I HAVE RIGHTS and Homo Digitalis Publish Report on the Situation in the Samos Closed Controlled Access Centre (CCAC) One Year After the Fine Issued by the Hellenic Data Protection Authority for KENTAURUS and HYPERION Systems
The Hellenic Ministry of Migration (MoMA) continues to violate data protection rights of asylum seekers in the Samos Closed Control Access Centre (CCAC), I Have Rights and Homo Digitalis said in a report released today.
The report, titled “They Never Tell Us Anything”: Ongoing Data Rights Violations in the Samos CCAC analyses the implementation of a compliance order issued by the Hellenic Data Protection Authority (HDPA) in April 2024. In this historic ruling, the HDPA had found that MoMA’s use of surveillance technologies in reception facilities across Greece, including biometric access systems and surveillance infrastructure tools violates EU data protection laws (GDPR).
Ten months after the passing of the implementation period in July 2024, the report finds that MoMA has failed to comply with the order. “The ongoing violations of data protection rights in the Samos CCAC are emblematic of a system where control and surveillance are prioritised over the rights of those seeking protection” said Réka Rebeka Rósa, Legal and Team Coordinator at I Have Rights. “The European Union should press Greek authorities to address prevailing rights violations. Otherwise, these violations risk becoming a blueprint for further (digital) rights abuse of people on the move across Europe.”
The Samos CCAC opened in September 2021 as the first of the now existing five facilities in Greece, following an agreement between the European Commission and the Greek Government in 2020. Since its opening, NGOs, international human rights experts and people held in the facility have consistently raised concerns about the facility’s securitised infrastructure, de facto detention practices, and inadequate living conditions.
These concerns are exacerbated by the overall lack of transparency in the Greek asylum procedure and opaque surveillance system in the Samos CCAC.
As one client explained about the intransparency of biometric data collection: “No, no one explains it. They only take fingerprints and take us from one place to another, and we do it without knowing why. There is no person to explain what is happening.”
Greece has legal and moral obligations to uphold fundamental rights and data protection rights of asylum seekers, as enshrined in the European Charter of Fundamental Rights and GDPR. The European Union, in particular the European Commission – given its central role in conceptualising, financing, operating, and monitoring the CCACs in Greece – bears responsibility to ensure that these standards are fully respected. “The continued lack of GDPR compliance, in terms of transparency and accountability in the deployment of the Centaur and Hyperion surveillance systems, at the Samos CCAC reflects a disturbing erosion of the fundamental rights. By failing to meet even the basic requirements of data protection in practice, MoMA is reinforcing a dangerous trend of surveillance-driven border management that dehumanizes people on the move” said Eleftherios Chelioudakis, Executive Director at Homo Digitalis.
We successfully participated at the panel "AI, Ethics & Family" at the event organized by the Leonteios School Network
Another proud moment! Our co-founder Stefanos Vitoratos and partner at Digital Law Experts (DLE) participated earlier the previous week, in the LeonteiosAI- Shaping the world of education Conference held at the iconic Acropolis Museum, as a Leonteios School Athens alumni and a member of the LeonteiosAI Committee!
Stefanos has contributed to the initiative on adopting AI as part of the school’s educational procedure. Heartfelt thanks to the organizers and committee members for assembling such an inspiring and forward-thinking group of professionals.
Homo Digitalis participates in the panel "AI, Ethics & Family" at the Artificial Intelligence event of the Leonteios School Network
Homo Digitalis is delighted to take part in the panel “AI, Ethics & Family” during the event organized by the Leonteios School Network, titled “LeonteiosAI – Shaping the Future of Learning.”
Stefanos Vitoratos, Co-Founder of Homo Digitalis and Partner at the law firm Digital Law Experts (DLE), is representing us at the event.
Our fellow panelists include representatives from key institutions, including the Minister of Social Cohesion and Family, Ms. Domna Michailidou.
The event will take place at the Acropolis Museum (Amphitheater “Dimitrios Pandermalis”) on April 8, 2025.
From Secrecy to Transparency: The Five-Year Battle for the Publication of Police Camera Operation Decisions
Strategic legal action takes time, but its outcomes benefit society as a whole, strengthening public trust in institutions.
In December 2020, Homo Digitalis, in collaboration with Reporters United and The Press Project, formally requested access to the Hellenic Police’s decisions regarding the operation of drones and other portable cameras in public spaces, as stipulated in Article 12 of Presidential Decree 75/2020. Despite the legal obligation to publish these decisions publicly, the police refused access, disregarding the transparency required by law.
A few months later, in May 2021, we filed a joint complaint before the Hellenic Data Protection Authority (HDPA), citing repeated non-compliance by the police—at least 67 times over a short period. The HDPA launched an investigation into the legality of these practices.
In early 2024, we submitted a request for access to HDPA documents to better understand the progress of the investigation. Correspondence between the Hellenic Police and the HDPA revealed that, even as of March 2024, the police continued to argue that Presidential Decree 75/2020 did not require them to publish camera operation decisions, despite the HDPA’s opposing view.
