Europol shadow IT row exposes EU data governance gap

MEPs are pressing the European Commission over alleged shadow IT and data-governance failures at Europol and Frontex.

Summary
  • Nineteen MEPs have written to the Commission over alleged data-governance failures involving Europol and Frontex.
  • The concerns include shadow IT, inadequate auditability, and bulk data transfers between EU agencies.
  • The row highlights the risk of expanding public-sector data powers before oversight, logging, and accountability have caught up.

MEPs have urged the European Commission to act over alleged data-governance failures involving Europol and Frontex, putting the EU’s own operational technology under renewed scrutiny.

A letter signed by 19 MEPs raises concerns that the EU’s police agency and border agency processed, stored, and transferred personal data in ways that may conflict with EU data protection law and rule-of-law principles. The concerns include Europol’s use of internal shadow IT systems and Frontex’s transfer of personal data gathered during border interviews.

The dispute concerns the machinery of law enforcement and border control, not a peripheral administrative platform. Data used in these environments can affect investigations, migration decisions, surveillance activity, criminal intelligence, and the treatment of people who may have limited ability to challenge how information about them is collected or shared.

Shadow IT is usually discussed in corporate terms: employees using unsanctioned tools, departments building workarounds, or operational teams moving faster than central technology governance. In a law-enforcement environment, those weaknesses carry heavier consequences. Systems without proper access controls, logging, auditability, retention rules, and independent oversight can undermine the evidential trail needed to show that sensitive data has been processed lawfully.

The MEPs have called for stronger independent oversight and questioned whether Europol and Frontex, in their current institutional and technical forms, can ensure lawful and rights-compliant processing of personal data. They have also raised the possibility of withholding part of Europol’s budget until compliance with data protection and fundamental rights obligations is assured.

The governance problem is sharpened by Europe’s wider security agenda. Europol and Frontex are expected to play larger roles as the EU responds to organised crime, irregular migration, terrorism, hybrid threats, and cross-border security risks. Expanding agency remits without resolving data-governance weaknesses would embed technical debt into systems with growing public power.

The same tension runs through public-sector technology across Europe. Governments are building digital identity systems, interoperable databases, AI-assisted case management, biometric tools, and cross-agency data-sharing platforms. These systems can reduce duplication and improve coordination, but they can also make weak governance more damaging by allowing data to move quickly across institutional boundaries.

Good data governance is not a compliance wrapper added after deployment. Agencies need to know what data they hold, where it came from, who accessed it, what legal basis applies, when it should be deleted, how outputs are reviewed, and how affected individuals can obtain redress. In high-stakes public systems, legal accountability and technical controls have to be designed together.

The Commission now faces a credibility test inside its own administrative system. The EU has spent years developing a strong regulatory model through GDPR, the AI Act, and platform legislation. If EU agencies handle sensitive data through systems that lack sufficient auditability and control, the gap between external regulatory ambition and internal operating discipline becomes hard to ignore.

Oversight bodies such as the European Data Protection Supervisor will need enough access, technical capability, and institutional authority to scrutinise operational systems rather than only written policies. Legislators, meanwhile, will have to decide whether expanding agency mandates and budgets should depend on provable compliance with data protection and fundamental rights obligations.

The technology question is practical. Europe needs security and border systems that work, but effectiveness cannot be separated from auditability, lawful processing, and public accountability. The more power digital systems hold, the less room there is for informal workarounds.