By BROOKS TIGNER
BRUSSELS – Eurosur, the EU’s future border surveillance system, is moving too fast with too little attention paid to its technical feasibility, potential cost and especially its use of drones and their implications for the EU’s privacy and data protection rules, says a new study by Germany’s Heinrich Böll Foundation. Eurosur’s planned exploitation of drones and high-resolution cameras “means that much more personal data is likely to be collected and processed than is being claimed,” it asserts.
Led by Frontex, the EU’s border management agency in Warsaw, Eurosur will fuse maritime and other border-related operational data from many national and EU authorities and sensor platforms into a common picture. This will be made available to participants on a need-to-know basis.
Commissioned by members of the Green/European Free Alliance political coalition of the European Parliament (EP), the 84-page study – “Borderline: The EU’s New Border Surveillance Initiatives” – focuses on Eurosur and the European Commission’s so-called “smart border” package. The latter, due for unveiling in the second half of 2012, will contain proposals for an automated biometrics-based entry/exit system and a “registered traveller” programme for trusted visitors entering the EU.
The bulk of Borderline, however, lingers on Eurosur and what it sees as the concept’s faults and weaknesses. Given that few, if any, reports have levelled much criticism against Eurosur so far, SECURITY EUROPE offers its readers the below summary of the study’s major technical accusations:
* Design by stealth. Whereas proposals creating Frontex and Europol (the EU’s police agency) were reviewed by the EP, national parliaments and civil society groups, Borderline says the European Commission has used a “technocratic process” to develop and finance Eurosur “well in advance of legislation now on the table”. This will lead to a fait accomplit whereby Eurosur will be up and running in 2013 at the same time that the EP comes under pressure to pass the system’s legislation, whose draft regulation was unveiled only in December 2011.
* Data-processing by default. Borderline argues that Eurosur pays “minimal attention” to privacy and data protection issues. Though Frontex can process personal data collected by the member states and use it for risk analysis, the data is supposed to be anonymised. However, the study points out that Frontex’s future use of drones – especially over third-country ports and coasts – plus the capture of vessel-identification data by satellite could generate streams of personal data, whose reconciliation with the EU’s data protection laws “is unclear”.
* Implicit function-creep. Because the draft regulation would give access to Eurosur’s fused-picture data to a wide diversity of EU agencies and international organisations, the study asserts that “function creep” will be built into Eurosur “from the outset”. Moreover, Eurosur will be subsumed into CISE – the EU’s forthcoming common information sharing environment – where there are “substantial data protection concerns” due to the breadth of CISE’s user community, according to Borderline. CISE will embrace a huge range of stakeholders across Europe, from EU institutions to national law enforcement agencies to foreign affairs ministries.
* Cost illusions. Eurosur’s sheer scope “is a potential recipe for technical failures and cost overruns”, argues the study. It lambastes a 2010 technical study done by industry for Frontex on the system’s estimated cost to the member states – an exercise partly based on a questionnaire circulated to national capitals. Borderline notes that at least a quarter of the capitals failed to respond, while data received from the others was erratic in its completeness and comparability. It says the Commission “should have acknowledged that the margin of error of such an approach renders its estimates as purely speculative”.
Moreover, it posits that the EP will have the near-impossible task of asserting budgetary authority over Eurosur or tracking its real costs since the Commission and the member states can dip into so many scattered pots of money across the EU’s general budget. In a word: buyer beware.
Borderline study: http://www.statewatch.org/news/2012/jun/borderline.pdf
Borderline’s warnings about the cost illusions, for example, or the risks linked to Eurosur’s possible “data processing by default” are spot on. The idea of data-capture by drones is already causing a major stir on the other side of the Atlantic where the US public is increasingly opposed to their use for domestic surveillance duties. Civil groups here in Europe are bound to latch onto the same fears as Eurosur comes on line. Indeed, the legal, administrative and civil liberty aspects of drones have not been sufficiently studied in Europe and are a topic ripe for exploration early on in the EU’s next Security Research programme.
The study’s complaints about Eurosur’s cost ring true, too: the EU has a poor cost-control record for large data-base oriented systems, which Eurosur will be. The Commission’s cost estimate of EUR 338.7 million for a “partly centralised” Eurosur system should be taken with a very large grain of salt, in our view.
However, the study’s two other accusations of design-by-stealth and function creep rest on thin ice.
Borderline berates the Commission, Frontex and other stakeholders for the large technical effort and money spent in years prior to Eurosur’s legislative unveiling in December 2011. Yet it would have been foolish for the Commission to do the reverse. No government entity would formally propose a project of Eurosur’s scope and complexity without doing as much prior technical and administrative homework as possible.
As for function creep, Borderline’s analysis is off base and, in places, simply inaccurate. For example, its assertion that the Commission’s draft Eurosur regulation “does not include a single reference to the CISE system” is flat wrong: CISE is cited at least four times in the document.
Both Eurosur and CISE will link a huge diversity of public sector stakeholders into a nexus where expanding exchanges of border and security-related data are, precisely, the whole point. As long as this takes place alongside strict data-protection and need-to-know rules, the “creep” is intentional and should be benevolent…even if the ultimate budgetary price-tag probably will not be.