112 Giacomo Zandonini and shady Europol

00:00:10 Domen Savič / Citizen D 

Welcome, everybody. It’s the 14th of November, 2025, and you’re listening to this episode of the Citizen D Podcast, airing on the 15th of November, same year. Today, we’re joined by Giacomo Zandonini, an investigative journalist whose work has exposed the unusually close and often opaque relationships between Europol and major tech companies. Welcome, Giacomo, and thank you for dropping by.  

To start us off, can you recap your investigation? There’s a link in the notes, but for people who don’t read, can you say a few words about what was the focus of your investigation into Europoling connections with tech companies and what are some of the main findings? 

00:00:59 Giacomo Zandonini 

Yes, thank you very much, and thanks for having me here, Domen. 

The investigations I worked on with the UK-based group Statewatch stemmed from a recent initiative by Europol called the Research and Industry Days. It’s an annual meeting held at Europol’s headquarters, where industry representatives—mainly from various companies and a few research institutes—are invited to present their latest technological tools to Europol. 

This event is organized through an invitation process that takes place around this time each year. For example, the call for the 2026 edition has just been opened. Europol publishes a sort of wish list outlining the types of tools and sectors they’re interested in. 

Since the Research and Industry Days were launched in 2024, the focus has largely been on advanced technologies—AI-powered and machine learning-based systems. These range from tools for monitoring social media and the broader internet, to network mapping and analysis, as well as the use of drones, automated devices, and systems for processing, analyzing, and extracting data from phones or other devices. 

Many of these tools can be considered highly intrusive in terms of privacy, depending on how they’re used. They certainly have that potential. I chose to focus on this annual event because it offers a clear window into the relationship between Europol and the tech industry. It seemed like a good starting point to understand how these interactions work. 

From there, I expanded the scope of the investigation to provide background and context on how this relationship is regulated and how it has evolved—particularly over the past decade, during which Europol’s ties with industry have been notably close. 

That’s the main contribution I aimed to make. 

00:05:02 Domen Savič / Citizen D 

To riff off your comment about how opaque these relationships often are—at the same time, Europol is essentially putting together a wish list that reflects the major selling points the tech industry is currently pushing out to the world. 

You mentioned AI and other tools… So, who would you say is actually steering this relationship? Who’s in charge? Is it the corporations, offering these tools to public decision-makers or are public decision-makers genuinely choosing which tools to adopt based on real needs and requirements coming from the field? 

00:06:00 Giacomo Zandonini 

That’s a very good question, and I don’t think I have an exhaustive answer—because it’s really a two-sided story. 

Europol is an expanding agency within the European Union. Its annual budget isn’t as large as, for example, Frontex. For the past few years, it’s been around €240 million annually. The largest portion of that budget goes toward salaries for roughly 1,000 staff members, who are employed under various types of contracts. Beyond personnel, a significant share is spent on equipment and infrastructure—particularly IT systems. This includes the tools, software, and hardware Europol uses to transform itself into the EU’s Criminal Hub and Criminal Intelligence Analysis Center. 

So, the push to adopt industry products and maintain relationships with tech companies is central to Europol’s initiatives and programs—especially since 2015, when terrorist attacks struck the EU and France. We’re approaching the 10-year anniversary of the Bataclan attack, which marked a turning point for policing in Europe. That event triggered a major push for agencies like Europol to accumulate data and find ways to analyze it—primarily through software programs that, in recent years, are increasingly based on AI and machine learning. 

In this context, Europol began developing relationships with the tech industry. At the same time, companies became more proactive in pitching their products to Europol. One notable example is Palantir, a company revealed through investigations by two colleagues to have worked closely with Europol. Palantir’s software—particularly Gotham—is widely known and has been used across various security domains, from the war in Ukraine to Palestine, and within the U.S. security apparatus. It’s also present throughout Europe. 

Europol used Gotham to analyze and process its accumulated data. However, the relationship didn’t go smoothly, and eventually Europol discontinued its use of Palantir. That said, it’s still unclear exactly where things stand today. 

After 2022, Europol received a new mandate through regulatory reform. This mandate includes a focus on research and innovation, allowing Europol to develop systems internally—especially those based on artificial intelligence. They’ve since opened an Innovation Lab, which organizes events like the Research and Industry Days. 

Additionally, Europol houses the European Cybercrime Centre, which has been central to developing industry relationships over the past decade. So, while Europol is building its own in-house expertise, the industry remains essential. Europol actively seeks out AI-driven products, tests them, and sometimes licenses or contracts companies to use these tools. 

00:11:24 Domen Savič / Citizen D 

From a privacy activist’s perspective, there’s often a tension between privacy and security. Whenever tools like biometric surveillance, IMSI catchers, or AI-based surveillance are proposed, there’s always a counterargument: “But what about our privacy?” 

That framing assumes that privacy and security are opposites—that these tools actually deliver on their promises, and that we must choose one over the other. But how do you view the idea that this sense of security might be misleading? Do you think there’s a lack of evidence showing these tools are truly effective in delivering security? Could it be more about the appearance of safety—what some might call “security theater”—rather than actual improvements in public safety? 

