EUROPOL IS WATCHING YOU: EVERYONE’S DATA IN CRIMINAL PROCEEDINGS

The Solomon/Computer Weekly/Netzpolitik investigation – on the processing of bulkdata and, among other things, the proceedings about this by Mr. Reisinger – should focus every defence lawyer’s mind. It describes how, after the “mega‑hack” operations against EncroChat, Sky ECC and ANOM, Europol did not merely act as a conduit for cross‑border evidence. It kept vast copies of the messages (tens of millions from EncroChat alone) and even explored training multiple machine‑learning models on that trove — before the EU’s privacy watchdog intervened. A 2022 mandate later broadened Europol’s powers, while access to meaningful documentation about the agency’s AI tooling remains patchy. These are not academic quibbles; they go to the heart of fairness, legality and accountability in high‑stakes criminal litigation across Europe.

Luxembourg and Strasbourg have already drawn the contours

Two important rulings of the European courts supply the yardsticks.

• In Big Brother Watch v. UK (Grand Chamber, 25 May 2021), the European Court of Human Rights upheld that bulk interception and data‑sharing regimes must be hemmed in by strict, effective safeguards: independent prior authorisation, clear and reviewable selection criteria, robust supervision, and meaningful redress. Absent those, mass acquisition and trawling of communications data breach Articles 8 and 10 ECHR.

• In Prokuratuur (C‑746/18, 2 March 2021), the Court of Justice of the EU reaffirmed that access to retained traffic/location data is permissible only for serious crime and only with prior review by a court or an independent administrative authority; a public prosecutor who later appears for the prosecution is not “independent” for this purpose. The case anchors Articles 7, 8, 11 and 52(1) of the Charter in concrete procedural limits.

These holdings meet the realities described by Solomon head‑on. If a policing agency retains and algorithmically mines enormous, indiscriminately acquired datasets, the ex ante judicial control, purpose limitation, and adversarial verifiability demanded by these judgments are not optional extras—they are constitutional preconditions.

What is still live in Luxembourg

But it doesn’t stop there, due to ongoing proceedings with direct relevance to EncroChat, Sky ECC or Anom-derived evidence. Besides the direct actions against Europol, for liability, on 16 September 2025, France’s Cour de cassation (criminal chamber) referred a question to the CJEU asking, in substance, questions on the requirement for the executing state to provide an effective remedy for the person against whom transnational fathered evidence is used, so that they can challenge the legality and necessity of how that evidence was obtained. The court itself stressed the potential consequences for numerous prosecutions built on data from the “Sky ECC mother procedure.” This reference is pending and could reshape the remedy architecture around cross‑border evidence flows.

Why this matters for Europol’s AI programme

Solomon’s reporting indicates that Europol’s actions and ideas into training models on EncroChat data occurred with limited contemporaneous documentation and was curtailed after scrutiny by the European Data Protection Supervisor—only for the agency’s formal powers to expand months later. If datasets from intrusive, high‑volume intrusions are retained and repurposed to train algorithmic tools, the safeguards in Big Brother Watch and Prokuratuur must be transposed into concrete governance: ex ante independent authorisation that matches the scale of interference; tight purpose limitation; auditable selection and training criteria; adversarial testing of integrity; and accessible remedies where cross‑border orders are used to launder defects in the original capture. Anything less risks turning exceptional hacking operations into a general reservoir for predictive policing, contrary to both the ECHR and the Charter.

Improvement and securing the future

As a collective of lawyers operating and dealing daily with these kind problems, we don’t want to just yell from the sideline about the tension between the relevant legal rules and case-law versus Europol’s aspiration to be the EU’s “criminal information hub”. AI may help sift oceans of data, but it cannot help lawfully expand the ocean. As defence lawyers we continue to press those points on European level, case by case and also by giving our view as input on the new Europol regulation.