Greek data watchdog to rule on AI systems in refugee camps

Security systems a hallmark of new EU camps

Centaur and Hyperion are hallmarks of Greece’s newest migrant facilities, also known as Closed Controlled Access Centres (CCACs), which began opening in the eastern Aegean in 2021 with funding and supervision from the European Commission (EC). Greek authorities have lauded the surveillance apparatus at the revamped facilities as a silver-bullet solution to the problems that plagued previous makeshift migrant camps in Greece.

The Centaur system allows authorities to monitor virtually every inch of the camps’ outdoor areas – and even some indoor spaces – from local command and control centres on the islands, and from a centralised control room in Athens, which Greece’s former migration minister Notis Mitarachi unveiled with much fanfare in September 2021.

“We’re not monitoring people. We’re trying to prevent something bad from happening,” Anastasios Salis, the migration ministry’s director general of ICT and one of the self-described architects of the Centaur system, told me when I visited the ministry’s centralised control room in Athens in December 2021. “It’s not a prison, okay? It’s something different.”

Critics have described the new camps as “prison-like” and a “dystopian nightmare”.

Behind closed doors, the systems have also come under scrutiny by some EU authorities, including its Fundamental Rights Agency (FRA), which expressed concerns following a visit to one of the camps on Samos Island in May 2022.

In subsequent informal input on Greece’s refugee camp security measures, the FRA said it was “concerned about the necessity and proportionality of some of the measures and their possible impact on fundamental rights of residents” and recommended “less intrusive measures”.

Asked during the control room tour in 2021 what is being done to ensure the operation of the Centaur system respects privacy laws and the EU’s General Data Protection Regulation (GDPR), Salis responded: “GDPR? I don’t see any personal data recorded.”

‘Spectacular experimentation’

While other EU countries have experimented with myriad migration management and surveillance systems, Greece’s refugee camp deployments are unique.

“What we see in Greece is spectacular experimentation of a variety of systems that we might not find in this condensed way in other national contexts,” said Caterina Rodelli, a policy analyst at the digital rights non-profit Access Now.

She added: “Whereas in other European countries you might find surveillance of migrant people, asylum seekers … Greece has paved the way for having more dense testing environments” within refugee camps – particularly since the creation of its EU-funded and tech-riddled refugee camps.

The Samos facility, arguably the EU’s flagship camp, has been advertised as a model and visited by officials from the UK, the US and Morocco. Technology deployments at Greece’s borders have already been replicated in other European countries.

When compared with other Mediterranean states, Greece has also received disproportionate funding from the EU for its border reinforcement projects.

In a report published in July, the research outfit Statewatch compared commission funds to Greece between 2014 and 2020 and those projected to be paid between 2021 and 2027, finding that “the funding directed specifically towards borders has skyrocketed from almost €303m to more than €1bn – an increase of 248%”.

Greece’s Centre for Security Studies, a research and consulting institution overseen by the Greek minister of citizen protection, for example, received €12.8m in EU funds to develop border technologies – the most of any organisation analysed in the report during an eight-year period that ended in 2022.

Surveillance and security systems at Greek refugee camps are funded through the EU’s Covid recovery fund, known formally as the European Commission’s Recovery and Resilience Facility, as well as the Internal Security Fund.

Early warnings

At the heart of the Greek DPA probe are questions about whether Greece has a legal basis for the type of data processing understood to be required in the programs, and whether it followed procedures required under GDPR.

This includes the need to conduct data protection impact assessments (DPIAs), which demonstrate compliance with the regulation as well as help identify and mitigate various risks associated with personal data processing – a procedure the GDPR stipulates must be carried out far in advance of certain systems being deployed.

The need to conduct these assessments before technology deployments take place was underscored by the Greek DPA in a letter sent to the Greek migration ministry in March 2022 at the launch of its probe, in which it wrote that “in the case of procurement of surveillance and control systems” impact studies “should be carried out not only before their operation, but also before their procurement”.

Official warnings for Greece to tread carefully with the use of surveillance in its camps came as early as June 2021 – months before the opening of the first EU-funded camp on Samos Island – when the FRA provided input on the use of surveillance equipment in Greek refugee camps, and the Centaur project specifically.

In a document reviewed by Computer Weekly, the FRA wrote that the system would need to undergo “a thorough impact assessment” to check its compatibility with fundamental rights, including data protection and privacy safeguards. It also wrote that “the Greek authorities need to provide details on the equipment they are planning to use, its intended purpose and the legal basis for the automated processing of personal data, which to our understanding include sensitive biometric data”.

A botched process?

However, according to documents obtained through public record requests, the impact assessments related to the programs were only carried out months after the systems were deployed and operational, while the first assessments were not shared with the commission until late January 2022.

Subsequent communications between EU and Greek authorities reveal, for the first time, glaring procedural omissions and clumsy efforts by Greek authorities to backpedal into compliance.

