Today, following a complaint filed by Homo Digitalis in May 2021 representing our member and data subject Marina Zacharopoulou, the Hellenic Data Protection Authority (HDPA) issued Decision 35/2022 imposing a fine of 20 million euros on Clearview AI for its intrusive practices. This is the highest GDPR fine, ever imposed by the Hellenic DPA. By the same Decision, the DPA prohibits that company from collecting and processing the personal data of data subjects located in Greece using facial recognition methods and requires it to delete immediately any data it has already collected.

Specifically, in May 2021, an alliance of civil society organizations consisting of Homo Digitalis and the organizations Privacy International, Hermes Center, and noyb filed complaints before the competent authorities in Greece, the United Kingdom, Italy, Austria, France and the United Kingdom against Clearview AI for its mass surveillance practices through facial recognition.

Earlier this year, the Italian Data Protection Authority had decided to fine the company €20 million, while the UK’s equivalent authority had decided to fine it £7.5 million.

The €20 million fine imposed by the DPA today is another strong signal against intrusive business models of companies that seek to make money through the illegal processing of personal data. At the same time, it sends a clear message to law enforcement authorities working with companies of this kind that such practices are illegal and grossly violate the rights of data subjects.

Clearview AI is an American company founded in 2017 that develops facial recognition software. It claims to have “the largest known database of more than three billion facial images” which it collects from social media platforms and other online sources. It is an automated tool that visits public websites and collects any images it detects that contain human faces. Along with these images, the automated collector also collects metadata that complements these images, such as the title of the website and its source link. The collected facial images are then matched against the facial recognition software created by Clearview AI in order to build the company’s database. Clearview AI sells access to this database to private companies and law enforcement agencies, such as police authorities, internationally.

The full text of Decision 35/2022 can be found here (only in EL).

On Wednesday 2 March, the Hellenic Data Protection Authority (DPA) launched an investigation into the Ministry of Immigration and Asylum regarding the supply and installation of the YPERION and KENTAYROS systems in reception and accommodation facilities for asylum seekers.

Specifically, following the successful submission of a request submitted on 18 February by the organisations (in alphabetical order) Hellenic League for Human Rights, HIAS Greece, and Homo Digitalis together with the Lecturer of Queen Mary University of London Dr. Niovi Vavoula before the President of the Hellenic DPA, the Authority addressed a communication to the Ministry of Immigration and Asylum inviting it to inform it immediately about:

– the specific legal basis for the processing of personal data in the context of the operation of YPERION and KENTAYROS systems; and

– the carrying out of an impact assessment study on the impact of the processing on the protection of personal data, taking into account that in the case of the procurement of surveillance and monitoring systems, the carrying out of an impact assessment regarding their operation must be carried out not only before their operation, but also before their procurement, in order to comply with the principles of data protection by design and by default.

As the DPA states, together with the request for investigation we had filed, they had also received a request for information from the European Parliament’s Civil Liberties, Justice and Home Affairs Committee (LIBE Committee) on the surveillance technologies generally used at our country’s borders.

We recall that the YPERION system will be the asylum seeker management system with regard to all the needs of the Reception and Identification Service and will be responsible for access control (entry – exit via security turnstiles), by showing an individual card of a migrant, NGO member, worker and simultaneous use of fingerprints), the monitoring of benefits per asylum seeker using an individual card (food, clothing supplies, etc.) and the movements between the centres, KIDNs and Accommodation Facilities. The KENTAYROS system will be the digital system for managing electronic and physical security around and inside the facilities, using cameras and Artificial Intelligence Behavioral Analytics algorithms.

You can read the relevant letter sent by the DPA to the Ministry of Immigration and Asylum here.
You can read more about the joint request for research filed in February here.

Ahead of the #DigitalServicesAct negotiations, EDRi, Amnesty International, Civil Liberties Union for Europe and 69 civil society organisations call on 20 ministries and state secretaries in the Netherlands, Denmark, Germany, France, Spain, Italy, Luxembourg, Austria, Croatia to BAN #DarkPatterns and pervasive online tracking practices and preserve privacy.

