Europol
Complaint urges ban on ‘unlawful’ Europol processing of personal data
Migration campaign group Front-Lex has filed a complaint to Europe’s data protection watchdog, calling for a ban on Europol’s data processing operations that do not comply with EU law, following an investigation by Computer Weekly, Solomon and Correctiv
A human rights organisation has filed a complaint to Europe’s data protection regulator, calling for it to ban the European police agency, Europol, from conducting data processing operations on “shadow IT” environments that are not compliant with European law.
The non-profit organisation, Front-Lex, which campaigns on European Union (EU) migration and borders, filed the complaint on behalf of three named human rights defenders (see box below), alleging that Europol unlawfully stored and processed sensitive personal information about the activists on unregulated IT environments in breach of EU law.
Front-Lex is pressing the European Data Protection Supervisor (EDPS) to halt Europol’s use of all unlawful parallel IT environments, and says it will take the case to the Court of Justice of the European Union (CJEU) within three months if the EDPS does not respond.
The same non-profit won a landmark legal victory in a case involving the European border agency, Frontex, last year, which opens the way for the current legal challenge. The European Court of Justice found in the case of Hamoudi v Frontex (see box below) that it was enough for asylum seekers to provide prima facie evidence, rather than conclusive proof, when alleging unlawful contact by the border agency, creating a precedent that applies to other European institutions.
The complaint filed today builds on an investigation by Computer Weekly, Correctiv and Solomon that revealed Europol unlawfully stored huge volumes of sensitive personal data on “shadow IT” systems – which fell outside the normal data protection and security controls deployed by the agency – for years.
A former senior Europol official told the investigation that one of the complainants, Dutch activist Frank van der Linde, had his data processed through one of these parallel IT environments, known internally as the “pressure cooker”. According to the complaint, Europol deliberately concealed the activity from the EDPS.
The three human rights activists behind the complaint
Frank van der Linde
Frank van der Linde, a Dutch left-wing political activist, has been attempting to access his data stored by Europol for six years.
He submitted his first data subject access request after learning that Dutch police had alerted German police and Europol that Linde would be travelling to Berlin for medical treatment. The Dutch subsequently cancelled the message, but due to an error, did not cancel the copy to Europol.
That was the start of a long and continuing battle by van der Linde to obtain data held on him by Europol, including information from his Twitter account downloaded from his mobile phone.
The European Data Protection Supervisor subsequently revealed that Europol had attempted to delete van der Linde’s data to try to avoid complying with a data subject access request.
Van der Linde’s lawyers have begun legal action against Europol for damages at the European Court of Justice.
Natalie Gruber
Natalie Gruber, an Austrian human rights defender, found that Greece had launched several investigations into her work monitoring and reporting “pushback” operations – to force migrants back across borders – conducted by Frontex and Greece.
In one of the investigations, Greece passed on data about Gruber to Europol, which, according to Front-Lex, Europol continues to store, even though it falls outside Europol’s remit.
According to Front-Lex, the vagueness of Europol’s response to Gruber’s data subject access requests, and Europol’s lack of legal authority to access and process her data, suggests it may have been stored in parallel environments.
David Yambio
David Yambio, a refugee, was granted protection in Italy in 2022. He co-founded NGO Refugees in Libya, an organisation that defends the rights of refugees.
He suspects that Frontex has been sharing information about him and his organisation with Europol, which may have been stored in Europol’s parallel systems.
Yambio was targeted by spyware, allegedly originating from Italy, after criticising Italy and the EU’s collaboration with the Libyan Coast Guard.
If member states shared Europol datasets extracted from his mobile phone with Europol, Yambio believes they would have required the high-volume forensic processing capabilities of Europol’s Computer Forensic Network, which did not comply with Europol’s own data protection or security standards.
Parallel IT environments
The complaint states that Europol ran IT environments that lacked basic controls for accessing, logging or processing personal data, in parallel to Europol’s main IT system, known as the Operational Network (OPS NET).
Internal reports from 2019 seen by Computer Weekly and its partners in the investigation identified serious security failures with Europol’s Computer Forensic Network, which had been used to store almost all of the agency’s operational data.
Front-Lex also argues that the parallel networks allowed Europol to secretly process and store personal data, including data about individuals who were not suspected of any criminal offence, which the agency could not lawfully store on its regular network.
The campaign group also alleges that Europol submitted a “prior consultation” to the EDPS on the proposed and future use of parallel IT environments to retrospectively validate systems that had been in use for years and had been concealed from the data protection regulator.
It claims the EDPS failed in its duty to exercise due diligence over the “prior consultation” and failed to assess whether Europol was storing data on individuals lawfully and accurately. “This resulted in the EDPS’s failure to uncover those parallel systems and to identify the scales of Europol’s unlawful contact in those cases,” Front-Lex said.
The lack of control over who accesses data and what they can do with it in Europol’s parallel environments meant that any information stored about a person could be modified or kept in another form, without any explanation of how it was produced, “rendering futile” any request by individuals to access the data Europol holds on them.
It argues that individuals’ right of access to data held by Europol will remain “deprived of any practical effect” if EDPS fails to issue a temporary or permanent ban on Europol’s use of parallel shadow IT environments.