For example, Greece’s initial assessments of the Centaur system covered the use of the CCTV cameras, but not the potentially more sensitive aspects of the project such as the use of motion analysis algorithms and drones, a commission representative wrote to Greek authorities in May 2022. The representative further underscored the importance of assessing “the impact of the whole project on data protection principles and fundamental rights”.

The commission also informed the Greek authorities that some areas where cameras were understood to have been placed, such as common areas inside accommodation corridors, could be deemed as “sensitive”, and that Greece would need to assess if these deployments would interfere with data protection, privacy and other rights such as non-discrimination or child rights.

It also requested more details on the personal data categories being processed – suggesting that relevant information on the categories and modalities of processing – such as whether the categories would be inferred by a human or an algorithm-based technology – had been excluded. At the time, Greek officials had reported that only “physical characteristics” would be collected but did not expand further.

“No explanation is provided on why less intrusive measures cannot be implemented to prevent and detect criminal activities,” the commission wrote, reminding Greece that “all asylum seekers are considered vulnerable data subjects”, according to guidelines endorsed by the European Data Protection Board (EDPB).

The FRA, in informal input provided after its visit to the Samos camp in May 2022, recommended basic safeguards Greece could take to ensure camp surveillance systems are in full compliance with GDPR. This included placing visible signs to inform camp residents and staff “about the operation of CCTV cameras before entering a monitored area”.

No such signs were visible in the camp’s entry when Computer Weekly visited the Samos camp in early October this year, despite the presence of several cameras at the camp’s entry.

Computer Weekly understands that, as of early October, procedural requirements such as impact assessments had not yet been finalised, and that the migration ministry would remain in consultation with the DPA until all the programs were fully GDPR-compliant.

Responding to Computer Weekly’s questions about the findings of this story, a Greek migration ministry spokesperson said: “[The ministry] is already in open consultation with the Greek DPA for the ‘Centaur’ and ‘Hyperion’ programs since March 2022. The consultation has not yet been completed. Both of these programs have not been fully implemented as several secondary functions are still in the implementation phase while the primary functions (video surveillance through closed circuit television and drone, entry – exit through security turnstiles) of the programs are subject to continuous parameterisation and are in pilot application.

“The ministry has justified to the Greek DPA as to the necessity of implementing the measure of installing and operating video surveillance systems in the hospitality structures citing the damage that the structures constantly suffer due to vandalism, resulting in substantial damage to state assets … and risking the health of vulnerable groups such as children and their companions.”

The commission wrote to Computer Weekly that it “do[es] not comment on ongoing investigations carried out by independent data protection authorities” and did not respond to questions on the deployment of the systems. 

Previous reporting by the Greek investigative outlet Solomon has similarly identified potential violations, including that the camp programs were implemented without the Greek ministry of migration and asylum hiring a data protection officer as required under the GDPR.

Lack of accountability and transparency?

The commission has said it applies all relevant checks and controls but that it is ultimately up to Greece to ensure refugee camps and their systems are in line with European standards.

Vavoula, the researcher who was involved in the Greek DPA complaint, said the EU has been “funding … these initiatives without proper oversight”.

Saskia Bricmont, a Belgian politician and a Member of the European Parliament with the Greens/European Free Alliance, described unsuccessful efforts to obtain more information on the systems deployed at Greece’s camps and borders: “Neither the commission nor the Greek authorities are willing to share information and to be transparent about it. Why? Why do they hide things – or at least give the impression they do?”

The European Ombudsman recently conducted a probe into how the commission ensures fundamental rights are being respected at Greece’s EU-funded camps. It also asked the commission to weigh in on the surveillance systems and whether it had conducted or reviewed the data protection and fundamental rights impact assessments.

The commission initially reported that Greece had “completed” assessments “before the full deployment of the surveillance systems”. In a later submission in August, however, the commission changed its wording – writing instead that the Greek authorities have “drawn up” the assessments “before the full deployment” of the tools.

The commission did not directly respond to Computer Weekly’s query asking it to clarify whether the Greek authorities have “completed” or merely “drawn up” DPIAs, and whether the commission’s understanding of the status of the DPIAs changed between the initial and final submissions to the European ombudsman.

Eleftherios Chelioudakis, co-founder of the Greek digital rights organisation Homo Digitalis, rejected the suggestion that there are different benchmarks on deployment. “There is no legal distinction between full deployment of a system or partial deployment of a system,” he said. “In both cases, there are personal data processing operations taking place.”

Chelioudakis added that the Greek DPA holds that even the mere transmission of footage (even if no data is recorded/stored) constitutes personal data processing, and that GDPR rules apply.

Check… check…  is this camera on?

Greek officials, initially eager to show off the camps’ surveillance apparatus, have grown increasingly tight-lipped on the precise status of the systems.

