On 23 June 2021, the Plenary of the Personal Data Protection Authority met to examine the appeals of 5 citizens against the General Secretariat for Civil Protection. The appeals relate to the failure to satisfy the right of access to personal data, as provided for by Greek and European legislation.

Homo Digitalis represented the 5 applicants at the meeting and subsequently submitted a memorandum to the Data Protection Authority. According to European legislation the threatened fine for the GDPR is up to 20 million euros per breach.

The decision of the Data Protection Authority on the case is expected soon.

Brief Background

On 23.11.2020, the applicants proceeded to exercise their right of access to the Controller, General Secretariat for Civil Protection (GSCP), on the basis of Article 15 of the GDPR, by means of an email to the Controller’s address info@gscp.gr, as stated in the GSCP’s Privacy Policy for the use of 13033.

As set out in the GDPR (Article 12(3)), and noted in the 13033 Privacy Policy, the controller must comply with this right without delay and at the latest within one month of the request.

The GGP as controller in breach of the provisions of Article 12(1)(a) of the GDPR shall, in its capacity as controller, ensure that the data are made available to the data subject without undue delay and without undue delay and in full knowledge of the facts. 3 and 4 of the GDPR, failed to reply to the complainants within one month of receipt of the request and failed to inform them, as it was required to do, within one month of the possible impossibility of responding immediately and satisfying their request and of the reasons for the delay, requesting a further extension of the time limit, in breach of the provisions of Article 12(3) and (4) of the GDPR. Moreover, it failed to inform the applicant within one month of the reasons for its failure to act and of the possibility of lodging a complaint and bringing a legal action (Article 12(4) of the GDPR).

In view of the above, two and a half months after exercising the right of access and having received no response from the GGPD, the applicants proceeded on 8/2/2021 to lodge the complaints under consideration before the Personal Data Protection Authority (the Authority).

The Authority invited the GDPR to submit the views on 16-02-2021. The GPO did not respond to this request of the Authority either.

To date (7 months later) the applicants have not received any response to the access requests. A copy of the views of the GSC was first communicated to them on 29 June 2021 following their request to the Authority.

It is noted that the views of the GPO were submitted to the Authority on 18 June 2021 after a significant delay of more than four months. At the first meeting, the GGP submitted a request for postponement of the discussion on the sole ground that the Secretary General for Civil Protection wished to represent the GGP in person, without having presented its views on the appeals up to that point. The request was granted, but the Secretary General did not even attend the adjourned debate.

The subject matter of the appeals is the failure to provide full and correct information and the failure to satisfy the right of access under Articles 15 and 12 of the GDPR.

The European Parliamentary Research Service (EPRS), which is the internal research service and think tank of the European Parliament, makes explicit reference to our actions at national level in its new study published at the beginning of July on the use of AI in the field of border protection!

Of course, important references are also made to the European Citizens’ Initiative #ReclaimYourFace!

You can read the study completely free of charge here.

Homo Digitalis participated on 1 July in the SEE Digital Rights Network event on the challenges that arise in the Balkan region for the protection of digital rights.

The event included the presentation of the relevant study by BIRN and SHARE Foundation.
Lefteris Helioudakis, founding member and Secretary of the Board of Homo Digitalis represented the organization at the event.

Σβήνεις και γράφεις εδώ…………………………

Μετά από πολλές σημαντικές συνεργασίες με κορυφαία πανεπιστήμια και ερευνητικά κέντρα σε Ελλάδα, Ευρώπη και Η.Π.Α., η Homo Digitalis επεκτείνει τις συνεργασίες της και στην Ασία.

Με μεγάλη μας χαρά υπογράψαμε μνημόνιο συνεργασίας με το ερευνητικό κέντρο Centre for Law and Technology της Νομικής Σχολής του Ziauddin University στο Πακιστάν με στόχο την ανάπτυξη κοινών εθελοντικών προγραμμάτων έρευνας και ευαισθητοποίησης του κοινού για ζητήματα που αφορούν, μεταξύ άλλων, την προστασία των προσωπικών δεδομένων, το σεβασμό της ιδιωτικής ζωής και την ελευθερία της έκφρασης στη σύγχρονη ψηφιακή εποχή

A coalition of civil society organisations consisting of Privacy International, Hermes Center, Homo Digitalis and noyb have today, 27/5/2021, filed 5 complaints before the competent authorities in Austria, France, Greece, Italy, Greece and the United Kingdom against Clearview AI, Inc. This company develops facial recognition software and claims to have “the largest known database of more than 3 billion facial images” which it collects from social media platforms and other online sources.

The complaints filed with the relevant authorities, including the Data Protection Authority (No. 3458/27.5.2021), detail how Clearview AI’s automated image collector works. It is an automated tool that visits public websites and collects any images it detects that contain human faces. Along with these images, the automated collector also collects metadata that complements these images, such as the title of the website and its source link. The collected facial images are then matched against the facial recognition software created by Clearview AI in order to build the company’s database. Clearview AI sells access to this database to private companies and law enforcement agencies, such as police authorities, worldwide.

“European law is clear regarding the purposes for which companies can use our data,” says Ioannis Kouvakas, a lawyer at Privacy International. “Mining our facial features or sharing them with the police and other companies far exceeds our expectations as internet users.”

“It seems that Clearview mistakenly believes that the internet is a public forum from which anyone can grab whatever they want,” adds Lucie Audibert, a lawyer at Privacy International. “This perception is completely wrong. Such practices threaten the open nature of the internet and the countless rights and freedoms it encompasses.”

