Today, Access Now joins Privacy International, Sea-Watch, BVMN, Homo Digitalis, and International Federation for Human Rights (FIDH) in calling on the European Ombudsman, Emily O’Reilly, to open an inquiry into several EU institutions’ failure to promote and respect human rights when transferring surveillance tools to third non-EU countries.
“The European Union has a responsibility to not only uphold the rights of people within its borders, but it must work to safeguard the rights of at-risk people in the non-EU countries it works with,” said Estelle Massé, Senior Policy Analyst and Global Data Protection Lead at Access Now.
The complaint follows Privacy International’s investigation last year which revealed how the European Commission and EU institutions — including the European Border and Coastguard Agency (Frontex) and the European Union Agency for Law Enforcement Training (CEPOL) — provided funding and trainings to non-EU intelligence and security authorities in surveillance techniques, wiretapping tech and biometric ID systems as a part of migration control and surveillance programs.
Notably, North African countries are receiving a large share of these programmes and training. “State of the art technology” was allocated to Tunisia and Morocco to establish a screening system for agencies to collect data at border crossing points. In Morocco, security officials were taught how to extract data from mobile phones using Xry and Ufed — extraction software produced by MSAB and Israeli-based Cellebrite. While members of the Algerian National Gendarmerie were trained on how to use anonymous and fake profiles to gather intelligence.
“Tools coming from the EU are being used to wreak havoc across North Africa,” said Marwa Fatafta, MENA Campaigner at Access Now. “It’s not a case of ‘out of sight, out of mind’ for the millions of people whose rights are in jeopardy. We’re calling for accountability from the European Ombudsman.”
Through this complaint, the coalition calls on the European Ombudsman to:
- Open an inquiry into whether the lack of prior human rights impact assessments constitutes maladministration, and if so, refer the matter to the relevant EU institutions and bodies;
- Make recommendation(s) to the institutions concerned to ensure their compliance with EU law; and
- Keep the complainants informed of the progress and outcome of any inquiries carried out with regard to the present complaint.
This complaint and the prior investigation by Privacy International raise important data protection red flags, in particular regarding the sharing of personal data between third country authorities and EU institutions. To address these matters and complement the work of the European Ombudsman, a copy of the complaint was also sent to the European Data Protection Supervisor urging the authority to initiate an investigation in the form of data protection audits.