The Hellenic DPA is requested to take action against the deployment of ICT systems IPERION & KENTAUROS in facilities hosting asylum seekers in Greece
Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece and Dr. Niovi Vavoula, Lecturer at Queen Mary University of London submitted before the President of the Hellenic Data Protection Authority (HDPA) on 18.2.2022, a request for the exercise of its investigative powers regarding the deployment of the ICT systems IPERION and KENTAUROS in facilities hosting asylum seekers in Greece (protocol number 2515/18.02.2022).
In particular, as described in the relevant website of the Ministry of Digital Governance for the area of migration and asylum, as well as in the annual action plan of the Ministry of Immigration and Asylum:
- The IPERION system will be the asylum seekers’ management system with regard to all the needs of the Reception and Identification Services. It will include a detailed record of the data of asylum seekers and it will be interconnected with the ALKYONI II system with regard to the asylum application. In addition, it will be the main tool for the operation of all related facilities as it will be responsible for access control (entry – exit through security turnstiles, with the presentation of an individual card of a migrant, NGO member, worker and simultaneous use of fingerprints), the monitoring of benefits per asylum seeker using an individual card (food, clothing supplies, etc.) and movements between the different facilities. At the same time, the project includes the creation of a mobile phone application that will provide personalized information to the user, will be his/her electronic mailbox regarding his/her asylum application process and will enable the Service to provide personalized information. It is important to note that the IPERION system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is already underway. Furthermore, explicit reference is made to this system in Article 7(2) of the General Regulation on the Operation of Closed Controlled Island Facilities. Therefore, it is understood that the IPERION system will process biometric and biographical data of asylum seekers, as well as of NGO members visiting the relevant structures and of people working in them.
- The KENTAUROS system will be a digital system for managing electronic and physical security around and inside the facilities, using cameras and Artificial Intelligence Behavioral Analytics algorithms. It includes centralised management from the headquarters of the Ministry of Digital Governance and the following services: signaling perimeter breach alarms using cameras and motion analysis algorithms; signaling of illegal behavior alarms of individuals or groups of individuals in assembly areas inside the facility; and use of unmanned aircraft systems to assess incidents inside the facility without human intervention, among other functions. It is noted that the KENTAUROS system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is planned. Therefore, it is understood that the KENTAUROS system incorporates highly intrusive technologies, such as behaviour analysis algorithms, drones and closed circuit surveillance cameras, which create important challenges for the protection of privacy, personal data and other rights.
It is worth noting that Homo Digitalis submitted on 13 October 2021 a request for information re IPERION and KENTAUROS systems before the Secretary General for Asylum Seekers of the Ministry of Immigration and Asylum, Mr Logothetis. Nevertheless, Homo Digitalis did not receive a response from the competent bodies, even though the relevant deadline for reply has already expired.
Based on all of the above, it is understood that there is a serious risk that the installation of these systems could violate the European Union legislation on the processing of personal data and the provisions of Law 4624/2019, while there is also a significant risk that the installation of these systems without the preparation of the necessary Data Protection Impact Assessment may cause a serious violation of the rights and freedoms of data subjects who are hosted in these facilities, visit the facilities, or are employed in them. Finally, the possible creation of databases (including biometric data and other special categories of data) to assist the operation of these systems is not foreseen by any national legal rule providing the necessary safeguards for the rights of data subjects, thus raising significant challenges.
The Hellenic Coast Guard wants to acquire social media monitoring software: The Hellenic DPA is urged to exercise its investigative and supervisory powers
Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece, Privacy International and the researcher Phoebus Simeonidis submitted before the President of the Hellenic Data Protection Authority (HDPA) on 14.2.2022, a request for the exercise of its investigative powers regarding a procurement tender published by the Hellenic Coast Guard for the acquisition of a Social Media Data Collection Software (protocol number 2322/15/2/22).
Specifically, as pointed out on 2/2/2022 by researcher Phoebus Simeonidis, in the framework of the European Commission’s “Internal Security Fund” (ISF) program, the Hellenic Coast Guard – Ministry of Maritime Affairs published a tender for the “Upgrade/maintenance of the computer room of the Directorate of Maritime Border Security and Protection” with a total estimated contract value of seven hundred and thirty thousand euros (730.000,00€), including VAT and other deductions.
One of the deliverables described in this call for tender (see page 34 et seq.) is the supply of Social Media Data Collection Software (hereinafter referred to as Software). As explicitly stated by the Ministry of Maritime Affairs in this notice, the Software should support the social networks Facebook, Twitter, VK, Xing, Instagram, and Telegram, and some of the necessary features as described are:
– The creation of a visualization of multiple correlations (friends, comments, posts, likes and followers).
– The identification of user identifiers including their searches, and
– The simulation of human activity to avoid account blocking.
