the agency and ordered Europol to provide van der Linde with the “full set of information which he is entitled to receive under Article 36(2) of the Europol Regulation”.
The EDPS also rebutted Europol’s justifications for not disclosing Frank’s personal data:
On the exemption for confidentiality reason over Europol operation
The right of access can be restricted to guarantee that Europol can fulfil its tasks properly (Article 36.6, Europol Regulation). This exemption can however, not be levied in all cases and without reasons.
The EDPS called out Europol for restraining the right of van der Linde without documenting an internal assessment preceding its decision, describing how disclosure would impact the operations of the European Police Agency.
On the deletion of personal data following an access request
As soon as van der Linde asked to know if his personal data were stored by the agency, they tried to delete the evidence as if, removing all information from the operational database of Europol would be “a solution to the problem”. Van der Linde’s interest in knowing what data was shared with Europol and made available to other law enforcement authorities in Europe, was ignored.
The EDPS clearly warned that “should Europol have erased (permanently deleted) the personal data concerning the complainant, this would constitute a failure to cooperate with the EDPS and a serious infringement of the Europol Regulation”.
Europol and Mr. van der Linde have one month to bring new elements to revise the decision of the EDPS. Any action against the decision can be brought to the Court of Justice of the European Union within two months.
The EDPS did not indicate a timeline for Europol to comply with its decision or outline any sanctions if the agency does not comply with the decision.