Europe employs technologies in pursuit of terrorism: Do human rights constitute a hindrance?

1

Amsterdam Law School-University of Amsterdam

July 2020

Europe employs technologies in pursuit of terrorism:

Do human rights constitute a hindrance?

Thesis Author: Panagiota Lypimenou

Student No: 12836664

2

Abstract

This Thesis attempts to answer the debatable question of how European existing and new counter-terrorism strategies applying technology and aiming at halting the movement of persons clash with fundamental human rights. The research mainly uses an evaluative approach, yet in the body of the Thesis the different research methods are closely related and are used to a lesser extent so as to formulate the problem statement. For the purpose of the research, three technologies are explicitly evaluated with respect to their function and their interference with human rights. Except for the respect for human rights when using technologies into the fight against terrorism, the Thesis gauges the risks these developments may cause concerning their enjoyment. Parallel to that, it examines the compatibility of counter-terrorism policies using technologies in European borders with international legislation while focusing principally on the right to privacy and data protection which links the three technologies evaluated. Finally, the Thesis shows that the technologies analyzed should be deemed to limit the enjoyment of fundamental human rights in such a way that the proportionality and necessity principle is circumvented.

3

Table of Contents

Introduction……….4

Legal Framework………6

Age assessment of minor asylum seekers………..7

The characteristics of the age assessment procedure………...7

The legal analysis regarding the technology employed in age determination process………9

The age assessment procedure as a strategy in the war against terror……...12

iBorderCtrl………...15

The operational characteristics of iBorderCtrl………...15

The implementation of iBorderCtrl at the EU Member States’ Borders……16

The legal analysis of the technology………..18

Final thoughts on iBorderCtrl……….22

goTravel……….23

The operational characteristics of goTravel………23

The legal analysis of the technology………...24

Final thoughts on goTravel……….29

Legal Analysis………30

The implementation of the proportionality and necessity principle…………30

The right to privacy and data protection………..32

The proportionality and necessity principle in practice………...34

Conclusion………..37

4

Introduction

It is well known that society has evolved spectacularly by virtue of technology. Developments in technology have contributed, inter alia, to the elimination of global poverty, the flourishing of the international trade and the respect and enjoyment of human rights. In fact, there are few areas of human existence in which humankind does not use technology to reach objectives. Thus, it comes as no surprise that technologies are nowadays also broadly used for security reasons, and more specifically, for combatting terrorism.

Terrorism has been a major societal problem in Europe for decades and it has appeared in several patterns. Nonetheless, according to Europol’s “Terrorism Situation and Trend Report of 2019” the main concern of Member States is jihadist terrorism and the closely related phenomenon of foreign terrorist fighters who travel to and from conflict zones. It is stated in this Report that in 2018 13 people lost their lives in jihadist terrorist attacks of a lone-wolf nature.1

The appropriation of smuggling routes by terrorist fighters is a thorn in Europe’s side. Pursuant to Europol’s Report of 2019 it has been proven that terrorists take advantage of the migrant flow in order to reach Europe’s mainland and proceed with the attacks. Ergo, the need for the implementation of technology in the battle against terrorism has increased. The use of technologies for counter-terrorism purposes aims towards either i) the financial regulation which purveys the organization and facilitation of terrorist attacks from the perspective of materiality or ii) the movement of people that are suspected to be the actual perpetrators of spreading hatred across borders.

This Thesis will focus on this second aspect, the interception of suspected terrorists’ movement. More explicitly, it will expand on how European existing and new counter-terrorism measures utilizing technology and aiming at halting the movement of persons clash with fundamental human rights. Chapter 1 will introduce the legal framework of the research. In view of the fact that the flow of migrants and refugees is deemed to favor the influx of terrorist fighters in Europe, Chapter 2 will expound on border technologies employed on migrants and asylum seekers, more precisely on age

5 assessment of young asylum seekers. At the end of the Chapter the research will prove that age determination in combination with the mandatory fingerprinting procedure goes beyond the scope of protecting the child’s best interests and thus it can be considered to serve terrorism prevention. Chapter 3 will introduce iBorderCtrl, a technology financed by the European Union (EU) which is considered able to cease terrorists’ mobility by detecting not only traveling routes of third country nationals towards the EU but also the incentive behind their travel.

Given that certain terrorist attacks have taken place in European Member States and have been committed by European citizens, for instance, the Paris Attacks of November 2015, travelling within Member States should be equally controlled. Hence, Chapter 4 will focus on goTravel, a software solution, employed in air transportation, adopted by the UN and integrated in the fight against terror.

Finally, the implementation of technologies comes with the risk of limiting certain human rights and the EU has urged Member States through pertinent Directives, Regulations and Conventions to adopt protective legislation that ensures the compliance with the proportionality principle when restricting the enjoyment of human rights. Therefore, Chapter 5 will deal with the clash between individual human rights and the collective rights of public security as well as the protection of public order. More precisely, it will present the level of the compatibility of counter-terrorism policies using technologies in European borders with international legislation and will demonstrate the misuse of the proportionality and necessity principle focusing mainly on the right to privacy and data protection, which is the interface between the technologies, while referring to certain practices of mass surveillance originating from this misuse.

6

Chapter 1

Legal Framework

The European Court of Human Rights (ECtHR) has set definite principles regarding the protection of human rights both collective and individual. A deep insight into the ECtHR case law, however, shows that the Court has strived to realize “a pressing social need” or a “democratic need” owed to the public, particularly the protection of public order. In order to achieve public safety however, individual human rights are sacrificed for the “common good”2_.

The research indicates the implementation of the proportionality and necessity principle in a number of cases of national, European and International legal instruments which serve as a legal basis for existing and future Court cases dealing with the clash between the rights of public order and security and individual human rights including the right to human dignity, non-discrimination, health and the right to privacy and data protection. The latter has a leading role regarding the legal analysis of the Thesis considering that the utilization of each technology mentioned interferences with it and raises issues of mass surveillance in the digital age.

While the EU has taken various measures to ensure the protection of the right to privacy and data protection, by adopting for instance the General Data Protection Regulation (GDPR), the Directive 95/46/EC on the protection of personal data and the Convention 108-which is open for accession even by non-Council of Europe Member States- in the international arena the right to privacy is the only one secured under Art. 17 International Covenant on Civil and Political Rights (ICCPR) and Art. 12 Universal Declaration of Human Rights (UDHR). As the International Network of Civil Liberties Organisations addressed “the Human Rights Committee(HRC) is the only relevant U.N. human rights body, to date, not to have taken steps to address digital privacy rights and state obligations to protect them in a systematic and comprehensive manner”.3

2 _{For further research see Hussain, Waheed, "The Common Good", The Stanford Encyclopedia of}

Philosophy, Spring 26 February 2018 Edition, Edward N. Zalta (ed.)

