On Friday, I reported on Germany considering entirely doing away with data retention. More out of Europe on that topic. Quoting from the Record:
Today, Europol, the law enforcement agency of the European Union (EU), has been ordered to delete its massive database of information on EU citizens that it collected in recent years if the agency did not link subjects to any ongoing criminal activity.
The decision was announced today by the European Data Protection Supervisor, an EU-independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection.
The EDPS said that Europol has one year to comply with its decision, during which time the law enforcement agency must filter its database and delete any information on EU citizens that are not part of criminal investigations.
Europol will be allowed to process personal information as part of investigations, but the data on those not linked to crimes must be erased after six months.
Why do we care?
This is another step towards a “Don’t retain if you don’t need it” model. The story from Friday was a theoretical version… and this is a specific actual implementation.
Data retention techniques and strategies are changing, and certainly much faster in Europe. There’s a cybersecurity upside here, too, with a lot less data to be extorted for. In my mind, savvy providers will be looking at data management offerings that deliver this far before the regulations require them to, and I believe customers will reward that… and it has the upside of denying criminals data to hold for ransom.