Read more about Europol
- EU proposes tech-backed expansion of Europol policing agency: Enhanced powers to collect and share data are at the heart of EU plans to expand Europol, putting it at loggerheads with human rights groups.
- ‘They protect the law while breaking it’ – inside Europol’s shadow IT system: Under pressure to deliver in the fight against serious cross-border crime, Europol built and operated a shadow data analysis platform containing large volumes of sensitive information, which operated without key legal and technical safeguards.
- MEPs call for greater scrutiny of Europol following concerns over shadow IT: Expansion of Europol’s mandate should be paused while allegations are investigated, say MEPs.
- MEPs urge European Commission to take action over Europol’s shadow IT: MEPs have written to the European Commission calling for action following revelations that Europol and Frontex processed, stored and transferred personal data in ways that raise serious concerns about compliance with EU law.
- The EU’s law enforcement agency has been quietly amassing data to feed an ambitious but secretive AI development programme that could have far-reaching privacy implications.
- Europol wants examples of police investigations hampered by end-to-end encryption as it pressures tech companies to provide law enforcement access to encrypted messages.
Innovative legal move
Iftach Cohen, lawyer and co-director of Front-Lex, described the case, which builds on the legal precedent set by Hamoudi v Frontex, as a “highly innovative” legal move. “When there is a structural imbalance in terms of collecting evidence, the judges are obliged to order the competent institution to disclose all relevant evidence,” he said.
A competent European Data Protection Supervisor would not have waited for Front-Lex to submit a complaint, but would have connected the dots and begun its own investigation, he added.
The investigation by Computer Weekly, Correctiv and Solomon revealed that Europol operated a shadow data repository containing vast amounts of sensitive personal information and used it for years beyond its lawful scope, according to internal documents and whistleblower accounts.
The police agency stored petabytes of crime-related data on a network that operated for years without scrutiny from regulators, despite significant privacy and security flaws, the investigation revealed.
Europol held data on human rights activists
The named complainants include Dutch activist Frank van de Linde; Natalie Gruber, an Austrian human rights defender who campaigned for the rights of migrants; and David Yambio, president of the Italian campaign group Refugees in Libya.
They are part of a larger group, including asylum seekers, migrants and human rights defenders, who are affected by the clandestine operation of Europol’s “parallel shadow environments” and by the EDPS’s continuing failure to monitor and ensure the agency’s compliance with EU data protection law, according to Front-Lex.
Yambio said he suspects that Europe’s border agency, Frontex, has been sharing information about him and his organisation with Europol. He believes that the information, which may include downloads of data from his mobile phone, may have been stored in Europol’s parallel systems.
Yambio said that personal data had been hacked from his phone following a spyware attack, which he attributes to Italy, and that information about him had been obtained unlawfully by Frontex from asylum seekers it “debriefed” when they arrived on the coast of Sicily.
“For as long as the EDPS allows these unlawful systems to remain in place, I remain exposed not only to further intimidation and attempts to criminalise me, but also unable to exercise my right of access to the information Europol is processing about me,” he said.
Gruber said she had lived with the consequences of a criminal investigation that never should have been brought. When the investigation collapsed, she says she was met with years of secrecy, delays and incomplete answers after trying to obtain her data from Europol.
“The revelations about Europol’s parallel data-processing systems only reinforced my concern that the agency has been shielding not only unlawful practices by member states, but also its own unlawful processing, from meaningful oversight,” she said.
Van der Linde said: “Constantly finding out that there is more data being processed about me frightens me a lot. Hopefully, the EDPS acts fast now, and the illegal data processing stops.”
EU plans to boost Europol data sharing
The complaint comes as the European Commission has unveiled plans to double Europol’s budget, develop advanced technological capabilities and give it new powers to collect and share personal data.
The proposals also include plans to rewrite Europol’s mandate to give it greater freedom to collect and share personal data, including data on people who have not been suspected of a crime.
The case of Hamoudi v Frontex
Alaa Hamoudi, a Syrian national, arrived with 21 others on a boat to the Greek Island of Samos to seek asylum in April 2020.
According to Hamoudi’s account, the Greek authorities confiscated the asylum-seekers’ mobile phones and took them back out to sea without allowing them to apply for asylum.
The next day, they were picked up by the Turkish Coast Guard and transferred to Turkey. During the operation, a surveillance aircraft operating for Frontex flew over several times.
Hamoudi argued that he had been the victim of a summary return (“pushback”) and that his fundamental rights, including the right to seek asylum, had been violated.
The General Court of the European Union dismissed his claim against Frontex on the grounds that there was no conclusive evidence of his presence and the alleged “pushback” operation.
In a landmark decision, the Court of Justice of the European Union overturned the decision on the grounds that victims would have no protection if they were required to prove that they had been the subject of summary return, given that it is difficult or impossible for them to do so.
The court found that Frontex is likely to hold information proving the existence of summary returns, given its task of collecting operational data and its obligation to ensure respect for fundamental rights during its operations.
The court concluded it was enough for victims to provide prima facie evidence, which, in Hamoudi’s case, consisted of a written statement and a press article, and that the General Court had a duty to investigate the claims.