3 _{INCLO, The right to privacy in the digital age, Human Rights Council adopted resolution 34/7, Office}

7

Chapter 2

Age assessment of minor asylum seekers

The present chapter addresses the issue of the intrusiveness of the age determination procedure. It firstly demonstrates the process of the age assessment and then it examines the protective legal framework for young asylum seekers. During the legal analysis it becomes clear that while few advantages originate from this procedure, the “harm” caused by it, is immense. Finally, the chapter elucidates the inclusion of the age determination procedure in the counter-terrorism measures.

The characteristics of the age assessment procedure

One of the most significant procedures taking place in identifying stateless persons or third country nationals is the age assessment procedure of young asylum seekers given that most of them lack official documents proving their identity when they reach the EU Member States. Its importance originates from International, European as well as national policies which grant a greater protection in line with Art.2(h) of Council Directive 2011/95/EU and support to those underage seekers of a better life.4 Within the EU which establishes the right to asylum in Art. 18 Charter of Fundamental Rights of the European Union (CFR), Members States are obliged to act in the best interests of the child pursuant to the Dublin Regulation 604/2013, the European Parliament resolution of 16 January 2008: Towards an EU strategy on the rights of the child [2007/2093(INI)], the Reception Directive 2013/33, the CFR as well as the UN Convention on the Rights of the Child (CRC) ratified by all EU States. The benefits granted include, inter alia, exemptions from detention5, access to the education system6, provision of a representative for unaccompanied minors7 and family unity where possible8.

4 _{CJEU, The Queen on the application of MA, BT, DA v Secretary of State for the Home Department,}

2013, Case C-648/11 3 CMLR 49 (on the benefits of unaccompanied children).

5 _{Art. 11(2,3) EU Reception Directive 2013/33.} 6 _{Art. 14(1) EU Reception Directive 2013/33.}

7 _{Art. 6(2) Dublin Regulation 604/2013, Art. 24(1) EU Reception Directive 2013/33.} 8 _{Art. 8 and 11 Dublin Regulation 604/2013.}

8 In 2019 almost 14.000 unaccompanied minors applied for international protection according to Eurostat’s Newsrelease 71/2020 of 28th April 20209 _{many of whom} underwent medical tests employing technologies in order to get their age determined. Apart from interviews, medical observations and psychological tests, certain countries10 use radiographs of skeleton and/or teeth11, whereas others have prohibited the most intrusive methods of age assessment12 under Art. 25 (5) of the Asylum Procedures Directive. One would possibly wonder why EU members, which act under the same legislation, approach different methods when they adopt national policies on the matter. The reasons behind this phenomenon are multifarious given that there is no unanimity with regard to key factors of the procedure encompassing the quality of the professionals training; the rate of intrusiveness and the potential trauma or psychological effects on those subject to the tests; the legitimacy of the breach of fundamental human rights; the inadequate test results and the margin of error; the forcibility of the examination.

Concerning the latter it is noteworthy that pursuant to Art. 25 (5)(b) of the Directive unaccompanied minors and/or their representatives’ consent to the medical examination is required.13 _{Hence, the unaccompanied minor and/or their representative} may object to the medical test without further consequences on the asylum application procedure. Nonetheless, according to Eurodac’s second inspection report14 _such objection may have a negative impact on the application and thus in actuality the subjects to the test will be left with no choice, if they do not wish to diminish the chances of asylum.

9_{For further research see Eurostat Newsrelease 71/2020 of 28}th _{April 2020 or visit} https://ec.europa.eu/eurostat.

10 _{‘In Norway, a new method for reading stage results of X-ray images of hands and wisdom teeth has}

been developed by the Forensic Department at Oslo University Hospital. It consists of a statistic model combining data from two radiological methods: Demirjian’s staging of the third molar and Greulich and Pyle’s atlas of the hand and wrist’, EASO, Practical Guide on age assessment, 2nd ed., 2018, p.36.

11 _{Anders Hjern et al., Age assessment of young asylum seekers, Acta Paediatrica, Vol. 101, Issue 1, 27}

September 2011.

12 _{‘In France, according to the law of 14 March 2016 on the protection of the child, the use of X-rays is}

now restricted and the sexual maturity observation is explicitly prohibited as a method to assess the age of persons declaring to be under 18’, EASO, Practical Guide on age assessment, 2nd ed., 2018, p.34.

13 _{For the type of consent required in each State See FRA report on Age assessment and fingerprinting}

of children in asylum procedures, 2018.

14 _{Eurodac, Supervision coordination group second inspection report. Brussels: Secretariat of the Eurodac}

9 According to European Asylum Support Office (EASO) 23 out of 28 EU Member States, use at least one form of radiological method including commonly carpal or collar bone X-ray and dental examination.15 Other procedures encompass psychological tests, sexual maturation observation and physical appearance/demeanor.

The legal analysis regarding the technology employed in age determination process

What seems problematic in the case of age assessment is the legitimacy of breaching certain human rights for an outcome that not only is often inaccurate but also could be brought up with an alternative, non-invasive procedure. Regarding the accuracy of the test results in R (B) v London Borough of Merton case the judge held that: “Age determination is an inexact science and the margin of error can sometimes be as much as 5 years either side and came to the conclusion that “it is not possible to actually predict the age of an individual from any anthropometric measure, and this should not be attempted”.16 In a similar vein, in BF (Eritrea) v Secretary of State for the Home Department and the Equality and Human Rights Commission case the judge concluded that the guidance on age assessment were not sufficiently precise giving rise to the risk that children would be wrongly deemed adults and treated as such in the asylum system and considered unlawful the criterion of determining somebody overage if “their physical appearance/demeanour very strongly suggests that they are significantly over 18 years of age”.17 As a consequence a new interim guidance was introduced in the UK stating that one “must treat the claimant as an adult if their physical appearance and demeanour very strongly suggests that they are 25 years of age or over”.18

In addition to the case law certain medical experts have found that age determination can lead to wrong assumptions. According to Prof. Gregor Noll’s point of view

15 _{EASO, ‘Age Assessment Practice in Europe’ Report, 2013, p. 88–89.}

16 _{UK High Court, R (on the application of B) v. London Borough of Merton, Case No: CO/881/2003,}

14 July 2003, para 22.

17 _{UK Court of Appeal, BF (Eritrea) VS Secretary of State for the Home Department and the Equality}

and Human Rights Commission, Case No: C2/2017/2550, 23 May 2019, para 106.

