By: Jørgen Larsen, Ludovica Lot, Stefania Squillante & Patrycja Wirkowska
In Minority Report, a specialised police unit attempts to prevent crimes before they happen by relying on predictions based on large amounts of personal data. While Europol’s work does not involve pre-crime scenarios or Tom Cruise chasing future criminals, the increasing use of large datasets in criminal investigations should make us wonder: how far can data processing go before it challenges fundamental rights safeguards? In order to not have to find out the hard way, preventative measures are required. We therefore believe it is necessary to establish joint controllership over data with regional units and the ability for those responsible for oversight to proactively scrutinize Europol’s actions.
Supervision protocol
Over the past decade, Europol has evolved from a coordination platform for national police forces into the European Union’s central information hub for criminal intelligence. The Agency’s digital tools and databases enable it to dismantle criminal networks, support Member States investigations, coordinate operations, and shape EU policy.
This growing role has raised important regulatory questions, especially concerning the processing of large datasets containing personal data. Under the 2016 Europol Regulation, the processing of personal data can be permitted only in relation to persons suspected of having committed a criminal offence within Europol’s competence, individuals convicted of such offences, or persons for whom there were factual indications or reasonable grounds to believe they would commit them.
The EDPS, short for European Data Protection Supervisor, is the independent authority responsible for monitoring the processing of personal data by EU institutions and agencies. In 2022 the EDPS started an investigation at the end of which it found that Europol had not been compliant with its own Regulation.
Findings pointed to an increasing use of personal data not linked to criminal activity that had been sent to Europol by Member States for intelligence purposes. The EDPS was concerned about the principles of data minimization, proportionality and necessity. As a consequence, the authority ordered Europol to delete all personal data that did not show the required link with criminal activity.
Despite this order, the 2022 Europol Regulation legalised the disputed practice, effectively overriding the EDPS instructions. The new legislation allows Europol to process personal data of individuals not linked to criminal activity when Member States request its support and the processing is considered necessary for investigations. The EDPS challenged these provisions before the General Court in Case T-578/22 (EDPS v Parliament and Council). However, the action was declared inadmissible, as the Court found that the amended regulation did not directly affect the EDPS. As a result, the EDPS was considered not to have standing to bring the case.
This episode reveals a significant gap in the supervision of Europol’s expanding data-processing powers: by declaring the action inadmissible, the Court significantly limited the judicial oversight of Europol’s processing operations, raising pressing questions about who controls Europol and how effective that supervision is.
Expansion: Possible?
Curtailing the ability to scrutinize the agency is a surprising and shocking development, especially so in the light of the agency’s constant expansion into the data processing sphere. Europol has expanded many times already, developing and creating new teams and tools to meet the challenges that are faced by law enforcement. In May 2025, a new proposal to strengthen Europol’s mandate was filed by the European Commission.
For the most part, the proposal boils down to the European Commission having the desire to double the agency’s staff and have it turn into an (autonomous) operational agency. Whereas at this moment Europol essentially requires complete Member State cooperation for most of its activities, giving them increased autonomy would take away that requirement and subsequently also remove any safeguards involved at a Member State level.
Alternatively, doubling the agency’s staff would almost certainly mean significantly higher productivity – bringing with it the ability to harvest significantly more data. The evolution of Europol from a coordination body into an intelligence-fueled operational agency reflects a deliberate policy choice to respond to the growing sophistication of transnational organised crime and terrorism. However, this institutional trajectory creates a structural tension, specifically in relation to data protection.
Although the reform proposal is unlikely to pass as is, the continued push to grow highlights the Commission’s resolve to keep building up the agency. Any such growth in mandate needs to be met with equally robust measures to keep the agency in line and on target, just like the EDPS suggested. After all, as Europol’s data processing capabilities expand, the legal architecture governing those capabilities risks falling behind. Increased operational capacity is not inherently a bad thing. In fact, it is necessary. What is bad however is the absence of a simultaneously evolving oversight framework that can ensure efficiency does not infringe upon the rule of law.
The reckoning of reforms. Proportionality threshold for data processing
The current oversight architecture for Europol can be considered fragmented, since it is distributed across actors with differing mandates, varying degrees of institutional independence, and uneven access to operational information. This “problem of many eyes” on the forum side often results in a multiple accountabilities deficit, where the shift of power to the EU level is not accompanied by a corresponding shift in oversight. A coherent reform framework must therefore address accountability at multiple levels simultaneously to prevent disassembled accountability. This is where mechanisms are disconnected from the actual use of data. A two-level model, encompassing parliamentary and expert layers, offers the most coherent response to this deficiency.
