Here’s how a well-connected security company is quietly building mass biometric databases in West Africa with EU aid funds
Documents disclosed to Privacy International reveal how the European Union has been using aid funds to finance the development of biometric identity systems in countries in Africa as part of its response to migration, and highlight urgent concerns.
- The EU is using aid funds to build mass-scale and high-risk biometric identification systems to manage migration flows to Europe and to facilitate deportations;
- Civipol, a well-connected French company owned partially by some of the largest armed companies in the world, has won lucrative contracts as a result;
- A data protection study that has been undertaken diverges from international standards, while there have been no privacy or human rights risk assessments.
The “EU Trust Fund for Stability and Addressing Root Causes of Irregular Migration and Displaced Persons in Africa” (EUTF for Africa) isn’t exactly headline news (and nor does it exactly roll off the tongue), but its influence is vast and will be felt for decades to come for millions of people across Africa.
Set up in the wake of the 2015 ‘migration crisis’ in Europe and largely made up of money earmarked for development aid (80% of its budget comes from development and humanitarian aid funds), EUTF for Africa commits billions of euros to tackle and “manage” migration to Europe from African countries.
As well as equipping and training security agencies in surveillance, the Fund is being used to bankroll the development of mass-scale biometric identity systems across the African continent and is awarding lucrative contracts to well-connected European security companies in the process.
While such systems can have positive effects on human rights – facilitating the right to a legal identity being the most obvious example – they also pose serious threats to human rights, and divert money which could be used for things like schools or hospitals.
Below, using disclosures released to Privacy International by the Trust Fund under access to documents laws, we provide an analysis of these biometric systems, using Senegal as a case study.
They not only show a failure to adequately mitigate the huge risks posed by the systems, they also reveal how such systems will ultimately be used to facilitate deportations from the Union.
As a result, Privacy International together with other civil society is today calling on the Commission to enact urgent reforms to stop the facilitation of surveillance and diversion of aid money.
What are biometric identity systems?
Biometric identity systems collect (in addition to other personal information such as names, dates of birth, addresses) physical characteristics, such as fingerprints, face data, and/or iris scans and transform relatively fixed and unchangeable physical features into machine-readable identifiers for future use.
Essentially, identity systems provide for some kind of a centralised government identity scheme that links an individual’s identity to a card or number, and in this case also biometric data. This identity will then be used within the system for the provision of public benefits and participation in public life.
Such centralised biometric systems can facilitate social and economic exclusion and discrimination and carry huge implications, including for the rights to privacy and data protection. Because of this, authorities must:
- ensure that any such system is justified by taking into account the principles of legality, necessity and proportionality;
- prove the biometric authentication’s effectiveness and necessity;
- develop safeguards to protect rights and mitigate the risks of function creep and data sharing;
- address concerns regarding their impact on other rights, namely liberty, dignity, and equality.
Who is profiting building those databases? Meet Civipol
Civipol (or Civi.Pol Conseil) is heavily involved in the development of these biometric identity systems. In Senegal, it is the agency which conducted the entire diagnostic evaluation and management plan formulation process, and will now also be involved in implementing it together with the Belgian development agency, ENABEL. In Côte d’Ivoire, it will also be implementing the project by providing technical assistance.
Civipol and EU projects
Over the years, Civipol has been involved in various EU border management projects including organising the formation of a border guards. It wrote “an influential consultancy paper” called “Feasibility study on the control of the European Union’s maritime borders” for the European Commission, that has gone on to provide the foundations for the EU’s current policies on border externalisation.
In December 2016, before expanding to full biometric identity systems, Civipol was already involved in setting-up and deploying fingerprint databases in Mali and Senegal. It is also one of the executive partners of a project called ‘Better Migration Management’ implemented in the Horn of Africa.
Background on Civipol
Civipol was founded in 2001. It is a public limited company (societe Anonyme) that is 40% owned by the French state. It is further part-owned by large arms producers, including Thales, Airbus DS, and Safran.
The company positions itself as the technical cooperation operator of the French Ministry of the Interior. It doesn’t sell equipment, but offers audit, project management, training and consulting in France and abroad.
The company’s connections to the French state run deep. Prefect Jounot Yann, a former National Intelligence Coordinator, is chairman and chief executive of Civipol since June 2017. He is also the president of the Milipol trade show.
Civipol was formerly run by Pierre de Bousquet de Florian, who was appointed chief of Staff for Interior Minister Gérald Darmanin and served as national intelligence coordinator before that. Alexis Kohler, Chief of Staff of Emmanuel Macron, also had a seat at their board.
Civipol is the main shareholder (owns 40%) in the MILIPOL Economic Interest Grouping (EIG), which organises large Milipol security fairs in Paris, Singapore and Doha, regularly featuring surveillance companies such as Syneris, Ercom and NSO group
Civipol/EU Project in Senegal
Documents disclosed by the EUTF to Privacy International detailing the development of the €28 million biometric identity system in Senegal raise various concerns.
