Greek Ministry of Asylum and Migration faces a record-breaking €175,000 fine for the border management systems KENTAUROS & HYPERION

On 3 April, the Greek Data Protection Authority (DPA) slapped the Ministry of Asylum and Migration with a record-breaking €175,000 fine under the General Data Protection Regulation for the border management systems KENTAUROS and HYPERION. The DPA’s investigation started back in 2022, following a strategic complaint filed by the EDRi member Homo Digitalis and its partners in Greece.

By Homo Digitalis (guest author) · April 17, 2024

GDPR violations on data protection impact assessments and data controller’s obligations

On 3 April, the Greek Data Protection Authority (DPA) issued a record-breaking €175,000 fine to the Ministry of Asylum and Migration. The fine relates to the border management systems KENTAUROS and HYPERION managed by the Ministry. This is the highest fine ever imposed on a Greek public body by the DPA due to GDPR violations.

KENTAUROS is a surveillance system deployed in the reception and accommodation facilities for asylum seekers. The aim of the system is to manage the electronic and physical security around and inside these spaces. The system is composed of different technologies, including CCTV cameras, drones and artificial intelligence behavioural analytics algorithms. HYPERION is a multi-purpose information and communications technology system, used as the main tool for controlling access (entry and exit) to the above-mentioned facilities by processing biometric data (fingerprints).

The DPA’s decision highlights that the Hellenic Ministry of Asylum and Migration (HMAM) failed to conduct a comprehensive and coherent Data Protection Impact Assessment (DPIA) in accordance with the principles of data protection by design and by default, prior to the procurement and implementation of the KENTAUROS and HYPERION systems. According to the decision, this constituted a breach of Articles 25 and 35 GDPR and the DPA imposed a fine of €100,000 for this violation.

In addition, the DPA held that the communication and cooperation with HMAM was very problematic. The documents submitted before the DPA contained unclear, incomplete, confusing and contradictory information. Additionally, HMAM refused to submit to the DPA any contracts with data processors containing clauses relating to the processing of personal data in the KENTAUROS and HYPERION systems in accordance with Article 28 of the GDPR, claiming reasons of secrecy.

Also, the HMAM failed to provide clarifications on the data processing activities carried out in the context of KENTAUROS, in particular about its automated functions and the interoperability of KENTAUROS and HYPERION with other public sector systems, including those operated by the Hellenic Police on criminal matters. For these reasons, the DPA fined HMAM an additional €75,000 for violating Article 31 GDPR, resulting in a record-breaking total fine of €175,000.

Finally, the DPA obliged HMAM to take all necessary steps to comply with its data controller’s obligations within a period of three months. The HMAM has already published a press release, declaring that it is assessing the possibility of challenging the DPA’s decision before the courts.

Civil society and academia sounded the alarm about KENTAUROS & HYPERION long ago

Back in the summer of 2021, the Hellenic Ministry of Digital Governance mentioned the development of KENTAUROS and HYPERION systems in the Digital Transformation Bible 2020-2025. In reaction, the EDRi network and the EDRi member Homo Digitalis started collecting evidence about these systems on a joint research project. The aim of the investigation was to explore potential shortcomings and compliance challenges with the applicable data protection framework. In order to complement this work, in October 2021, EDRi and Homo Digitalis filed an access to documents request before the Secretary General for Asylum Seekers of the Ministry of Asylum and Migration, requesting information about these systems and the steps taken to ensure compliance with the Greek Data Protection Act. However, there was no reply to this request.

These developments caught the attention of the European Parliament Committee on Civil Liberties, Justice and Home Affairs. In December 2021, the Committee requested from the Hellenic DPA information about KENTAUROS and HYPERION. In early February 2022, EDRi member Homo Digitalis in cooperation with the civil society organisations Hellenic League for Human Rights and HIAS Greece, as well as the academic Niovi Vavoula, co-submitted a request for investigation before the Hellenic DPA on these two systems. That resulted in the DPA opening an investigation on this matter. In July 2022, the Delegation of the United Nations High Commissioner for Refugees in Greece also submitted an open letter about these systems before the DPA to express their concerns.

People on the move, such as asylum seekers, are targeted by these intrusive technologies. Strong evidence has shown that the deployment and use of such surveillance technology could increase state surveillance on marginalised communities and lead to human rights infringements. It is important to highlight that KENTAUROS and HYPERION are not the only technology-led tools deployed in border management procedures in Greece. In 2021, the Hellenic Police acquired smart policing gadgets, which allow for the use of facial recognition and fingerprint identification technologies during police stops targeting undocumented migrants living in the country. Moreover, the Hellenic Coast Guard has contracted a private vendor to develop an AI social media monitoring tool. The aim is to use this software for surveilling the exchange of information on migration matters on social media channels and instant messaging applications, as well as for predicting migration flows towards Greece and for profiling individuals. EDRi member Homo Digitalis has opened cases against the above-mentioned projects before the Hellenic DPA, in collaboration with local civil society organisations (CSOs) and the EDRi member Privacy International.

CSOs as natural allies of DPAs

As the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, has stated in the past, DPAs and CSOs are natural allies when it comes to putting data protection principles into practice, empowering individuals to assert their rights and holding data controllers accountable for their actions.

Such collaborations and meaningful engagement are even more important in countries like Greece, where national supervisory authorities remain seriously underfunded and limited in terms of human resources. In its latest annual report, the Greek DPA highlights that it faces a risk of eviction from its office spaces. In March 2023, it was already forced to vacate one of the two floors on which it was housed. In the same report, the DPA underlines the huge volume of incoming cases and the considerable effort it takes to fully meet its mission while dealing with serious understaffing and a low budget. For instance, the DPA currently has only 50 active staff members, while its 2023 budget was decreased to €2,219,000.

Despite the fact that the Greek DPA remains understaffed, with a reduced budget, facing even the risk of eviction from its premises, it has fulfilled its mission and maintained citizens’ trust in the independent authorities. But this cannot be the norm: DPAs need more support from the state, so they can continue their important work of protecting people’s rights. While CSO coalitions like Protect Not Surveil can provide important contributions to the work of the DPAs in investigating the impact of intrusive new technologies on data protection and other fundamental rights of people, it is EU Member States that carry the responsibility to provide funding and resources.

The Hellenic Ministry of Asylum and Migration now has a three-month deadline to comply with its obligations as a data controller arising from GDPR. Homo Digitalis, together with its strong allies at the EU and national level, will closely monitor these developments and report back on existing or new challenges that arise for the human rights of the affected people. It remains to be seen how such compliance efforts can be successful when data protection matters appear to have been neglected by the data controller since the design phase of these intrusive systems.

Contribution by: Eleftherios Chelioudakis, Co-founder, EDRi member, Homo Digitalis