If done right, the #DSA can ensure that you are part of a rights-respecting online environment, in which you have the power to make truly informed choices and where the online advertising industry respects your rights and freedoms.

During the ongoing Trilogue negotiations, we urge the Member States to defend people and push against toxic #BigTech business models. .

You can read our joint letter here.

AI systems are used to profile people and areas to predict crime, leading to over-policing, surveillance and imprisoning of racialised groups.

That’s why 40+ civil rights organisations led by EDRi and Fair Trials urge the EU to BAN AI predictive & profiling systems in law enforcement & criminal justice in the #AIAct.

Affected people must have clear & effective routes to challenge the use of these systems.

Read the full statement here.

Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece and Dr. Niovi Vavoula, Lecturer at Queen Mary University of London submitted before the President of the Hellenic Data Protection Authority (HDPA) on 18.2.2022, a request for the exercise of its investigative powers regarding the deployment of the ICT systems IPERION and KENTAUROS in facilities hosting asylum seekers in Greece (protocol number 2515/18.02.2022).

In particular, as described in the relevant website of the Ministry of Digital Governance for the area of migration and asylum, as well as in the annual action plan of the Ministry of Immigration and Asylum:

-The ΙPERION system will be the asylum seekers’ management system with regard to all the needs of the Reception and Identification Services. It will include a detailed record of the data of asylum seekers and it will be interconnected with the ALKYONI II system with regard to the asylum application. In addition, it will be the main tool for the operation of all related facilities as it will be responsible for access control (entry – exit through security turnstiles, with the presentation of an individual card of a migrant, NGO member, worker and simultaneous use of fingerprints), the monitoring of benefits per asylum seeker using an individual card (food, clothing supplies, etc.) and movements between the different facilities. At the same time, the project includes the creation of a mobile phone application that will provide personalized information to the user, will be his/her electronic mailbox regarding his/her asylum application process and will enable the Service to provide personalized information. It is important to note that the IPERION system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is already underway. Furthermore, explicit reference is made to this system in Article 7(2) of the General Regulation on the Operation of Closed Controlled Island Facilities. Therefore, it is understood that the IPERION system will process biometric and biographical data of asylum seekers, as well as of NGO members visiting the relevant structures and of people working in them.

-The KENTAUROS system will be a digital system for managing electronic and physical security around and inside the facilities, using cameras and Artificial Intelligence Behavioral Analytics algorithms. It includes centralised management from the headquarters of the Ministry of Digital Governance and the following services: Signaling perimeter breach alarms using cameras and motion analysis algorithms; signaling of illegal behavior alarms of individuals or groups of individuals in assembly areas inside the facility; and use of unmanned aircraft systems to assess incidents inside the facility without human intervention, among other functions. It is noted that the KENTAUROS system is presented by the Ministry of Digital Governance as a system that will be completed in the medium term and its construction – installation is planned. Therefore, it is understood that the KENTAUROS system is incorporating highly intrusive technologies, such as behaviour analysis algorithms, drones and closed circuit surveillance cameras, which create important for challenges for the protection of privacy, personal data and other rights

It is worth noting that Homo Digitalis submitted on 13 October 2021 a request for information re IPERION and KENTAUROS systems before the Secretary General for Asylum Seekers of the Ministry of Immigration and Asylum, Mr Logothetis. Nevertheless, Homo Digitalis did not receive a response from the competent bodies, even though the relevant deadline for reply has already expired.

Based on all of the above, it is understood that there is a serious risk that the installation of these systems could violate the European Union legislation on the processing of personal data and the provisions of Law 4624/2019, while there is also a significant risk that the installation of these systems without the preparation of the necessary Data Protection Impact Assessment may cause a serious violation of the rights and freedoms of data subjects who are hosted in this facilities, visit the facilities, or are employed in them. Finally, the possible creation of databases (including biometric data and other special categories of data) to assist the operation of these systems is not foreseen by any national legal rule providing the necessary safeguards for the rights of data subjects, thus raising significant challenges.

