EU’s Frontex Tripped in Its Plan for ‘Intrusive’ Surveillance of Migrants

Frontex and the European Commission sidelined their own data protection watchdogs in pursuing a much-criticised expansion of “intrusive” data collection from migrants and refugees to feed into Europol’s vast criminal databases, BIRN can reveal.

On November 17 last year, when Hervé Yves Caniard entered the 14th-floor conference room of the European Union border agency Frontex in Warsaw, European newspapers were flooded with stories of refugees a few hundred kilometres away, braving the cold at the Belarusian border with Poland.

A 14-year-old Kurd had died from hypothermia a few days earlier; Polish security forces were firing teargas and water cannon to push people back.

The unfolding crisis was likely a topic of discussion at the Frontex Management Board meeting, but so too was a longer-term policy goal concerning migrants and refugees: the expansion of a mass surveillance programme at Europe’s external borders.

PeDRA, or ‘Processing of Personal Data for Risk Analysis,’ had begun in 2016 as a way for Frontex and the EU police body Europol to exchange data in the wake of the November 2015 Paris attacks by Islamist militants that French authorities had linked to Europe’s then snowballing refugee crisis.

At the November 2021 meeting, Caniard and his boss, Frontex’s then executive director, Fabrice Leggeri, were proposing to ramp it up dramatically, allowing Frontex border guards to collect what some legal experts have called ‘intrusive’ personal data from migrants and asylum seekers, including genetic data and sexual orientation; to store, analyse and share that data with Europol and security agencies of member states; and to scrape social media profiles, all on the premise of cracking down on ‘illegal’ migration and terrorism.

The expanded PeDRA programme would target not just individuals suspected of cross-border crimes such as human trafficking but also the witnesses and victims.

Caniard, the veteran head of the Frontex Legal Unit, had been appointed that August by fellow Frenchman Leggeri to lead the drafting of the new set of internal PeDRA rules. Caniard was also interim director of the agency’s Governance Support Centre, which reported directly to Leggeri, and as such was in a position to control internal vetting of the new PeDRA plan.

That vetting was seriously undermined, according to minutes of board meetings leaked by insiders and internal documents obtained via Freedom of Information requests submitted by BIRN.

The evidence gathered by BIRN points to an effort by the Frontex leadership under Leggeri, backed by the European Commission, to sideline EU data protection watchdogs in order to push through the plan, regardless of warnings of institutional overreach, threats to privacy and the criminalisation of migrants.

Nayra Perez, Frontex’s own Data Protection Officer, DPO, warned repeatedly that the PeDRA expansion “cannot be achieved by breaching compliance with EU legislation” and that the programme posed “a serious risk of function creep in relation to the Agency’s mandate.” But her input was largely ignored, documents reveal.

The DPO warned of the possibility of Frontex data being transmitted in bulk, “carte blanche”, to Europol, a body which this year was ordered to delete much of a vast store of personal data that it was found to have amassed unlawfully by the EU’s top data protection watchdog, the European Data Protection Supervisor, EDPS.

Backed by the Commission, Frontex ignored a DPO recommendation that it consult the EDPS, currently led by Poland’s Wojciech Wiewiórowski, over the new PeDRA rules. In a response for this story, the EDPS warned of the possibility of “unlawful” processing of data by Frontex.

Having initially told BIRN that the DPO’s “advisory and auditing role” had been respected throughout the process, shortly before publication of this story Frontex conceded that Perez’s office “could have been involved more closely to the drafting and entrusted with the role of the chair of the Board”, an ad hoc body tasked with drafting the PeDRA rules.

In June, the EDPS asked Frontex to make multiple amendments to the expanded surveillance programme in order to bring it into line with EU data protection standards; Frontex told BIRN it had now entrusted the DPO to redraft “relevant MB [Management Board] decisions in line with the EDPS recommendations and lessons learned.”

Dr Niovi Vavoula, an expert in EU privacy and criminal law at Queen Mary University of London, said that the expanded PeDRA programme risked the “discriminatory criminalisation” of innocent people, prejudicing the outcomes of criminal proceedings against those flagged as “suspects” by Frontex border guards.

As written, the revamped PeDRA “is another piece of the puzzle of the emerging surveillance and criminalisation of migrants and refugees,” she said.

Religious beliefs, sexual orientation

Leggeri had long held a vision of Frontex as more than simply a ‘border management’ body, one that would see it working in tandem with Europol in matters of law enforcement; to this end, both agencies have been keen to loosen restrictions on the exchange of personal data between them.

