Members of the European Parliament (MEPs) have written to the European Commission raising concerns over “systematic governance” failures in the European police agency, Europol, and the European Union’s (EU) border and coast guard agency, Frontex.
The letter, signed by 19 MEPs, follows an investigation by Computer Weekly, Solomon and Correctiv that revealed Europol had stored huge volumes of sensitive data on shadow IT systems without adequate governance, auditing or security controls.
The MEPs warn that it has become increasingly clear that Europol and the border agency are processing, storing and transferring data in ways that raise serious concerns under EU data protection law and the fundamental principles of the rule of law.
Supported by left group members, Germany’s Özlem Demirel, Spain’s Estrella Galán, Belgian Green MEP Saskia Bricmont, and other political groups, the letter warns that imminent plans to expand the remit of Europol and Frontex should only go ahead if the agencies are fully compliant with EU law and data protection principles.
MEPs call for robust independent oversight
“These reforms cannot be limited to operational or efficiency considerations … they must be firmly conditioned on full compliance with the EU Charter of Fundamental Rights, strict adherence to data protection principles, and the establishment of robust, independent, and enforceable oversight mechanisms,” the MEPs wrote.
The letter cites investigative reporting from Computer Weekly, Solomon and Correctiv, revealing that Europol ran an internal shadow IT infrastructure where large volumes of sensitive personal data were processed for years “outside of properly governed and auditable systems”.
“These parallel environments appear to have enabled analytical work without sufficient access controls, incomplete logging and, in some instances, circumvention of established internal and external oversight mechanisms,” the MEPs wrote.
The unregulated systems identified include a clandestine intelligence tool – known internally as the “pressure cooker” and built to extract information from the internet – that had been concealed from Europe’s privacy regulator until 2019.
The EU’s top privacy watchdog, the European Data Protection Supervisor that oversees Europol, has confirmed that the available evidence “may point to a broader pattern of uncontrolled data processing than previously acknowledged”.
Frontex transferred tens of thousands of people’s data to Europol
The MEPs have also raised concerns over the transfer of personal data related to tens of thousands of people interviewed by Frontex to Europol without adequate legal safeguards or individual assessments of the necessity and proportionality of sharing the data.
An investigation by Le Monde, El País and Solomon in 2025 revealed that Frontex had collected data from 13,000 people during “debriefing interviews” and had systematically transferred it to Europol between 2019 and 2023.
The data included contact details, social media identifiers and often unverified suspicion-based information. In several cases, the data was used in criminal investigations into migrants and civil society actors.
The automated and bulk data transfers between Frontex and Europol are incompatible with core principles of EU data protection law, including purpose limitation, data minimisation and lawfulness, according to the MEPs.
Taken together, the disclosures about Europol and Frontex suggest a systemic governance failure.
“Data obtained in legally and ethically sensitive contexts is being transferred into institutional environments where compliance with EU requirements on legality, accountability and transparency is not sufficiently guaranteed,” the MEPs wrote. “This undermines not only data protection standards, but also the broader integrity of EU law enforcement cooperation.”
European commissioners urged to act
The letter is addressed to Michael McGrath, commissioner for democracy and justice, Magnus Brunner, commissioner for migration and home affairs, and Henna Virkkune, executive vice-president for tech sovereignty, security and democracy.
It asks whether the European Commission will expand the investigatory and oversight powers of EDPS over Europol and Frontex, and what steps have been taken to hold senior officials to account at the police and border agency for the breaches identified.
“Can Europol and Frontex, in their current institutional and technical configurations, ensure lawful and rights-compliant processing of personal data at all, and how can it be ensured that such data breaches do not happen again?” the MEPs wrote.
They are urging the commission to consider holding back a proportion of Europol’s budget that will only be released when Europol is compliant with data protection and other fundamental rights.
“The upcoming decisions on the future of both agencies therefore constitute a decisive test of the European Union’s credibility as a community governed by the rule of law,” they wrote.
An earlier letter signed by 41 MEPs from four political groups in July 2025, calling for an independent investigation into co-operation between Europol and Frontex, remains unanswered.