Homo Digitalis together with The Hellenic League for Human Rights, HIAS Greece, Privacy International and the researcher Phoebus Simeonidis submitted before the President of the Hellenic Data Protection Authority (HDPA) on 14.2.2022, a request for the exercise of its investigative powers regarding a procurement tender published by the Hellenic Coast Guard for the acquisition of a Social Media Data Collection Software (protocol number 2322/15/2/22 ).

Specifically, as pointed out on 2/2/2022 by researcher Phoebus Simeonidis, in the framework of the European Commission’s “Internal Security Fund” (ISF) program, the Coast Hellenic Guard – Ministry of Maritime Affairs published a tender for the “Upgrade/maintenance of the computer room of the Directorate of Maritime Border Security and Protection” with a total estimated contract value of seven hundred and thirty thousand euros #730.000,00€# (including VAT and other deductions).

One of the deliverables described in this call for tender (see page 34 et seq.) is the supply of Social Media Data Collection Software (hereinafter referred to as Software). As explicitly stated by the Ministry of Maritime Affairs in this notice, the Software should support the social networks Facebook, Twitter, VK, Xing, Instagram, and Telegram, and some of the necessary features as described are:

– The creation of a visualization of multiple correlations (friends, comments, posts, likes and followers).

– The identification of user identifiers including their searches, and

– The simulation of human activity to avoid account blocking.

Specifically for Facebook, the software should allow, among other functions, storage of a profile’s public contact list, storage of all 2nd degree public contacts, storage of public timeline posts (including images, videos, linked YouTube videos, comments and reactions), storage of image galleries, storage of published account information (employer, residences, education), and searching accounts for specific personal characteristics.

With respect to Twitter, the Software should, among other functions, allow for the storage of audience following a profile list, storage of all public contacts of the 2nd degree (Followers List), and storage of public messages (including images, videos, linked YouTube videos, and likes).

For Instagram, the Coast Guard is seeking the Software to allow, among other things, storage of the follower list, storage of the public list following a profile, storage of public comments per profile by time sequence including images, videos, linked YouTube videos, and storage of timelines and Profile Stories.

With regard to Telegram, the software must allow the storage of participants in group conversations (up to 10,000 participants), as well as the storage of the full content of each group conversation (text and photos or other material shared in them).

It is therefore clear that the software in question seeks to monitor an indeterminately large number of users of the social networks in question, and to collect, process and analyse their information, without indicating the purpose of the processing operations, the legal bases that allow them and any other safeguards for the protection of personal data, as the European Data Protection Supervisor has expressly stated in a case of similar software maintained by the European Support Office for It is also worth noting that the European Border and Coast Guard Agency (FRONTEX) had in 2019 withdrawn a related call for tender for the procurement of similar social media data collection software, following a successful action by Privacy International.

Thus, the procurement of this software will be a clear challenge to the right to the protection of personal data and respect for the principle of lawfulness of processing, the principle of purpose limitation and the principle of proportionality (data minimisation) as outlined in EU and national legislation, as well as the rights to respect for privacy and freedom of expression.

Also, the creation of a fake account simulating human activity is contrary to the terms of use of social media and messaging mentioned in the tender, while the logging of searches of third party accounts is a highly intrusive activity. Of course, highly intrusive is also the recording and monitoring of group conversations on Telegram.

Homo Digitalis has received an invitation to participate on 10 November in the online regional consultation organised by Chatham House and EU Cyber Direct Project on a new International Cybercrime Convention. The consultation is being held in light of United Nations General Assembly Resolution 74/247 and aims to inform the relevant law-making work that will begin in 2022.

Our member Anastasios Arabatzis will represent Homo Digitalis in the consultation.

Homo Digitalis was a guest on the radio show of the Hellenic League for Human Rights on October 10, 2021.

The Hellenic League for Human Rights is the oldest human rights organization in our country, founded in 1953. Every Sunday at 20.00-21.00 it conducts the radio show “Rights on FM” on the air of the Athens 9.84 radio station.

On Sunday 10 October 2021, Konstantinos Kakavoulis and Dimitris Dosas spoke with Fotini Kokkinaki about the recent incident of the Facebook platform not operating, the rights of users on online platforms, as well as about whistleblowers.
We would like to thank the Hellenic League for Human Rights for hosting us.