03 / 04 / 2024

Heavy fine for the Ministry of Migration’s surveillance systems

The Hellenic Data Protection Authority issued the Ministry a €175,000 fine over its digital management systems “Centaur” and “Hyperion”. Solomon had previously revealed that the Ministry’s two flagship programs were designed and implemented without the required data privacy protections.


The Hellenic Data Protection Authority (DPA) has imposed a fine of €175,000 on the Ministry of Migration and Asylum for violation of the legislation regarding personal data protection during the planning and implementation of surveillance systems, which also use biometric data, in the reception centers for asylum seekers.

The Authority finds that the failure to carry out a full, comprehensive and coherent Impact Assessment regarding data protection “from the design and by definition, before the deadline and implementation” of the Centaur and Hyperion systems constitutes a violation of articles of the European General Data Protection Regulation (GDPR).

These programs, at a cost of €20 million, are financed by European resources from the Recovery Fund.

In August 2022, Solomon reported that the Centaur and Hyperion systems were designed, financed by European funds, and were initially implemented by the Ministry of Migration without meeting the necessary technical provisions regarding the personal data protection of the population being monitored.

“Contradictory answers” from the Ministry

The inadequate response from the Ministry during the investigation into the matter also influenced the Authority’s decision.

The Authority points out the filing of “incomplete documents and inaccurate, contradictory and confusing answers (e.g. no clarifications have been provided, among other things, regarding the behavioral analysis algorithms, or the contribution of the DPO (Data Protection Officer) to the impact assessment)”.

The Data Protection Authority underlines the difficulty in cooperation and the non-submission of critical data by the Ministry.

In its decision, the Authority also confirmed that “the processing for surveillance purposes, for which there are violations of the requirements of the GDPR, concern a large number of subjects, including employees and vulnerable people, who experience great difficulty in exercising their rights and filing any complaints.”

The €175,000 fine is believed to be the largest ever imposed on a public body in Greece, according to Eleftherios Chelioudakis, co-founder and Secretariat of Homo Digitalis.

“The detailed analysis of the Personal Data Protection Authority highlights the most important shortcomings of the Ministry of Migration and Asylum in the context of the preparation of a comprehensive and coherent Impact Assessment, while the very high fine demonstrates the significant violations of the GDPR that are identified and concern a large number of subjects who have real difficulty in being able to exercise their rights,” he commented.

“It doesn’t end here”

“Of course, nothing ends here. A high fine means nothing by itself. The Ministry of Migration and Asylum must comply immediately,” he stated to Solomon.

As part of the decision, the Ministry of Migration was instructed to “take all necessary actions to complete its compliance with the obligations of the controller” within three months. If the Ministry does not submit the requested documents and clarifying information within the prescribed time frame, a larger fine may be imposed. This decision could also pave the way for additional complaints, Chelioudakis added.

He told Solomon that “if data subjects make new complaints, revealing that the systems are up and running, in breach of an individual’s data protection rights, another fine could be imposed.”

Connection with Hellenic Police and confidential contracts

From the Authority’s decision, further information has emerged regarding the connection of the Centaur system to the Civil Protection Ministry, the National Center for Emergency Assistance, the Hellenic Police, the National Fire Service and the Coast Guard.

According to the document, “a Video Decoder is provided to the Hellenic Police, Civil Protection, Fire Service at points that will be indicated/agreed upon so that in the event of a crisis, images can be transferred from the Ministry’s Incident Management Center to the operational centers of the agencies in question.”

“Access to the data of the beneficiaries,” it states, “is done through the Hellenic Police’s network ‘POL’, which is a classified, independent network, with management access only by the authorized users of the Hellenic Police.”

Ministry representatives cited the confidential nature of the contracts, and their own lack of full access to the required information, to explain the lack of clarity and of a coherent overall picture in the Ministry’s impact assessments.

The Authority describes the Ministry’s claim as indifferent “to the relevant requirements of the GDPR, in particular, given that carrying out an impact assessment is an obligation of the data controller and does not mean invoking the confidentiality of contracts.”

The Authority describes the Ministry’s claims about the confidentiality of the contracts as “indifferent” to the requirements of European legislation.

Programs designed without planning assessments, by a Ministry without a Data Protection Officer

In February 2022, the organizations Homo Digitalis, Hellenic League for Human Rights, and HIAS Greece, together with Dr. Niovi Vavoula, associate professor at the University of Luxembourg, submitted a request to the president of the Hellenic Data Protection Authority to examine whether the Centaur and Hyperion programs comply with the requirements of EU legislation for the processing of personal data.

They also asked the Authority to investigate whether the mandatory impact study (Data Protection Impact Assessment – DPIA) had been carried out during project planning. On March 2, 2022, the Authority started a relevant investigation.

In an earlier publication in August 2022, Solomon had reported that the EU-funded projects were initially implemented by the Ministry of Migration without meeting the necessary requirements regarding the implementation of project planning assessments to protect the personal data of the monitored population.

For its own needs, the Ministry of Migration had proceeded with the appointment of Data Protection Officer services on November 26, 2021, one month after the organizations’ request.

The company Euroaxones Innovative Technological & Consulting Services S.A. was hired by the Ministry to provide Data Protection Officer services at a total cost of €34,720 for a 12-month contract.

As the Ministry confirmed in response to Solomon’s questions, during the planning and certification stages of the programs, up until the relevant services were assigned to Euroaxones, the Ministry did not even have a Data Protection Officer.

Down the line, the Ministry’s Data Protection Officer also assumed a role at a law firm specializing in Data Protection issues.

Despite requests for access to the documents, both the Ministry and the Commission have kept the impact studies confidential, contrary to EU guidelines that require summaries of impact assessments to be published.

The Ministry of Migration had also ignored a parliamentary request to make the assessments public.
