28 January 2022
In the wake of the so-called “refugee crisis” of 2015, EU governments took the opportunity to reinforce the powers and mandates of EU agencies concerned with immigration and border control. Expanded legal remits were accompanied by vast increases in expenditure. But where has that money gone and what has it been used for?
By Chris Jones, Ana Valdivia (Research Associate at SECURITY FLOWS) and Jane Kilpatrick. This blog draws on collaborative work conducted as part of SECURITY FLOWS project, which received funding from the European Research Council (ERC) (grant agreement No 819213).
Graphics (apart from network maps) by Ida Flik.
This article examines spending between 2014 and 2020 by two EU agencies that play a key role in the EU’s border security complex: eu-LISA (dealing with the maintenance and operation of large-scale IT systems and databases) and Frontex (dealing with border control, deportations and risk analysis). It shows a vast expansion in the ‘datafication’ of the EU’s borders, significant spending on the ongoing attempt to step up the number of deportations, and argues that although there is a degree of transparency over the expenditure of EU agencies, a significant layer of opacity remains in place.
Frontex was originally given the mind-bending title of ‘European Agency for the Management of Operational Cooperation at the External Borders of the European Union’, but is now formally known as the European Border and Coast Guard Agency. It was set up in 2004, and has since had its remit expanded on three occasions – in 2007, 2016 and 2019, with additional rules on surveillance of the EU’s external sea borders adopted in 2011.
Its counterpart agency eu-LISA (known formally as the European Agency for the Operational Management of Large-scale IT Systems in the area of Freedom, Security and Justice) was established in 2011, and a reinforced legal basis was adopted in 2018. This agency has become the digital hub of the Schengen area, implementing and managing the main centralised databases for migration control and security purposes.
Both agencies play a crucial role in the ongoing reinforcement of the EU’s borders, but they do not act alone. Their work relies on a hefty array of private contractors that develop technology for law enforcement and migration control, many of whom have actively courted, or been courted by, both agencies. 
Find the raw data here. Note: Smaller categories are grouped as "Other".
In the 2014-2020 period, the two agencies spent an eye-watering €1.9 billion on contracts with the private sector, although eu-LISA spent significantly more than Frontex – €1.5 billion compared to €434 million. Spending on private sector contracts shot up significantly from 2017 onwards, reflecting policy decisions made in the aftermath of the “refugee crisis” – for example, with the expansion of Frontex’s mandate on forced removal and border control operations, and the expansion and transformation of the databases managed by eu-LISA.
While the overall purpose of the expenditure by both agencies is to reinforce the EU’s border regime, the way in which they inject public funds into private purses and the specific aims of their spending differ, in accordance with their respective remits. The infographic below shows the contracts signed by the two agencies by size. Frontex has signed a greater number of contracts than eu-LISA, and their value is generally lower than those signed by the IT agency. The nature of eu-LISA’s work means that it has signed a relatively small number of contracts, although some of these commit huge quantities of public funds.
A number of Frontex’s high-value contracts concern aerial surveillance, on which it spent over €100 million between 2014 and 2020. This includes a €50 million contract with Airbus and Elbit for “aerial surveillance services by the means of Medium Altitude Long Endurance Remotely Piloted Aircraft System (MALE RPAS) for maritime purposes,” for possible deployment in Greece, Italy and Malta; and a €14.5 million contract extension with Diamond-Executive Aviation, CAE Aviation, EASP Air and Indra for “maritime area aerial surveillance.” The trend has continued in 2021, with €84 million – one-sixth of the agency’s annual budget – going to aerial surveillance services.
The largest of the contracts signed by eu-LISA in the period in question was a €300 million deal agreed in 2020 with Idemia and Sopra Steria for the implementation of a new Biometric Matching System (BMS).  The BMS is initially being built as part of the forthcoming Entry/Exit System (EES), which will provide a central biometric register of all external border crossings by almost all non-EU citizens. A separate contract for other work on the system, worth €140 million, was signed in 2018 with a consortium made up of Atos, IBM, and Leonardo (formerly Finmeccanica).
Atos is also involved in the operation and maintenance of the Visa Information System (VIS), along with Accenture and Morpho. The three companies are part of a consortium that agreed a €194 million contract with eu-LISA in 2016. Moreover, analysis of the data available shows that Sopra Steria and Idemia are commonly awarded contracts regardless of the database in question – they have deals in place for maintaining and developing EES, EURODAC, SIS II and VIS.
