Frontex unlawfully shared thousands of people’s personal data with Europol
Under the banner of fighting migrant smuggling, Frontex has collected, and unlawfully siphoned to Europol, personal data for years—quietly drawing thousands of migrants, as well as EU citizens aiding refugees, into a widening criminal dragnet through large-scale ‘covert interrogations’.
“My whole life was in that police file: my relatives, my calls to my mother, even false details about my sexual life. They wanted to portray me as promiscuous, a lesbian, using morality to make me look suspicious,” says Helena Maleno, a prominent human rights defender whose work informing authorities about migrants in distress at sea has put her under the spotlight of law enforcement. But it was a criminal investigation, launched more than a decade ago, that exposed the dragnet woven around her.
Her file, compiled by the Spanish police, included three reports from Frontex, the EU border agency, based on interviews with migrants who had arrived in Spain by boat in 2015 and 2016. In the reports, seen by Solomon, Frontex officers gathered information, including her Facebook account, presenting her as linked to smuggling networks.
The Spanish police obtained the Frontex reports from a criminal database belonging to Europol, the EU police agency, in late 2016.
Although a Spanish prosecutor dismissed the case in April 2017, finding nothing criminal in Maleno’s actions, the file was transferred by the police to Moroccan authorities—without due process. There, a new criminal investigation was opened, accusing her of human smuggling and facilitating irregular migration from Morocco to Spain.
When summoned to testify in court in Tangier later that year, Maleno was stunned to hear the judge refer directly to the Frontex reports: “I was completely baffled. The judge was asking me specifically about the information contained in the Spanish police and Frontex documents.” In 2019, the Moroccan court acquitted her of all charges.
But questions remain. “How is it possible that Frontex interrogated migrants about me?” Maleno asks. “Is it really their job to spy on human rights activists?”
Maleno is just one of thousands of individuals whose personal data have been amassed by Frontex through ‘debriefing interviews’ – sessions lacking basic legal safeguards and described by experts as ‘covert interrogations’. Over the course of 8 years (2016-2023), Frontex unlawfully transferred the data of more than 13,000 people to Europol, where it is stored in criminal intelligence files and used in investigations by police authorities across EU member states.
For years, human rights advocates have warned of an alarming trend: the criminalisation of irregular migrants and EU citizens providing humanitarian aid at Europe’s borders, often based on shaky legal grounds and flimsy evidence. Yet the opaque role of Europol and Frontex, the two agencies leading the EU’s counter-smuggling efforts, has largely escaped public scrutiny.
This investigation — conducted by Solomon, the French newspaper Le Monde, the Spanish newspaper El País, and the German outlet Netzpolitik — is based on hundreds of pages of internal documents and interviews with data protection experts, lawyers, insiders, and key frontline actors, and raises serious questions about how Frontex and Europol are implicated in this criminalisation dragnet.
Caught in the dragnet
One person unaware that both Frontex and Europol hold information on his activities is Tommy Olsen, a 52-year-old nursery teacher from Norway. Olsen has for many years been aiding individuals undergoing the perilous journey from Turkey to Greece, while documenting violent pushbacks of migrant dinghies by the Greek coastguard. Since 2019, Olsen has faced multiple criminal investigations by Greek authorities, accused of being involved in migrant smuggling – charges he firmly denies.
Freedom of information requests filed for this investigation reveal that Europol’s Migrant Smuggling Centre holds at least three “intelligence notifications” mentioning the Aegean Boat Report, Olsen’s one-man organisation. Europol has refused to disclose the “highly sensitive” content of the files, circulated via its Secure Information Exchange Network Application (SIENA), citing their “direct relevance to past and ongoing investigations” by law enforcement authorities. Just days after Europol’s two SIENA exchanges in May 2024, a Greek prosecutor on the island of Kos issued an arrest warrant for Olsen. While seven prior police investigations against Olsen were dropped, he now faces a potential 20-year prison sentence.
“I had no idea Europol had files on me. Why are they collecting and sharing data about my activities and my organisation that is simply trying to defend the rights of refugees?”, Olsen said to Solomon.
Frontex, too, has declined to release two ‘debriefing’ reports — likely part of the data transfers to Europol — that mention Olsen’s organisation, citing operational confidentiality and the reports’ references to “routes, modus operandi and involvement of facilitators and traffickers.”
Olsen is not the only high-profile migrant rights defender whose organisation’s activities have landed in Europol’s database. In May 2022, Austrian activist Natalie Gruber discovered Europol held a file on her after submitting a Data Subject Access Request (DSAR), one of the few legal tools individuals can use to learn what information EU agencies store about them. Gruber, who co-founded Josoor, a small NGO supporting survivors of and documenting pushbacks from Bulgaria and Greece to Turkey, became a suspect after Greek prosecutors brought multiple charges against her, including facilitating illegal entry. One case against her in Lesvos was dismissed last year, but a second remains open.
Europol has refused to disclose the contents of her file, claiming that doing so could “jeopardise criminal investigations” and impede its operations. Gruber challenged the refusal before the European Data Protection Supervisor (EDPS), but her complaint has remained unresolved since 2022.
