For years, the European Union has presented itself as a global defender of privacy and personal data rights. But a joint investigation by media outlets in the UK, Germany, and Greece claims that Europol, the EU police agency based in The Hague, operated parallel systems for storing and analysing data for years. Those systems allegedly contained huge amounts of personal information, including data on citizens with no criminal record or proven connection to criminal activity.
The issue highlights a growing tension inside the EU itself: the push for stronger preventive security based on mass data collection, alongside repeated promises to protect fundamental rights and personal privacy.
At the centre of the investigation is a system known as the Computer Forensic Network (CFN). Created in 2012, it was designed to process large amounts of digital material linked to criminal investigations. Its original role was relatively limited: storing and filtering information before transferring it into Europol’s official systems.
But the November 2015 terrorist attacks in Paris changed the situation dramatically.
After the attacks, which killed 130 people and injured hundreds more, political pressure on Europol increased sharply. National authorities began sending vast quantities of information, including phone records, travel data, police reports, and material from counterterrorism investigations.
The expectation was simple: Europol was supposed to turn that flood of information into useful intelligence.
According to internal documents revealed by the investigation, the CFN soon expanded far beyond its original role. By 2019, it reportedly stored two petabytes of information, around 420 times larger than Europol’s official databases.
The issue was not simply the amount of data being stored, but what kind of information was being collected and why.
That same year, Europol’s internal data protection officer, Daniel Drewer, warned the agency’s leadership that 99% of operational data was being stored and processed within the CFN without proper safeguards. His report said the platform had effectively become Europol’s main criminal analysis system.
The problems identified were serious: weak access controls, poor record-keeping over who viewed or changed information, and limited oversight of administrative permissions.
The stored information reportedly included phone records, identity documents, location data, and financial information. Some files also contained details about people with no direct link to criminal activity. Simply appearing in a contact list, sharing a social circle, or having indirect contact with a suspect was enough for a person’s information to be retained.
The European Data Protection Supervisor had already warned for years about this kind of expansion. Its dispute with Europol eventually led to what became known as the “Big Data Challenge,” a confrontation that ended with orders to delete large amounts of data stored outside legal limits and introduce stricter retention rules.
What followed exposed a deeper contradiction. While EU privacy regulators were demanding tighter limits and stronger safeguards, Brussels itself was simultaneously pushing to expand Europol’s powers. The EU appeared to be strengthening the same surveillance structures its own watchdogs were warning about.
The European Commission is now considering giving the agency even greater powers, with more funding and a broader operational role. Commissioner Magnus Brunner has publicly suggested doubling Europol’s budget and staff to turn it into a more active policing body.
The investigation also describes an internal environment known as “Pressure Cooker.” Former officials claim it functioned as a parallel space where certain types of analysis could be carried out with fewer procedural restrictions. Europol denies that interpretation and says the allegations misrepresent the situation.
The bigger issue may be broader than Europol itself. The case reflects a pattern seen repeatedly after terrorist attacks and major crises: surveillance powers introduced as emergency measures often become permanent.
Temporary powers have a habit of lasting long after the original emergency has passed.