10 supported by relevant studies19 _{“radiological age assessment lacks a sufficiently} scientific basis for the dominant nationalities of unaccompanied adolescents arriving in Europe” and as a result variations engendered by the ethnicity and the socio-economic status20 as well as the lack of corresponding standards culminate in “treating unlike cases alike”.21 Along the same lines, Prof. Anders Hjern and others observe that “even if we discard the unknown socioeconomic, ethnic and secular variation in skeletal and dental age, allowing for two standard deviations, including 95% of the population, would give a span of between 2 and 4 years with skeletal and dental age assessment, respectively” and reckon that “neither skeletal nor dental age assessment can establish chronological age with sufficient accuracy to be of any real value in age assessment of young asylum seekers”.22

Furthermore, age determination procedure remains a contentious issue as it has a major impact on the enjoyment of human rights. Even though the Procedure Directive 2013/32 offers definite guarantees, for instance, the prior notification of the minor before any medical examination23, the question over the permissibility of rights’ limitations still stands. Human dignity constitutes one of the fundamental rights that age assessment interferes with. In order to show the impact of the latter on the former, we need to analyze the clash between the protection of human dignity as enshrined in Art. 1 CFR and the legitimate aim of the age assessment procedure. While focusing on specific categories of rights affected by the use of technologies the same procedure will be followed in this research so as to determine a potential breach of the right to health, the right to privacy and data protection and the right to non-discrimination.

19 _{M. Pechnikova and others, ‘The “Blind Age Assessment”: Applicability of Greulich and Pyle,}

Demirjian and Mincer Aging Methods to a Population of Unknown Ethnic Origin’, La Radiologia

Medica, 2011, p.1105,

M Mansourvar and others, ‘The Applicability of Greulich and Pyle Atlas to Assess Skeletal Age for Four

Ethnic Groups’ Journal of Forensic and Legal Medicine, 2014, p.26.

20 _{PK Trickett and others, ‘Child Maltreatment and Adolescent Development’, Journal of Research on}

Adolescence, 2011, p.3, 12,

P Pervanidou and G Chrousos, ‘Metabolic Consequences of Stress during Childhood and Adolescence’, Metabolism Clinical and Experimental, 2012, p.617.

21 _{Gregor Noll, Junk Science? Four Arguments against the Radiological Age Assessment of}

Unaccompanied Minors Seeking Asylum, International Journal of Refugee Law, 2016, Vol. 28, No. 2, p.

238,250.

22 _{Anders Hjern et al., Age assessment of young asylum seekers, Acta Paediatrica, Vol. 101, Issue 1, 27}

September 2011.

11 The right to health is protected both in a European24 and an international level25. Consequently, EU Member States are bound to ensure the enjoyment of everyone’s right to physical and mental health irregardless of any genuine nationality link since human rights are universal and inalienable, indivisible, interdependent and interrelated26 and hence have no borders. The full realization of the right to health of minor asylum seekers, however, clashes with the utilization of bone testing technologies. In other words, how legitimate is the application of X-rays for legal purposes when the therapeutic benefit is absent?

Article 3 of the European Council Directive 97/43/Euratom states that when exposing an individual to ionizing radiation, the net benefit to the individual must outweigh the risks. Moreover, the Council of Europe report of September 2017 determined that t he use of potentially harmful ionizing radiation for the purpose of age assessment, which exposes the person to radiation for non-medical purposes and holds no therapeutic benefit, is considered to be in conflict with medical ethics and potentially unlawful.27 By the same token, the EASO practical guide on age assessment articulates that medical methods involving the use of radiation (carpal, collarbone, pelvic or dental X-rays) carry the risk of potentially harmful effects that radiation may have on the health of the applicant and hence less intrusive methods (non-medical) should be used first and, if it appears necessary to resort to medical methods, radiation-free methods must be prioritised over ones that involve the use of radiation.28 _{In October 2015, the} Royal College of Paediatrics and Child Health and the British Dental Association advised their members that X-rays, including dental X-rays, should not be used to assess a migrant child’s age unless the X-ray has been taken for a therapeutic or medical reason. In her Explanatory memorandum Rapporteur Doris Fiala held that a harmonised model of age assessment would also put an end to inaccurate and potentially traumatising sexual maturity tests and the exposure of children to ionised radiation (X-rays) in the form of dental and wrist x-rays, which are inaccurate and

24 _{Art. 35 CFR.} 25 _{Art. 12 ICESCR,}

Art. 24 UNCRC.

26 _{Vienna Declaration and Programme of Action Adopted by the World Conference on Human Rights in}

Vienna on 25 June 1993.

27 _{Report prepared by Daja Wenke, Age assessment: Council of Europe member states’ policies,}

procedures and practices respectful of children’s rights in the context of migration, Council of Europe,

September 2017, para 131, p.27.

12 ethically questionable as part of medical age determination.29 _{Due to the widespread} use of technologies in age assessment procedures within the EU as well as the difficulty in achieving the harmonization Doris Fiala envisions the age determination is not cast in stone. For instance, in contrast to the positions claiming a potential harm to applicants’ health the French Décision n° 2018-768 QPC of 21 March 2019 by the Conseil Constitutionnel held that the use of bone testing technologies is legitimate considering the safeguards provided for in the law.

After considering the threat of the applicants’ health when using medical technologies, it is vital to explore the potential interference with human dignity. Prof. Gregor Noll deems that such medical examinations are not only unable to provide asylum system with exact results but also so intrusive that they tend to circumvent the fundamental purpose of Art. 25(5) Directive 2013/32/EU urging for the application of the least invasive method. As mentioned above radiological examinations invade the human body in such a way that they have the capacity to cause harm according to a number of scientists. As a consequence, human dignity enshrined in Art. 1 CFR and Art. 10 ICCPR is fully affected by the intrusiveness of age determination procedures.

Discrimination which is prohibited by Art. 14 ECHR and 21 CFR is also a matter that rises when bone testing technologies are employed for age determination purposes. Pursuant to Prof. Gregor Noll EU law, International Refugee Convention and International human rights law principles are breached when “an Afghan or Somali adolescent, or any adolescent national of a country with a weak civil registration system, is made to carry the burden of proof of their age” since “they will be discriminated against on the basis of their nationality”.

When it comes to the right to privacy, it is a valid assumption to consider that data retention of minor asylum seekers is not in line with data protection rules. The latter can be found in Art. 8 ECHR, Art. 7&8 CFR Art. 17 ICCPR and GDPR. Data retention affects the mass population but not proportionally. Migrants and refugees attempting to cross European borders, persons suspected of terrorism and charged criminals are thought to enjoy less of their right to data protection and privacy.

