Data protection and crime fighting in Europe are separate worlds. This is shown by a recent EUObserver article, EU to propose mandatory data-mining tool against fraud. This is an article on software called ‘ARACHNE‘ that is already in use. The European software analyses data of beneficiaries of EU funds and checks the data with companies and people behind those companies. In future the system will be used for predictive policing.

This data-mining tool is a good example of what is happening on national and international scale; banks with their anti-money laundering tasks are doing the same. Big companies are developing a crime-fighting and compliance industry, without being accountable to anyone.

Register of data processing
On the site of the EU the Register of the Data Protection Officer (DPO) regarding ARACHNE is published. The software is described as an integrated IT tool for data mining and data enrichment aimed at supporting European authorities.

It is a risk scoring tool that will be used to:

-assess ex-ante certain risks linked to an applicant when submitting an application for funding
– promote the use of a risk based approach to the planning of the verifications of projects
– complement the risk assessments with regards to fraud and irregularities in a consistent way across EU Member States
– identify irregular circumstances on a continuous basis on the basis of pre-defined risk criteria in internal and external data regarding beneficiaries
– provide guidance to Member States on risk indicators and internal controls
– build an overall better defense against fraud and errors.

It is explained that no automated decisions will be taken upon the tool’s outcome. The tool is supposed to provide risk indicators but does not automatically reach the conclusion that something is wrong or irregular.

Data subjects
According to the register the data subjects registered are the beneficiaries/contractors/sub-contractors, including their management and publicly known shareholders, receiving certain EU funds (ESF, ERDF, EAFRD) and possible other persons having relationships with them. The last category is very vague, it is not clear if the later information (‘Description of the categories of data that will be processed‘) contains this category.

The description of the categories of data that will be processed shows a large group of data subjects, not only the beneficiaries and their managers. On the following persons information is obtained from the relevant European authorities:

1. beneficiaries and partners;
2. key staff;
3. (sub-)contractors;
4. key experts for services contracts.

Categories 2. and 4. are data subjects, their names and dates of birth are registered. Categories 1. and 2. need not be natural persons, their names, addresses, VAT numbers and (in category 1) roles are procecessed. It is unclear to me what in category 1. a ‘partner’ is.

On another EU page the list of data subjects differs. There they also mention “involved persons“, without explanation.

Commercial databrokers
The information obtained from the authorities is combined with information from external public data sources. The following commercial providers are mentioned:

• Orbis database through VADIS, with company information and shareholders / management / key staff information.
• World Compliance database, LexisNexis, they provide a global PEP list with profiles of Politically Exposed Persons from over 230 countries, including family members and close associates. State owned companies and foreign officials are added to this list. They also provide a Global Enforcement List, Global Sanctions List and a Global Adverse Media List.

It shows how Europe is depending on the qualitity of information by commercial parties (probably from the United States), that strangely enough are not supervised or independently tested on quality.

(Of course the register says “The contract and license agreement with ARACHNE provider ensures an adequate quality of public data sources used to produce ARACHNE database. The Data Controller will perform regular quality checks.“.)

Rights of data subjects
Interesting is the position of the data subjects. According to the register the data subjects are informed about their rights and how to exercise them. I am curious in what way it is done in regard of key staff and key experts, as they will not always be involved in the process of obtaining the EU-funds.

Our data-mining future of permanent surveillance
ARACHNE shows that in future we will live in a data-mining world, in a world of ‘continuous KYC‘. In this world every natural person and every entity will be permanently monitored on possible criminal activity, preferrably real-time:

• ARACHNE is monitoring the beneficiaries and ‘related persons’ of EU-funds;
• the national ARACHNE-clones will monitor the citizens of each country;
• banks monitors all their clients and their transactions;
• accountants monitor all their clients and their clients relations through their administrations; etcetera.

No one ever makes any mistakes in this data-mining paradise and no one in these databases is ever harmed; so the perfect world is near. Can we believe this?

—

Read EU fraud: Fighting fraud in EU spending: action needed (pdf), special report by the European Court of Auditors, 2019.

More on this blog (mainly in Dutch) on databrokers, surveillance, the IT-provider eu-LISA, digital future, black listing by financial institutions.