Greece planned and has begun implementing two surveillance systems directed at asylum seekers and partly financed with European Union pandemic-recovery funds in violation of data privacy protections set down by the bloc’s General Data Protection Regulation, Solomon and BIRN can reveal.
Planning for the two systems – Hyperion and Centaur – began in 2020, the former monitoring movement in and out of state-run asylum camps and the latter deploying behavioural analysis algorithms and transmitting CCTV and drone footage to a control room set up inside the Ministry of Migration and Asylum.
Central to the conservative government’s asylum policy, both Hyperion and Centaur have previously faced criticism from humanitarian organisations which say they risk depriving asylum seekers of fundamental rights and freedoms.
Now, BIRN and Solomon can reveal that both were crafted and initially implemented – with funds from the EU’s Recovery and Resilience Facility – without prior recruitment of a Data Protection Officer at the Ministry of Migration and Asylum, a requirement under the GDPR to ensure adequate oversight. Nor were mandatory Data Protection Impact Assessments, DPIA, conducted in the design phase.
“Such Impact Assessment ought to have taken place to identify the fundamental rights challenges and determine whether these systems should be developed in the first place,” said Niovi Vavoula, a data protection expert at Queen Mary University of London.
“Furthermore, the appointment of a Data Protection Officer took place at a late stage, though Article 38 of the GDPR requires that their appointment takes place ‘in a timely manner’,” Vavoula told Solomon and BIRN. “Therefore, it could be argued that privacy and data protection concerns have been sidelined.”
Systems went live without mandatory safeguards
The surveillance first came under scrutiny in October 2021, when Vavoula joined a number of civil society organisations including Homo Digitalis, the Hellenic League for Human Rights, and HIAS Greece, in asking the Greek Data Protection Authority, DPA, to examine whether Hyperion and Centaur complied with EU rules on processing personal data and whether a DPIA had been conducted.
The following March, the DPA launched an investigation and asked the Ministry of Migration and Asylum whether it had indeed conducted a DPIA.
In cases of surveillance and monitoring systems, “an impact study regarding their operation must be carried out not only before their operation, but also before their procurement, in order to comply with the principles of data protection by design and default,” the DPA wrote.
In November 2021, a month after Vavoula and the NGOs raised their concerns, the ministry hired a private contractor to act as its Data Protection Officer, according to a publicly available decision by the ministry awarding the contract. Under the 28,000-euro contract, the DPO was to conduct and deliver a DPIA to the ministry within a month.
Effectively, Hyperion was designed, was approved for EU funding and was being implemented for roughly 18 months without the most basic, mandatory data protection safeguards in place to avoid abuse.
The ministry confirmed as much, telling BIRN and Solomon: “A DPIA for the project was prepared by the DPO appointed in late 2021, as no DPO had been in place since the establishment of the ministry in 2016.”
Centaur went live in September 2021, when Migration and Asylum Minister Notis Mitarachi launched the ministry’s Incident Management Centre, where footage from various camps is relayed. So Centaur too was designed, funded and in operation for two months before the ministry hired a DPO.
Questions over suitability of RRF funding
Serious questions have also been raised about the financing of Hyperion after a payment order was inadvertently uploaded onto Greece’s public transparency registry late last year.
Containing classified information regarding ministry expenses, the payment order was removed after five hours.
Experts say it is highly unusual for a tender to be declared confidential in its entirety, even in cases when commercial or national security interests are at issue. But the Hyperion tender was made confidential by law in March 2020.
Asked whether such a move is in line with EU financing rules, the European Commission – the EU’s executive arm – told BIRN and Solomon: “The classification of a procurement procedure as confidential for reasons of national security depends explicitly on the provisions of Greek national laws and should be in line with Directive 2014/24/EU on public procurement. This classification does not imply the classification of expenses incurred under the project.”
That said, rules on spending under the Recovery and Resilience Facility, RRF, are “silent on whether Member States can finance confidential/classified expenses of projects,” the Commission said.
“When it comes to the RRF, as explained in recital 19 of the RRF Regulation, the Facility provides for financing not linked to costs and, for this reason, it does not include provisions on eligibility of specific cost items.”
The Ministry of Migration and Asylum did not respond to questions concerning the basis on which Hyperion was declared confidential. Lack of transparency has raised questions about the possibility of the ministry’s controversial ‘black fund’ being the source of funding.
Under Greek law, payments below 25,000 euros do not need to be reported to the parliament. All relevant information about such payments is destroyed after six months.