The Hellenic DPA is requested to take action again the deployment of ICT systems IPERION & KENTAUROS in facilities hosting asylum seekers in Greece
Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece and Dr. Niovi Vavoula, Lecturer at Queen Mary University of London submitted before the President of the Hellenic Data Protection Authority (HDPA) on 18.2.2022, a request for the exercise of its investigative powers regarding the deployment of the ICT systems IPERION and KENTAUROS in facilities hosting asylum seekers in Greece (protocol number 2515/18.02.2022).
In particular, as described in the relevant website of the Ministry of Digital Governance for the area of migration and asylum, as well as in the annual action plan of the Ministry of Immigration and Asylum:
-The ΙPERION system will be the asylum seekers’ management system with regard to all the needs of the Reception and Identification Services. It will include a detailed record of the data of asylum seekers and it will be interconnected with the ALKYONI II system with regard to the asylum application. In addition, it will be the main tool for the operation of all related facilities as it will be responsible for access control (entry – exit through security turnstiles, with the presentation of an individual card of a migrant, NGO member, worker and simultaneous use of fingerprints), the monitoring of benefits per asylum seeker using an individual card (food, clothing supplies, etc.) and movements between the different facilities. At the same time, the project includes the creation of a mobile phone application that will provide personalized information to the user, will be his/her electronic mailbox regarding his/her asylum application process and will enable the Service to provide personalized information. It is important to note that the IPERION system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is already underway. Furthermore, explicit reference is made to this system in Article 7(2) of the General Regulation on the Operation of Closed Controlled Island Facilities. Therefore, it is understood that the IPERION system will process biometric and biographical data of asylum seekers, as well as of NGO members visiting the relevant structures and of people working in them.
-The KENTAUROS system will be a digital system for managing electronic and physical security around and inside the facilities, using cameras and Artificial Intelligence Behavioral Analytics algorithms. It includes centralised management from the headquarters of the Ministry of Digital Governance and the following services: Signaling perimeter breach alarms using cameras and motion analysis algorithms; signaling of illegal behavior alarms of individuals or groups of individuals in assembly areas inside the facility; and use of unmanned aircraft systems to assess incidents inside the facility without human intervention, among other functions. It is noted that the KENTAUROS system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is planned. Therefore, it is understood that the KENTAUROS system is incorporating highly intrusive technologies, such as behaviour analysis algorithms, drones and closed circuit surveillance cameras, which create important for challenges for the protection of privacy, personal data and other rights
It is worth noting that Homo Digitalis submitted on 13 October 2021 a request for information re IPERION and KENTAUROS systems before the Secretary General for Asylum Seekers of the Ministry of Immigration and Asylum, Mr Logothetis. Nevertheless, Homo Digitalis did not receive a response from the competent bodies, even though the relevant deadline for reply has already expired.
Based on all of the above, it is understood that there is a serious risk that the installation of these systems could violate the European Union legislation on the processing of personal data and the provisions of Law 4624/2019, while there is also a significant risk that the installation of these systems without the preparation of the necessary Data Protection Impact Assessment may cause a serious violation of the rights and freedoms of data subjects who are hosted in this facilities, visit the facilities, or are employed in them. Finally, the possible creation of databases (including biometric data and other special categories of data) to assist the operation of these systems is not foreseen by any national legal rule providing the necessary safeguards for the rights of data subjects, thus raising significant challenges.