HOPLITE Research Data Privacy Statement

101203459 - HOPLITE - ISF-2024-TF2-AG-DIGITAL
Last updated: January 2026

This privacy statement describes the research and data processing conducted within the HOPLITE project.

HOPLITE Project Overview

The HOPLITE Project aims to improve law enforcement’s capacity to gather and analyse open and closed source data, enhancing public safety through intelligence-led response strategies. The project will explore how advanced AI-based data analysis can support timely, intelligence-led decision-making and improve overall response effectiveness.

Project Goals

The project’s goal is to support the collection and correlation of data, and the ability to report threats in real time, by processing data sources including, but not limited to, instant messaging, social media feeds, video streams, and open and closed intelligence feeds. The results will be presented to the analyst in near real time when the threat level is deemed to have exceeded the pre-defined threshold. Once notified, the analyst can review the intelligence presented and verify the results, adjusting the threat level accordingly and choosing whether to publish (share) the results.

EU Funded Project Outputs

HOPLITE will utilise outputs from previously funded EU projects and others that are also freely available to law enforcement agencies (LEAs) and judicial authorities (JAs). These include, but are not limited to, MISP, AIL, INSPECTr, and FREETOOL. These technologies will be integrated to provide a deployable solution for LEAs/JAs by the end of the project, enhancing public safety through intelligence-led response strategies.

Responsible Research

The HOPLITE project activities follow EU laws (including data privacy regulations) and ethics by design.

By complying with EU data privacy regulations and following an ethics by design approach, the HOPLITE project will meet the needs of law enforcement end-users while being fully ethically and legally compliant with all European and national regulations.

Regulatory Model

The HOPLITE project is developed with a central focus on ensuring that the highest standards of ethics and personal data protections are met throughout the project.

Principles Of Data Processing

In alignment with the GDPR, there are seven principles of data processing that will be observed by our project:

  • Lawfulness, fairness and transparency – Includes a legal basis for processing.
  • Purpose limitation – Specified, explicit and legitimate purpose; further processing for research purposes not considered incompatible with the initial purpose of processing.
  • Data minimisation – Using only what is necessary for the purpose.
  • Accuracy – Data is accurate, up-to-date, and removed if inaccurate.
  • Storage limitation – Stored for as long as needed for the purposes (this might be longer for research purposes).
  • Integrity and confidentiality – security through technical and organisational measures.
  • Accountability – controller responsible for compliance with other principles.

    Development of Ethical Framework

    The HOPLITE project will only collect personal data insofar as it is necessary to collect it for the completion of research, validation, dissemination, and exploitation of the project results.

    The HOPLITE project is primarily a research project. To this end, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the ‘General Data Protection Regulation’ (hereafter ‘GDPR’), is the primary basis for the data processing for project partners, unless national law stipulates otherwise.

    The table below sets out the legal basis identified for personal data processing in the HOPLITE project. This table will be reviewed and updated as required during the lifetime of the project.

    | Data | Legal Basis | Purpose |
    |---|---|---|
    | Personal data deriving from ‘online sources’, e.g. online image databases, online forums, dark web. | Art. 6(1)(f) of the GDPR – legitimate interest of the controller. (Exception from prohibition on processing of any special categories of personal data under art. 9 GDPR) – Art. 9(2)(e) – data manifestly made public or art. 9(2)(j) – processing for scientific or historical research purposes. | Development, testing and validation of HOPLITE solutions. |
    | Human research participants’ (end users) personal data. | Art. 6(1)(a) of the GDPR – consent. | Enabling the participation of end-users in testing and validation activities. |
    | Dissemination-related personal data. | Art. 6(1)(f) of the GDPR – legitimate interest of the controller. | Disseminating the results of HOPLITE research to parties the consortium reasonably believes would be interested in hearing about. |

    1. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1.

    Recipients or Categories of Recipients of the Personal Data.

    Personal data processed for research purposes is not shared with third parties outside the project unless there is a legal obligation to do so. Personal data may be shared between research partners/institutions involved in the project, strictly for the purposes of the project, provided appropriate contracts are in place.

