MEPs Urge European Commission to Take Action over Europol’s Shadow IT

The recent revelations about Europol’s shadow‑IT infrastructure have reignited a long‑standing debate over digital governance within EU law‑enforcement agencies. Investigations by Computer Weekly, Solomon and Correctiv showed that large datasets—including personal identifiers and investigative notes—were processed on parallel systems that escaped the agency’s standard security controls and audit mechanisms. This breach of the General Data Protection Regulation (GDPR) not only contravenes the EU Charter of Fundamental Rights but also creates a blind spot for the European Data Protection Supervisor, whose oversight powers have historically been limited in the security sector.

Compounding the issue, Frontex’s bulk transfer of data on roughly 13,000 individuals—collected during debriefing interviews between 2019 and 2023—was carried out without individual necessity assessments or proportionality checks. The transferred records contained contact details, social‑media handles and unverified suspicion‑based information, which were later used in criminal investigations against migrants and civil‑society actors. Such practices run afoul of core GDPR principles of purpose limitation and data minimisation, raising the specter of unlawful surveillance and potential legal challenges in national courts.

In response, a coalition of 19 MEPs from across the political spectrum is pressing the European Commission to tighten oversight and link funding to compliance milestones. By proposing that a portion of Europol’s budget be withheld until robust, independent monitoring mechanisms are in place, the parliament signals a willingness to leverage financial levers to enforce data‑protection standards. The episode underscores a broader test for the EU: maintaining the delicate balance between effective cross‑border policing and the protection of fundamental rights, a balance that is central to the Union’s credibility on the global stage.