00:12:50 Giacomo Zandonini 

Absolutely, that’s a key part of Europol’s relationship with the tech industry—especially when it comes to reusing tools developed by private companies. 

It’s important to remember that these companies are driven by profit, not by a mission to provide public security—at least not in our capitalist societies. Profit motives also mean aggressive marketing, and in this case, the primary clients aren’t citizens, but law enforcement agencies. These agencies often have access to significant funding, including from the European Union and the European Commission, to acquire and test new technologies and participate in research and innovation projects. 

There’s a broader movement pushing for law enforcement to adopt the latest tech tools to analyze data and identify potential criminal activity. But the risks are substantial. These systems often have vulnerabilities that can compromise the security of law enforcement agencies themselves. This has been well documented by scientists, researchers, and technologists. They also come with biases—facial recognition is a clear example—and high error rates. More concerning is that they can be used in ways that bypass democratic oversight. 

This is especially relevant when looking at the companies that participated in the last two editions of Europol’s Research and Industry Days. There are major players and smaller firms—some offering innovative tools, others partnering with larger corporations. 

One of the things I focused on was examining the track records of these companies and how their products have been used in other contexts. Of course, that doesn’t mean Europol will use them the same way, especially given existing EU regulations. But it’s still telling. 

Take Cellebrite, for example—an Israeli company publicly traded in the U.S. It’s one of the most powerful providers of technology for extracting data from phones, even without passwords. That’s their most well-known product, but they also offer platforms for analyzing and aggregating data, all aimed at law enforcement. 

Cellebrite’s tools have been used in authoritarian regimes and conflict zones to suppress basic freedoms. It’s one of the most controversial companies in this space. Even in Europe, there have been troubling cases. In Serbia, their tools were used to target journalists and activists. In Italy, they were used to extract data from activists’ phones—though that case is less well known. 

These companies are now central to modern policing. The problem is that we have virtually no public information about Europol’s relationships with these companies. In contrast, U.S. government procurement data—covering even secretive agencies like the FBI and ICE—provides at least some transparency. You can find contract amounts, product types, and renewal dates, even if the full content of the contracts isn’t disclosed. 

Europol, however, operates in a regulatory gray area. Its procurement and financial rules allow it to withhold contract details from the public under the justification of national or European security. Experts in transparency and EU law have told me this is highly problematic. These contracts should be subject to scrutiny. 

While it’s understandable that a law enforcement agency like Europol needs some level of confidentiality, its relationships with private companies raise serious concerns. These companies may access sensitive data and often have interests that don’t align with those of the European Union—or the security and rights of its citizens. 

00:20:49 Domen Savič / Citizen D 

To follow up with a question—you’ve been focusing on Europol and its lack of transparency for quite some time. I’d like to hear your thoughts on why transparency seems to be such a burden for organizations like this. 

As a reporter, whenever you investigate intelligence or police agencies, you often run into issues with their lack of transparency—whether it’s about procedures, tools, or the effectiveness of those tools. Their usual justification is that revealing too much could help the “bad guys,” so to speak. But do you think that’s the whole story? Or do you see deeper issues behind this culture of secrecy? 

00:21:55 Giacomo Zandonini 

Yes, I think this issue is deeply rooted in police culture. Of course, within law enforcement, there are many different personalities and perspectives. Some professionals and officials are more inclined to support transparency, and there are national norms across Europe that vary. 

But broadly speaking, there’s a prevailing idea that police institutions can be exempt from transparency. Formally, Europol isn’t a law enforcement agency, even though we often describe it that way. It’s an EU agency tasked with supporting national law enforcement bodies. Over the past decades, it has worked to legitimize its role by developing strong data analysis capabilities, and now it’s moving toward using advanced machine learning systems. 

National police forces send data to Europol, which analyzes it and provides feedback—essentially offering data insights as a service. Of course, it’s more complex than that, with joint projects, operations, and investigations also in play. Still, Europol seems to have absorbed the broader mindset that police work should be exempt from standard transparency obligations. 

This becomes especially problematic when private companies are involved. Europol often refuses to release information or grant access to documents held by EU institutions. The reasons given usually fall into two categories: commercial interests and national security. The commercial argument is understandable—a company shares internal information and doesn’t want competitors to know how its systems work. That’s fair. 

But the national security argument is used much more broadly. Europol often claims that revealing details would help criminals, who are supposedly watching closely. Sometimes, this logic implies—perhaps unfairly—that journalists investigating these issues are somehow aiding criminal organizations. 

The idea that transparency about relationships with private actors would benefit criminals is problematic, especially when applied so broadly. My team of journalists recently published a story on Europol’s AI program. We submitted a large number of access-to-documents requests, and most were denied. We now have five formal complaints pending with the European Ombudsman, all related to this lack of transparency. 