“You’re up against this Goliath of bureaucracy that never tells you anything. Every time, all you can do is file another request and wait. Years pass. It’s exhausting, and it profoundly affects your life,” says Gruber.
Exactly how Europol obtained information about Gruber and Olsen’s organisation and whether that data was used to build criminal cases against them remain unclear. “I find it very worrying if this kind of information is being shared by EU agencies. Could it lead to issues for me in the future when I apply for a visa? It certainly makes me even more worried to travel now”, Olsen says.
Turning people into ‘suspects’
Last December, Nayra Perez, then-head of Frontex’s Data Protection Office, emailed Executive Director Hans Leijtens, his deputy Uku Särekanno, and the chair of the agency’s Management Board, Frontex’s main decision-making body.
“The EDPS”, Perez wrote, “concludes that the Agency transmitted unlawfully operational personal data for 4 years to Europol”.
At the centre of the EDPS inquiry were Frontex’s so-called “debriefing” interviews conducted at Europe’s external borders. From disembarkation points in Lampedusa and Spain to camps on the Greek islands, Frontex ‘debriefers’ — working alongside national police — have conducted thousands of these interviews each year.
Frontex officers have been instructed by the agency to interview migrants as soon as possible after their interception or arrival, despite their vulnerable status. The interviews focus on the reasons people left their home countries, their journeys, and the methods used by smuggling networks.
Frontex claims these debriefings are entirely voluntary and that it does not actively collect the personal data of interviewed migrants. But legal experts argue they lack legal safeguards typically afforded in criminal contexts, such as access to counsel or the right to remain silent. According to the EDPS, this raises serious risks to interviewees’ “presumption of innocence, the right to a fair trial and their right to remain silent”.
Importantly, Frontex has no legal mandate to proactively investigate crimes. The EDPS’ assessment was unequivocal: “Frontex may not systematically, proactively and on its own collect any kind of information about suspects of any cross-border crimes.”
But that is exactly what Frontex has been doing. A preliminary report from EDPS’ inquiry in May 2023 found that Frontex was routinely labelling as “suspects” anyone mentioned during a debriefing interview, and “pushing” this information to Europol, including “data of persons the interviewee has heard of, has seen, but could not verify the credibility of the name given to him/her, or is mentioning under fear or in an attempt to receive some benefits.”
In March 2025, Frontex’s own Fundamental Rights Office alerted the agency’s management board to cases where debriefing information was “used for follow-up criminal investigation of the debriefed migrant and others”. It also flagged concerns “relating to accessing and gathering information recorded in migrants’ phones during debriefing interviews”.
Daniel Arencibia, a lawyer representing migrants accused of smuggling in the Canary Islands — where dozens of migrants have been sentenced by the courts for steering boats — said: “What Frontex does during these interviews takes place in a black box, in the absence of regular criminal procedures or legal safeguards that could limit the exposure of vulnerable migrants to criminalisation”.
Far from being an innocuous exercise, Frontex officers use migrants’ testimonies to gather intelligence on persons who facilitated their journeys — namely, alleged smugglers. With more than 800 debriefing officers deployed in 2024, these interviews now constitute the “largest operational personal data collection at Frontex”, the nearly €1 billion EU agency headquartered in Warsaw.
“Debriefing interviews are not voluntary, friendly chats like they are presented. They are very much part of a system that lands people in prison. But it’s extremely difficult to scrutinize how exactly Frontex exchanges data with other actors, because we lawyers are kept in the dark”, says Arencibia.
Unlawful transfers to Europol
Under Frontex’s current legal mandate, in force since 2019, the agency may only share this data with Europol after conducting a strict, “case-by-case” assessment. Yet the EDPS’s final inquiry report — focusing on data transfers between 2019 and mid-2023 — confirmed that Frontex had been “automatically” sending every debriefing report to colleagues in The Hague.
A copy of this final report, obtained through a FOI request, reveals the scale of Frontex’s unlawful data transfers. Between 2020 and 2022 alone, Frontex sent 4,397 debriefing reports — including names, phone numbers, and Facebook ID numbers — to Europol’s Migrant Smuggling Centre. Based on these reports, Europol processed personal data on 937 suspects and issued 875 “intelligence reports” that informed counter-smuggling investigations by national police authorities.
These figures represent just a fraction of the broader picture. According to figures obtained from Frontex, thousands of individuals and hundreds of organisations, including humanitarian NGOs, have landed in Europol’s databases since 2016, when large-scale data transfers began under the so-called ‘PeDRA’ programme. Niovi Vavoula, a data protection law expert at the University of Luxembourg, notes that “automatic data transfers have not been lawful from the very beginning,” a possibility the EDPS had warned of even before transfers commenced.
The stakes are high. The EDPS warns of the “deep consequences” for innocent people swept up in these data transfers, who run “the risk of wrongfully being linked to a criminal activity across the EU, with all the potential damage for their personal and family life, freedom of movement and occupation that this entails.”