Almost six years to the day before the Warsaw PeDRA meeting, a gun and bomb attack by Islamist militants killed 130 people in Paris. It was November 13, 2015, at the height of the refugee crisis in the Mediterranean and Aegean Seas.

The following month, Leggeri signed a deal with the then head of Europol, Briton Richard Wainwright, which opened the door to the exchange of personal data between the two agencies. Addressing the UK parliament, Wainwright described a “symbiotic” relationship between the agencies in protecting the EU’s borders. In early 2016, a PeDRA pilot project launched in Italy, quickly followed by Greece and Spain.

At the same time, Europol launched its own parallel programme of so-called Secondary Security Checks on migrants and refugees in often cramped, squalid camps in Italy and Greece using facial recognition technology. The checks, most recently expanded to refugees from Ukraine in Lithuania, Poland, Romania, Slovakia and Moldova, were introduced “in order to identify suspected terrorists and criminals” but Europol is tight-lipped about the criteria determining who gets checked and what happens with the data obtained.

Since the launch of PeDRA, Frontex officers have been gathering information from newly-arrived migrants concerning individuals suspected of involvement in smuggling, trafficking or terrorism and transmitting the data to Europol in the form of “personal data packages,” which are then cross-checked against and stored within its criminal databases.

According to its figures, under the PeDRA programme, Frontex has shared the personal data – e.g. names, personal descriptions and phone numbers – of 11,254 people with Europol between 2016 and 2021.

But the 2015 version of the PeDRA programme was only its first incarnation.

Until 2019, rules governing Frontex meant that its capacity to collect and exchange the personal data of migrants had been strictly limited.

In December 2021, after years of acrimonious legal wrangling, the Frontex Management Board – comprising representatives of the 27 EU member states and the European Commission – gave the green light to the expansion of PeDRA.

Under the new rules, which have yet to enter into force, Frontex border guards will be able to collect a much wider range of sensitive personal data from all migrants, including genetic and biometric data, such as DNA, fingerprints or photographs, information on their political and religious beliefs, and sexual orientation.

The agency told BIRN it had not yet started processing personal data “related to sexual orientation” but that the collection of such information may be necessary to “determine whether suspects who appear to be similar are in fact the same.”

In terms of social media monitoring, Frontex said it had not decided yet whether to take advantage of such a tool; minutes of a joint meeting in April, however, show that Frontex and Europol agreed on “strengthening cooperation on social media monitoring”.

Indeed, in 2019, Frontex published plans to pay a surveillance company 400,000 euros to track people on social media, including “civil society and diaspora communities” within the EU, but abandoned it in November of that year after Privacy International questioned the legality of the plan.

Yet, under the expanded PeDRA, Vavoula, of Queen Mary University, said Frontex officers could be tasked with scraping social media profiles “without restrictions”.

Commenting on the entire programme, she added that PeDRA “could not have been drafted by someone with a deep knowledge of data protection law”. She cited numerous violations of elementary data protection safeguards, especially for children, the elderly and other vulnerable individuals, who should generally be treated differently from other subjects.

“Sufficient procedural safeguards should be introduced to ensure the protection of fundamental rights of children to the fullest possible extent including the requirement of justified reasons of such a processing of personal data,” Vavoula said. “Genetic data is much more sensitive than biometric data,” and therefore requires “specific safeguards” not present in the text.

Vavoula also noted the absence of a “maximum retention period,” warning, “Frontex may retain the data forever.”

Internal dissent swept aside

Internal documents seen by BIRN show that the man tasked by Leggeri to oversee the drafting of the new PeDRA rules, Caniard, ignored objections raised by the agency’s own data protection watchdog.

Perez, a Spanish lawyer and Frontex’s DPO, has the task of monitoring the agency’s compliance with EU data protection laws, not only concerning the thousands of migrants whose data will be stored in its databases but also concerning the agency’s rapidly expanding staff base, currently numbering more than 1,900 but soon to include a ‘standing corps’ of up to 10,000 border guards.

She had also been working on earlier drafts of the new PeDRA rules since 2018, only to be leapfrogged by Caniard when he was appointed by Leggeri in August 2021.

When she was shown an advanced draft of the new PeDRA rules in October 2021, Perez did not mince her words. “The process of drafting the new rules de facto encroaches on the tasks legally assigned to the DPO,” she said in an internal Frontex document obtained by BIRN. “When the DPO issues an opinion, such advice cannot be overruled or amended.”