This matters because past investigations and questions from well-informed members of the European Parliament have revealed conflicts of interest—cases of “revolving doors,” where individuals move from Europol to private companies while continuing to work on the same issues. These are public officials with significant responsibilities, and such transitions raise serious concerns. 

So yes, some level of transparency is essential. I’m not saying Europol should disclose every operational detail or how a specific product is used in every situation. But we should at least know which companies they engage with, under what terms, and through what procurement processes. 

In fact, national police forces across Europe often provide more information about their contracts with companies than Europol does. That’s not a statistical claim—I haven’t reviewed every procurement system—but in countries I’ve looked at, like Italy, I’ve found clear traces of contracts with companies like Cellebrite, including renewal dates, contract amounts, and the types of software licensed. 

So yes, there’s definitely room for improvement 

00:28:34 Domen Savič / Citizen D 

We’re slowly wrapping up, and I just have two more questions for you. 

The first one relates to an investigation—or rather, a collaborative investigation—you were involved in back in 2022. I’m referring to a Guardian article titled “A Data Black Hole: Europol Ordered to Delete Vast Store of Personal Data.” It describes how Europol was holding a massive trove of data, much of it gathered from hacked encrypted phone services and even from asylum seekers who had never been involved in any crime. 

Looking at that story and comparing it to your more recent work on Europol, would you say the trend is moving in the right direction when it comes to privacy awareness within Europol and similar organizations? 

Or is this just history repeating itself—more privacy-invasive tactics and the same kind of opaque, non-transparent operations? 

00:29:52 Giacomo Zandonini 

I’d definitely say it’s the second option—it’s history repeating itself. 

Some of the issues raised by the European Data Protection Supervisor in early 2022, which we also covered in that Guardian article, were addressed to some extent. Europol had accumulated large amounts of data not necessarily linked to criminal activity—which means it could have included data on any of us. 

They did take steps to resolve part of the issue, at least from what I and other colleagues understand. For example, they began categorizing data more carefully. Europol is not allowed to retain personal data unless the individual is a suspect, a witness, or a potential victim of a crime. Any other data must be deleted. 

There’s also the matter of data retention—how long Europol can store personal data and the need to regularly review that. The problem is that Europol’s power to process, use, and store data is expanding. But we’re not seeing a corresponding expansion in oversight capacity. Despite what’s outlined in EU regulations, the European Data Protection Supervisor likely doesn’t have the resources or authority to fully monitor Europol’s activities. The internal offices within Europol tasked with oversight also raise questions about whether they have sufficient capacity, independence, and resources to do the job properly. 

So yes, we’re still facing the same challenges. And this lack of transparency could become even more problematic. Next year, the European Commission is expected to propose a reform aimed at turning Europol into what they call an “effective law enforcement agency.” While we don’t yet know the full details of the reform, one thing is clear: the proposed budget is expected to double—which is a significant signal of the direction things are heading 

00:32:46 Domen Savič / Citizen D 

To wrap things up—and maybe take the conversation into a darker direction—how do you see this whole issue? Europol is collecting massive amounts of data and using AI tools to analyze it and make decisions based on that analysis. 

How do you view this entire field in relation to the concept of digital sovereignty? It’s a term that’s been thrown around quite a bit in recent years, and I’m curious how you interpret it—especially considering that most of the companies involved aren’t European. We’re talking about U.S. companies, Israeli companies—essentially foreign actors handling EU data. 

00:33:47 Giacomo Zandonini 

Yes, that’s definitely an issue—and it’s becoming more visible. The European Union has launched strategies aimed at building digital sovereignty. One example is a recent proposal from the European Commission to create a dedicated European cloud for law enforcement. 

But so far, what we’re seeing from Europol suggests that powerful companies from outside the EU still play a significant role in its infrastructure. It may seem symbolic, but the fact that Microsoft employees now have a sort of permanent presence within Europol’s headquarters is quite telling. It raises serious questions about tech sovereignty. 

This collaboration with Microsoft could be a topic for further investigation, if colleagues decide to explore it more deeply. As I mentioned earlier, companies like Cellebrite—an Israeli firm listed on the U.S. stock exchange—and Palantir, which has grown even more powerful in recent years, are key players in this space. So yes, there’s a real issue here. 

To be fair, Europol does appear to be trying to move toward greater digital sovereignty. Some member states, like Germany and possibly France, are pushing in that direction. These are countries with strong ties to national and private security industries, and they’re advocating for more European control over tech infrastructure. 

For example, when it comes to Europol’s IT systems, they are increasingly contracting European companies to build and maintain them. Still, the EU remains heavily dependent on U.S. and Israeli tech markets. These companies are dominant—not just in terms of software, but also infrastructure. It’s definitely something we need to keep a close eye on. 

00:36:54 Domen Savič / Citizen D 

Thank you very much, Giacomo, for joining us and sharing your insights on this important topic and best of luck with your future endeavors. 

And to you, dear listener—thank you for tuning in, we release one episode each month, so stay connected and catch the next episode of the Citizen D Podcast in December. 

Thank you again, Giacomo, and all the best.