29 _{Committee on Migration, Refugees and Displaced Persons, Child-friendly age assessment for}

13

The age assessment procedure as a strategy in the war against terror

It is worthy to wonder why should young asylum seekers undergo such an invasive procedure which could likely be injurious and retains a number of fundamental rights. Is it enough to include the margin of error in the results or to use the benefit of error? Is it guaranteed that the applicants’ refusal to the examination does not lead to an automatic rejection of their application? How much clout do the results of bone testing technologies carry? The variation between the EU Member States with regard to the process followed and the handling of the results can already provide certain answers to these questions. It is not unusual for one to think that the opportunity to produce counter-evidence is at the officials disposal, especially when allowing for underage asylum seekers to be treated like budding terrorists.

This idea may be supported by the mandatory fingerprinting procedures starting from an early age of which EU Agency for Fundamental Rights (FRA) is skeptical due to the interference with the “respect of human dignity, the challenges in correcting or deleting inaccurate data or unlawfully stored information and the risk of illegitimate use and sharing of personal data with third parties”.30 _{FRA further states that lowering the} minimum age of fingerprinting can only be justified if it expressly pursues a child protection objective as well as it brings into focus the negative impacts of taking the biometric data of very young children while criticizing the practices of Eurodac “given that the fingerprints of children applying for international protection may remain in the database for up to ten years and thus the margin of error when comparing children’s fingerprints may be higher than for adults”.31

Except for the data retention issues sprung from the retention of fingerprints of young asylum seekers which can have traumatizing consequences as mentioned above, another proof of the argument supporting that young asylum seekers are treated as budding terrorists is the need of producing fingerprints. Currently in Europe biometric passports which include not only photos but also fingerprints are utilized. Even though Member States have adopted similar policies regarding the inclusion of fingerprints in

30 _{FRA, Report on Age assessment and fingerprinting of children in asylum procedures, 2018, p. 16.} 31 _{Ibid, p. 14.}

14 passports under Regulation (EC) 2252/2004, ID cards do not fall under its scope. Given that EU citizens can cross EU borders using their ID cards, one might think that fingerprinting of EU citizens is not of high importance to security reasons. Nevertheless, in 2018 the European Commission proposed making fingerprinting mandatory in ID cards, while no action has taken place so far. We need to recall two facts leading us to the conclusion that young asylum seekers are considered risky for the security of the EU; firstly, for migrants and asylum seekers, even for the underage ones, fingerprinting is mandatory, and secondly, fingerprints constitute a unique biometric characteristic in contrast to facial features. In other words, fingerprints can provide law enforcement with stronger evidence for catching a terrorist than a simple photo could do. In its report of 2018 FRA claims that “according to a Belgian official, because of suspicion that there could be IS fighters among asylum seekers, copies of fingerprints of specific nationalities are handed over to the anti-terrorism police”. It is also stated that “since the Paris attacks in November 2015, the full list of the names of asylum applicants is handed over daily, which is then screened by police.”32

On the one hand, jihadist terrorism which is the number one threat to the European security according to European institutions, is assisted by the influx of migrants and asylum seekers. On the other hand, fingerprinting, which is irrelevant to the determination of age, is employed even in young asylum seekers which are parts of a vulnerable group in need of protection. There is no doubt that age assessment procedures do not only determine the age of the applicant but also guarantee a safer environment within the EU given that young asylum seekers will leave a lot of data traces behind. By the same token, FRA observes that “having the possibility to undertake checks against certain groups of people – for example asylum applicants or visa applicants – but not against others whose personal data are not stored in a database is likely to result in an artificial increase of crime detection rate, hence stigmatizing these groups as potentially more criminal than others”.33

32 _{FRA, Under watchful eyes: biometrics, EU IT systems and fundamental rights, Publications Office of}

the European Union, 2018, p.66.

15

Chapter 3

iBorderCtrl

The third chapter refers to the Artificial Intelligence (AI) product, named iBorderCtrl, that controls the traveling routes of third country nationals towards the EU as well as the incentive behind their travel. In the beginning, the operation of iBorderCtrl is presented with respect to its pre-registration process, the interview with an avatar which is able to detect deception and the process at the borders. Later on, the implementation of the technology is criticized due to the disproportionate limitation of certain human rights.

The operational characteristics of iBorderCtrl

Member States with the intention of preserving their sovereignty have invested on AI so as to excel at border surveillance. One of the AI technologies, the development of which the EU has supported financially, is the iBorderCtrl. Principally, this intelligent portable control system assists the border checks by indicating a risk level of travelers heading towards the EU. As Prof. Marise Cremona points out biometric data are considered an important tool in terms of document security.34

This project has received funding from the European Union’s Horizon 2020 research and innovation programme. The project aims to be further implemented on the land border crossing points: road, walkway, train stations.

iBorderCtrl pledges to turn border control checks into a convenient and prompt procedure for bona fide travelers. Thus, the project urges you to “Pre-register from your home, Be interviewed by our virtual border agent, Save time at the border crossing point”. iBorderCtrl makes use of software and hardware technologies that enable various types of checks. More precisely, it verifies the biometrics derived from passports and other pertinent documents which are also authenticated, it facilitates the risk assessment of travelers but most importantly it has the capacity to catch you in the act by employing an automated detection deception technology, or in other words, a lie detector.

16 It is essential to enumerate the advantages of this AI product. To begin with, AI is able to increase the efficacy of border control aiming to deter illegal crossings and traveling towards or within the EU behind a terrorist motivation. It should be noted that technology is already widely used for the same purpose. Thus, EU Member States have managed to develop large-scale IT systems for information and data exchange such as the Schengen Information System (SIS II), the Visa Information System (VIS), the European Asylum Dactyloscopy Database (Eurodac), the European Travel Information and Authorisation System (ETIAS), the European Criminal Records Information System (ECRIS-TCN), and the Stolen and Lost Travel Documents database (SLTD). An Entry/Exit System (EES) is currently being developed by EU LISA in order to secure the external borders of the Union and improve their management. iBorderCtrl already demonstrates many of the features planned to be included in the EES and the ETIAS Systems.