Yesterday, through a report by journalist Giannis Bazaios in Efimerida ton Syntakton, we learned that such a decision had been published on the Hellenic Police’s website. Indeed, upon verification, we found that as of February 17, 2025, the police had changed their practice and begun publishing these decisions as required by law. The report was published today online here.
From the initial refusal in 2020, it took five years for this change to be implemented. We now eagerly await the final decision of the HDPA and the conclusion of its investigation, which will establish a definitive framework for transparency and accountability within law enforcement.
We co-sign an CSO Open Letter on the proposed GDPR Procedural Regulation
As the trilateral negotiations at the EU level continue regarding the proposed regulation on additional procedural rules for the enforcement of the GDPR, we, together with European Digital Rights and 34 other Civil Society organizations, join our voices in an open letter to lawmakers!
We urge them to prioritize strong enforcement mechanisms that ensure individuals can effectively exercise their rights while highlighting the systemic weaknesses in the enforcement of GDPR provisions.
Read the open letter here.
We sign a common CSO statement for the AI Summit on the protection of environment
Ahead of the AI Action Summit in France, 100+ civil society organisations from around the world have an urgent message for governments and industry leaders: The environmental and human costs of AI are too high – we need action now.
Our 5 key demands:
-Phase out fossil fuels
-Bring computing within limits
-Ensure responsible supply chains
-Enable equitable participation
-Advance meaningful transparency It’s time for AI to be sustainable, just, and accountable.
You can read our full demands here.
You can co-sign our common statement here.
Statements from Homo Digitalis in an article by Reporters United, Investigate Europe & EfSyn on the AI Act
Following the investigation and related revelations carried out last week by Reporters United, Investigate Europe, and EfSyn regarding the trilateral meetings on the AI Act and the negative stance of the Greek government on the security safeguards for biometric identification at a later stage, today in a new report, journalist Εurydice Bersi highlights how various state bodies have been systematically violating for years the security safeguards that European data protection legislation provides for the artificial intelligence systems already in use in our country.
We sincerely thank the journalist for her interest in our related actions and for the opportunity to provide some brief comments on the challenges we have identified and the lack of compliance that has been evident over time. Our statements were represented by Eleftherios Chelioudakis.
In fact, as part of the journalists’ investigation, a request for access to information has already been submitted, calling on the Greek government to disclose the documents with its positions on the trilateral meetings!
You can read the related article and their detailed investigation here.
Open Letter to the President of the European Commission to Stand Up Against Big Tech Companies
Over 40 civil society organizations, across the EU and the US, have an urgent message for the European Commission and President Ursula von der Leyen. Now is the time to stand up to the bullying by Big Tech companies and their allies in the Trump administration.
Europe must commit to strong enforcement of the DSA, DMA regulations, and other digital laws to protect people, our democracy, and our economy!
Read our open letter here.
Civil Society Demands: EU Commission Must Close e-ID Loopholes!
The final technical design of the European Digital Identity Wallet is currently under negotiation. These blueprints will have a big impact on whether or not users will be sufficiently protected when using Europe’s upcoming digital identity system. In concrete terms, this is currently being negotiated in the eIDAS implementation acts between the EU member states and the European Commission.
The positive changes in the first batch of technical rules show: Civil society works! Together with 15 organisations we thank the negotiators and acknowledge these significant improvements for privacy and human rights safeguards. The most recent proposals, however, still have some severe privacy and transparency problems that we address in our open letter to the European Commission.
What is the problem?
The eIDAS regulation lays out concrete rules for those companies and government agencies who want to access personal information from citizens’ Wallets. This could be for example an online platform, a public transport company or your doctor. It obliges these so-called “relying parties” to register their intended use of the Wallet, that is which attributes they intend to request from users. The regulation also prohibits them from asking information that goes beyond their registration. This could mean for example that, according to its registration, an online shop is only allowed to ask for your name and address but not your birth date or other information. A porn platform might use the Wallet to verify your age, but couldn’t obtain not any other information about you or use other means to track your behaviour.
To protect everyone from such illegal requests, the EU’s Digital Identity Wallet needs to know what personal information a relying party is actually allowed to access. The EU Commission, however, proposes a loophole which would leave it to the Member State that registered the relying party to decide whether the Wallet knows about the contents of the registration or not. This would allow Facebook Ireland to circumvent the protections and ask European users for everything. Furthermore, the public register of relying parties risks being useless without harmonised specifications on how to access it and what results to expect. Ultimately, the trust we will put in the Wallet will depend on the protections and transparency that we can rely on.
15 Organisations demand: The Commission’s Loopholes Must be Closed!
If these loopholes remain, this would have disastrous consequences. Any discrimination based on illegal access to attributes in the Wallet (health, gender, income, etc.) would be unchecked. Given the track record of lax data protection enforcement in countries like Ireland, companies like Facebook Ireland would likely have a wildcard certificate, virtually empowering them to request any data they want. Member States dedicated to protecting their users from illegal requests (e.g. Germany, the Netherlands, Spain or Austria), on the other hand, would be incapable of doing so.
We therefore ask the Commission to make relying party registration certificates mandatory for all relying parties and to issue a harmonized specification to access the relying party registry of each Member State.