"Pressure Cooker": Europol's secret data processing without supervision

Europol is once again facing criticism for its extensive data collection. An investigation by Correctiv, the Greek editorial team Solomon, and the British magazine Computer Weekly sheds more light on a dark chapter of law enforcement. According to the reports, the agency operated a kind of “shadow IT environment” for years, which was largely outside the legally required security and data protection measures.

Externally, Europol presents itself as a guardian of law and order. The internal processes that have now come to light suggest that the office has undermined these standards internally. Former employees describe a system that existed parallel to the official infrastructure and was partly deliberately kept secret from the EU data protection officer, Wojciech Wiewiórowski.

The extent of the non-transparent data processing is considerable. According to a previously confidential internal report from 2019, which Europol released after a freedom of information request, employees at times stored and processed 99 percent of the agency's total operational data on one of these platforms. It was therefore likely the core of criminal analysis.

A known problem in a new light

Through these systems, employees had access to highly sensitive information such as location and connection data, financial transactions, and identity documents. In fact, in 2022, EU lawmakers granted Europol the authority to process extensive and complex datasets and to support member states in their fight against serious crime and terrorism with such big data analyses. The agency is therefore also allowed to evaluate data of innocent individuals on a large scale. Now it turns out: Proper logging of who accessed or modified which data and when apparently did not take place.

Wiewiórowski already reprimanded in 2020 that Europol collects too much information for big data analyses and is involved in a biometric eavesdropping system. In 2022, he sued against the agency's license for mass surveillance to keep the data of innocent individuals out of scope. The documents now obtained suggest for the first time the extent of internal obfuscation tactics and the existence of concrete shadow systems.

Post-hoc whitewashing instead of reappraisal?

Internal emails point to a database with the telling name “Pressure Cooker.” In a message classified as highly urgent from October 2022, an employee warned the agency's management about an “irregular situation.” It was feared that Wiewiórowski might learn of the existence of this network, where operational units developed activities without any IT control. Europol's IT department reportedly urged multiple times internally to shut down this “pressure cooker” or transfer it to a regular, controlled system. However, according to reports, they achieved little.

Europol rejects the accusations and emphasizes that it has always reported transparently to the data protection officer about all systems. The assertion that information was deliberately hidden is false. A high-ranking former insider told reporters, however, that the agency is currently trying to legitimize the questionable instrument retroactively. Under the designation “IFOE-QRA,” it is being presented to Wiewiórowski as a planned novelty.

In general, police databases, even in Germany at the federal and state level, are considered an almost unresolvable tangle, which is to be unified with “Polizei 2020.” Observers have been criticizing Europol, headquartered in The Hague, as a “data laundering facility” for decades, as information that national agencies would not be allowed to process on their own also ends up there.

(olb)