Quis Custodiet Ipsos Custodes? Managing Immigrant and Refugees’ Biometric Data in the Age of Artificial Intelligence.

by: Angelo Tramountanis | National Centre for Social Research, EKKE

Introduction

In April 2024, the Hellenic Data Protection Authority issued a fine of €175,000 to the Greek Ministry of Migration and Asylum, due to non-compliance with data protection regulations concerning the operation of new migrant detention centers on the Aegean islands. This marks the highest penalty ever placed on a Greek public body. Specifically, the violations were linked to provisions governing two surveillance systems implemented in the centres titled "Centaur" and "Hyperion”. This fine yet again brings to prominence the ongoing debate surrounding the implications from implementing new digital technologies, particularly Artificial Intelligence (AI), as well as storing and handling biometric data, in the realm of migration governance.

The Use of Artificial Intelligence (AI) in Migration Management

AI technologies in the domain of migration management are currently being utilized in various stages, ranging from pilot programmes to more mature solutions, within national initiatives of EU Member States, at the EU level itself, and in other OECD countries such as the US and Canada. These applications encompass a range of tools and procedures designed to streamline processes such as citizenship acquisition, language identification and assessment, detection of document fraud, and client interaction, among others.

Utilizing AI technologies in migration management holds the potential for significant benefits. Chief among them is the capacity to enhance efficiency and lower costs by automating resource-intensive, repetitive, or highly complex analytical tasks, particularly when dealing with vast quantities of Big Data. This, in turn, allows for a more efficient allocation and utilization of available resources.

These technologies can also be utilised for border controls. A 2021 RAND Europe study commissioned by Frontex, the EU border agency, highlighted potential applications in physical land and sea borders, such as border surveillance, processing of travellers at border crossings, providing situational awareness and threat detection. These solutions have the capacity to strengthen existing capabilities and better address border security challenges.

Furthermore, AI and biometric technologies are expected to play a key role in the future iteration of the EU asylum system. The new interoperability framework, adopted in 2019, will facilitate the interconnection of dispersed information currently housed in the large-scale IT systems related to borders, visa, police, judicial cooperation, asylum, and migration. This framework will enable the Union’s large-scale IT systems to complement each other, by establishing a shared Biometric Matching Service (sBMS), a Common Identity Repository (CIR) and a Multiple-Identity Detector (MID). Data already available in existing IT systems such as the Schengen Information System (SIS), the European Dactyloscopy Database (Eurodac) and the Visa Information System (VIS) will be gradually complemented with information from new IT systems scheduled for implementation in the following years. Therefore, in the coming years, various EU data systems and automated algorithms will be in position to process vast amounts of personal and biometric information about asylum seekers.

Despite the potential benefits of AI in immigration governance, several critical issues and concerns should also be taken under consideration. The use of AI technologies in migration, asylum, and border control management are correctly considered as “high risk” in the recently adopted EU Artificial Intelligence Act (AIA), since “they affect people who are often in particularly vulnerable position and who are dependent on the outcome of the actions of the competent public authorities”. Moreover, the prevalence of biases in algorithms, the opacity inherent in decision-making processes, and the complexities surrounding informed consent pose significant challenges, while data storage and utilization by state agencies raise ethical and practical dilemmas.

The Use of Biometric Data in Migration Management

The issue of data storage of biometric data in particular, concerning vulnerable populations such as refugees, is of paramount importance. Improper storage and use of personal information, especially biometrics, can have significant and long-lasting consequences for these populations. Unlike internet usernames, passwords, or physical and digital IDs, biometric identifiers like irises or fingerprints cannot be easily replaced. Moreover, if a database containing biometric data is breached or compromised, it may result in involuntary repatriation or further persecution of the affected individuals.

The significance of the above considerations becomes more pronounced when the discussion focuses on vulnerable individuals confined in open or closed centres and infrastructures. This is especially true when receiving cash or other forms of assistance is contingent upon providing their biometric data to service providers. For instance, UNHCR utilizes a Biometric Identity Management System (BIMS) that captures fingerprints, iris images, and facial photographs to establish unique registered identities and distribute assistance more efficiently. To this end, iris scans are currently used in order to provide cash-based assistance to Syrian refugees in camps in Jordan and Afghan returnees from Pakistan. These biometric identities will also be utilized in the Greek islands, in the new Closed Controlled Access Centers and Reception and Identification Centers, in order to track provided benefits such as food or clothing supplies per immigrant.

GAPs in Cooperation and Implementation

The above provides the framework to understand the significance of the fine imposed on the Greek Ministry of Migration and Asylum for its two systems. The first one, titled Centaur, is a digital system for managing electronic and physical security around and within facilities hosting refugees and asylum seekers on the Greek islands. It processes personal data, uses motion analysis algorithms powered by Artificial Intelligence (AI Behavioral Analytics), and utilizes, among other technologies, CCTV and drones. The second system, called Hyperion, is an entry-exit control system at these facilities, utilizing RFID cards and fingerprints to regulate entry and exit.

The Hellenic Data Protection Authority (HDPA) based the fine on breaches found in relation to the cooperation with the Authority and the inadequately implemented impact assessments. As explicitly stated in the relevant press release, the HDPA “found a lack of cooperation on the part of the Ministry of Migration and Asylum, as data controller, and further considered that the required Data Protection Impact Assessments carried out by the Ministry were substantially incomplete and limited in scope, and that serious shortcomings remain as regards the Ministry’s compliance with certain provisions of the GDPR (General Data Protection Regulation) in relation to the implementation of the systems in question”.

Broader Implications

The issue at hand, however, is broader in scope than compliance to GDPR provisions. It is crucial to acknowledge that typical compliance with new rules and regulations is oftentimes perceived as a mere checklist formality within an organization's existing culture. Such compliance is often understood only as a means to secure funding and ensure the absorption of funds.

For vulnerable populations confined in open or closed centers, however, mostly unaware of their rights regarding personal data protection and often lacking the ability to exercise them, these GDPR provisions are crucial safeguards designed to protect their rights. Therefore, the relevant impact assessments foreseen in the Regulation should not be perceived as procedural obligations. On the contrary, they are key components and essential preconditions for properly safeguarding the personal data of asylum seekers and refugees. Crucially, they are in place to determine whether potential adverse effects are justified by the overarching purpose of the proposed measures and policies.

Conclusion

In summary, in this new constantly evolving landscape, where AI technologies and the use of biometric data already feature prominently, ensuring the protection and effective management of personal data, especially biometric data, should be pursued as a cornerstone in designing and implementing relevant strategies and policies.

Contact:

Angelo Tramountanis | National Centre for Social Research, EKKE | atramou@ekke.gr