The EU has been accused of contributing to the development of ‘surveillance’ capacities in third countries without considering fundamental rights and data protection; according to a complaint filed with the European Ombudsman by a coalition of privacy NGOs.
The dossier sent to the EU oversight body includes internal documents and communications relative to projects that provide training, technology and financing to law enforcement authorities in third countries, notably in Africa and the Western Balkans.
The NGOs regret that in all cases, the EU bodies and agencies failed to provide an impact assessment for the potential implications on human rights and privacy despite the grave consequences if the capacities provided were misused. They have labelled it a case of maladministration.
“EU bodies must equally ensure respect for human rights in their external relations, by, for example, assessing the risks that their actions pose to human rights. What our research suggests, however, is that these assessments are lacking when transferring surveillance capabilities outside the EU,” said Ioannis Kouvakas, legal officer and acting general counsel at Privacy International.
Training law enforcement
The complaint explicitly refers to the training provided by EU authorities to law enforcement agencies from third countries on gathering intelligence online, wiretapping techniques, and decrypting intercepted messages.
The European Union Agency for Law Enforcement Training (CEPOL) was singled out for showing Algerian police how to create fake accounts on social media and to use surveillance tools to gather intelligence.
Participants in a training session in Montenegro were taught how to use IMSI Catchers, which identify all mobile devices in a specific area, for instance, during a protest.
Morocco’s security forces received “telecommunication training” on how to track a specific device. The session also covered how to extract data from a seized mobile phone, including photos, messages, web history, GPS data, and deleted files.
A second training session also included information on how to access cloud-based data, which might result in breaking into entire apps such as Dropbox, Slack, Instagram, Facebook and Twitter, and end-to-end encrypted messaging apps that have backup enabled.
Morocco was one of the countries alleged to have used Pegasus spyware produced by Israeli security firm NSO, to hack the phone of high-level French politicians and journalists.
Another training saw Spanish police explain to Bosnian law enforcement how to track and wiretap internet users in the context of financial crime investigations, presenting spyware solutions, including the types sold by NSO.
An EU-funded training provided by Frontex, the EU border agency, to the Libyan coastguard explained how to secure evidence from electronic devices, as well as to acquire fingerprints also from “children and people with vulnerabilities.”
Biometric recognition systems
The complaint also singles out projects developed in the context EU Trust Fund for Africa targeted at managing migration flows.
Niger, a strategic hub for human traffic, was allocated €11.5 million for surveillance drones, cameras, and software. The funding was also used to develop a wiretapping centre and a device to intercept mobile phone traffic.
A recent Nigerian law against human trafficking, put in place with pressure from the EU, requires authorities to provide relevant information to a foreign country that requests the identification of a Nigerian citizen.
Senegal received €28 million to develop a biometric identity system to gather data about the population. Although a data protection assessment was conducted; the conclusions seem to contradict international privacy standards.
The study considers biometric data as not sensitive and calls for simplified procedures for its processing. It also asks for less strict oversight from the national data protection authority and a derogation to delete personal data. Also, in this case, the biometric data collected seems targeted at identifying Senegalese abroad.
Similarly, the rationale for establishing a biometric identification system in Côte d’Ivoire points to enabling the identification of Ivorian nationals in Europe and facilitating their repatriation.
“Tools coming from the EU are being used to wreak havoc across North Africa. It’s not a case of ‘out of sight, out of mind’ for the millions of people whose rights are in jeopardy,” stressed Marwa Fatafta, MENA policy manager at Access Now.
An additional border control project was carried out in Bosnia and Herzegovina, where authorities were provided with registration equipment, databases, fingerprint devices.
Considering the impact
In one of its replies, the EU Commission said that there “is no obligation or need for the Commission to carry out a data protection impact assessment for EU Trust Fund Projects.”
The NGOs dispute that argument, arguing that EU bodies need to ensure human rights law and principles are respected since they are equipping third countries with intrusive equipment and techniques that could enable mass surveillance.
The argument was echoed by German MEP Patrick Breyer. “The Commission showed itself to be completely ignorant when we asked them about impact assessment, which is not acceptable,” Breyer said.
“Without prior human rights impact assessments, such actions could pose serious threats,” stressed Manos Papadakis, co-founder of Homo Digitalis.
A Commission spokesperson was not readily available for comments.