Additionally, it is a convenient way to replace the traditional border checks due to its pre-traveling registration which not only is considered to save valuable time but also informs travelers regarding the process of the checks as well as their rights, for instance, their right to privacy given that a massive amount of data is being collected during the identification procedure. It should be noted that pursuant to EU legislation35 _and national law, processing of data requires the traveler’s consent. Another advantage of a pre-registration procedure is that it reduces workload and subjective errors by human agents. Finally, iBorderCtrl comforts regular bona fide travelers contingent upon a number of successful crossings and trouble-free stay according to the project’s official website.36

The implementation of iBorderCtrl at the EU Member States’ Borders

In 2018 the project coordinator George Boultadakis of European Dynamics in Luxembourg gave an interview on the topic of the accuracy of the deception detection technology that iBorderCtrl employs.37 With regard to what factors led to the development of this technology, George Boultadakis answered that “to develop the lie

35 _{Art. 6-7,9 GDPR.}

36 _{Source: https://www.iborderctrl.eu/}

17 detection system, partners at Manchester Metropolitan University have taken some steps to ensure that the system gives reliable results and does not do "wrong" to a traveler”. He further stated that “there is a general conceptual model that demonstrates that there are indications related to a person's non-verbal behavior that are associated with false behavior. These indications are not found in a person who tells the truth which is something that can be detected through machine learning. Indications include, but are not limited to, unusually intense behavior (including "pressure") and behavioral control such as stress, arousal, duping delight and cognitive load”.38

As for the expected accuracy the reporter argued that according to reports, the first tests show that the iBorderCtrl is 76% accurate and it can end up to be as high as 85%. George Boultadakis observed that “it would be wrong to expect 100% accuracy from any deception detection technology based on artificial intelligence, no matter how mature it is. Therefore, the decision to examine a traveler is not based on a single tool (eg deception detection) but on aggregate and correlated risk assessments from all controls, making the overall process quite secure”. He also stressed that “the whole above procedure aims to strengthen and help the decision that the border guard will eventually take and for no reason could it be automated and could the human factor be absent. Finally, he argues that “iBorderCtrl does not work autonomously but helpfully for the border guard, who will use his experience to make the final decision on whether they will allow the final passage of the traveler.”

The test pilots were conducted at two selected border crossing points – one each in Hungary and Latvia, as well as in KEMEA39 and TrainOSE40. Border Guards and Border Managers when questioned about the pilot scheme of iBorderCtrl determined that the pre-registration procedure was a unique concept given that travelers could conveniently register through the Traveller User Application (TUA). According to the scenarios results41 TUA was considered a user-friendly app that guarantees a prompt registration procedure. As user-friendly was the Border Guards User Application (BGUA) also characterized which simplified the operations of the Portable Unit (PU).

38 _{Georgios Emmanouil Boultadakis and others, Intelligent Deception Detection through Machine Based}

Interviewing, International Joint Conference on Neural Networks (IJCNN), July 2018, p.4.

39 _{Center for Security Studies (KEMEA), Athens, Greece.} 40 _{TrainOSE Public Railway Company, Greece.}

18 George Boultadakis elucidates the operation of Pattern detectors which are able to “read” microgestures42 _{and thus detect particular states of objects such as the eyes} located by the object locators by providing an example for the left eye: left eye closed is true when the left eye is closed (1), otherwise false (0), left eye half closed is true when the left eye is half closed (1), otherwise false (0), the left eye may be considered open if neither of these pattern detectors is true. As he further explains microgestures are essential to be detected since “over a time interval, e.g. 3 seconds, complex combinations of microgestures can be mined from the interviewee’s behavior” and later on provide the avatar with a successful risk assessment.

The legal analysis of the technology

Two main issues arise from the implementation of this AI technology; the possible discriminatory effects of the Automated Deception Detection System (ADDS) that constitutes part of the iBorderCtrl in violation of Art. 21 CFR and Art. 14 ECHR as well as the imminent circumvention of Art. 8 ECHR, Art.17 ICCPR and GDPR regarding the right to privacy.

Certain academics have questioned the results coming from the detection of microgestures43_{, while online publication “The Intercept” claims that their reporter who} tested the system before crossing the Serbian-Hungarian border provided honest responses to all questions but he was considered to be a liar with four false answers out of 16 and a score of 48.44 _{iBorderCtrl research team has still to air its findings. Given} that the end date of the program was August 2019, it is counterintuitive that a year later

42 _{“A microgesture is a very fine-grained non-verbal gesture, such as the movement one eye from}

fully-open to half-fully-open.”, 42 _{Georgios Emmanouil Boultadakis and others, Intelligent Deception Detection}

through Machine Based Interviewing, International Joint Conference on Neural Networks (IJCNN), July

2018, p.4.

43 _{Prof. O’Shea (Manchester Metropolitan University) has stated that “Machines and humans both have}

intentionality—beliefs, desires, and intentions about objects and states of affairs in the world. Therefore, complicated applications require you to give mutual weight to the ideas and intentions of both.”, Prof. Meijer, however demonstrated that “An AI system may outperform people in detecting [facial expressions], but even if that were the case, that still doesn’t tell you whether you can infer from them if

somebody is deceptive … deception is a psychological construct. Source:

https://www.technologyreview.com/2020/03/13/905323/ai-lie-detectors-polygraph-silent-talker-iborderctrl-converus-neuroid/.

19 the European Commission has not published any reports on the trials of a project which has costed €4.5 million. Is it because the results will not satisfy the public?

The research on which the implementation of the technology was based has been problematic since the early beginning. Researcher Antoinette Rouvroy criticizes the technology as she is not able to “see what ground truths may exist in order to assess the robustness, reliability or accuracy of the system, nor how the relevant algorithms will be trained to detect biomarkers for deceptive behaviours”.45 Likewise, Researcher Vera Wilde is critical on the research conducted and in her article on the efficacy of iBorderCtrl she makes a reference to Prof. John Ioannidis’s six risk factors that question the validity of the deception detection technology research results46 which she considers existent in this case.47 According to them a research finding is less likely to be true when: i) the studies conducted in a field are smaller, ii) effect sizes are smaller, iii) there is a greater number and lesser preselection of tested relationships, iv) there is greater flexibility in designs, definitions, outcomes, and analytical modes, v) there is greater financial and other interest and prejudice, vi) more teams are involved in a scientific field in chase of statistical significance.

Since the official reports by the European Commission are still not published little can be concluded concerning the validity of the key findings of the research conducted. What is truly problematic is the number of the test subjects and their analogy to the number of the ethnicities. Experiments on ADDS that are utilized in iBorderCtrl technology were employed on 32 people, more precisely on 22 EU Whites and 10 Asian-Arabic.48 Given that this AI technology uses algorithms based, among others, on the facial characteristics, for instance, the facial angle, will this research provide us with safe outcomes? As mentioned in the 1st Chapter regarding the age assessment procedure it is not secure to compare persons with different origins with a specific human type, which means that iBorderCtrl should not consider an EU white as a prototype model for the procedure. Apart from the facial characteristics that are subject to change depending on the origin of the interviewees, it is easy to see that the analogy

45 _Source: https://www.euractiv.com/section/digital/news/eu-set-to-test-ai-guards-to-protect-external-borders/1286780/.

46 _{John P. A. Ioannidis, Why Most Published Research Findings Are False, August 2005,} https://journals.plos.org/plosmedicine/article?id=10.1371/journal.pmed.0020124.

