By Alexandra Karaiskou

In recent years, Greece has been investing significant funds and effort to modernize its border and migration management policy as part of the digitalization of its public sector. This modernization comes in a techno-solutionist shape and form which entails, as the term reveals, an enormous trust in technological solutions for long-standing and complex problems. In the field of border and immigration control, this includes the development, testing and deployment of advanced surveillance systems at the Greek borders, its refugee camps, and beyond to monitor unauthorized mobility, detect threats, and alert authorities for rapid intervention. While these technologies can bring noteworthy benefits, such as more coordinated and rapid responses in emergency situations that could prove critical for saving someone’s life, they also come with significant human rights risks. They can be also used to conduct more frequent and ‘effective’ pushbacks further away from the borders in more invisible and indetectable ways. Significant risks also exist for the rights to privacy, data protection, non-discrimination, and due process, which are undoubtedly among the first to be adversely impacted by the rollout of such technologies.

Although this techno-solutionist trend is not solely a Greek but a global phenomenon, its concretization in the Greek geo-political sphere, a country which manages a considerable portion of Europe’s south-east external borders, is illustrative of the future of European and Member States’ digital border and migration management policies. Technology has “become the ‘servant mistress of politics’”, as Bonditti has eloquently put it, which raises serious concerns about how these systems will be used in practice once deployed, given the systemic pushback and other non-entrée practices documented in the Aegean and Mediterranean seas. And while these technologies are being tested and deployed in a regulatory vacuum, the stakes become even higher.

REACTION: Greece’s latest border surveillance R&D project

As a country traditionally faced with important migratory and refugee inflows due to its geographical location, Greece has gained interest in research and innovation (R&D) projects developing border surveillance technologies. In the past 6 years, it has participated in more than nine EU co-funded projects as a research partner and/or a testing ground, including in the famous ROBORDER, CERETAB and AIDERS projects. In brief, these projects aim at developing various technologies, such as drones and other autonomous robotic vehicles equipped with multimodal cameras; automated early warning systems and innovative information exchange platforms; as well as algorithms (software) that can analyse real-time data and convert it into actionable information for national authorities. Their overall objective is to improve situational awareness around the borders and states’ interception capabilities and preparedness for emergency responses.

Having followed these developments closely from the outset, it came as no surprise when we saw yet another border surveillance project uploaded on the Greek Migration Ministry’s website last fall. This time it is REACTION, a project building on the findings of all the above projects, and co-funded by Greece, Cyprus, and the EU Integrated Border Management Fund. It aims at developing a next generation platform for border surveillance which can provide situational awareness at remote frontier locations as an efficient tool for rapid response to critical situations. Responding to irregular immigration, smuggling, human trafficking and, overall, transnational organised crime is described as the main driver behind the development of REACTION. The system will consist of several components, such as drones that can be used in swarm or solo formations, computer vision (via deep learning techniques), object recognition, identification and characterisation of events, early warning systems, as well as big data analytics. In simpler terms, software trained on machine learning techniques will analyse instantly the vast amounts of data collected by the drones and other sensors connected to the system and produce an alert identifying the type of incident and its coordinates. Depending on its design features, it may also offer additional tools to the authorities, such as the possibility to follow an unidentified object or person, zoom in and potentially cross-reference their distinctive features (ex. a person’s facial image) with data stored in existing databases. It is worth noting that REACTION will be interoperable with the servers of the Greek law enforcement authorities, and Reception and Identification Centres (RICs, i.e. refugee camps, analysed below), as well as EUROSUR, the EU border surveillance system operated by the EU Border and Coast Guard Agency, thereby drawing a wealth of information from various national and European sources.

Such systems come with the hope of revolutionising border management by elevating authorities’ detection and intervention capabilities to the next level. To what end, whether to save lives or let die, remains to be seen. Unfortunately, the country’s recent track record in emergency responses at the border, as evidenced by the recent shipwreck off Pylos and numerous other pushback incidents, leaves little room for optimism. Moreover, the deployment of such a tool might also undermine the right to privacy and data protection, among others, to the extent that anyone approaching the border could become a potential target of surveillance, whose sensitive biometric data could be unknowingly processed. It may still be soon to tell how this system will be implemented in the future, but the widening of power asymmetries between state authorities and vulnerable individuals along with the current state of practice paint a very alarming picture.