    Storage and Retention

    Personal data will not be stored longer than is necessary for the research purposes pursued by the HOPLITE project. Over the course of the project, data will be reviewed periodically and the necessity of ongoing storage assessed. Data which is no longer necessary will be anonymised or deleted. The maximum duration of data retention will be five years following the completion of the project, in line with the auditing requirements of the Internal Security Fund programme.

    Data Subjects’ Rights and Limitations.

    The GDPR outlines a number of rights which data subjects have with regard to their personal data. This section outlines each right and how the HOPLITE partners will endeavour to fulfil these rights as far as possible.

    The right to be informed: Article 13 of the GDPR requires data controllers to inform data subjects about processing of their data when such data is collected directly from the data subject. Article 14 requires data controllers to inform data subjects about data processing when another entity acquired their data. Generally, data controllers are required to provide information on: the purpose of data processing; the retention period for personal data; who that data will be shared with.2

    As a starting point, the HOPLITE partners will provide all necessary information to data subjects at the point of data collection. Where partners use data which they did not collect, they will endeavour to provide the required information to relevant data subjects unless it is impossible, would require disproportionate effort in the context of research or informing the data subject would render impossible or seriously impair the achievement of the objectives of that processing (all conditions in line with art. 14(5)(b) GDPR). Where this is the case, partners will only use these data with appropriate safeguards. 3

    The right of access: Article 15 of the GDPR allows data subjects to find out if their personal data is being processed, to have access to such data, and to have access to relevant supplementary information. 4 Partners will provide this information, subject to Article 12 GDPR.

    The right to rectification: Under Article 16 of the GDPR, data subjects have the right to rectify inaccurate data which is held about them, or complete data that is incomplete. This links with the requirements for obtaining accurate information noted above 5, but requires data controllers to reconsider data accuracy upon request. HOPLITE partners will endeavour to rectify any inaccurate information which they collect and process and will also endeavour to provide data subjects with the opportunity to complete any data which is incomplete.

    2. See Arts.13 and 14, and Recitals 60-62, GDPR.
    3. Art.14(5)(b), GDPR.
    4. Meaning that information outlined in Art.1(a)-(h), GDPR.
    5. Art.5(1)(d), GDPR.

    The right of erasure: Article 17 of the GDPR provides data subjects the right for their personal data to be erased. This links with personal data being removed from datasets where individuals withdraw their consent, as mentioned above. Partners will endeavour to comply with requests of erasure but note that data controllers might be exempt from doing so where erasure would endanger the fulfilment of research activities (in line with art. 89(1) of the GDPR, which includes safeguards to protect personal data).6

    The right to restrict processing: In certain circumstances, Article 18 of the GDPR provides data subjects with grounds for restricting processing of their personal data. Should any HOPLITE partner receive a request from an individual who wishes to restrict the processing of their personal data, they will abide by that request where Article 18(1)(a)-(d) apply and will store relevant data until the matter is resolved.

    The right to data portability: Article 20 of the GDPR provides data subjects with a right to request personal data which is held about them in a ‘structured, commonly used and machine-readable format’ which can be used to transfer data from one data controller to another. Data subjects can only request such data where the data is processed on the basis of consent, or a contract, and the processing is done by automated means. 7

    The right to object: Under Article 21 of the GDPR, data subjects have the right to object to processing of their personal data, where processing is either based on public interest (art. 6(1)(e)) or legitimate interest (art. 6(1)(f)). In line with art. 21(6), where personal data is processed as part of a scientific research activity under art. 89(1), data subjects can object to processing, unless it is required for the performance of a task carried out for reasons of public interest.

    Where personal data is processed as part of a dissemination activity, data subjects may object to processing by clicking ‘unsubscribe’ which will be at the bottom of all electronic communications from the HOPLITE project; this provides data subjects with an opportunity to object to processing of their personal data on the basis of the legitimate interests of the HOPLITE partners.

    Rights in relation to automated decision-making and profiling: Article 22 of the GDPR provides people with the right not to be subject to automated decision-making or profiling which creates legal or similar effects for such persons. However, where the data subject consents to this process, such processing can be lawful.8

    The HOPLITE project does not plan to conduct activities falling within Article 22’s definition of automated individual decision-making.

