The EU border company Frontex is processing private knowledge of migrants in breach of EU regulation and its personal mandate, in response to a letter by the European Information Safety Supervisor (EDPS), seen by Euractiv.
Frontex’s board adopted inside guidelines on processing private knowledge on the finish of 2021. In June 2022, the EDPS issued two non-binding opinions, seen by Euractiv, asking Frontex to enhance some provisions to adjust to Frontex’s mandate and the EU knowledge safety framework.
Inner guidelines are set to make clear the applying of Frontex’s regulation when working on the bottom.
The 2 opinions have been taken into consideration by Frontex however according to the EDPS, the draft guidelines that shall be quickly adopted don’t adjust to the regulation since they define actions that the EU border company will not be entitled to carry out.
In August, the Supervisor despatched a letter, obtained by Euractiv via a freedom for data request, to Frontex Director Hans Leijtens stating that whereas the EU border company took into consideration some elements of the opinions, different suggestions weren’t utilized and a few elements have been lower than EU knowledge safety requirements.
“The way all knowledge processing actions carried out by Frontex are encompassed within the [drafted rules by the Frontex management board] on basic guidelines, impacts negatively on a transparent allocation of knowledge safety obligations,” stated the letter, signed by Wojciech Rafał Wiewiórowski, the European Information Safety Supervisor since December 2019.
“Particularly, a number of provisions are drafted in a method that creates a scarcity of readability as to the precise scope of such actions, notably by way of which knowledge could be collected and additional processed, for what function and beneath which relevant knowledge safety framework,” he added.
As an illustration, Wiewiórowski wrote, the drafted guidelines permit the EU border company “to course of an unlimited vary of classes of private knowledge within the context of joint operation with out specifying for which function and during which function (controller or processor) Frontex might course of every class of knowledge.”
The shortage of readability on Frontex’s function when amassing and processing private and even delicate knowledge creates an issue defining the “authorized foundation” of its exercise on the bottom.
A Frontex spokesperson advised Euractiv that the company “maintains an ongoing dialogue with the European Information Safety Supervisor regarding the processing of private knowledge. The company is devoted to conducting all its actions in accordance with knowledge safety rules and in respect of basic rights”.
An ongoing subject
The EU watchdog already expressed issues about Frontex’s modus operandi in processing knowledge on a couple of event, most just lately in Might 2023 when it printed the outcomes of a go to the EDPS made to Frontex headquarters in October 2022.
The report revealed that the gathering of private knowledge on the bottom throughout interviews with migrants (the principle supply of Frontex’s knowledge throughout joint operations) presents totally different issues, such because the not-voluntary nature of interviews, EDPS detected, and the dearth of safety of the id of the folks interviewed.
As well as, the EU watchdog discovered that Frontex straight shared debriefing stories with different EU regulation enforcement businesses (Europol and Eurojust) and nationwide authorities, with out assessing the need of such a sharing. This follow breaches the EU laws, in response to the EDPS, which began an investigation into the matter final June.
Europol is chargeable for regulation enforcement cooperation, whereas Eurojust is an EU company devoted to felony justice cooperation.
Suspect profiling
In keeping with the EDPS, Frontex will not be a regulation enforcement company. Thus, it can not “do a felony evaluation of its personal functions, equally to different EU regulation enforcement businesses”.
Because of this, the EU watchdog sees as a problematic exercise Frontex’s evaluation of whether or not to legally establish an individual as a ‘suspect’ after which switch the information to EU businesses and nationwide regulation enforcement authorities with out assessing if such a switch is de facto obligatory.
Moreover, it’s unclear whether or not the identification of suspects by the EU border company “relies on details or a private evaluation,” the letter identified. The identical downside stays with the authorized definition of ‘witness’ and ‘contacts’ and ‘associates’ of the suspects.
Particular knowledge classes
The EDPS famous within the letter that the ‘authorized foundation’ on which Frontex processes particular classes of knowledge, reminiscent of political opinions, spiritual beliefs and sexual orientation, will not be strong sufficient.
Different issues have been associated to the consideration of knowledge collected on vessels and plane, which, in response to Frontex, usually are not thought of private knowledge, whereas the EDPS contends they’re.
The EU watchdog additionally recognized as an issue the dearth of readability of use, scope and safety with regards to amassing knowledge “for the aim of investigation of basic rights violation”. These knowledge could be voice recording, pictures for example, that the EDPS defines as “notably delicate”.
Euractiv understands the EDPS would possibly take Frontex to the EU Courtroom of Justice over the alleged breaches of knowledge safety regulation if no corrective measures are promptly applied, however solely as a final useful resource.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]
Learn extra with EURACTIV