47 _{Source: https://iborderctrl.no/blog:ioannides.}

48 _{Georgios Emmanouil Boultadakis and others, Intelligent Deception Detection through Machine Based}

20 between the EU whites and the Asian-Arabic is not adequate to produce safe results either. How can you end up with a fruitful key finding on a research aiming to prevent third country nationals from reaching the EU land when the majority of people tested are not third country nationals?

Even if one disregards this disproportion, nobody should omit to refer to the prejudicial selection of Asian-Arabic persons. It is understandable for EU persons to be tested but why should only Asian-Arabic persons join these pilot tests? It is hazardous and totally discriminatory to think that solely Asian-Arabic persons are high risk travelers. Finally, interviewees coming from the EU were all white. Given that the EU black population is increasing49 it is rather perilous to exclude this population from the tests. It is quite obvious that the research conducted has gaps to fill.

Except for the facial characteristics another thing that is of great importance is the mental health or psychological condition of the interviewee which can lead to an unusually intense behavior. Nowhere in the conference paper of 2018 can be seen that people of a certain mental condition were under a special treatment as they should be.50 One should be skeptical to the reaction of an avatar when it interviews, for example, a sociopath or a depressed person. As George Boultadakis pointed out during his interview, stress may be an indication that the person before the screen lies. Let’s take as an example a black man who is a third country national willing to travel to the EU. He registers online and waits for the Avatar to question him. Before the beginning of the interview he scrolls down on social media and comes across news regarding George Floyds' death. It will not be absurd if he suddenly feels the stress of being a black man interviewed by systems of a Union of civilized and progressive States, called EU when in a Union of civilized and progressive States, named USA, a person of his color was unfairly struggled by a white policeman. It should be stressed that on account of his death Amazon banned police from using its face-recognition technology, named Rekognition, for law enforcement purposes for one year due to the invasion of privacy and the targeting of people of color as similar technologies have been criticized for identifying people with darker skin. Hypothetically speaking, a black man would first wonder why a person from his population was absent from the initial pilot tests.

49 _Source: https://qz.com/1236213/europes-black-population-has-increased-by-at-least-a-million-over-the-last-decade/.

50 _{Art. 1,3 Convention on the Rights of Persons with Disabilities (CRPD) and Optional Protocol,}

21 Secondly, he would remind himself of various racist behaviors towards persons of his color within the EU. Thirdly, he would consider that he is not quite safe since he is truly interviewed by policemen, a certain number of which has proven to discriminate against his people. Fourthly, he would start realizing that he is actually taking this interview in view of the fact that the EU Member States try to prevent him from arriving at their land. Well, his stress should be taken for granted!

The same disproportion can be found when comparing the numbers of female (10) and male (22) participants in the experimental phase. Nonetheless, according to the iBorderCtrl research team the Avatar interviewing the applicant can be found in both genders so as to avoid discrimination.51 Can truly an adapting Avatar solve the problem of the less tested female approach to the interview?

Given the circumstances under which the research was taken place one could consider that the key findings are biased. Prof. Ioannidis defines bias as the combination of various design, data, analysis, and presentation factors that tend to produce research findings when they should not be produced. Prof. Meijer determines that the algorithm will be useless at border crossings unless it’s been trained on a data set as diverse as the one it will be evaluating in real life, while Prof. O’ Shea in Manchester Metropolitan University, where the research for the iBorderCtrl was conducted, admits that it is shown that facial recognition algorithms are worse at recognizing minorities when they have been trained on sets of predominantly white faces.52

Final thoughts on iBorderCtrl

At first blush, the implementation of this border AI technology appears to be not in line with the right to privacy as enshrined in Art. 8 ECHR, Art. 7&8 CFR Art. 17 ICCPR and GDPR. The research team of the iBorderCtrl, however, reassures the applicants that the program respects the data protection rules and that “personal data collected in the pilot tests was not shared with any third parties (such as law enforcement agencies)

51 _{Source: https://www.iborderctrl.eu/Frequently-Asked-Questions.}

52 _Source: https://www.technologyreview.com/2020/03/13/905323/ai-lie-detectors-polygraph-silent-talker-iborderctrl-converus-neuroid/.

22 and was securely deleted after the project testing phase concluded in August 2019”, raising no issue of data retention.53

The strongest argument of the team is the present character of the iBorderCtrl tests. According to it no fundamental right is affected by the usage of the system in any step of the procedure, since its implementation is in a voluntary phase. In other words, ordinary participants of the public are not able to claim the circumvention of any of their rights regarding, for instance, the non-discrimination and the human dignity principles given that they provided their consent to be tested without being obliged to travel to the EU only after registering with the system.

23

Chapter 4

goTravel

This chapter discusses about the goTravel software which is able to process bulk data and target the movement of people suspected of terrorism or serious crimes, using data provided by airlines. Apart from the operational facts, the chapter makes mention of the merits and demerits of the technology. Following the introduction of its operation, the legal analysis of this software will take place.

The operational characteristics of goTravel

In 2018 the Dutch government launched an anti-terrorism technology named Travel Information Portal (TR.I.P.). TRIP was later on adopted by the UN and renamed. Today, Members of the UN are able to use goTravel in order to prevent terrorist attacks from taking place in their land or join forces in the war against terror globally by signing a Memorandum of Agreement with the UN which assesses the capability of the requesting State to implement the programme. The technology has been donated in 10 European countries and it is fully operational in the Netherlands.

goTravel constitutes a software that collects, processes and analyzes the passenger name record (PNR) as well as the Advanced Passenger Information (API) data so as to ameliorate the tracking of travel movements of terrorists and serious criminals. It is an enhanced version of tracing terrorists since it performs a great number of operations which originate from simply booking airline tickets. To begin with, it is able to accept and transfer multiple data which receives from carriers performing as a single window. Moreover, since goTravel software has joined forces with national and international law enforcement units, it has the capacity to perform a risk assessment of travelers prior to their flight and proceed with matching the findings with watchlists and law enforcement databases. Parallel to that it can manually search for PNR and API data and automatically inform the authorities if any incident is in need of further investigation. While goTravel verifies and guarantees the quality of the processed data it assists the authorities by linking travelers to objects, for instance, credit-cards by employing pertinent graphs. It even attempts to reveal “unknown” relationships between them, yet the future goTravel is expected to use AI algorithms to success in

24 the detection of the “unknown” links. Even if the installation and operation of goTravel is allowed to differ depending on the State’s legislation and needs, the software achieves the advancement in States’ cooperation by data exchange.

Security Council Resolution 2396 (2017) and the pertinent Resolutions 2178 (2014) and 2482 (2019) urges Member States to “ensure that any measures taken to counter terrorism comply with all their obligations under international law, in particular international human rights law, international refugee law, and international humanitarian law” given that the respect for the rule of law constitutes “an essential part of a successful counter-terrorism effort”. Despite the protective legislation the research will give prominence to cases of interference with the right to privacy, data protection and the freedom of movement.

