The EU border agency Frontex is processing personal data of migrants in breach of EU law and its own mandate, according to a letter by the European Data Protection Supervisor (EDPS), seen by Euractiv.
Frontex’s board adopted internal rules on processing personal data at the end of 2021. In June 2022, the EDPS issued two non-binding opinions, seen by Euractiv, asking Frontex to improve some provisions to comply with Frontex’s mandate and the EU data protection framework.
Internal rules are set to clarify the application of Frontex’s regulation when operating on the ground.
The two opinions have been taken into account by Frontex but according to the EDPS, the draft rules that will be soon adopted do not comply with the regulation since they outline activities that the EU border agency is not entitled to perform.
In August, the Supervisor sent a letter, obtained by Euractiv through a freedom for information request, to Frontex Director Hans Leijtens pointing out that while the EU border agency took into account some parts of the opinions, other recommendations were not applied and some parts were not up to EU data protection standards.
“The manner all data processing activities carried out by Frontex are encompassed in the [drafted rules by the Frontex management board] on general rules, impacts negatively on a clear allocation of data protection responsibilities,” said the letter, signed by Wojciech Rafał Wiewiórowski, the European Data Protection Supervisor since December 2019.
“In particular, several provisions are drafted in a way that creates a lack of clarity as to the exact scope of such activities, particularly in terms of which data can be collected and further processed, for what purpose and under which applicable data protection framework,” he added.
For instance, Wiewiórowski wrote, the drafted rules allow the EU border agency “to process a vast range of categories of personal data in the context of joint operation without specifying for which purpose and in which role (controller or processor) Frontex may process each category of data.”
The lack of clarity on Frontex’s role when collecting and processing personal and even sensitive data creates a problem defining the “legal basis” of its activity on the ground.
A Frontex spokesperson told Euractiv that the agency “maintains an ongoing dialogue with the European Data Protection Supervisor concerning the processing of personal data. The agency is dedicated to conducting all its activities in accordance with data protection regulations and in respect of fundamental rights”.
An ongoing issue
The EU watchdog already expressed concerns about Frontex’s modus operandi in processing data on more than one occasion, most recently in May 2023 when it published the results of a visit the EDPS made to Frontex headquarters in October 2022.
The report revealed that the collection of personal data on the ground during interviews with migrants (the main source of Frontex’s data during joint operations) presents different problems, such as the not-voluntary nature of interviews, EDPS detected, and the lack of protection of the identity of the people interviewed.
In addition, the EU watchdog found that Frontex directly shared debriefing reports with other EU law enforcement agencies (Europol and Eurojust) and national authorities, without assessing the necessity of such a sharing. This practice breaches the EU legislation, according to the EDPS, which started an investigation into the matter last June.
Europol is responsible for law enforcement cooperation, while Eurojust is an EU agency dedicated to criminal justice cooperation.
Suspect profiling
According to the EDPS, Frontex is not a law enforcement agency. Thus, it cannot “do a criminal analysis of its own purposes, similarly to other EU law enforcement agencies”.
For this reason, the EU watchdog sees as a problematic activity Frontex’s assessment of whether to legally identify a person as a ‘suspect’ and then transfer the data to EU agencies and national law enforcement authorities without assessing if such a transfer is really necessary.
Additionally, it is unclear whether the identification of suspects by the EU border agency “is based on facts or a personal assessment,” the letter pointed out. The same problem remains with the legal definition of ‘witness’ and ‘contacts’ and ‘associates’ of the suspects.
Specific data categories
The EDPS noted in the letter that the ‘legal basis’ on which Frontex processes special categories of data, such as political views, religious beliefs and sexual orientation, is not solid enough.
Other concerns were related to the consideration of data collected on vessels and aircraft, which, according to Frontex, are not considered personal data, while the EDPS contends they are.
The EU watchdog also identified as a problem the lack of clarity of use, scope and protection when it comes to collecting data “for the purpose of investigation of fundamental rights violation”. These data can be voice recording, images for instance, that the EDPS defines as “particularly sensitive”.
Euractiv understands the EDPS might take Frontex to the EU Court of Justice over the alleged breaches of data protection law if no corrective measures are promptly implemented, but only as a last resource.
[Edited by Luca Bertuzzi/Zoran Radosavljevic]