A collection of documents from an investigation into Frontex's attempts to expand the collection and use of "operational personal data" in order to try to step up its role as a law enforcement agency.
For a number of years, Frontex has been keen to make use of powers it has been granted to process personal data in order to deal with "cross-border crime". Its plan was to build on an existing project called PeDRA: Personal Data for Risk Analysis.
In July this year, the journalists Luděk Stavinoha, Apostolis Fotiadis and Giacomo Zandonini revealed that:
"Frontex and the European Commission sidelined their own data protection watchdogs in pursuing a much-criticised expansion of “intrusive” data collection from migrants and refugees to feed into Europol’s vast criminal databases."
The documents published here were used in that investigation, and make it crystal clear how the management of the EU's most powerful agency sought to ignore the advice of its Data Protection Officer (DPO), echoing previous attempts to sideline the agency's Fundamental Rights Officer (FRO) in the scandal over pushbacks at the Greek-Turkish border and operations at the Hungarian-Serbian border.
While the agency was seeking to enable greater collection and use of personal data from various sources, it does already collects substantial amounts of data through "debriefing" interviews it conducts with people who arrived on EU territory.
Research by Cova Bachiller López and Fran Morenilla has shown that:
"...debriefing interviews have a clear aim: to identify the skipper and others involved in the ‘organization’ of irregular travel, which often simply entails those steering the boat, those in charge of the GPS or the petrol. To do that, officers conduct covert interrogations with one or two potential witnesses as well as the suspect that will be then referred to the national authorities. Interviews take place surrounded by utmost opacity: there is no paper trail, no records of Frontex referrals to national authorities, no privacy and no lawyer is present."
As for the implementing decision that Frontex has to adopt in order to make greater use of "operational personal data", it was adopted by the management board on 21 December 2021. However, following the publication of the investigation into the process of adoption, they were rescinded and are now being redrafted. The issues bear resemblance to those at Europol that recently revealed by Statewatch.
At the time of publication of these documents, renewed versions were yet to be adopted. Minutes of a Management Board meeting at the end of July (pdf) note:
"The MB was informed about the EDPS opinion on MB Decisions 68/2021 adopting the rules on processing personal data by the Agency and 69/2021 adopting the rules on processing operational personal data by the Agency. The MB urged the Agency to present the amened draft decisions to the MB as soon as possible."
List of preparatory activities, consultations and meetings by the management board of Frontex between June 2021 and December 2021 ahead of the adoption the new Frontex rules on Operational Personal Data (‘OPD’), meant to be done by the end of 2021.
Documents with the first and second round of comments on the draft decisions on processing operational personal data.
Text of the Management Board Decision 68/2021 of 21 December 2021 adopting the rules on processing personal data by the agency.
Text of the Management Board Decision 69/2021 of 21 December 2021 adopting the rules on processing operational personal data by the agency.
Management Board Decision 69/2021 of 21 December 2021 adopting the rules on processing operational personal data by the agency.
An invitation for members of the Frontex Management Board to approve rules on "processing operational personal data". The intention is to allow "the full operationalisation of Article 90 of the Regulation." The document includes comments on the draft Management Board Decision from the European Commission and three member states: Denmark, Estonia and the Netherlands.
The minutes reflect the discussion on the implementing rules on processing of operational personal data (MB Decision 69/2021) and non-operational personal data (MB Decision 68/2021). The DPO warns of risks to fundamental rights and urges EDPS consultation. The Commission deems draft “more than mature for adoption” and considers the EDPS consultation as “not mandatory”.
In this exchange the Commission initially advises to consider consultation of the European Data Protection Supervisor (EDPS). Yet, a few days later, the Commission prioritises adoption by writing “while it would have been good to consult the EDPS on everything, it is more important now to get at least the two first decisions adopted”.
Opinions of the Data Protection Officer on Frontex's proposed draft rules on OPD. The DPO was evidently not happy with the drafts.
Minutes from the second workshop. Only the key points from the presentation by Legal and Procurement unit was not redacted (LPU). LPU stressed the “importance and urgency to finalise these rules” related to the processing of operational personal data.
DPO’s note on the legal provisions governing data subject rights and draft provisions related to procedural aspects of data subject requests.
In the email, the Commission states that “it is an absolute political priority to put in place the data protection framework of the Agency without any further delays."
Four presentations given at Frontex's Operational Personal Data Workshop, on the "practical implementation of processing OPD", an overview of the new rules, a contribution from Frontex's Law Enforcement Sector and Coast Guard Sector, and the potential for air and maritime surveillance activities.
Minutes from the first Operational Personal Data Workshop dedicated to discuss Frontex’s processing of "operational personal data" in light of the ongoing drafting of Management Board Decision 69/2021. The meeting was attended by experts from the member states, Commission representatives and Frontex staff members.
Frontex's minutes from the meeting between Frontex and EDPS on 7 December 2018 where the expansion of PeDRA was discussed.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.
Statewatch does not have a corporate view, nor does it seek to create one, the views expressed are those of the author. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement. Registered UK charity number: 1154784. Registered UK company number: 08480724. Registered company name: The Libertarian Research & Education Trust. Registered office: MayDay Rooms, 88 Fleet Street, London EC4Y 1DH. © Statewatch ISSN 1756-851X. Personal usage as private individuals "fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions of that licence and to local copyright law.