Specifically for Facebook, the software should allow, among other functions, storage of a profile’s public contact list, storage of all 2nd degree public contacts, storage of public timeline posts (including images, videos, linked YouTube videos, comments and reactions), storage of image galleries, storage of published account information (employer, residences, education), and searching accounts for specific personal characteristics.
With respect to Twitter, the Software should, among other functions, allow for the storage of audience following a profile list, storage of all public contacts of the 2nd degree (Followers List), and storage of public messages (including images, videos, linked YouTube videos, and likes).
For Instagram, the Coast Guard is seeking the Software to allow, among other things, storage of the follower list, storage of the public list following a profile, storage of public comments per profile by time sequence including images, videos, linked YouTube videos, and storage of timelines and Profile Stories.
With regard to Telegram, the software must allow the storage of participants in group conversations (up to 10,000 participants), as well as the storage of the full content of each group conversation (text and photos or other material shared in them).
It is therefore clear that the software in question seeks to monitor an indeterminately large number of users of the social networks in question, and to collect, process and analyse their information, without indicating the purpose of the processing operations, the legal bases that allow them and any other safeguards for the protection of personal data, as the European Data Protection Supervisor has expressly stated in a case of similar software maintained by the European Support Office for It is also worth noting that the European Border and Coast Guard Agency (FRONTEX) had in 2019 withdrawn a related call for tender for the procurement of similar social media data collection software, following a successful action by Privacy International.
Thus, the procurement of this software will be a clear challenge to the right to the protection of personal data and respect for the principle of lawfulness of processing, the principle of purpose limitation and the principle of proportionality (data minimisation) as outlined in EU and national legislation, as well as the rights to respect for privacy and freedom of expression.
Also, the creation of a fake account simulating human activity is contrary to the terms of use of the social media and messaging services mentioned in the tender, while the logging of searches of third party accounts is a highly intrusive activity. The recording and monitoring of group conversations on Telegram is, of course, also highly intrusive.
Joint Announcement by the Hellenic League for Human Rights & Homo Digitalis: A Missed Opportunity for the Education of Students Facing the Challenges of the Digital Age
On 16 November, the Independent Authority for the Protection of Personal Data (hereinafter the Authority), in the context of its constitutionally enshrined role, published its decision No 50/2021 on the implementation of the e-learning system in primary and secondary education during the pandemic. In this decision, the Authority examined ex officio the compliance of the Ministry of Education with the recommendations of its Opinion No 4/2020 and identified certain shortcomings and violations of personal data legislation, for which it reprimanded the competent Ministry of Education and Religious Affairs, setting a deadline for compliance.
In particular, the Authority examined the updated Data Protection Impact Assessment and found deficiencies in areas such as: (a) the Ministry’s detailed investigation of the legitimacy of the processing purposes; (b) the information provided to data subjects on the operation of the system; (c) the security measures in place; (d) the expression of the opinion of data subjects or their representatives on the envisaged processing; (e) the proper assessment of the transfer of data to countries outside the EU.
A simple reading of the Authority’s 46-page detailed decision shows the extreme moderation in its tone, the high degree of restraint and its generally mild character, which is also apparent from the emphasis it places on the objective nature of its remarks. The Authority also took its decision at a time when tele-education was not in operation, so as not to disturb the smooth functioning of the educational instruction. It leaves no doubt in the mind of a bona fide observer that the purpose and spirit of the Authority is to improve the system so that, if it should, by any chance, have to be reopened, it will be under improved conditions of protection of users’ personal data. It should be noted that the reprimand that the Authority has issued is one of its most lenient remedial powers, as the General Data Protection Regulation (GDPR) allows for very high administrative fines, which can amount to several million euros per violation.
The Authority has provided the Ministry with an ideal opportunity to use its findings, in particular with regard to the information provided to data subjects, the security measures in place and the expression of data subjects’ views on the processing, so that the Ministry can integrate them into the educational process in order to deepen the education of pupils on their rights in the face of the challenges of digital technology. In this way, the Ministry would set a good example, showing that the public authority is always trying to improve and enhance the level of protection of the personal data of the users of its services.
Unfortunately, the Ministry of Education and Religious Affairs did not seize this opportunity. It issued a statement in an extremely strong tone and, what is worse, included in it its response to the Official Opposition, revealing an attempt to question the independence of the Authority in order to politicise it. The Ministry of the Interior has committed a serious institutional faux pas and a major institutional impropriety by manifesting, quite unjustifiably, a spirit of antagonism towards the Authority and by using strong language, such as: “Due to the sudden change of course on the part of the Authority and bypassing its ongoing dialogue with the Ministry of Education and Religious Affairs”, “no deviations from the data protection rules were ever pointed out, and certainly not those just invoked for the first time by the Authority to justify its new decision”, “while tele-education is no longer applied and our schools have returned to normal, an extraordinary meeting is curiously convened”, “to date, no failure has ever been pointed out by the Authority in relation to the information provided in the midst of the pandemic”, “the Ministry of Education and Religious Affairs certainly respects the Decisions of the Independent Authorities. However, these decisions are subject to judicial review.”
