Europol, the law enforcement agency of the European Union, has been ordered to delete a huge store of personal data gleaned from police agencies in EU member states over the past six years. The deletion order comes from the European Data Protection Supervisor (EDPS), a watchdog body overseeing EU institutions’ compliance with privacy and data protection legislation.

EDPS has given Europol a year to review its databases and then remove any data that cannot be linked to a criminal investigation.

The total volume of data stored in Europol’s systems amounts to around 4 petabytes according to reporting in The Guardian — equivalent to hundreds of billions of pages of printed text — and includes data on at least a quarter of a million current or former terror and serious crime suspects, along with other people in its contact networks. The data has been drawn from criminal investigations conducted by national police authorities in EU countries, which were then shared with Europol.

In the text of the decision, the EDPS cites an initial investigation into Europol’s handling of sensitive data in 2019, which concluded that Europol was storing personal data on crime and terrorism suspects without adequate checks on whether monitoring of flagged individuals was justified. A year later EDPS sent a notice of admonishment to Europol for failing to comply with data regulations and putting EU residents at risk of being wrongfully linked to criminal activity.

“While some measures have been put in place by Europol since then, Europol has not complied with the EDPS’ requests to define an appropriate data retention period to filter and to extract the personal data permitted for analysis under the Europol Regulation,” the EDPS wrote in a press release accompanying the decision.

In the absence of a clear course of action, EDPS has now stepped in more forcefully, giving Europol a year to sort through existing data to find out what can be lawfully kept, and ordering it to delete any newly collected data that is not categorized within six months.

“It’s unclear the precise types of data Europol want to hold onto so keenly, but we do know they are large datasets consisting at least in part of data about people who Europol do not currently feel they can categorise within ‘suspects’, ‘potential future criminals’, ‘contacts and associates’, ‘victims’, ‘witnesses’ and ‘informants’,” said Michael Veale, associate professor in digital rights and regulation at the University College London Faculty of Laws.

That array of categories was already extremely broad, Veale said, so storing data that falls outside of these categories raised concerns that Europol was conducting unjustified surveillance on groups stereotyped as being “suspicious” or “dangerous.”

What seems clear is that the decision from EDPS will provoke fierce debate over where the EU should draw the line between privacy and security. Some senior European officials were quick to respond: one, EU Home Affairs Comissioner Ylva Johansson, expressed her displeasure shortly after the decision was announced.

“Law enforcement authorities need the tools, resources and the time to analyse data that is lawfully transmitted to them,” Johansson told The Guardian. “In Europe, Europol is the platform that supports national police authorities with this herculean task.”

Johansson clarified her concerns to PoliticoEU, suggesting that smaller national police departments would be unable to make sense of big data without drawing on Europol’s expertise.

But other privacy campaigners have welcomed the ruling, which has been celebrated as an upholding of EU citizens’ digital rights.

“This decision ... shows once again that in the EU the rights to privacy and to data protection are fundamental rights and are protected as such, even when the pressure on these rights comes from policing,” said Gabriela Zanfir-Fortuna, vice president for global privacy at the Future of Privacy Forum think tank.

“In a rule of law, policing activities need to follow the legal framework. Policing that does not respect fundamental rights cannot ultimately be effective,” Zanfir-Fortuna said.