Hyperion & Centaur: the new surveillance systems at Greece’s refugee camps

Another area where new surveillance technologies are being piloted is Greece’s refugee camps. The Greek Ministry of Migration currently develops seven projects for the digitalisation of the asylum procedure and the camps’ management. One of them, Hyperion, which is expected to be deployed soon, will be the new management system of all the RICs, closed centres, and shelters. It will register asylum seekers’ personal data, both biographic (ex. full name, date and country of birth, nationality, etc.) and biometric (fingerprints), and will be the primary tool for controlling their entry in and exit from the camp by scanning their asylum seeker’s card and a fingerprint. It will also store information about most services provided to them, such as food, clothing, etc., and their transfers from one camp to another. In the near future, asylum seekers’ moves will be closely and continuously scrutinized by this system, as if they were inmates in high security prisons, which leads to highly intrusive practices that are difficult to justify. Besides surveillance, another objective of Hyperion is to enforce strict discipline to the state’s power: if someone, for instance, leaves the camp and does not return within the authorised time period, they could lose their access to the camp and to the rest of the services provided to them, leaving them homeless and without the most basic living conditions. Noteworthily, Hyperion will also be interoperable with an asylum seeker’s digital case file at the Asylum Service, which means that any alert in the system about a breach of the camp’s rules may have negative implications on their asylum claim. In the example above, unjustified absence from the camp could lead to the rejection of their asylum application, exposing them to the risk of detention and deportation.

In addition, Centaur is the new high-tech security management system of the camps that will automatically detect security breaches and alert the authorities. It consists of drones, optical and thermal cameras, microphones, metal detectors, and advanced motion detectors based on AI-powered behavioural analytics that monitor the internal and surrounding area of the camp. It is connected to a centralised control room in the Ministry’s headquarters in Athens and produces red flags whenever a security threat is detected, such as fights, unauthorized objects, fires, etc. From there, Ministry employees can zoom in and assess the risk, and instruct personnel on the ground on where and how to intervene. It has already been piloted at several camps and works complementarily to Hyperion by surveilling whatever move has been left unmonitored. In practice, the only places where people can enjoy some privacy is the bathrooms and to a certain extent the insides of their rooms. In the words of the 25-year-old refugee living in Samos camp: “there’s not a lot of difference between this camp and a prison”.

Although these systems have been promoted by the Greek authorities as efficient tools to ensure asylum seekers’ safety, this certainly comes at a high cost for privacy and fundamental rights. Besides their right to privacy, which is obviously seriously restricted, their right to non-discrimination or due process could be adversely affected, if the use of these systems leads to biased decisions or summary rejections of asylum applications. Moreover, their right to data protection is also severely compromised. Importantly, no Data Protection Impact Assessment seems to have been conducted, although required by the GDPR; and no regulatory framework has been adopted yet to govern the use (and potential misuse) of these systems, and mitigate these and other human rights risks. While the Ministry’s radio silence on these issues echoes loudly, we look forward to the findings of the Greek DPA’s investigation and trust them to ensure the protection of all persons’ rights in the digital era, regardless of where they are coming from.

Four steps to compliance today

Although the deadlines are further down the line, affected organizations do not have to sit and wait. Time (and money) is precious when preparing to achieve compliance with the NIS2 and DORA requirements. Organizations must assess and identify actions they can take to prepare for the new rules.

The following recommendations are a good starting point:

Governance and risk management: Understand the new requirements and evaluate the current governance and risk management processes. Additionally, consider increasing funding for programs that help detect threats and incidents and strengthening enterprise-wide cybersecurity awareness training initiatives.

Incident reporting: Evaluate the maturity of incident management and reporting to understand current state capabilities and gauge awareness of the various cybersecurity incident reporting standards relevant to your industry. You should also check your ability to recognize near-miss situations.

Resilience testing: Recognize the talents needed to design and carry out resilience testing, including board member training sessions on the techniques used and their implications for repair.