Europol built and operated secret data analysis platforms stuffed with passport photos, phone records, financial transactions, and geolocation data belonging to people never suspected of any crime.
The systems ran for years without the security or data protection safeguards EU law requires, and the agency concealed parts of them from its own privacy regulator.
A joint investigation by CORRECTIV, Solomon, and Computer Weekly, based on leaked emails, internal documents, and whistleblower testimony, reveals that these parallel platforms became the backbone of Europol’s analytical work. “They protect the law while breaking it,” one former senior official said.
The main system, called the Computer Forensic Network (CFN), was set up in 2012 to handle digital evidence. After the 2015 Paris attacks, Europol’s cybercrime unit EC3 repurposed it into a mass analysis platform operating outside IT controls.
More: Europol’s Embarrassing Data Breach Exposes Flaws in Its Anti-Encryption Stance
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
By 2019 it held two petabytes of data, roughly 420 times larger than Europol’s official databases. The agency’s own data protection officer found that 99 percent of operational data sat in this unregulated environment, with no adequate logging of who accessed or modified anything.
Alongside the CFN, a second covert system called the “Pressure Cooker” let staff store and analyze operational data without the constraints of EU law. A leaked 2022 email marked “Importance: High” warned that the regulator might discover the “irregular situation with the Pressure Cooker.” Europol claims it was just an internal nickname for a lawful system. Former officials say it was a separate platform hidden from the EU’s data protection watchdog for years.
The EU’s privacy regulator, the EDPS, spent nearly a decade trying to bring Europol into compliance, then closed its monitoring in February 2026 with 15 out of 150 recommendations still unimplemented, including core security safeguards.
British Conservative MP David Davis said the findings, “if true, point to serious failures of oversight, legality and data protection.”
He demanded the UK Home Office explain “whether any personal data of entirely innocent British citizens is being stored in Europol’s systems and, if so, why it is being stored and why the UK government is allowing it to be stored.”
The European Commission is now preparing legislation to double Europol’s budget and expand its mandate. It wants to hand broader surveillance powers to an agency that ran an unaccountable data warehouse for the better part of a decade and still can’t guarantee the personal data of innocent people inside its systems hasn’t been tampered with.