Find the raw data here
The purpose of these systems is to try to ensure the biometric registration of all non-EU nationals present in the EU or wishing to travel to it, whether they be asylum seekers, visa holders, or those subject to the new “travel authorisation” requirement. They are intended to provide for the digital administration and control of those individuals and the procedures to which they are subject – before they arrive in the EU (in the case of visas and travel authorisations), after they enter, and also after they leave (for example, by attaching biometric identifiers to entry bans, which are stored in another database, the SIS II). This process has been subject to heavy criticism in the decades since it was initiated, in particular on privacy and data protection grounds, and even more so in recent years as the EU has moved to interconnect much of the data in question through the interoperability plans. Nevertheless, it continues apace.
Some of the contracts signed by Frontex also seek to digitise procedures for the management and control of individual movement, primarily with regard to deportation proceedings. However, the majority of the spending is aimed at ensuring control over non-EU nationals in a different manner. The vast spending committed by the agency to different forms of surveillance – in particular, aerial surveillance – are based on a border control model that seeks to keep unwanted individuals away from the territory of the EU, even if they may have a legitimate claim to international protection and are simply unable to travel in any other way. This is perhaps most evident in the Central Mediterranean: here, the aerial and maritime surveillance “services” provided to Frontex by various private companies are used to acquire information on the location of boats in distress, so that the so-called Libyan Coast Guard can be contacted to drag them back to detention, torture and mistreatment in the country’s various internment centres.
Find the raw data here. Note: Groups of companies that were awarded a contract together are treated as their own company and those contracts are not counted towards the individual companies.
In the case of eu-LISA, fewer companies are involved in fewer contracts than is the case for Frontex, but the contracts tend to be of a larger size. Indeed, given the limited number of companies involved in the construction and maintenance of the EU’s digital infrastructure for home affairs, it may be considered a case of oligopoly: “A state of limited competition, in which a market is shared by a small number of producers or sellers.” The contracts are generally awarded to consortiums of huge transnational technology and consulting firms – for example, Idemia (2020 revenue: €2.2 billion) and Sopra Steria (2020 revenue: €4.3 billion).
This creates a form of techno-dependency or ‘vendor lock-in’: every time the database needs to be updated or extended in some way, it is highly like that the contract will be awarded to the same companies that developed the system in the past. Along with the Spanish company Atos, Idemia and Sopra Steria have repeatedly been awarded contracts for the maintenance of certain large-scale databases.
Interestingly, the UK Home Office’s recent ‘Digital, Data and Technology Strategy’ recognises this problem and proposes actions to counter it – although it essentially has similar policy goals in mind with regards to the biometric registration of foreign nationals and the interconnection of different data sources. This may be down to the UK’s disastrous history with large-scale government IT projects, which has not afflicted the EU on the same scale – even if delays and cost increases are not uncommon.
In the case of Frontex, the agency has signed a larger number of contracts for a more diverse set of purposes – although as noted above, its most significant expenditure is in the area of border surveillance and deportations. Three of the companies that provide aerial surveillance services – CAE Aviation, Diamond-Executive Aviation and EASP Air – are clearly popular, having won eight contracts in the 2014-20 period. Perhaps more controversial is the choice to acquire the services of Airbus and Elbit. The former is a multinational aerospace corporation that acquires a significant proportion of its income from ‘defence’ contracts; the latter provides some 85% of the drones used by the Israeli military, thus playing a key role in the maintenance of control over the Occupied Territories. The company’s drones have been used in a number of attacks that have led to civilian deaths.
The different ways in which these contracts are structured is also reflected geographically. Frontex’s companies are dispersed across the European territory (with some exceptions of military companies based in Israel, Canada and US). The subsidiaries of the companies awarded contracts by eu-LISA are primarily located in Belgium, France and Luxembourg.
Find the raw data here. Note: When contracts were awarded to a group of companies, the full amount is counted towards each of the companies. Exact addresses or coordinates were not always available, in which case the closest possible match was used (e.g. the town). Only companies with addresses provided are included on the map and for example, companies that form part of a consortium but where no address was provided, are left out.
Companies are connected in the network if they apply together as a consortium or in the same tender. The companies that won EU database contracts constitute the most significant cluster on the eu-LISA network (3M Belgium, Sopra Steria, Idemia, Atos, Gemalto Cogent, among others). Being awarded with the contract of the development and maintenance of an EU data infrastructure entails technical dependency every time the system needs to be updated or fixed. Therefore, these companies usually get more than one contract over the years in order to maintain the EU databases.
Interestingly, companies that were awarded contracts in the past are nowadays part of the same private family (Bull's parent is Atos, Gemalto Cogent has been acquired by Thales, and Morpho was transformed into Idemia). Moreover, they also cooperate between themselves: a joint venture launched by Atos and Thales seeks to “create the European champion in big data and artificial intelligence for defence and security,” while Idemia and Sopra Steria are working together to develop national and international border control systems.
