Asylum Surveillance Systems Launched in Greece without Data Safeguards

With money from the EU’s pandemic-recovery fund, systems to monitor the movements of asylum seekers in Greece were designed and launched without basic data safeguards required under EU law.
Asylum Surveillance Systems Launched in Greece without Data Safeguards
With money from the EU’s pandemic-recovery fund, systems to monitor the movements of asylum seekers in Greece were designed and launched without basic data safeguards required under EU law.

Greece planned and has begun implementing two surveillance systems directed at asylum seekers and partly financed with European Union pandemic-recovery funds in violation of data privacy protections set down by the bloc’s General Data Protection Regulation, Solomon and BIRN can reveal.

Planning for the two systems – Hyperion and Centaur – began in 2020, the former monitoring movement in and out of state-run asylum camps and the latter deploying behavioural analysis algorithms and transmitting CCTV and drone footage to a control room set up inside the Ministry of Migration and Asylum.

Central to the conservative government’s asylum policy, both Hyperion and Centaur have previously faced criticism from humanitarian organisations which say they risk depriving asylum seekers of fundamental rights and freedoms.

Now, BIRN and Solomon can reveal that both were crafted and initially implemented – with funds from the EU’s Recovery and Resilience Facility – without prior recruitment of a Data Protection Officer at the Ministry of Migration and Asylum, a requirement under the GDPR to ensure adequate oversight. Nor were mandatory Data Protection Impact Assessments, DPIA, conducted in the design phase.

“Such Impact Assessment ought to have taken place to identify the fundamental rights challenges and determine whether these systems should be developed in the first place,” said Niovi Vavoula, a data protection expert at Queen Mary University of London.

“Furthermore, the appointment of a Data Protection Officer took place at a late stage, though Article 38 of the GDPR requires that their appointment takes place ‘in a timely manner’,” Vavoula told Solomon and BIRN. “Therefore, it could be argued that privacy and data protection concerns have been sidelined.”

Photo: Migration and Asylum Minister Notis Mitarachi launched Centaur in a newly-created centre at the ministry in September 2021.

Systems went live without mandatory safeguards

The surveillance first came under scrutiny in October 2021, when Vavoula joined a number of civil society organisations including Homo Digitalis, the Hellenic League for Human Rights, and HIAS Greece, in asking the Greek Data Protection Authority, DPA, to examine whether Hyperion and Centaur complied with EU rules on processing personal data and whether a DPIA had been conducted.

The following March, the DPA launched an investigation and asked the Ministry of Migration and Asylum whether it had indeed conducted a DPIA.

In cases of surveillance and monitoring systems, “an impact study regarding their operation must be carried out not only before their operation, but also before their procurement, in order to comply with the principles of data protection by design and default,” the DPA wrote.

In November 2021, a month after Vavoula and the NGOs raised their concerns, the ministry hired a private contractor to act as its Data Protection Officer, according to a publicly-available decision by the ministry awarding the contract. Under the 28,000-euro contract, the DPO was to conduct and deliver a DPIA to the ministry within a month.

Effectively, Hyperion was designed, approved for EU funding and was being implemented for roughly 18 months without the most basic, mandatory data protection safeguards in place to avoid abuse.

The ministry confirmed as much, telling BIRN and Solomon: “A DPIA for the project was prepared by the DPO appointed in late 2021, as no DPO had been in place since the establishment of the ministry in 2016.”

Centaur went live in September 2021, when Migration and Asylum Minister Notis Mitarachi launched the ministry’s Incident Management Centre, where footage from various camps is relayed. So Centaur too was designed, funded and in operation for two months before the ministry hired a DPO.

Photo: A Direct Award Decision of the Ministry of Migration and Asylum appointing a private company as its DPO at the end of November 2021.

Questions over suitability of RRF funding

Serious questions have also been raised about the financing of Hyperion after a payment order was inadvertently uploaded onto Greece’s public transparency registry late last year.

Containing classified information regarding ministry expenses, the payment order was removed after five hours.

Experts say it is highly unusual for a tender to be declared confidential in its entirety, even in cases when commercial or national security interests are at issue. But the Hyperion tender was made confidential by law in March 2020.

Asked whether such a move is in line with EU financing rules, the European Commission – the EU’s executive arm – told BIRN and Solomon: “The classification of a procurement procedure as confidential for reasons of national security depends explicitly on the provisions of Greek national laws and should be in line with Directive 2014/24/EU on public procurement. This classification does not imply the classification of expenses incurred under the project.”

That said, rules on spending under the Recovery and Resilience Facility, RRF, are “silent on whether Member States can finance confidential/classified expenses of projects,” the Commission said.

“When it comes to the RRF, as explained in recital 19 of the RRF Regulation, the Facility provides for financing not linked to costs and, for this reason, it does not include provisions on eligibility of specific cost items.”

The Ministry of Migration and Asylum did not respond to questions concerning the basis under which Hyperion was declared confidential. Lack of transparency has raised questions about the possibility of the ministry’s controversial ‘black fund’ being the source of funding. Under Greek law, payments below 25,000 euros do not need to be reported to the parliament. All relevant information about such payments is destroyed after six months.


Photo: A classified payment order for Hyperion that was inadvertently uploaded late last year and removed five hours later.

0 Comments

Submit a Comment

Your email address will not be published.

More to read

Related

Serbia: Green waves washing over polluted land

Serbia: Green waves washing over polluted land

Citizens’ growing concern fueled by industrial investments and the urgent need to solve environmental issues has resulted in the election of Serbia’s first Green Party to parliament.

European Court decision finds 2016 collective pushbacks “lawful”

European Court decision finds 2016 collective pushbacks “lawful”

On April 5, the European Court of Human Rights handed down a negative judgement on claims regarding the alleged pushback of approximately 1,500 asylum seekers into Greece via North Macedonia in 2016. ECHR acknowledged their violent persecution, but believed the applicants could have applied for asylum by other legal means ― although there weren’t any.

Ukraine war: the “real” refugees and the lies of the Greek government

Ukraine war: the “real” refugees and the lies of the Greek government

Since the Russian invasion of Ukraine, Greek government ministers and MPs have spread false claims about refugees and international law. While experts, the UNHCR, and EU data refute their claims and more allegations are reported regarding Greece’s illegal pushbacks of asylum seekers.

Masafarhána: Inside the invisible refugee houses in Athens

Masafarhána: Inside the invisible refugee houses in Athens

In Athens, refugees pay to live in small apartments which accommodate up to 22 people. They often fall victim to exploitation by their compatriots. But sometimes the masafarhánas offer them the forgotten feeling of home.

Solomon files complaint with Supreme Court in case against National Intelligence Agency

Solomon files complaint with Supreme Court in case against National Intelligence Agency

Last November, it was revealed that citizens, including a Solomon journalist, were under surveillance by the Greek National Intelligence Agency (EYP) – calling into question the legality of such actions. Now, by filing a legal complaint against EYP with the country’s highest court, we call for authorities to investigate the possibility that criminal offences may have been committed by officials of an agency which appears to operate without any accountability.

Thanks for reading Solomon

We choose to change the narrative by offering a more inclusive and comprehensive approach to media, in an independent and sustainable way. Wanna get updates made just for you?

You have Successfully Subscribed!

Share This