    If your personal data is processed by HOPLITE, you have the following rights, subject to the described restrictions:

    Subject access request (Article 15 GDPR)

    Data subjects have the right to obtain confirmation as to whether or not HOPLITE is processing personal data concerning them and, where that is the case, to have access to it.
    We will provide this free of charge, together with a copy of their personal data undergoing processing in a commonly used electronic form.

    6. Art.17(3)(d), GDPR.
    7. Art.20(1)(a)-(b), GDPR.
    8. Art.22(2)(c), GDPR.

    Right to rectification (Articles 16 and 18 GDPR)

    Data subjects also have the right to obtain the rectification of any inaccurate personal data concerning them. If they have challenged the accuracy of their data and asked for rectification, they have the right to request the restriction of processing while we are considering their rectification request.

    Right to be forgotten (Article 17 GDPR)

    Where a data subject objects to the processing of their data and there is no lawful basis to retain their data, we will comply with their request and erase their data. Please note that the right to be forgotten might be limited, such as where the erasure is likely to seriously impair the achievement of the research purposes of the project.

    Right to object (Articles 21 and 18 GDPR)

    A data subject can object to the processing of their data by HOPLITE. In order to do that, they must provide us with specific reasons based upon their particular situation. Please note that the right to object is not an absolute right. The project will consider their objection and determine how best to respond.

    If the processing is carried out for the performance of a task in the public interest (Article 6(1)(e) GDPR) or for a legitimate interest (Article 6(1)(f) GDPR), we can continue with the processing if we can demonstrate compelling legitimate grounds for the processing, which override their interests, rights, and freedoms. If the processing is carried out for scientific research purposes (Article 9(2)(j) GDPR), we can continue with the processing if the processing is necessary for the performance of a task in the public interest.

    If any of these is the case, we will explain our decision to them; otherwise their data will be excluded from processing. They have the right to request the restriction of processing while we are considering their objection.

    Right to lodge a complaint with supervisory authority (Article 77 GDPR)

    If a data subject believes that their rights have been infringed, they can lodge a complaint with any supervisory authority, including the authority where they reside, work or where the infringement on their rights is suspected. This is without prejudice to any other administrative or judicial remedy they have.

    Limitations on Data Subject’s Rights.

    It is possible that national laws will exist which restrict the rights of the data subjects listed above. For example, national law, which is necessary and proportionate, may provide for such restrictions if they are intended to safeguard the prevention, investigation, detection, or prosecution of criminal offences pursuant to Article 23(1)(d) GDPR. National law can also derogate from some of the rights set out above in circumstances where the data is processed for scientific research purposes, pursuant to Article 89(2) GDPR.

    The project consortium is not obliged to maintain, acquire, or process additional information in order to identify the data subject for the sole purpose of complying with the GDPR pursuant to Article 11(1). However, pursuant to Article 11(2) GDPR, where data subjects provide additional information in order to exercise their rights, the HOPLITE consortium will handle the request in a manner compliant with technical and legal requirements. In this regard, the identity of the data subject, as well as their relation to the data referred to in the request, has to be sufficiently verified.

    Although data subjects’ rights may be restricted under the conditions described, all requests to the abovementioned points of contact will be carefully assessed on a case-by-case basis and replied to.

    Contact Details

    To contact the project about personal data processing, you should get in touch with the Co-ordinating partner, which is the UCD Centre for Cyber Security and Cyber Crime Investigation (UCD-CCI) at University College Dublin. The contact details for this partner and the organisation’s Data Protection Officer (DPO) are provided below.

    Ray Genoe, Project Coordinator (Controller)
    Email: cci@ucd.ie
    UCD Centre for Cybersecurity and Cybercrime Investigation (UCD-CCI)
    L.M.I. Main Building
    Beech Hill Road
    Dublin 4,
    D04 P7W1

    Coordinator, Data Protection Officer (DPO)
    Email: gdpr@ucd.ie
    Office of the DPO
    Roebuck Castle
    University College Dublin
    Belfield,
    Dublin 4,
    Ireland
    https://www.ucd.ie/gdpr/
