Greece’s data protection watchdog is set to issue a long-awaited decision on the legality of controversial high-tech surveillance and security systems deployed in the country’s refugee camps.
The Greek Data Protection Authority’s (DPA) decision, expected by the end of the year, concerns in part a new multimillion-euro Artificial Intelligence Behavioural Analytics security system, which has been installed at several recently constructed refugee camps on the Aegean islands.
The system – dubbed Centaur and funded through the European Union (EU) – relies on algorithms and surveillance equipment – including cameras, drones, sensors and other hardware installed inside refugee camps – to automatically detect purported threats, alert authorities and keep a log of incidents. Hyperion, another system that relies on biometric fingerprint data to facilitate entry and exit from the refugee camps, is also being examined in the probe.
Centaur and Hyperion came under investigation in March 2022, after several Greek civil society organisations and a researcher filed a complaint to the Greek DPA questioning the legality of the programs under Greek and European laws. The Greek DPA’s decision could determine how artificial intelligence (AI) and biometric systems are used within the migration management context in Greece and beyond.
Although the data watchdog’s decision remains to be seen, a review of dozens of documents obtained through public access to documents requests, on-the-ground reporting from the islands where the systems have been deployed, as well as interviews with Greek officials, camp staff and asylum seekers, suggest the Greek authorities likely sidestepped or botched crucial procedural requirements under the European Union’s (EU) privacy and human rights law during a mad rush to procure and deploy the systems.
“It is difficult to see how the DPA will not find a breach,” said Niovi Vavoula, a lecturer at Queen Mary University of London, who petitioned the Greek DPA alongside Greek civil society organisations Homo Digitalis, The Hellenic League for Human Rights, and HIAS Greece.
She said “major shortcomings” identified include the lack of appointment of a data protection officer at the Greek Migration Ministry prior to the launch of its programs.
Security systems a hallmark of new EU camps
Centaur and Hyperion are hallmarks of Greece’s newest migrant facilities, also known as Closed Controlled Access Centres (CCACs), which began opening in the eastern Aegean in 2021 with funding and supervision from the European Commission (EC). Greek authorities have lauded the surveillance apparatus at the revamped facilities as a silver-bullet solution to the problems that plagued previous makeshift migrant camps in Greece.
The Centaur system allows authorities to monitor virtually every inch of the camps’ outdoor areas – and even some indoor spaces – from local command and control centres on the islands, and from a centralised control room in Athens, which Greece’s former migration minister Notis Mitarachi unveiled with much fanfare in September 2021.
“We’re not monitoring people. We’re trying to prevent something bad from happening,” Anastasios Salis, the migration ministry’s director general of ICT and one of the self-described architects of the Centaur system, told me when I visited the ministry’s centralised control room in Athens in December 2021. “It’s not a prison, okay? It’s something different.”
Critics have described the new camps as “prison-like” and a “dystopian nightmare”.
Behind closed doors, the systems have also come under scrutiny by some EU authorities, including its Fundamental Rights Agency (FRA), which expressed concerns following a visit to one of the camps on Samos Island in May 2022.
In subsequent informal input on Greece’s refugee camp security measures, the FRA said it was “concerned about the necessity and proportionality of some of the measures and their possible impact on fundamental rights of residents” and recommended “less intrusive measures”.
Asked during the control room tour in 2021 what is being done to ensure the operation of the Centaur system respects privacy laws and the EU’s General Data Protection Regulation (GDPR), Salis responded: “GDPR? I don’t see any personal data recorded.”
‘Spectacular experimentation’
While other EU countries have experimented with myriad migration management and surveillance systems, Greece’s refugee camp deployments are unique.
“What we see in Greece is spectacular experimentation of a variety of systems that we might not find in this condensed way in other national contexts,” said Caterina Rodelli, a policy analyst at the digital rights non-profit Access Now.
She added: “Whereas in other European countries you might find surveillance of migrant people, asylum seekers … Greece has paved the way for having more dense testing environments” within refugee camps – particularly since the creation of its EU-funded and tech-riddled refugee camps.
The Samos facility, arguably the EU’s flagship camp, has been advertised as a model and visited by officials from the UK, the US and Morocco. Technology deployments at Greece’s borders have already been replicated in other European countries.
When compared with other Mediterranean states, Greece has also received disproportionate funding from the EU for its border reinforcement projects.
In a report published in July, the research outfit Statewatch compared commission funds to Greece between 2014 and 2020 and those projected to be paid between 2021 and 2027, finding that “the funding directed specifically towards borders has skyrocketed from almost €303m to more than €1bn – an increase of 248%”.
Greece’s Centre for Security Studies, a research and consulting institution overseen by the Greek minister of citizen protection, for example, received €12.8m in EU funds to develop border technologies – the most of any organisation analysed in the report during an eight-year period that ended in 2022.