At the parliamentary level, the role of the Joint Parliamentary Scrutiny Group (JPSG) requires substantive reinforcement. The JPSG currently exercises a form of political oversight that lacks the instruments necessary to translate scrutiny into accountability. It cannot veto operational priorities, nor can it compel Europol to produce transparency reports on specific data processing activities. This renders the parliamentary layer largely reactive. It is capable of raising concerns ex post, but limited by information asymmetries in its ability to shape conduct before harm materialises. Reform must therefore extend the JPSG’s mandate to include not merely the right of inquiry, but a power to direct the scope of transparency obligations.
At the expert and administrative level, the EDPS must be repositioned from a supervisory monitor into a watchdog. Under the current framework, the EDPS has the authority to investigate and issue recommendations, but its role remains predominantly advisory. The vulnerability of the current model was exposed when the legislator ignored an EDPS order to delete data lacking subject categorisation, instead retroactively legalising the practice. Elevating the EDPS to a watchdog, tasked with giving prior authorisation for high-risk data processing, would introduce a meaningful and demonstrable compliance with fundamental rights standards.
The theoretical foundation for this reform is rooted in McCubbins and Schwartz’s distinction between “fire alarm” and “police patrol” oversight. This framework captures the structural deficiency currently facing Europol. A fire alarm is reactive and decentralised, relying on external actors to signal failures. In contrast, police patrol oversight involves proactive and systematic monitoring by the legislature itself. While McCubbins and Schwartz argue that legislators prefer “fire alarms” for its cost-efficiency, this model assumes a level of transparency that Europol, given its operational nature, frequently lacks. Because the agency operates in domains where “fires” are often invisible to the public until harm has occurred, the reliance on reactive measures is not sufficient.
Following its mandate expansions, Europol’s discretionary scope has grown faster than the mechanisms designed to contain it. The current framework still relies heavily on “fire alarm” measures, including parliamentary questions prompted by media, EDPS investigations triggered by complaints, and judicial review initiated by affected individuals. These instruments do not constitute a system of proportionate control over an agency with the data processing scope that Europol now has. Thus, the reform proposal outlined above is premised on a transition toward police patrol oversight, institutionalising proactive scrutiny at each layer. In this sense, proportionality in Europol’s data processing is not only a matter of data protection law. It is, more fundamentally, a question of institutional design
Joint controllership framework for Europol and national units
As it stands, responsibility is fragmented whenever Europol processes data jointly with a Member State’s national unit. Europol has its own separate special regime when it comes to data processing, contained in the Europol Regulation. That said, Article 3 and Chapter IX of the general regulation EUDPR still apply to operational personal data unless the Europol Regulation provides otherwise.
Because of this special regime, Europol is supervised by the EDPS while national units fall under their national data protection authorities. Cooperation between the EDPS and the national authorities is institutionalised by a Cooperation Board. This board was established to ensure consistent levels of data protection union-wide. The 2022 EDPS case exposed the gaps created by this system, as the Member States were caught sending data to Europol – an infringement over which no single authority had been allocated oversight responsibilities.
Differing national laws, uneven sources and the exclusively advisory nature of the cooperation board are the main problem drivers. Together these factors contribute to weakened protection, lack of supervision and discord in how consistently data is protected across Member States. This led us to an alternate possible solution to improve the current data protection system: the possibility for Europol and the national units to be cast as joint controllers. By designating Europol and contributing national units as joint controllers under a lex specialis provision in the Europol Regulation, uncertainty is stripped away from parties and the availability of a stronger data protection safeguard in cross-border investigations would be ensured. In order to effect this change, publicly accessible policy should be put in place that specifies who does what and is enforceable by both the EDPS and relevant national data protection authorities.
Joint controllership should be guided by Article 26 of the General Data Protection Regulation (GDPR) but adapted for law enforcement use in line with the Law Enforcement Directive. Although joint controllership imposes a bigger administrative burden, its implementation would be proportionate given the fundamental rights impact of data processing. In the case of joint controllership, the parties share responsibility for determining the purposes and/or the means of data processing. Furthermore, in accordance with article 82(146) GDPR, each controller should be fully liable for all damage. This approach would be the most effective as it aligns with the national tort law of different Member States and should ultimately lead to more transparency and greater accountability in joint operations.
- [DRAFT] by Mary, Justin, Samuel and Naima - April 8, 2026
- [DRAFT] Europol needs to be careful with our data. Who’s going to make them? - April 8, 2026
- [DRAFT] Accountability in EU pharmaceutical enforcement: the problem of many hands - April 8, 2026