When visiting the ministry’s centralised control room at the end of 2021, Computer Weekly’s reporter was told by officials that three camps – on Samos, Kos and Leros islands – were already fully connected to the systems and that the ministry was working “on a very tight timeframe” to connect the more than 30 remaining refugee camps in Greece. During a rare press conference in September 2022, Greece’s then-migration minister, Notis Mitarachi, said Centaur was in use at the three refugee camps on Samos, Kos and Leros.

In October 2022, Computer Weekly’s reporter was also granted access to the local control room on Samos Island, and confirmed that monitoring systems were set up and operational but not yet in use. A drone has since been deployed and is being used in the Samos camp, according to several eyewitnesses.

Officials appear to have exercised more caution with Hyperion, the fingerprint entry-exit system. Computer Weekly understands the system is fully set up and functioning at several of the camps – officials proudly demonstrated its functions during the inauguration of the Kos camp – but has not been in use.

While it’s not yet clear if the more advanced and controversial features of Centaur are in use – or if they ever will be – what is certain is that footage from the cameras installed on several islands is being fed to a centralised control room in Athens.

In early October, Computer Weekly’s reporter tried to speak with asylum seekers outside the Samos camp, after officials abruptly announced the temporary suspension of journalist access to this and other EU-funded camps. Guards behind the barbed wire fence at the camp’s gate asked the reporter to move out of the sight of cameras – installed at the gate and the camp’s periphery – afraid they would receive a scolding call from the migration ministry in Athens.

“If they see you in the cameras they will call and ask, ‘Why is there a journalist there?’ And we will have a problem,” one of the guards said. Lawyers and others who work with asylum seekers in the camp say they’ve had similar experiences.

On several occasions, Computer Weekly’s reporter has asked the Greek authorities to provide proof or early indications that the systems are improving safety for camp residents, staff and local communities. All requests have been denied or ignored.

Lawyers and non-governmental organisations (NGOs) have also documented dozens of incidents that undermine Greek officials’ claims of increased safety in the tech-riddled camps.

Unmet promises of increased security

In September 2022, a peaceful protest by some 40 Samos camp residents who had received negative decisions on their asylum claims escalated into a riot. Staff evacuated the camp and police were called in and arrested several people.

Lawyers representing those accused of instigating the brawl and throwing rocks at intervening police officers said they were struck by the absence of photographic or video evidence in the case, despite their clients’ request to use the footage to prove their innocence.

“Even with all these systems, with all the surveillance, with all the cameras … there were no photographs or video, something to show that those arrested were guilty,” said Dimitris Choulis, a lawyer with the Human Rights Legal Project on Samos.

Asked about the incident, the Samos camp director at the time explained that the system has blind spots and that the cameras do not cover all areas of the camp, a claim contrary to other official statements.

Choulis’s organisation and the legal NGO I Have Rights have also collected testimonies from roughly a dozen individuals who claim they were victims of police brutality in the Samos CCAC beginning in July 2022.

According to Nikos Phokas, a resident of Leros Island, which houses one of the EU-funded facilities, while the surveillance system has proven incapable of preventing harm on several occasions, the ability it gives officials in Athens to peer into the camps at any moment has shifted dynamics for camp residents, staff and the surrounding communities. “This is the worst thing about this camp – the terror the surveillance creates for people. Everyone watches their backs because of it.”

He added the surveillance apparatus and the closed nature of the new camp on Leros has forced some camp employees to operate “under the radar” out of fear of being accused of engaging in any behaviour that may be deemed out-of-line by officials in Athens.

For example, when clothes were needed following an influx of arrivals last summer, camp employees coordinated privately and drove their personal vehicles to retrieve items from local volunteers.

“In the past, it was more flexible. But now there’s so much surveillance – Athens is looking directly at what’s happening here,” said Catharina Kahane, who headed the NGO ECHO100PLUS on Leros, but was forced to cut down on services because the closed nature of the camp, along with stricter regulations by the Greek migration ministry, made it nearly impossible for her NGO to provide services to asylum seekers.

Camp staff in one of the island facilities organised a protest to denounce being subjected to the same monitoring and security checks as asylum seekers.

Residents of the camps have mixed views on the surveillance. Heba*, a Syrian mother of three who lodged an asylum claim in Samos and was waiting out her application, in early October said the cameras and other security measures provided a sense of safety in the camp.

“What we need more is water and food,” said Mohammed*, a Palestinian asylum seeker who got to Samos in the midst of a recent surge in arrivals that brought the camp’s population to nearly 200% capacity and has led to “inhumane and degrading conditions” for residents, according to NGOs. He was perplexed by the presence of high-tech equipment in a refugee camp that has nearly daily water cuts.

*Names have been changed over privacy and safety concerns.

This story was made possible through support from the Pulitzer Centre’s AI Accountability Network.

Ludek Stavinoha contributed research and work towards public records requests featured in this article.