The types of contracts Frontex offers are very diverse and this is also reflected in its network. Aviation companies are organised in two different clusters that represent two different type of contracts: for deportation flights (AS Aircontact, Air Partner International, Air Charter Service) and aerial surveillance (DEA Aviation, CAE Aviation, EASP Air BV). The cluster between Elbit Systems, Airbus DS Airbone and Advanced Technology Center represents one of the most valued contracts awarded for aerial and maritime surveillance. Frontex also awarded a contract worth €25 million for interpreting services to a cluster of 6 companies based in Italy, France and the UK.
With some technical knowledge and analytical skills, it is possible to see what contracts have been signed over the years, with whom and for what purpose. In this regard, the regime is relatively transparent: information on contracts is public (even if other details may be kept under lock and key); and the policies and legislation underpinning them are often (if not always) publicly available. On the other hand, without that knowledge and skill, the information in question is likely impossible to understand for the majority of people.
Furthermore, this is merely one level of transparency. The content of contracts themselves remains secret, and many contractors will use a further layer or layers of subcontractors; all of this activity is then wrapped up in secrecy and non-disclosure clauses that restrict individuals involved from talking about their work. It is also one thing to work out what a set of contracts is for, and another entirely to understand the policies they are seeking to implement, which may require specialised knowledge of particular policy goals and topics (for example, laws and plans on deportations, the ‘interoperability’ project, and so on). In this way, the transparency that exists merely leads to a further level of opacity, beyond which the public are not generally not permitted to see.
The most significant of the contracts signed by eu-LISA and Frontex relate to technologies of control –whether the construction of large-scale databases, or the acquisition of aerial surveillance ‘services’. Political responsibility for the introduction of these schemes largely lies with EU legislators, who have given their blessing to the establishment of a series of huge databases, and have extended the powers of Frontex so that it can acquire all manner of surveillance tools and equipment. The approval of that legislation took place, of course, in the space provided for by the EU’s substantial ‘democratic deficit’, which is marked in particular by secret negotiations both between governments (in the Council) and between the Council, Parliament and Commission (in “trilogues”).
The contracts examined in this report are far removed from this process. They represent the point at which legal texts (themselves a ‘translation’ of political demands) have been reduced to bureaucracy and technical jargon. This is clearly reflected in the publicly-available elements of the contracts themselves, which leave no room for considerations of rights, ethics and accountability, aside from requirements to get the job done on time and within budget. This issue is particularly striking in the requirements set out by Frontex for contracts for assistance with deportations, in which the individuals being deported are effectively reduced to a form of cargo, to be transported to the right place, at the right time, at the right cost.
When it comes to some of the advanced technologies increasingly being deployed by border control agencies, the forthcoming Artificial Intelligence (AI) Act may place some restrictions on their use – or, at the very least, introduce provisions requiring more transparency over when and how they are used. The proposal seeks to introduce more regulation of AI technologies in order to propel the development of an EU-wide market and industrial base; it does, nevertheless, provide an opportunity to see some of the more harmful uses of such technology banned or heavily restricted. However, strikingly, the EU’s large-scale databases are currently the subject of an exemption from any of the restrictive measures proposed in the AI Act (see Article 83). As a recent statement signed by 115 civil society organisations, including Statewatch, put it: “No reasonable justification for this exemption from the AIA’s rules is provided in the legislation or can be given”.
Ultimately, the scene is set for the EU’s ‘datafied’ borders to continue expanding for some time to come, despite a growing level of opposition to a border regime that seeks to deny entry to, deport and exclude a vast number of people who may have a valid claim to asylum or whose only ‘crime’ is seeking a better life. As this analysis has demonstrated, EU agencies are spending increasing sums to ‘protect’ and ‘secure’ EU’s borders, a process that relies heavily upon the services of private companies. Biometrics, drones, deportation flights and surveillance technologies will be used to further the key historical and political function of borders – to discriminate – at the same time as those technologies will become increasingly hidden from view. As this process continues, using digital methods and analytical skills to ‘follow the money’ and track both the outsourcing process and its effects will remain key to strategies of resistance.
 eu-LISA does this through ‘Industry Roundtables’, the most recent being on “technologies facilitating contactless or seamless travel in light of the ongoing global pandemic.” . Frontex, for its part, hosts ‘Industry Days’.
 The shared Biometric Matching System (sBMS) will initially be deployed for the Entry/Exit System (EES), but will also come to form the backbone of the EU’s ‘interoperability’ plans.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: c/o MDR, 88 Fleet Street, London EC4Y 1DH, UK. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.