A new investigation lays bare the enormity of Europol’s rogue tactics: the agency maintained a ‘shadow IT environment’ parallel to their official databases. Keeping a second set of books is a mob classic to hide from scrutiny. Europol’s case was no different: the parallel database was outside the agency’s legal
Shubham Kaushik
Keeping double books, operating in legally-murky areas to escape scrutiny, influencing governments to change laws so their illegal activities are legalised – these aren’t just plot points from The Sopranos or another mob thriller but seemingly the playbook of EU’s police agency.
Europol might be tasked with dealing with organised crime but that hasn’t stopped it from following similar tactics as those they’re claiming to fight against.
Europol’s shadowy nature is no secret to those who have been paying attention – privacy experts have been calling them out for everything from their links to private companies, lacklustre data protection practices, to their perpetual efforts to undermine end-to-end encryption, a critical feature that secures our private messages from being mass surveillance fodder.
Go rogue to catch rogues?
A new investigation in May 2025 yet again laid bare the enormity of Europol’s rogue tactics: the agency maintained a ‘shadow IT environment’ parallel to their official databases.
At one point, this secret second database became the main way for Europol to do large-scale crime analysis and hosted over 95 per cent of data they had collected. It was 420 times larger than their official databases.
Keeping a second set of books is a mob classic to hide from scrutiny and escape accountability. Europol’s case was no different: the parallel database was outside the agency’s legal framework with almost no safeguards and limited oversight. It did not even comply with basic IT security and data protection norms.
There are no innocent explanations about the existence of a secret parallel database: its existence was known to the upper echelons of Europol, and was deliberately concealed until an inquiry by the European Data Protection Supervisor (EDPS) in 2019.
One would think that there would be some consequences after these explosive revelations about severe breaches of EU’s own laws by the police agency. Not really.
In fact, the EU has let Europol get away with murder before.
In 2019, after being admonished by the EDPS for unlawfully storing huge amounts of data, Europol faced no repercussion. Instead, in 2022, the EU rewrote the law to legalise the illegal data processing practices Europol was indulging in, thus allowing them to continue acting with impunity.
The same thing is set to happen again this year.
Next week, on 24 June, the European Commission is expected to propose an overhaul of Europol’s mandate which will substantially expand its powers and more than double its (already huge) annual budget by 2034, to €444m annually.
The reform will also likely aim to remove the last few data protection safeguards, weaken the oversight powers that the EDPS has over the agency, while extending the scope of crimes for which Europol is competent and more than doubling its staff.
The impunity with which Europol operates shows that laws are suggestions at best, or an inconvenience at worst, if you have the right levers of influence to make rules bend your way – not a very different operating principle compared to the criminals targeted by the agency.
What’s worse is the creeping ideological corruption in EU policy-makers who, rather than demanding accountability, rush to protect the actions of a rogue entity.
The reality of Europe’s police agency is far from the neutral coordination body that it portrays itself as. Europol is playing an increasingly active role in police activities and operations.
This includes the processing of data on political activities, travel passengers, as well as non-EU nationals. This has intensified surveillance and repression of people and organisations at the European level through the extensive daily exchange of data between Europol and several European and non-European police and migration forces.
The impact of this is considerable and manifold: restriction on the right to free movement, bank account freezes, increased surveillance, more frequent identity checks, and the possibility of arrest and detention.
Moreover, affected people are rarely informed that their data was transmitted to Europol and foreign authorities.
Social movements and protests
Europol is also insidiously contributing to increasing criminalisation of social movements, protests and community organising in Europe.
As it relies on data mainly provided by national authorities, it integrates their policing objectives, thus perpetrating abusive surveillance practices, like targeting of social justice activists, and reproducing discriminatory bias through the use of data processing technologies.
Europol frequently tries to associate legitimate political activities, like protest tactics, as acts of terrorism and violent extremism, like in their 2023 ‘Terrorism Situation and Trend Report’.
The ever expanding powers of Europol, coupled with their evident tendency to criminalise dissent, and blatant disregard for any rules or fundamental rights should be setting off alarm bells in EU institutions and anyone who cares about justice, accountability and safety.