The DPO proposed more than a hundred changes to the draft; she warned that, under the proposed rules, Frontex “seems to arrogate the capacity to police the internet” through monitoring of social media and that victims and witnesses of crime whose data is shared with Europol face “undesirable consequences” of being part of a “pan-European criminal database.”

During intense internal discussions in late 2021, as the deadline for approving the new rules was fast approaching, the DPO said that Frontex had failed to make a compelling case for the collection of sensitive data such as ethnicity or sexual orientation.

“…the legal threshold to be met is not a ‘nice to have’ but a strict necessity,” Perez wrote.

When the final draft landed on the desk of the Frontex Management Board in November 2021, it was clear that many of the DPO’s recommendations had been disregarded.

At this point, Frontex was already the target of a probe by the European Anti-Fraud Office into its role in so-called ‘pushbacks’ in which migrants are illegally turned away at the EU’s borders, the findings of which would eventually force Leggeri’s resignation in April this year.

In an initial written response for this story, Frontex said that the DPO “had an active, pivotal role in the deliberations” concerning the new rules and that the watchdog’s “advisory and auditing role was respected” throughout the process.

Minutes of the November board meeting appeared to contradict this, however. Written in English and partially disclosed following an ‘access to documents request’, they cite Caniard conceding that the DPO was “consulted twice with a very short notice” and that, since Perez issued her opinion only the day before the meeting, there “was no possibility to take stock of it”. Perez submitted her opinion on November 16 and the board meeting was held on November 17 and 18.

The DPO, for its part, urged the management board to “work on the current draft to eliminate inconsistencies” and, though not legally obliged, “to consult the EDPS prior to adoption”.

Prior to publication of this story, BIRN asked Frontex again whether the DPO’s mandate had been respected during the drafting of the new PeDRA rules. The agency backtracked, saying it should have involved Perez’s office more closely and that the DPO would rewrite the programme.

Dissent was not confined to the DPO. Danish and Dutch representatives in the meeting urged the board to delay voting on the rules given that the DPO’s opinions had not been taken on board and to “do its utmost to avoid any situation where it is necessary to amend rules just adopted just because an EDPS’ conflicting opinion is issued.”

According to the minutes of the November meeting, the Commission representative, however, dismissed this, declaring that it considered the text “more than mature for adoption” and that there was no need to consult the EDPS because “it is not mandatory”.

Email exchanges between the Commission and Frontex reveal the urgency with which the Commission wanted the new rules adopted, even at the cost of forgoing EDPS participation.

One, from the Commission to Frontex on November 14, 2021, just days before the Board meeting, said that, “while it would have been good to consult the EDPS on everything, it is more important now to get at least the two first decisions adopted.” An earlier mail, from July 2021 and sent directly to Leggeri, said it was “an absolute political priority to put in place the data protection framework of the Agency without any further delays.” That framework included the processing of personal data under PeDRA.

Asked why it supported the expansion of the Frontex surveillance programme without first having the proposal checked by EDPS, the Commission told BIRN it would not comment on “discussion held in the management board or other internal meetings.”

The EDPS, the EU’s top data protection authority, was only shown a copy of the new rules in late January 2022.

Asked for its opinion, the EDPS told BIRN it is “concerned that the rules adopted do not specify with sufficient clarity how the intended processing will be carried out, nor define precisely how safeguards on data protection will be implemented.”

The processing of highly vulnerable categories of individuals, including asylum seekers, could pose “severe risks for fundamental rights and freedoms,” such as the right to asylum, it said. It further stressed that “routine”, i.e. systematic, exchange of personal data between Frontex and Europol is not permitted and that such exchange can only take place “on a case-by-case basis.”

Collecting data with ‘religious’ fervour

Experts question the effectiveness of such extensive data collection in combating serious crime.

Douwe Korff, Emeritus Professor of international law at London Metropolitan University, decried the apparent lack of results and accountability.

“There isn’t even the absolute minimum requirement for law enforcement authorities to provide serious proof that the expansion of surveillance powers will be effective and proportionate,” said Korff, who has contributed to research on mass surveillance for EU institutions for years.

“If you ask how many people have you arrested using this data that are completely innocent, they don’t even want to know about this. They pursue this policy of mass data collection with a religious belief.”

Indeed, when the EDPS ordered Europol in January to delete data amassed unlawfully concerning individuals with no link to criminal activity, member states and the Commission came to the rescue with legal amendments enabling the agency to sidestep the order.

In May, Frontex and Europol put forward a proposal, drafted by a joint working group named ‘The Future Group’, for a new surveillance programme at the bloc’s external borders that would implement large-scale profiling of EU and third-country nationals using Artificial Intelligence.