Europol, the EU police agency, built and operated secret data analysis platforms, containing vast amounts of sensitive personal information, CORRECTIV, Solomon and Computer Weekly can reveal based on leaked emails, internal documents, and whistleblower accounts.

Ex officials describe the system as a “shadow IT environment”, that worked in parallel to the agency’s official databases. It operated without basic security and data protection safeguards required under EU law.

One of the systems allowed Europol staff to access and analyse highly sensitive data – including phone records, identity documents, financial and geolocation information – also relating to individuals not suspected of a crime.

In practice, it became the agency’s primary environment for large-scale crime analysis, despite lacking proper controls over who accessed or modified the data. According to the EU’s top data protection watchdog, it put innocent citizens at risk of wrongfully being linked to a criminal activity, with all of the potential damage for their personal and family life, freedom of movement and careers.

For the first time, several former high-ranking officials have come forward to reveal this shadow IT. Their accounts are supported by internal Europol documents, acquired by freedom of information requests, and leaked internal emails. According to the material, Europol publicly disclosed some data protection issues. Large parts, including a clandestine intelligence tool known internally as the “Pressure Cooker”, that, according to insiders, allowed Europol analysts to bypass EU laws, appear to have been concealed from EU’s top data protection watchdog EDPS for years. The system could still be in use today.

“They protect the law while breaking it”, said one former senior official. Like the other former insiders we spoke to, the source gave an interview on the condition of anonymity. Their identity has been verified by the reporting team.

Responding to this investigation, a Europol spokesperson said: “Europol has reported to the EDPS about its operational data processing systems and applications in a transparent manner. The allegation that Europol ‘kept hidden’ information about processing environments or systems is a misrepresentation of the facts.”

The findings come at a critical moment: the European Commission is expected to propose new legislation that would expand Europol’s budget and mandate. At the same time, a new executive director will be appointed this year, following Catherine De Bolle whose term ended on May 1.

Pressure to deliver

Europol’s expanding role in European policing – and its shadow IT system – took shape in a moment of crisis.

In November 2015, coordinated terrorist attacks across Paris killed 130 people and injured hundreds more. “We were really expected to step up at that point,” Europol’s then-director, Rob Wainwright, later recalled. “That was the moment where we had to deliver.”

Europol then set up a task force called Fraternité, and member states’ law enforcement authorities began sending large volumes of data to the agency: phone records, police reports, travel information. Europol was expected to turn this flood of information into actionable intelligence.

Subsequently, according to several former Europol officials, the agency’s own European Cybercrime Centre (EC3) seized control over Europol’s Computer Forensic Network, known as CFN. The CFN, established in 2012, had originally been designed to initially process, or filter, the growing amounts of digital material and link it to specific investigations. Data was organized in designated analysis projects. Usually, Europol’s IT department manages and controls such infrastructures.

The CFN was supposed to be managed by EC3 and IT together, and, when confronted with our findings, Europol said this policy was still in force in 2019 “and known to all relevant stakeholders”. So on paper, things were in order – but in practice, several sources confirmed, the system, went out of IT’s reach.

Within a few years, the CFN evolved far beyond its original purpose. One former senior official described it as a “black hole” for unregulated data analysis by Europol’s cybercrime unit EC3.

It became a system that neither properly logged who was accessing nor possibly changing or deleting data, as would later be discovered. By 2019, the CFN held at least 2,000 terabytes of data, almost 420 times bigger than Europol’s official criminal databases at the time.

In 2018, new data protection laws came into effect across Europe. By the following year, the scale of Europol’s non-compliant data practices had become impossible to ignore.

The agency’s own data protection officer, Daniel Drewer, rang the alarm bell in a five-page internal note – which CORRECTIV and its partners obtained via a freedom of information request – to Europol’s three deputy executive directors.

The message was blunt: 99 percent of Europol’s operational data was being stored and processed in the CFN, without basic data protection and security safeguards. Europol analysts were able to sift through vast troves of personal data, including information they were not legally entitled to retain, and repurpose it for criminal analysis.

The data, according to Europol, originated from member states’ law enforcement authorities, other operational partners and was collected by the agency via open source intelligence activities. At least one of the projects, “Focal Point Travellers”, according to Europols websitealso contained data provided by the US Federal Bureau of Investigation (FBI).

Unless Europol overhauled the entire parallel data system, Drewer warned of a possible ban of the CFN, which “might factually come close to a complete shutdown of operational business at Europol”, while “severely affecting trust” by member states.

“Having a parallel processing environment where guardrails cease to exist is cheaper, faster, and more effective,” a former senior Europol official told CORRECTIV and its partners. “But without these, anyone is at the mercy of the guy in front of the screen,” he says. In other words, decisions about how sensitive data is accessed and used were apparently left largely to individual staff, with limited oversight.

When asked, Europol answered that this statement “is a misrepresentation of the facts”. The spokesperson did not answer questions on whether member states and FBI are aware that data they provided ended up in this unregulated environment.

On April 1, 2019, Europol’s executive director, Catherine De Bolle, informed the EU’s data protection watchdog EDPS about Drewer’s findings. The disclosure triggered what became known as the “Big Data Challenge” – a years-long standoff between Europol and the external watchdog, culminating in an order from the EDPS that Europol must delete data it kept in breach of EU law.

