Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece, Privacy International and the researcher Phoebus Simeonidis submitted before the President of the Hellenic Data Protection Authority (HDPA) on 14.2.2022, a request for the exercise of its investigative powers regarding a procurement tender published by the Hellenic Coast Guard for the acquisition of a Social Media Data Collection Software (protocol number 2322/15/2/22 ).

Specifically, as pointed out on 2/2/2022 by researcher Phoebus Simeonidis, in the framework of the European Commission’s “Internal Security Fund” (ISF) program, the Coast Hellenic Guard – Ministry of Maritime Affairs published a tender for the “Upgrade/maintenance of the computer room of the Directorate of Maritime Border Security and Protection” with a total estimated contract value of seven hundred and thirty thousand euros #730.000,00€# (including VAT and other deductions).

One of the deliverables described in this call for tender (see page 34 et seq.) is the supply of Social Media Data Collection Software (hereinafter referred to as Software). As explicitly stated by the Ministry of Maritime Affairs in this notice, the Software should support the social networks Facebook, Twitter, VK, Xing, Instagram, and Telegram, and some of the necessary features as described are:

– The creation of a visualization of multiple correlations (friends, comments, posts, likes and followers).

– The identification of user identifiers including their searches, and

– The simulation of human activity to avoid account blocking.

Specifically for Facebook, the software should allow, among other functions, storage of a profile’s public contact list, storage of all 2nd degree public contacts, storage of public timeline posts (including images, videos, linked YouTube videos, comments and reactions), storage of image galleries, storage of published account information (employer, residences, education), and searching accounts for specific personal characteristics.

With respect to Twitter, the Software should, among other functions, allow for the storage of audience following a profile list, storage of all public contacts of the 2nd degree (Followers List), and storage of public messages (including images, videos, linked YouTube videos, and likes).

For Instagram, the Coast Guard is seeking the Software to allow, among other things, storage of the follower list, storage of the public list following a profile, storage of public comments per profile by time sequence including images, videos, linked YouTube videos, and storage of timelines and Profile Stories.

With regard to Telegram, the software must allow the storage of participants in group conversations (up to 10,000 participants), as well as the storage of the full content of each group conversation (text and photos or other material shared in them).

It is therefore clear that the software in question seeks to monitor an indeterminately large number of users of the social networks in question, and to collect, process and analyse their information, without indicating the purpose of the processing operations, the legal bases that allow them and any other safeguards for the protection of personal data, as the European Data Protection Supervisor has expressly stated in a case of similar software maintained by the European Support Office for It is also worth noting that the European Border and Coast Guard Agency (FRONTEX) had in 2019 withdrawn a related call for tender for the procurement of similar social media data collection software, following a successful action by Privacy International.

Thus, the procurement of this software will be a clear challenge to the right to the protection of personal data and respect for the principle of lawfulness of processing, the principle of purpose limitation and the principle of proportionality (data minimisation) as outlined in EU and national legislation, as well as the rights to respect for privacy and freedom of expression.

Also, the creation of a fake account simulating human activity is contrary to the terms of use of social media and messaging mentioned in the tender, while the logging of searches of third party accounts is a highly intrusive activity. Of course, highly intrusive is also the recording and monitoring of group conversations on Telegram.

On 16 November, the Independent Authority for the Protection of Personal Data (hereinafter the Authority), in the context of its constitutionally enshrined role, published its decision No 50/2021 on the implementation of the e-learning system in primary and secondary education during the pandemic. In this decision, the Authority examined ex officio the compliance of the Ministry of Education with the recommendations of its Opinion No 4/2020 and identified certain shortcomings and violations of personal data legislation, for which it reprimanded the competent Ministry of Education and Religious Affairs, setting a deadline for compliance.

