Intelligence gathered outside the law. Evidence built on shaky ground. And an agency set to grow more powerful.
The case that never existed — until it did
Imagine defending a client whose name appears in a European intelligence database. Not because they committed a crime. Not because they were ever charged. But because their phone number was in someone else’s phone, which was seized in a terrorism investigation years ago, and that data was stored, cross-referenced, and analysed in a system that operated outside EU law — with no log of who accessed it, when, or why.
That is not a hypothetical. That is what a major investigation by CORRECTIV, Solomon and Computer Weekly has now documented at the heart of Europol.
What the investigation found
Europol — the EU’s flagship law enforcement agency — built and operated secret data analysis platforms containing vast amounts of sensitive personal information: phone records, identity documents, financial data, geolocation data. The system operated in parallel to the agency’s official databases, without the security and data protection safeguards required under EU law.
Former senior officials describe it as a “shadow IT environment”. By 2019, this unofficial infrastructure held at least 2,000 terabytes of data — almost 420 times larger than Europol’s official criminal databases at the time.
Europol’s own data protection officer warned, in an internal note obtained by the investigators, that 99% of the agency’s operational data was being stored and processed in this unregulated environment. Analysts could access — and potentially modify or delete — sensitive information about individuals, including people with no connection to any crime, with no reliable audit trail.
The EU’s top data protection watchdog, the EDPS, confirmed the risk in plain terms: innocent citizens faced the prospect of being wrongfully linked to criminal activity, with consequences for their personal life, freedom of movement, and careers.
As of late 2023, it was still not always possible to determine whether specific personal data had been accessed or modified.
The “Pressure Cooker”: a law-free zone for intelligence
Perhaps the most troubling element uncovered is a system known internally as the “Pressure Cooker” — described by insiders as a space where operational data could be stored and analysed without the constraints of EU law. Internal emails from 2019 describe it as a network where staff “develop some of their activities without proper ICT controls.”
Europol insists this was simply an internal name for a legitimate internet-facing operational environment. Former high-ranking officials tell a very different story.
What is clear from the documents is this: when the EDPS conducted oversight inspections, the shadow infrastructure may have gone largely unexamined. As one former senior official explained, oversight “relied largely on information provided by the agency itself.” Systems not formally presented might never be reviewed.
In 2025, Europol consulted the EDPS on a proposed new system. The EDPS warned it risked becoming “a full-fledged parallel environment” to Europol’s regular operations — enabling what it called “fishing expeditions” that infringe upon fundamental rights. A former high-ranking official suggests this is not a new tool at all, but an attempt to formalise the Pressure Cooker retroactively.
Why defence lawyers must pay attention
This is not a data governance story. This is a fair trial story.
When intelligence gathered through unregulated systems flows into criminal proceedings — directly or indirectly — it raises profound questions:
On evidential integrity. If data was accessed, modified, or deleted without an audit trail, how can the accuracy or completeness of any intelligence product derived from that environment be verified? Defence teams routinely challenge the chain of custody for physical evidence. The same rigour must apply to digital intelligence originating from Europol-linked databases.
On the right to know. Article 6 ECHR and the EU Charter of Fundamental Rights guarantee the right to adversarial proceedings. That right is undermined when the source, provenance, and processing history of intelligence cannot be disclosed or examined. If Europol cannot itself demonstrate clean data lineage, how can a prosecuting authority do so in court?
On proportionality and purpose limitation. EU data protection law — and the Europol Regulation itself — require that data be collected for specific purposes and not repurposed beyond them. A system operating outside those constraints is, by definition, a system operating outside the law. Intelligence derived from it may be tainted at source.
On disclosure obligations. In cross-border criminal matters, national prosecutors often rely on Europol intelligence assessments without detailed knowledge of how they were generated. Defence counsel must now ask harder questions about the provenance of any Europol-sourced material, and prosecutors must be in a position to answer them.
An expanding mandate, unresolved problems
The timing of this investigation is significant. The European Commission is preparing legislation that would double Europol’s budget and staff, and grant it substantially expanded powers. The agency is simultaneously transitioning to new leadership following the departure of its outgoing executive director on 1 May 2026.
That expansion is being proposed against a backdrop of unresolved questions. As Jim Killock of the Open Rights Group put it directly: “Europol’s decisions need to be trusted and able to withstand intense legal scrutiny.”
The EDPS closed its monitoring of the CFN in February 2026 — but not before noting that 15 of its 150 recommendations remained unimplemented, including ones it described as concerning “issues of particular importance”, among them core security safeguards.
What defence practitioners should do now
If you are handling a matter in which Europol has played any role — whether through intelligence sharing, data analysis, or operational support — this investigation should prompt a careful review of disclosure requests and challenge strategy.
Specifically:
- Request full disclosure of the source databases and analytical environments from which any Europol intelligence product was derived.
- Challenge any refusal to disclose on grounds that the processing environment may itself have been operating outside the legal framework.
- Consider whether the EDPS’s findings — and Europol’s own internal warnings — constitute relevant material for challenging admissibility or weight of Europol-linked evidence.
- In EncroChat-type or large-scale telecommunications intercept cases, pay particular attention to whether data passed through the CFN or related environments.
- Raise questions about data integrity where no reliable access logs exist — the absence of an audit trail is itself a forensic fact.
The principle at stake
A criminal justice system that tolerates intelligence gathered outside the law — even in pursuit of genuine and serious criminals — corrodes the very foundation it claims to defend.
Defence lawyers exist precisely for this moment: not to obstruct justice, but to insist that justice means something.
As one former Europol official put it with quiet precision: “They protect the law while breaking it.”
That sentence belongs in every challenge brief where Europol’s data is at issue.
Alexis Anagnostakis is a criminal defence barrister registered with the Athens Bar Association, practising European criminal law, human rights, and extradition. He serves as Human Rights Officer and Chair of the Human Rights Committee of the European Criminal Bar Association (ECBA), and is a member of the ICC List of Counsel and the CCBE Criminal Law and Human Rights Committees.