The Hellenic League for Human Rights calls on the Executive and in particular the Government and the Ministries not to undermine the position and work of the Independent Authorities and to accept the constitutional role of the Independent Authorities which are the guardians of citizens’ rights and stand by society against public and private authorities that threaten fundamental rights, especially in the digital age. Already many of the Independent Authorities face significant challenges as they operate with limited financial and human resources. Ministers must learn to be accountable to the Independent Authorities and must cooperate with them, because ultimately the Independent Authorities derive their authority from the enlarged majority of the Parliament that has elected them and from the authority of the fundamental rights enshrined in the Constitution, the ECHR and the EU.
The public questioning of the work of the constitutionally guaranteed Independent Authorities by Ministers, with expressions and positions that constitute a direct accusation of a lack of integrity and independence, may damage the credibility of the Independent Authorities, the foundations of their operation and ultimately the protected trust of citizens.
Such actions directly challenge the popular mandate for the establishment and functioning of the constitutionally enshrined Independent Authorities and are within the limits of the democratic order, if not beyond it. Ministers do not exercise hierarchical control over the Independent Authorities. They are well advised to respect the few remaining counterweights to authority in this country, for the sake of the citizens.
Instead of these actions, Ministers should seek to strengthen the Independent Authorities that have greater needs with further financial resources and human resources. Such a development would clearly be very positive in terms of strengthening the control of the executive, with the direct effect of strengthening the foundations of our democratic constitution.
CEPS final study on Cybersecurity and Artificial Intelligence published
The Centre for European Policy Studies – CEPS working group on Cybersecurity and Artificial Intelligence has published its final study! More than 100 pages of analysis, the result of hard work, are now freely available!
We would like to thank the main authors of the study Lorenzo Pupillo, Stefano Fantin, Afonso Ferreira and Carolina Polito for their excellent collaboration from 2019 to date, as well as for the explicit mention of Homo Digitalis’ contribution to the chapter on privacy and data governance.
Homo Digitalis has been a member of the working group since September 2019 and during this time we have had the opportunity to exchange views and ideas with leading actors by actively participating in meetings, conferences and presentations and promoting the protection of human rights in our field of action.
Our representative in the CEPS Working Group on Cybersecurity and Artificial Intelligence was our co-founding member and secretary of our Board, Lefteris Chelioudakis.
You can read the study here.
Open Letter on the dangers of using deep packet inspection
Today, 15 May 2019, European Digital Rights (EDRi) along with 45 other civil society organizations, academics and private actors from 15 different countries, including Homo Digitalis, sent an open letter to European legislators informing them of the dangers resulting from the extensive use of deep packet inspection technology.
This technology has significant potential for intrusion into user privacy, but mobile operators continue to use it to investigate the content of our communications and to collect information such as the applications we use and the material we see on the internet. By extending zero-rating to almost all EU Member States (except two), companies use this technology to provide packets that give access to only specific services and service providers (e.g. packets for exclusively Internet use for specific social networking platforms etc.).
You can learn more about the open letter in the relevant EDRi article and see the full text here.
Concept Note to the United Nations Committee on the Rights of Children
Today, Homo Digitalis, responding to the invitation of the UN Committee on the Rights of the Child (‘CRC’), submitted a Concept Note on children’s rights in relation to the digital environment.
The note will be used by the CRC in the adoption of the General Comment on children’s rights in relation to the digital environment.
You can read the note in English here.
Homo Digitalis submits a memorandum on the Personal Data Draft Law
On Tuesday 26 February 2019 Homo Digitalis, as a follow-up to the meeting with the Special Regulatory Committee of the Ministry of Justice, Transparency and Human Rights for the Draft Law on Personal Data, submitted a memorandum containing proposals to the Committee.
Homo Digitalis argued for the adaptation of provisions on the Draft Law for Personal Data, enabling civil society organizations to support citizens’ rights, according to Article 80, paragraph GDPR.
You can read the whole memorandum in Greek here.
Homo Digitalis files a petition to the Greek Parliament concerning the use of the “IBORDERCTRL” system in the Greek borders
On the 5th of November, Homo Digitalis filed a petition to the Greek Parliament (protocol number: 4661) concerning the use of the “IBORDERCTRL” system at the Greek borders, posing specific questions to the responsible Minister.
