The Sky elliptic-curve cryptography (Sky ECC) operation is a prime example of a data driven investigation. The collection of approximately 1 billion messages from 70,000 phones paved the way for hundreds of criminal investigations, resulting in numerous convictions in the Netherlands and Belgium alone. This article addresses how the Sky ECC operation interferes with the right to privacy and the right to a fair trial. We examine whether or not, and on what terms, there is a future for data driven criminal investigations. Our main research question is therefore how data driven criminal investigations can be (better) regulated in order to be in line with case law of the European Court of Human Rights. To answer the research question, the main characteristics and legal criteria for data driven investigation are identified. These criteria derived from the right to privacy and the right to a fair trial. Finally, we examine the impact of a violation of these criteria for the use of evidence in criminal proceedings. The research uncovers a disconnection between data protection regulations and criminal procedural law. It highlights that practitioners concentrate primarily on the collection phase, governed by criminal procedural law, whereas the most urgent questions relate to the respect of data protection law and the right to a fair trial. This finding suggests an ongoing discourse relating to the transparency of data driven criminal operations like Sky ECC and the need to address concerns regarding the reliability of evidence.

Vice President for Promoting our European Way of Life Margaritis Schinas, stated at the time of the adoption of Europol’s amendment that “Europol is a true example of where EU action helps protect us all. Today’s agreement will give Europol the right tools and safeguard to support police forces in analysing big data to investigate crime and in developing pioneering methods to tackle cybercrime.” While some characterized the changes as an achievement for the adaptability and operational role of Europol, others argued that it undermines fundamental rights and weakens data protection. This paper analyses the amendments made to the Regulation and explores Europol’s increasing role of in national investigations and the associated dangers of it. The paper starts with a historical analysis of Europol’s legal framework and role in national criminal investigations, before diving into the core of the Regulation. After 2022, Europol supports Member States’ investigations in many ways. First, through the continuous retention of large and complex datasets, which was strongly criticized by NGOs and the EDPS. Second, through the transformation of Europol into the information hub and broker for the exchanges of data with private parties. Third, more indirectly, through Europol’s support of research and innovation projects, for national authorities to use and explore new technologies in their work. However, these amendments are not without dangers. The Regulation of 2022 pushes the boundaries of Europol’s competences further, by circumventing existing limits and questioning the legality of the operations. The stronger role of Europol lacks sufficient safeguards and efficient oversight. This is highly problematic considering the impact Europol may have on national investigations, and as a result on the situation of individuals.