The EDPS continued to monitor the system in the years that followed. As of late 2023, the watchdog found that it was still not always possible to determine whether specific personal data had been accessed or modified. In February 2026, the EDPS informed the Joint Parliamentary Scrutiny Group – an oversight committee of European and national parliamentarians – that it would close its monitoring of the CFN after nearly a decade of exchanges with Europol – even though 15 out of 150 recommendations had not been implemented. Those outstanding issues, the watchdog noted, concerned “issues of particular importance”, including core security safeguards.

The massive scale of irregular practices, unveiled by this investigation, has remained unknown to the public as well as policy makers tasked with scrutinising the agency, until today.

Even after Europol formally disclosed some data protection issues, internal warnings suggest that parts of the shadow-IT remained in place. EDPS only got to see elements of the black hole, obtained documents show.

Alarm over the Pressure Cooker

On October 5, 2022, a Europol staff member sent an email marked “Importance: High” to the inboxes of senior officials. It warned that EDPS might soon become aware of the “irregular situation with the Pressure Cooker”.

According to former insiders, the Pressure Cooker was understood within parts of the agency as a space where operational data could be stored and analysed quickly without constraints of EU law. In the email, the staffer states that Pressure Cooker is the name that operational units use for a network where “they develop some of their activities without proper ICT controls”.

“We flagged multiple times the importance of eliminating the Pressure Cooker”, the staffer wrote in his email. According to him, the IT department pushed management to transform the systems into one “with proper designs, controls, etc.”.

In response to questions for this investigation, Europol claims that “Pressure Cooker” was simply the internal name for its Internet Facing Operational Environment (IFOE) and that it operates in accordance with EU law. The EDPS said that it became aware of the term “Pressure Cooker” when it appeared in Europol’s ICT work plan for 2022, where it was used as a shorthand for a proposed interim internet facing environment.

However, internal memos and statements from former high-ranking officials suggest that in fact it was already running as an unregulated system. One Europol apparently kept hidden from EDPS for years.

Internal warnings about the irregular system were issued as early as 2019. “What you call ‘IFOE’ is an environment prepared in emergency mode under the ‘pressure cooker’ agreement”, a member of IT wrote in an email to an operational unit, stating that this evironment was being managed “in its entirety” by the operational unit.

Europol further claims that it consults EDPS in line with the Europol Regulation on the developments of the IFOE and did not keep information about processing systems hidden. But this only appears to apply to the official system, not the parallel IT infrastructure.

A former senior Europol official has an explanation for how the irregular system could have been kept from EDPS even during inspections. “When we say inspection”, he says, “we don’t mean a raid with IT experts monitoring systems and confiscating servers. We are talking about a polite conversation.”

Oversight, he explains, relied largely on information provided by the agency itself. Systems that were not clearly identified or formally presented might not be examined.

This raises questions about what stays in the shadows even today.

In 2025, Europol had officially consulted the EDPS on a proposed system named IFOE-Quick Response Area. According to Europol, this was because IFOE components were updated “to modernise them in line with technological developments” and thus under the Europol regulation, consultation with EDPS was necessary.

To the EDPS, Europol presented it as a future tool. The watchdog reviewed it and concluded: If implemented as described, it would risk becoming “a full-fledged parallel environment to Europol’s regular operational environment”. Asked by our team, EPDS said it sees a risk of Europol staff going on “fishing expeditions” that infringe upon fundamental rights, by collecting personal data without relevance to any ongoing criminal investigations.

However, according to a a former high ranking Europol official, what was presented to EDPS is not a new tool at all – but the attempt to formalise the Pressure Cooker.

Europol responded to the allegation of EDPS “of Europol seeking to collect information without relevance to criminal investigations outside the scope of its tasks under the Europol Regulation is a misrepresentation of the facts.”

The new warning by EDPS points to a broader concern: Even as Europol moves to formalise some parts of its parallel data infrastructure, there’s a risk that the issues of limited oversight persist.

While at least one email concerning the Pressure Cooker also reached Europol’s deputy directors, it remains unclear to what extent the systems described in internal documents, were known to the agency’s respective executive director – Rob Wainwright, and after 2018, Catherine de Bolle. When asked, Wainwright answered that he does “not recall any specific discussions on this matter during my time.” He added that he did recall “working very closely” with Europol’s data protection officer Daniel Drewer and that the establishment and promotion of a strong data protection framework “was an essential part of Europol’s mission and a core strategic priority.”

An expanding mandate

Europol’s transition is in full swing.

The European Commission is expected to propose new legislation that would double the agency’s budget and staff as part of a broader effort to turn Europol into a “truly operational police agency”.

The proposed changes would significantly expand the agency’s powers. But they would do so against a backdrop of unresolved questions about whether those powers have been exercised responsibly in the past– and what remains hidden.

“Europol’s decisions need to be trusted and able to withstand intense legal scrutiny.” Jim Killock, executive director of the UK-based digital rights organisation Open Rights Group told our team. “As a matter of urgency, Europol need to explain how deep these problems go, and whether they extend to questions of evidential integrity”.

Executive Director De Bolle, who left Europol after the end of her term on 1 May, declined to be interviewed for this investigation.

“We always try to find a solution”, she characterized her organisation in a podcast in 2024 celebrating Europol’s 25th anniversary. “And I think that this is in the DNA of Europol, we are a creative organization working on security on a daily basis.”

---

• Reporting and Investigation: Lydia Emmanouilidou, Apostolis Fotiadis, Bill Goodwin, Sebastian Klovig Skelton, Luděk Stavinoha, Frida Thurm, Giacomo Zandonini
• Editing: Till Eckert, Justus von Daniels
• Factcheck: Till Eckert
• Art Direction: Mohammed Anwar

Published: 05. May 2026