Surveillance and security systems at Greek refugee camps are funded through the EU’s Covid recovery fund, known formally as the European Commission’s Recovery and Resilience Facility, as well as the Internal Security Fund.
Early warnings
At the heart of the Greek DPA probe are questions about whether Greece has a legal basis for the type of data processing understood to be required in the programs, and whether it followed procedures required under GDPR.
This includes the need to conduct data protection impact assessments (DPIAs), which demonstrate compliance with the regulation as well as help identify and mitigate various risks associated with personal data processing – a procedure the GDPR stipulates must be carried out far in advance of certain systems being deployed.
The need to conduct these assessments before technology deployments take place was underscored by the Greek DPA in a letter sent to the Greek migration ministry in March 2022 at the launch of its probe, in which it wrote that “in the case of procurement of surveillance and control systems” impact studies “should be carried out not only before their operation, but also before their procurement”.
Official warnings for Greece to tread carefully with the use of surveillance in its camps came as early as June 2021 – months before the opening of the first EU-funded camp on Samos Island – when the FRA provided input on the use of surveillance equipment in Greek refugee camps, and the Centaur project specifically.
In a document reviewed by Computer Weekly, the FRA wrote that the system would need to undergo “a thorough impact assessment” to check its compatibility with fundamental rights, including data protection and privacy safeguards. It also wrote that “the Greek authorities need to provide details on the equipment they are planning to use, its intended purpose and the legal basis for the automated processing of personal data, which to our understanding include sensitive biometric data”.
A botched process?
However, according to documents obtained through public record requests, the impact assessments related to the programs were only carried out months after the systems were deployed and operational, while the first assessments were not shared with the commission until late January 2022.
Subsequent communications between EU and Greek authorities reveal, for the first time, glaring procedural omissions and clumsy efforts by Greek authorities to backpedal into compliance.
For example, Greece’s initial assessments of the Centaur system covered the use of the CCTV cameras, but not the potentially more sensitive aspects of the project such as the use of motion analysis algorithms and drones, a commission representative wrote to Greek authorities in May 2022. The representative further underscored the importance of assessing “the impact of the whole project on data protection principles and fundamental rights”.
The commission also informed the Greek authorities that some areas where cameras were understood to have been placed, such as common areas inside accommodation corridors, could be deemed as “sensitive”, and that Greece would need to assess if these deployments would interfere with data protection, privacy and other rights such as non-discrimination or child rights.
It also requested more details on the personal data categories being processed – suggesting that relevant information on the categories and modalities of processing – such as whether the categories would be inferred by a human or an algorithm-based technology – had been excluded. At the time, Greek officials had reported that only “physical characteristics” would be collected but did not expand further.
“No explanation is provided on why less intrusive measures cannot be implemented to prevent and detect criminal activities,” the commission wrote, reminding Greece that “all asylum seekers are considered vulnerable data subjects”, according to guidelines endorsed by the European Data Protection Board (EDPB).
The FRA, in informal input provided after its visit to the Samos camp in May 2022, recommended basic safeguards Greece could take to ensure camp surveillance systems are in full compliance with GDPR. This included placing visible signs to inform camp residents and staff “about the operation of CCTV cameras before entering a monitored area”.
No such signs were visible in the camp’s entry when Computer Weekly visited the Samos camp in early October this year, despite the presence of several cameras at the camp’s entry.
Computer Weekly understands that, as of early October, procedural requirements such as impact assessments had not yet been finalised, and that the migration ministry would remain in consultation with the DPA until all the programs were fully GDPR-compliant.
Responding to Computer Weekly’s questions about the findings of this story, a Greek migration ministry spokesperson said: “[The ministry] is already in open consultation with the Greek DPA for the ‘Centaur’ and ‘Hyperion’ programs since March 2022. The consultation has not yet been completed. Both of these programs have not been fully implemented as several secondary functions are still in the implementation phase while the primary functions (video surveillance through closed circuit television and drone, entry – exit through security turnstiles) of the programs are subject to continuous parameterisation and are in pilot application.
“The ministry has justified to the Greek DPA as to the necessity of implementing the measure of installing and operating video surveillance systems in the hospitality structures citing the damage that the structures constantly suffer due to vandalism, resulting in substantial damage to state assets … and risking the health of vulnerable groups such as children and their companions.”
The commission wrote to Computer Weekly that it “do[es] not comment on ongoing investigations carried out by independent data protection authorities” and did not respond to questions on the deployment of the systems.
Previous reporting by the Greek investigative outlet Solomon has similarly identified potential violations, including that the camp programs were implemented without the Greek ministry of migration and asylum hiring a data protection officer as required under the GDPR.
Lack of accountability and transparency?
…