As already stated goTravel is used by the governmental authorities of certain EU Member States. Therefore, inbound and outbound flights of an EU State authorized to use the software are targeted. Among others, EU citizens that book flights within the participating States are obliged to accept the transfer, analysis and process of their data, for example, the date of travel, the travel itinerary, means of payment, contact details which constitute parts of the PNR54 and the date of birth, the nationality, the full names included in the API55_.

The legal analysis of the technology

Discrimination may not be profoundly at issue given that the software not only accesses and processes passengers’ data equally-unlike iBorderCtrl which was not an international but a European technology and aimed at third country nationals solely-but also pursuant to the EU Commission’s claims it performs a profile assessment prior to the arrival based on objective assessment criteria and previous experience so as to finally target persons who are likely to pose a threat and prevent discriminatory process of data based on unlawful criteria such as the skin colour.56 Prof. Douwe Korff objects

54 _{EU Directive 2016/681 of 27 April 2016 on the use of passenger name record (PNR) data for the}

prevention, detection, investigation and prosecution of terrorist offences and serious crime.

55 _{Art. 3 EU Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate}

passenger data.

56 _{European Commission, Commission Staff Working Paper, Impact Assessment, Accompanying}

25 to these claims and states that discriminatory treatment towards specific groups of people can still occur even if the assessment of data takes place prior to the arrival since “a person may be refused entry based on “pre-determined” criteria”. 57 _{It should be} however recalled that goTravel is adopted by the EU Member States of their own free will. Even though this fact does not diminish the problem, adopting the software and proceeding with the processing of enormous amounts of data is at the State’s discretion. Nevertheless, the freedom of movement as enshrined in Art. 3(2) of the Treaty on European Union, the Art. 21 of the Treaty on the Functioning of the European Union and the Art. 45 of the Charter of Fundamental Rights of the European Union, is at issue. Under this European legislation EU citizens own the right to move and reside freely within the territory of the Member States. One could consider that running through the personal data of an EU citizen passenger breaches its rights to move within the EU with no restrictions. In other words, if targeting an EU citizen just like any other world citizen when traveling in the EU is not deemed restrictive, what is the goal sought of the right to free movement that only EU citizens are privileged to enjoy?

Another issue that arises is that of data retention. According to the official Technical Introduction of goTravel at the relevant UN website58 “the system is by default configured so that data is stored for 5 years and after 6 months, the personal details are masked out and can be “de-masked” if needed”. While the period stated can be altered so as to be in line with the legislation in each individual Member State it is still at issue whether 5 years constitute a proportionate and necessary period of handling data for terrorist purposes. It should be recalled that the data of all passengers booking a flight are processed through the system and they are retained for the same period. Is it though necessary to keep personal data for five years of persons that are not considered suspects?

Pursuant to Art. 6 (1) Directive 2004/82/EC59 data must be deleted within 24 hours after the passenger has entered the external borders of the Member State. If the data are

Passenger Name Record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, Brussels, 2.2.2011 SEC(2011) 132 final, p.12.

57 _{The Consultative Committee Of The Convention For The Protection Of Individuals With Regard To}

Automatic Processing Of Personal Data (T-Pd), Passenger Name Records, data mining & data

protection: the need for strong safeguards, Strasbourg, 15 June 2015, p. 78.

58 _{Source: https://www.un.org/cttravel/goTravel.}

59 _{Art. 6 (1) Directive 2004/82/EC on the obligation of carriers to communicate passenger data, 29 April}

26 needed after this period for by the responsible authorities to exercise statutory functions, data can be retained for the period of time that is necessary for the purposes for which they are collected. In other words, there is not sufficient ground for retaining the data for a longer period than the one that is necessary to, especially when it comes to unsuspected travelers. Retention period can only be extended in circumstances under which a crime investigation, a crime intelligence operation or a prosecution is taking place.

The Evaluation Report from the Commission to the Council and the European Parliament on the Data Retention Directive 2006/24/EC60 showed that retained data have played a significant role on criminal investigations as they constitute pieces of evidence. It reports the case of three Member States as follows; “The Netherlands reported that, from January to July 2010, historical traffic data was a decisive factor in 24 court judgments. Finland reported that in 56% of the 3405 requests, retained data proved to be either 'important' or 'essential' to the detection and/or prosecution of criminal cases. The United Kingdom supplied data that sought to quantify the impact of data retention on criminal prosecutions; it reported that, for three of its law enforcement agencies, retained data was needed in most of if not all investigations resulting in criminal prosecution or conviction.”61

The constitutional court of Romania on the implementation of the data retention directive determined that “data retention addresses everyone regardless of whether they have committed criminal offences or not or whether they are the subject of a criminal investigation or not which is likely to overturn the presumption of innocence and to transform a priori all users of electronic communication services or public communication networks into people deemed to be susceptible to committing terrorist crimes or other serious offenses”.62 In the same spirit, travelers using airlines as means of transportation can be deemed susceptible to committing terrorist crimes. Even in case of prosecution it is noteworthy that data can be retained only if the person is convicted and strictly for as long it is necessary. Otherwise, if the person prosecuted is acquitted

60 _{Directive 2006/24/EC on the retention of data generated or processed in connection with the provision}

of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, 15 March 2006.

61 _{Report from the Commission to the Council and the European Parliament, Evaluation report on the}

Data Retention Directive (Directive 2006/24/EC) COM/2011/0225 final.

27 or the proceedings against them are discontinued, the personal data retained should be immediately destroyed. An example of the necessity of destroying personal data after the acquittal of a suspected criminal is the ECtHR judgement on S and Marper v The United Kingdom case where the court addressed that the retention at issue constituted a disproportionate interference with the applicants’ right to private life and could not be regarded as necessary in a democratic society.63 Along the same lines, the ECtHR in the Brunet v France case found that the applicant’s registration in a recorded offences database after criminal proceedings against him were discontinued was a violation of Art. 8 ECHR64, while in M.K. v. France case the Court concluded that the system for retaining the fingerprints of persons suspected of an offence but not convicted did not strike a fair balance between the competing public and private interests at stake.65 The Agreement between the EU and the USA on the use and transfer of PNR data has adopted a retention period of 5 years.66 The PNR data of 34 fields encompass contact details such as telephone numbers, email address, information on bank numbers and credits cards, and also on the meals ordered for the flight apart from the basic data such as name and address.67 In 2006, the ECtHR determined that the agreement should be annulled in the light of the fact that the transfer of PNR to the US authorities concerns public security and criminal law proceedings and therefore falls within a framework established by the public authorities which is irrelevant to the scope of the EC Directive 95/46 on the protection of personal data given that its Art. 3(2) states that it does not apply to activities “concerning public security, defence, State security and the activities of the State in areas of criminal law”.68 _{Consequently, neither the retention period nor} the “unprotected” on behalf of the EU transfer of data not by the airlines but for public security reasons were at issue in the case of 2006.

