Greece’s Ministry of Migration and Asylum has received a significant €175,000 fine for violating data and privacy protection regulations in its implementation of two high-tech surveillance and security systems deployed in several Greek refugee camps.
In a decision issued in early April, the Greek Data Protection Authority (DPA) found the country’s migration ministry violated several provisions of the General Data Protection Regulation (GDPR) while launching the Centaur and Hyperion systems, and failed to meet its obligations as data controller.
Centaur has been described as an automated security system that relies on algorithms (artificial intelligence behavioral analytics) and hardware, including cameras, drones and sensors, to automatically detect purported threats in some refugee camps, alerting authorities locally and in Athens. The second system, Hyperion, uses biometric fingerprint data to facilitate entry and exit from the facilities. Both systems are funded by the European Union (EU).
A Computer Weekly investigation published in October 2023 uncovered serious issues about the roll-out of the programs and apparent efforts by the Greek authorities to backpedal into GDPR compliance only after they were launched.
The penalty follows a two-year investigation by the DPA, which was launched in March 2022 after Greek civil society organisations – including Homo Digitalis, HIAS Greece, and the Hellenic Union for Human Rights, along with associate professor Niovi Vavoula at the University of Luxembourg – asked the authority to examine the programs’ compliance with data protection regulations. They also asked it to investigate whether the Greek migration ministry completed impact assessments during the design and planning phase of the projects, a requirement under GDPR.
Eleftherios Chelioudakis, co-founder of Homo Digitalis, welcomed the Greek DPA’s ruling, noting the €175,000 penalty is “the largest ever imposed on a [Greek] public body since GDPR came into play”.
‘Incomplete and limited’ DPIAs
In its decision on 3 April 2024, the data protection watchdog found that the migration ministry failed to carry out “complete, comprehensive and coherent” data protection impact assessments (DPIAs) “by design and by default, before the procurement and implementation of the Centaur and Hyperion programs”, in violation of GDPR. The authority characterised the DPIAs it reviewed as “substantially incomplete and limited in scope”.
The migration ministry also failed to explain the data processing and automated functions of the Centaur program, and to clarify the interconnection of both programs with other state systems and databases, the investigation found.
The DPA noted that the programs “involve the processing of large volumes of data, including special categories of data, in particular biometric data”. Notably, it flagged that the systems “concern a large number of data subjects, including workers and persons with vulnerability characteristics, who have a real difficulty in exercising their rights and possibly lodging a complaint”.
‘Lack of cooperation’ with the investigation
According to the DPA, “a lack of cooperation on the part of the Ministry of Migration and Asylum, as data controller” aggravated the decision.
It added that documents submitted by the migration ministry as part of the investigation contained “unclear, incomplete, confusing and contradictory information”, as well as “ambiguities … and incorrect references”.
The authority faulted the ministry for failing to share contracts struck with two private companies (ESA Security AE – Adaptit AE and Space Hellas SA) involved with the programs. For example, Greece-based ESA Security Solutions is contracted to provide security services for the Centaur program, including operating drones in the camps. According to the DPA, the ministry did not share relevant contract clauses containing terms on how the company intended to process the personal data it collects during its operations in the camps.
Chelioudakis said the use of private companies for the provision of security services, along with the broader “privatisation of border protection and the veil of secrecy that surrounds it, causes significant challenges for the protection of personal data and the exercise of the duties of the data protection authority”.
The DPA concluded that “serious shortcomings remain as regards the ministry’s compliance with certain provisions of the GDPR in relation to the implementation of the systems”.
The ministry has been ordered to take “all the necessary actions to comply with obligations” under GDPR within three months. A larger penalty could be imposed if it fails to do so.
Migration ministry claims evidence ‘incorrectly’ assessed
In a press release after the decision, the Ministry of Migration and Asylum said corrective measures to shortcomings identified by the DPA “to a large extent have already been implemented … or are in the process of being implemented”.
The ministry defended its programs, writing that the data watchdog “did not take into account these systems were partially adopted and piloted in some, not all, reception facilities, which made it necessary to carry out individual impact assessments and not on the whole, since it was not possible to evaluate the processing of personal data before the systems were put into operation”.
The ministry said because the DPA “incorrectly” assessed submitted evidence, it “intends to legally assess the possibility of challenging the decision”.
The ministry also claimed “confidentiality” clauses prevent it from disclosing supply contracts with private companies to the authority – a fact the ministry said it “repeatedly pointed out” during the investigation.
EU-funded tech in EU-funded facilities under scrutiny
Introduced in several EU-funded “new generation” migrant reception centres on the Aegean islands, which began opening in 2021, the technology has previously been scrutinised by civil society organisations and the European Ombudsman over privacy and transparency concerns.
Centaur and Hyperion are funded through the EU’s Covid recovery fund and the Internal Security Fund.
The European Commission told Computer Weekly in a statement that it is “aware” of the Greek DPA’s decision: “The enforcement of the GDPR lies with the national data protection authorities and the commission does not comment on these cases.
“Greek authorities are developing systems that will allow the monitoring of reception areas to ensure security for residents, staff, and the local population … These technologies are part of a broader investment to promote the digital transformation, which will facilitate the asylum procedure and improve reception conditions.”
The commission maintains that since the inception of the projects, it “has requested the Greek authorities conduct a data protection and a fundamental rights impact assessment”. It added that it “remains in close contact with the Greek authorities” and “will continue monitoring closely the implementation of these projects, in line with EU law requirements”.
Lack of transparency since inception of programs
Algorithm Watch first revealed plans for the systems in April 2021. In September that year, Greece’s then-migration minister, Notis Mitarakis, unveiled a centralised control room in the migration ministry building near the Greek capital, to which the camp systems were already connected.
In December 2021, migration ministry officials gave Al Jazeera a tour of the control room, saying the Centaur project was already operational in several camps. However, they did not answer Al Jazeera’s questions about whether legally required data protection impact assessments had been completed.
The Greek investigative site Solomon later revealed that the Centaur and Hyperion programs were designed, funded and launched without the prior recruitment of a data protection officer.
Despite requests for access to the assessment documents, Greek officials and the European Commission kept the impact studies sealed, contrary to EU guidelines recommending the summaries be made public.
Computer Weekly obtained the data protection and fundamental rights impact assessments following a complaint to the European Ombudsman. A review of the documents confirms the earliest versions of the assessments were completed in January 2022, more than three months after the migration ministry initially advertised the program as being active.