The EU border management agency Frontex produces untrustworthy risk analyses on migration due to the ‘low reliability of the data collected’, an investigation conducted by the European Data Protection Supervisor (EDPS) found on Wednesday (31 May).

The supervisor, which oversees the data processing of EU bodies, questioned the methodology used to integrate interviews collected on the field into risk analyses and denounced the “absence of a clear mapping and exhaustive overview of the processing of personal data” which the authority assessed as not sufficiently protected.

The voluntary nature of interviews themselves is also not guaranteed, the report has found, as they “are conducted in a situation of deprivation (or limitation) of liberty” and aim at “identifying suspects on the basis of the interviewee’s testimony”.

The concerns regard “the use of information of low reliability for the production of risk analyses and its implications for certain groups who may be unduly targeted or represented in the output of risk analysis products”.

“Such undue representation could have negative impacts on individuals and groups through operational actions as well as the policy decision-making process,” the EU watchdog said.

The new investigation results from fieldwork occurred in late 2022 at the Frontex headquarters in Warsaw.

It is not the first time that the body has raised serious concerns about the data processing practices of an EU agency. In 2020, the supervisor initiated an investigation on Europol, the EU’s law enforcement agency, that resulted in the European Commission revising the agency’s mandate.

EU watchdog orders Europol to delete personal data unrelated to crimes

The European Data Protection Supervisor (EDPS) instructed the law enforcement agency Europol to delete the personal data of individuals who have no established link with criminal activity, concluding an inquiry started in April 2019.

Lack of protection

The report explains that Frontex uses as its “main source of personal data collection” interviews that it conducts jointly with the member state they are operating in. Interviews are carried out on an ad hoc basis with people intercepted while trying to cross a border “without authorisation”.

The EU agency collects information about their journey, the causes of the departure and any other information that can be relevant to the agency’s risk analysis.

Despite Frontex carrying out interviews without putting the name of individuals, the information the exchanges contain “would allow for the identification of the interviewee and thus constitutes personal data within the meaning of data protection law”, the report argued.

Among others, the EU agency collects personal data about individuals suspected to be involved in cross-border crimes, such as human smuggling, whose data are shared with Europol.

According to the report, the EU agency may not “systematically” collect information about cross-border crimes since it “must be strictly limited to” Europol, Eurojust, and the member states’ “identified needs”.

However, evidence shown by the EDPS indicates “that Frontex is automatically exchanging the debriefing reports with Europol without assessing the strict necessity of such exchange”.

Since the latter constitutes a breach of Frontex rules themselves, the authority said that it would open an investigation on the matter.

The authority also considers the arrangements that should be put in place when data are collected jointly between Frontex and member states to be “incomplete”.

According to the EDPS, there are “no arrangements between the joint controllers for the allocation of their respective data protection obligations regarding the processing of personal data of interviewees”.

“The audit report challenges the fundamental legality of risk analysis systems used against migrant people, and it highlights the serious harms that derive from their use,” Caterina Rodelli, EU Policy Analyst at the NGO Access Now told EURACTIV.

Rodelli sees the EDPS report as an “important step” to set a limit to Frontex’s “disproportionate power” and it comes in a pivotal moment of risk assessment of data collecting tools regarding migratory flows.

The authority sent Frontex 32 recommendations, of which 24 must to be implemented by the end of 2023.

Read more with EURACTIV

Has software industry missed the train on EU’s new liability rules?

Due to a glaring misconception or simple lack of capacity, the tech sector has overlooked, or largely underestimated, one of the EU’s legislative proposals that should define the liability regime for the decades to come and might open the door to mass claims.