Nonetheless, Advocate General Henrik Saugmandsgaard while delivering his opinion on the EU-USA agreement on the use and transfer of PNR data, argued that standard

63 _{ECtHR, S. and Marper v. The United Kingdom, Applications nos. 30562/04 and 30566/04, 4 December}

2008.

64 _{ECtHR, Brunet v France, Application no. 21010/1018, 18 September 2014.} 65 _{ECtHR, M.K. v. France, Application no. 19522/09, 18 April 2013.}

66 _{Art. 8 Agreement between the United States of America and the European Union on the use and}

transfer of passenger name records to the United States Department of Homeland Security, Official Journal L 0215, 11 August 2012 P. 5 – 0014.

67 _{Elspeth Guild & Evelien Brouwer, The Political Life of Data, The ECJ Decision on the PNR Agreement}

between the EU and the US, CEPS Policy Brief, No. 109, July 2006, p.1.

28 contractual clauses are in line with EU law, yet he challenged the validity of the Privacy Shield agreement69 _{between the Parties due to the bulk surveillance programmes}70 _that the USA utilizes which circumvent EU privacy legislation since it seems that the Privacy Shield Agreement constitutes an impediment to the cessation of any kind of data transfer to the US.71 The CJEU recently invalidated the Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield even if it considered that Commission Decision 2010/87 on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.72 It can be concluded that the privacy rights of EU citizens are at risk when they are shared with the US authorities.

Another judicial opinion that underlines the necessity of the establishment of strong safeguards for the transfer of data is that of the Grand Chamber of the European Court of Justice in 201773 regarding the Agreement on PNR data between the EU and Canada. The Grand Chamber deemed the agreement incompatible with the Art. 7 on the right to respect for private life, Art. 8 on the right to the protection of personal data, Art. 21 on non-discrimination and Art. 52(1) on the principle of proportionality of the Charter of Fundamental Rights of the EU given that it does not preclude the transfer, use and retention of sensitive data while it referred to seven requirements that the agreement must include, specify, limit or guarantee in order to be in line with the Charter.

69 _{Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC}

of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance), Official Journal of the European Union, L 207/1, 1 August 2016.

70 _{See relevant case law: CJEU, Grand Chamber Judgment, Maximilian Schrems v Facebook Ireland}

Limited, Case C-498/16, 25 January 2018.

71 _{CJEU, Opinion of Advocate General Saugmandsgaard, Data Protection Commissioner v Facebook}

Ireland Limited, Maximillian Schrems, interveners: The United States of America, Electronic Privacy Information Centre, BSA Business Software Alliance, Inc., Digitaleurope, Case C‑311/18, 19 December 2019.

72 _{CJEU, Data Protection Commissioner v Facebook Ireland and Maximillian Schrems, C-311/18, 16}

July 2020.

29

Final thoughts on goTravel

As a result, goTravel in principle has to meet stricter requirements so as to be compatible with the European and international standards and secure the enjoyment of the rights to privacy, protection of personal data, non-discrimination and freedom of movement. In an interview with UN News, Jelle Postma, chief of the Countering Terrorist Travel and Aviation Security Section in the UN Office of Counter-Terrorism, insisted that the technology was built with safeguards in place for data and human rights protection, explaining that “after a certain period of time, sensitive data elements, such as sexual orientation, or trade union membership, will be automatically deleted by the system”.74

According to the UN official website, the UN is not able to access any passenger’s data without the authorization provided by the data owner. However, it is crucial that goTravel performs an automated analysis of large data volumes on passengers on all inbound and outbound traffic. This technology has the capacity to import watchlists from other national and international databases and request information from governmental agencies, for example, Border and Customs pursuant to the United Nations Security Council resolutions 2178, 2396 and 2482. Its main characteristic, which assists the fight against terrorism, is that it proceeds with the configuration of rule-based risk indicators and watch lists from the available PNR and API data. Who can determine the power and accuracy of a risk indicator? Surely, the “sample” is more representative as PNR and API data belongs to the whole population booking a flight than just to travelers originating from certain countries as is the case with iBorderCtrl. We must not overlook, though, that the broader the scope of the technology, the broader the possible impact will be on privacy and on the freedom of movement which might end up in total surveillance of travel movements into and out of the EU. This is why the implementation of goTravel requires a cogent justification of necessity, proportionality and subsidiarity. Since in the future the UN plans not only to deploy AI but also to extend its functionalities to road, rail and maritime transportation, it is debatable whether this bulk transfer of data, encompassing unsuspected travelers, will satisfy these principles.

30

Chapter 5

Legal analysis

In this last chapter the Thesis expounds on the level of the compatibility of counter-terrorism policies using technologies in European borders with international legislation and thus it attempts to answer the question whether these strategies can lawfully prevail over the protection of inalienable human rights. The legal analysis demonstrates the misuse of the proportionality and necessity principle focusing mainly on the right to privacy and data protection which is the interface between the aforementioned technologies as well as the practices of mass surveillance originating from this misuse.

The implementation of the proportionality and necessity principle

The principle of proportionality as enshrined both in European75 _{and in international}76 legal framework is a value European and International judicial instruments have in common when they apply the law.

Moreover, they share the extraterritorial character of human rights that go beyond any borders. The European Court of Human Rights in the case of Bosphorus v. Ireland77 as well as in the Liberty and others v. The United Kingdom case78 demonstrated that the respect for human rights is not limited to the rights of persons physically in a State’s territory. In the same vein, the Human Rights Committee condemned the circumvention of the rights of Lopez Burgos in the Lopez Burgos v. Uruguay case79. This meeting of minds concerning the extraterritorial respect and enjoyment of human rights evince their vital role in the legal systems of every State which surpasses even the commonly recognized sovereignty principle.

With respect to the sensitive issue of terrorism and human rights European and international standards are not always in concordance. A great example of their

75 _{Art. 52(1) Charter of Fundamental Rights of the EU,}

Art. 5 Treaty of the EU.

76 _{ICCPR (e.g. Art. 12), ICESCR (e.g. Art. 8).}

77 _{ECtHR, Bosphorus Hava Yollari Turizm Ve Ticaret Anonim Şirketi (“Bosphorus Airways”) v. Ireland}

30 June 2005, Application no. 45036/98.

78 _{ECtHR, Liberty and others v. The United Kingdom, Application no. 58243/00, 1 July 2008.}

79 _{HRC, Sergio Euben Lopez Burgos v. Uruguay, Communication No. R.12/52, U.N. Doc. Supp. No. 40}