In particular, the Authority examined the updated Data Protection Impact Assessment and found deficiencies in areas such as: (a) as regards the Ministry’s detailed investigation of the legitimacy of the processing purposes; (b) the information provided to data subjects on the operation of the system; (c) the security measures in place; (d) the expression of the opinion of data subjects or their representatives on the envisaged processing; (e) the proper assessment of the transfer of data to countries outside the EU.

A simple reading of the Authority’s 46-page detailed decision shows the extreme moderation in its tone, the high degree of restraint and its generally mild character, which is also apparent from the emphasis it places on the objective nature of its remarks. The Authority also took its decision at a time when tele-education was not in operation, so as not to disturb the smooth functioning of the educational instruction. It leaves no doubt in the mind of a bona fide observer that the purpose and spirit of the Authority is to improve the system so that, if it should, by any chance, have to be reopened, it will be under improved conditions of protection of users’ personal data. It should be noted that the reprimand that the Authority has issued is one of its most lenient remedial powers, as the General Data Protection Regulation (GDPR) allows for very high administrative fines, which can amount to several million euros per violation.

The Authority has provided the Ministry with an ideal opportunity to use its findings, in particular with regard to the information provided to data subjects, the security measures in place and the expression of data subjects’ views on the processing, so that the Ministry can integrate them into the educational process in order to deepen the education of pupils on their rights in the face of the challenges of digital technology. In this way, the Ministry would set a good example, showing that the public authority is always trying to improve and enhance the level of protection of the personal data of the users of its services.

Unfortunately, the Ministry of Education and Religious Affairs did not seize this opportunity. It issued a statement in an extremely strong tone and, what is worse, included in it its response to the Official Opposition, revealing an attempt to question the independence of the Authority in order to politicise it. The Ministry of the Interior has committed a serious institutional faux pas and committed a major institutional impropriety by manifesting, quite unjustifiably, a spirit of antagonism towards the Authority and by using strong language, such as: “Due to the sudden change of course on the part of the Authority and bypassing its ongoing dialogue with the Ministry of Education and Religious Affairs”, “no deviations from the data protection rules were ever pointed out, and certainly not those just invoked for the first time by the Authority to justify its new decision”, ‘while tele-education is no longer applied and our schools have returned to normal, an extraordinary meeting is curiously convened’, ‘to date, no failure has ever been pointed out by the Authority in relation to the information provided in the midst of the pandemic’, ‘the Ministry of Education and Religious Affairs certainly respects the Decisions of the Independent Authorities.

Unfortunately, the Ministry of Education and Religious Affairs did not seize the opportunity. However, these decisions are subject to judicial review.” The Hellenic League for Human Rights calls on the Executive and in particular the Government and the Ministries not to undermine the position and work of the Independent Authorities and to accept the constitutional role of the Independent Authorities which are the guardians of citizens’ rights and stand by society against public and private authorities that threaten fundamental rights, especially in the digital age. Already many of the Independent Authorities face significant challenges as they operate with limited financial and human resources. Ministers must learn to be accountable to the Independent Authorities and must cooperate with them, because ultimately the Independent Authorities derive their authority from the enlarged majority of the Parliament that has elected them and from the authority of the fundamental rights enshrined in the Constitution, the ECHR and the EU.

The public questioning of the work of the constitutionally guaranteed Independent Authorities by Ministers, with expressions and positions that constitute a direct accusation of a lack of integrity and independence, may damage the credibility of the Independent Authorities, the foundations of their operation and ultimately the protected trust of citizens.
Such actions directly challenge the popular mandate for the establishment and functioning of the constitutionally enshrined Independent Authorities and are within the limits of the democratic order, if not beyond it.Ministers do not exercise hierarchical control over the Independent Authorities. They are well advised to respect the few remaining counterweights to authority in this country, for the sake of the citizens.

Instead of these actions, Ministers should seek to strengthen the Independent Authorities that have greater needs with further financial resources and human resources. Such a development would clearly be very positive in terms of strengthening the control of the executive, with the direct effect of strengthening the foundations of our democratic constitution.