The declared aim of the project is to respect individuals’ rights by facilitating the recognition of their identity through a biometric identity system. However, there is little reflection on why a biometric identification system is needed. While such systems can indeed help people access their right to a legal identity – which is an important Sustainable Development Goal – this is often used to justify the development of data-intensive mass-surveillance systems, when a simple non-biometric and non-centralised system of identity management would suffice.
Instead, the aspiration of EU authorities is that they will be able to access these identification systems in the future to accelerate the deportation process from the European continent. In Côte d’Ivoire, the €30m biometric identity system project description explicitly states that it is to be used to assist in the identification of Ivorians irregularly residing in Europe and to organise their return more easily.
Once an asylum seeker or other person on the move dares to cross the European border, or is identified by immigration enforcement agencies in Europe, authorities will be collecting their biometric data, compare them with data in the African systems and in their ideal fast track the return of the person to that country.
Documents relating to one of the projects repeatedly underline the need to ensure that any biometric collection will take into account the data of the Senegalese living abroad.
What data will they process?
The documents suggest conducting a massive census operation to collect all kinds of data from the population, including biometric data. They further suggest merging in the new system data collected from other databases, including the current national ID system and the passport system. However, the documents do not specify exactly what biometric data they intend to collect.
A partial answer might be found in the document, but they decided not to disclose this information
Who will have access?
The documents clearly indicate the desire to ensure that the data will be accessed by a wide range of at least national actors as possible, but there appears to be no reflection on how to minimise access depending on what each actor would need to have access to. (Doc 7.2. pg 58-59)
Ensuring the interoperability of datasets/database is a recurring priority, but again with little consideration on how to ensure that there are barriers to what this database could be connected to or to which administration it could be connected to. (Doc 3.3 p 7; Doc 3.4, Doc 7.7)
The only safeguard suggested is that any decision to connect databases will be subject to authorisation by the national data protection authority. (Doc 7.7)
What will be the applicable legal framework?
While a data protection study (Doc 7.7) was conducted in order to guarantee the effectiveness of the central register of civil status, (Doc 3.3. p 7) and ensure that that it complies with international data protection standards (Doc 3.3. p 7), it contains several suggestions that diverge from international data protection standards.
The study, limited to an examination of the applicable legal frameworks in Senegal and recommendations regarding legal reforms, briefly lists the international documents that are relevant for the assessment and primarily focuses on the national data protection law.
While the first recommendation rightly suggests that they data processed should not be excluded from the data protection framework, the second recommendation asks for the definition of data under civil law to clearly state that this data is personal data. There is no consideration in the study that biometric data is sensitive data and as such require additional and enhanced protections. The current data protection law does not provide for enhanced protections for biometric data.
This is important because of the fact that the use of biometric data is uniquely problematic given that it represents a part of a person’s body, and as in the case of fingerprints and iris scans, raises concerns of sensitivity and control of one’s own body.
Despite this, the current national legal framework contains only one reference to biometric data, requiring that any processing of biometric data and other data is subject to authorisation by the national data protection authority (Art 20, Law 2008-12).
Instead of promoting stronger protections however, on the contrary, the study asks for the procedures and formalities regarding the obligations of those responsible for processing personal data to be simplified (Doc 7.7).
Finally, the study asks for the definition of processing of data to exclude the deletion of personal data, contrary to international standards on data protection as well as Senegal’s national law (Art 4, Law 2008-12). It is not clear why such an exception from international and national standards of data protection is sought.
What about the data protection and privacy impact assessments or human rights risk assessments?
Beyond the data protection study, the only other study that pertains to an impact assessment is a separate informatic and security study which confines itself to some general information of possible technical options for securing the information (Doc. 7.6).
No privacy or data protection impact assessments appear to have been conducted, which would have allowed to identification and management of data protection and privacy risks arising from the project. Similarly, a human rights risk assessment would have identified potential risks for human rights, but from the documents we received there is nothing indicating that such studies were even considered let alone conducted.
The biometric technology underlying identity systems is fallible and not always accurate, leading to authentication failures which can have profoundly negative impacts on individuals enrolled in identity systems, and particularly affect the most vulnerable populations. An impact assessment would also have taken into account the frequency of biometric authentication failure.
While these biometric identity systems are financed by the EU Trust Fund, a set of other EU bodies and instruments also support similar initiatives. These include the Instrument contributing to Stability and Peace, a multi-billion euro fund used to provide security assistance to countries around the world , the Instrument of Pre-accession Assistance, used to provide support to potential future EU member countries, and the European Neighbourhood Instrument, used to provide assistance to other neighbouring countries.
As the EU finalises its next budget which will set its priorities for 2021 to 2027, many of these different instruments will be centralised into one main one, called the Neighbourhood, Development and International Cooperation Instrument.
Privacy International and partner NGOs are calling on the European Commission to work with the Parliament and member states to take the opportunity presented by centralising these disparate instruments and address the inherent dangers posed by these training regimes.
In particular, we are calling on the Commission to improving due diligence and risk assessments, increase transparency and parliamentary scrutiny and public oversight, and to instead focus resources on supporting the capacity of judicial, security, and regulatory institutions to protect rights before proceeding with allocating resources and technologies which, in absent of proper oversight, will likely result in fundamental rights abuses.
More details can be found here.