Europol Ran Shadow Data Repository for Years, Storing Sensitive Personal Information Beyond Legal Scope

Europol, the European Union's law enforcement agency, operated a "shadow IT environment" for years that stored vast quantities of sensitive personal data—including phone records, identity documents, and geolocation information—far beyond its legal mandate, according to internal documents and whistleblower accounts obtained by Solomon, Correctiv, and Computer Weekly. The unauthorized repository, described by former officials as lacking basic security and data protection safeguards required under EU law, contained detailed information on individuals who were not suspected of any crime, raising fundamental questions about the agency's adherence to legal boundaries.

The investigation, drawing on leaked emails, internal reports, and testimonies from former high-ranking officials, reveals that this shadow system evolved into Europol's primary environment for large-scale data analysis. Despite processing highly sensitive personal information, the repository operated without essential controls governing who could access or modify the data. Multiple former senior officials have now come forward for the first time in the agency's history, exposing the scale and duration of an operation that appears to have circumvented the oversight mechanisms designed to constrain European police powers.

The disclosures place Europol under significant pressure over its compliance with EU data protection frameworks and the legal safeguards governing how European law enforcement agencies handle personal information. The existence of a parallel data infrastructure operating outside established legal channels could trigger regulatory intervention and demands for institutional reform from EU bodies and civil liberties organizations. The case underscores persistent tensions between the data ambitions of modern policing and the legal protections meant to shield European citizens from unaccountable surveillance systems.