The relevant authorities now have 3 months to respond to our complaints. We expect them to cooperate and jointly decide that Clearview AI’s practices have no place in Europe.

Clearview AI became internationally known in January 2020 when a New York Times investigation revealed its practices, which until then had been shrouded in a veil of mystery. The 5 complaints filed add to a series of investigations launched following these revelations.

“Just because something is on the internet does not mean that others can use it in any way they wish. The Data Protection Authorities need to take action,” says Alan Dahi, a privacy lawyer at noyb.

Other reports made it known that Clearview AI had developed partnerships with law enforcement authorities in several European countries. In Greece, following questions submitted by Homo Digitalis, the Greek police have officially stated that they have not used the services of this company. “It is important to intensify the control. Data Protection Authorities have strong investigative powers and we need a
coordinated response to such collaborations between public and private entities,” says Marina Zacharopoulou, a lawyer and member of Homo Digitalis.

Because of its intrusive nature, the use of facial recognition technology, and especially the business models based on it, raises significant challenges for modern societies and the protection of our freedoms. Last month, the Italian Data Protection Authority stopped the use of live facial recognition by police authorities. “Facial recognition technologies threaten our lives both online and offline” says Fabio Pietrosanti, President of Hermes Center.

People living in Europe can ask Clearview AI if their face is in the company’s database and demand that their data be deleted. Privacy International has outlined the relevant steps in detail here.

Of course, support for the European #ReclaimYourFace initiative, which aims to end mass biometric surveillance in public places, is also important.

You can read more in the respective informative articles posted by Privacy International, noyb and Hermes Center.

You can read the complaint here.

Today, a petition was filed before the President of the Hellenic Data Protection Authority (Hellenic Data Protection Authority), Mr. Menoudakos, by Homo Digitalis, Reporters United and The Press Project (No. Prot. G/EIS/3129/12-05-2021), in which at least sixty-four (64) violations of the provisions of the legislation concerning the use of portable cameras in public places are complained of by the Hellenic Police (Hellenic Police). At the same time, the organizations are requesting that the HACCP exercise its investigative, corrective and advisory powers on this important issue.

In particular, in accordance with the provisions of Article 12 para. 2 of Decree 75/2020, the Hellenic Police, as the controller, must each time before the operation of a surveillance system in a public place, issue and notify the decision to operate this system at least on its website, specifying obligatorily: a) the time of activation, b) the duration of its operation, c) the range of its operation, d) its specific characteristics, and e) the justification of the feasibility of its use.

However, the Hellenic Police has not complied with the obligation to publish on its website the decisions to operate the surveillance systems it uses in public places. On the contrary, in breach of its statutory obligations, the Hellenic Police Service has consistently confined itself to publishing a simple notice on its website, which indicates only the number of each operating decision, the duration of operation of the surveillance systems and their place of operation in a general and vague manner.

In other words, that notice does not communicate the content of the operating decision and does not make any reference to the important information required by Article 12(1)(b). 2 of Decree 75/2020, namely the scope of operation of the surveillance system, its specific characteristics and the justification for its use. This last element is particularly important in the context of the principle of lawfulness of processing, as Article 5 of Decree 75/2020 requires that there are sufficient indications that specific criminal offences are being or will be committed in the public place in question and that there is a reasonable belief that there is a serious risk to public security.

Moreover, the EL.AΣ. denies access to these operating decisions even after filing requests for access to documents that citizens and members of the organizations Homo Digitalis, Reporters United and The Press Project had brought before it in December 2020. Therefore, it is obvious that the EL.AΣ. manages these operating decisions as confidential documents that it does not publish and to which it does not allow access, in violation of the provisions of Article 12 para. 2 of Presidential Decree 75/2020.

We consider these practices to be illegal and undermine the protection of personal data and the relevant safeguards provided for in the Legislative Decree 75/2020 within just a few months of its entry into force (September 2020). We therefore denounce the violations before the DPA, and request the latter to fully exercise its investigative, corrective and advisory powers.

The full text of our petition is available here.

Read more on the websites of Reporters United and The Press Project!

If you want to learn more regarding the use of intrusive technologies such as drones, cameras and facial recognition technologies in public spaces you can visit the European Citizens’ Initiative’s #ReclaimYourFace page and sign our campaign! Say a resounding yes to protect public space from intrusive biometric surveillance technologies!

Today, Tuesday 6 April 2021, Homo Digitalis and Sarantaporo.gr submitted joint proposals to the open consultation of the National Telecommunications and Postal Commission (EETT). The consultation concerns the determination of the location of the Terminal Network Point.

If you want to know why the location of the Network Termination Point is important for all internet users in Greece, you can read the very interesting and detailed article by ELLAK.

In essence, it is about the freedom to choose a router in Greece.

With their positioning Homo Digitalis and Sarantaporo.gr stress that end users should have the right to use terminal equipment of their choice.

The same position is supported by the Open Technologies Organisation – ELLAK, the Consumer Association EKPIZO, as well as the European organisation FSFE with the submission of respective proposals.

The positions of Homo Digitalis and Sarantaporo.gr are available here.

Proposals can be submitted until Friday 7 May at 15.00. If you want to support the freedom of router choice in Greece, you can read the EETT call and submit your proposals.

Homo Digitalis and Sarantaporo.gr have been working together for more than a year to lay the foundations to combat the digital exclusion of remote areas and communities of our country from the internet and digital services and at the same time to give citizens the opportunity to be informed and educated about modern networking technologies and the safe and effective use of the internet.