On 21 January, Frontex Director Hans Leijtens formally notified his Europol counterpart, Catherine De Bolle, of the unlawful transfers. According to EDPS chief Wojciech Wiewiórowski, this notification obliges Europol to “assess which personal data are concerned by the transmission and proceed to their erasure or restriction”.
When pressed on whether Europol would in fact delete any of the data, spokesperson Jan Op Gen Oorth distanced the agency from the EDPS’ findings. The carefully worded response avoids addressing the core question: whether Europol will delete data unlawfully sent by Frontex. The fact that the EDPS reprimanded Frontex for not complying with EU law “does not mean that Europol’s data processing of the information received from Frontex was non-compliant,” Oorth said.
Both agencies maintained that the data obtained can help uncover the modus operandi of smuggling networks and support prosecutions.
But according to Vavoula, such arguments do not override Europol’s legal obligations: “These processes clearly feed into the criminalisation of humanitarian assistance to migrants and refugees. Whilst the prohibition of automated data transfers is an important first step, Europol’s responsibility to delete the data it unlawfully received from Frontex cannot be forgotten. Europol’s own processing cannot remove the ‘stain’ on the data as ‘seeds of forbidden fruit’.”
Problems remain
Frontex suspended its automatic data transfers to Europol just four days after the EDPS first flagged serious irregularities in May 2023. Since then, the agency has revised its protocols: personal data is now shared with Europol only in response to “specific and justified” requests. Of 18 such requests filed by May 2025, Frontex’s DPO, Perez, approved just four.
“Frontex is committed to upholding the highest legal standards, including full compliance with data protection law and fundamental rights. The agency has drawn clear lessons from this experience and continues to evolve its internal practices accordingly,” Frontex spokesperson Chris Borowski said.
While Frontex has yet to fully implement all of the EDPS’s binding recommendations to align its debriefing practices with fundamental rights obligations, Frontex’s human rights monitors are now reportedly granted access to debriefing interviews. Last year, Leijtens adopted new — albeit non-binding — standard operating procedures aimed at reinforcing safeguards.
Still, these efforts encountered pushback from some EU member states. According to internal reports, Spain has been particularly resistant, with authorities pressuring Frontex officers to extract as much information as possible from newly arrived migrants, undermining the very safeguards the agency claims to have introduced. Meanwhile, Europol continues to push for broader access to Frontex’s debriefing data.
According to Gabriella Sanchez, a leading scholar at Georgetown University and a former criminal investigator specialising in migrant smuggling, “the notion of smuggling that Frontex and Europol operate with is incredibly simple but powerful. It assumes all facilitators are men constituted into networks; it is based on deeply racist notions of smugglers. But in fact, migrants are systematically accused of facilitating their own smuggling, which expedites their criminalisation. In other words, thousands of people in the EU — especially racialized young men and children — get caught in the dragnet of data collection, and end up being accused of smuggling.”
It was a highly technical discussion during a sparsely attended session of the European Parliament. In November 2022, the European Parliament’s Civil Liberties Committee (LIBE) held its first-ever hearing on PeDRA, Frontex’s little-known surveillance programme for transferring personal data to Europol.
Frontex Deputy Executive Director Uku Särekanno told MEPs that Frontex had, by that point, shared data on about 13,000 “possible suspects” with Europol. Särekanno appeared alongside two other senior officials closely involved in overseeing PeDRA: Jürgen Ebner, Europol’s Deputy Director, and Matthias Oel, then a senior official in the European Commission’s Migration and Home Affairs department.
In carefully synchronised statements, all three officials assured MEPs that data transfers were exceptional and governed by a robust legal framework.
“We are not speaking about bulk data transfer here; it’s a case-by-case assessment”, Särekanno told the LIBE Committee. “We don’t receive bulk data from Frontex; this is done on a case-by-case basis”, echoed Europol’s Ebner. Personal data transfers occur solely on an “ad hoc basis”; PeDRA “is not a systematic exchange of data”, Oel said, adding that the information “gathered about suspects of cross-border crime has a great value for criminal investigations”.
However, internal correspondence obtained through FOI and reviewed by Solomon shows that the three agencies had coordinated in advance to “align” their messaging to MEPs.
When asked why senior officials had presented manifestly misleading information to MEPs scrutinising their activities, Frontex spokesperson Chris Borowski stated that Särekanno’s statement “was made in good faith and based on the then-prevailing internal understanding and framework”.
Matthias Oel told this investigation that “what was stated was based on the information provided by Frontex.” Ebner did not respond to a request for comment.
Despite being exposed in Parliament, the automatic transfers continued unabated for another seven months, until the EDPS intervened in May 2023. Greens MEP Saskia Bricmont, who attended the 2022 LIBE session, said the data transfer revelations uncovered by this investigation are very concerning. “The criminalisation of migrants is a concerning trend that EU agencies should not follow. EU agencies have to abide by transparency and accountability principles. If representatives from Frontex and Europol have lied or hidden information from the European Parliament, this would strongly hamper the mutual trust and require transparency around these accounts as soon as possible.”