According to the official pages of the European Commission and of “IBORDERCTRL” on the pilot application of this system in Greece, which was funded by the H2020 program with the amount of 4.501.877 euros, the system will be used at the Greek borders with Albania, Bulgaria, FYROM and Turkey for pedestrians, cars, buses, train passengers and merchandise trains that cross these borders.
KE.ME.A, which is supervised by the Minister of Public Safety, will be responsible for the first 3 categories. As for the other 2 categories, KE.ME.A will be responsible in cooperation with ΤΡΑΙΝΟΣΕ.ΑΕ, which is now a limited liability company belonging to the Italian Ferrovie dello Stato Italiane Group.
The system IBORDERCTRL is known to be able to identify false statements of the passengers based on their facial expressions. However, the 10 documents that evaluate the technical specifications of this system (Requirement Analysis Report, Reference Architecture and components specifications, Data Collection Devices – specification, First version of all technological tools and subsystems, Second version of all technological tools and subsystems for integration, First version of the iBorderCtrl software platform, Second version of the iBorderCtrl software platform, Integration Plan, Early version of the integrated prototype and Experimental Design for Pilot Deployment and Evaluation) remain strictly confidential.
As a result, it is impossible for the scientific experts to inspect and confirm the claims of the developers of this system. Therefore, its credibility and reliability cannot be proven.
Moreover, all the research concerning its progress and development (Periodic Progress Report, Annual Report, Periodic Progress Report 2, Annual Report 2) also remains confidential, a fact that makes the inspection of its technical specifications impossible.
Finally, all the files of legal and ethics evaluation also remain confidential (Ethics advisor’s first report, Ethics of profiling, the risk of stigmatization of individuals and mitigation plan, Ethics Advisor, EU wide legal and ethical review report) thus nobody can confirm if that system is compatible with the legislation of the European Union.
Specifically, it is impossible to check whether data subjects are given specific notice of the right to obtain human intervention, the right to express an opinion, the right to obtain the reasoning of the decision reached through the evaluation of the IBORDERCTRL system, and the right to challenge that decision.
Furthermore, due to the confidential character of the legal and ethics evaluation research, there is no guarantee that the IBORDERCTRL system does not reach decisions based on personality-trait parameters, which are inherently sensitive with regard to fundamental rights and liberties under Articles 10 and 11 of Directive 2016/680 and the terms established by Articles 21 and 52 of the EU Fundamental Rights Charter.
Therefore, European citizens paid 4.501.877 euros for this system via the H2020 program while having zero access to its technical specifications to check the credibility of the system, nor can they confirm whether its use is actually legal, since access to any legal review is confidential, as mentioned above.
On the contrary, according to the European Commission website, the entities that participated may gain the amount of 118 billion euros due to the technical know-how that they provided and the growing market of the border security systems.
You can see the whole content of our Report and our questions to the Minister in charge in Greek HERE.
Homo Digitalis submits a report to the Greek Parliament for the negotiations concerning ePrivacy
On 23/10/18, in the context of the negotiations for the reform of the established legislation (Directive 2002/58/EC) with regard to the processing of personal data and the protection of privacy in digital communications, Homo Digitalis submitted a report to the President and the Vice-Presidents of the Greek Parliament, posing specific questions to the responsible Minister.
The questions as they were submitted in the report:
- Given the growing importance of the principles of privacy by design and privacy by default for securing the integrity and credibility of digital communication, does the Greek Government support the adoption of these principles in the text of the proposed European regulation for the protection of private life in digital communications?
- Given the important decisions taken by the Court of the European Union concerning the retention of data generated or processed in connection with the provision of publicly available digital communication services (ECJ, Joint cases C-293/12 and C-594/12, Digital Rights and others, 8 April 2014, and ECJ, Joint cases C-203/15 and C-698/15, Tele2 Sverige AB v. Post- och telestyrelsen and UK Home Office v. Tom Watson and others, 21 December 2016), does the Greek Government commit to opposing any reform of the text of the proposed European Regulation that would diverge from these decisions?
- Given the need for a common legal framework that will clearly regulate the processing of private data and the protection of privacy in digital communications, does the Greek Government believe that the creation of 2 different and divergent legal frameworks for communications, one regulating communications in transmission and a second regulating communications stored by the companies providing digital communication services, constitutes a correct approach to the legal issues that may arise?
- Finally, given the need to create a special legal framework that will reinforce the provisions of the GDPR and provide enhanced protection for the processing of private data and the protection of privacy in digital communications, does the Greek Government guarantee the fast finalization of the text under negotiation of the European Regulation for the protection of privacy in digital communications?
Homo Digitalis encourages the Greek Parliament members to adopt this Report.
On the same day, Homo Digitalis submitted a letter to the Minister of Justice, Mr. M. Kalogirou.
You can see the full content of the Report in Greek HERE.