A/HRC/48/Add.xx data obtained from digital devices necessarily leads to reliable evidence is flawed.69 Governments have also resorted to social media intelligence, the techniques and technologies that allow companies or governments to monitor social media networking sites.70 Some of these activities are undertaken directly by government officials themselves but in some instances, governments call on companies to provide them with the tools and/or knowhow to undertake this surveillance.71 31. During the COVID-19 pandemic, the proliferation of contact-tracing apps has raised concerns that sharing information about areas with high concentrations of infections could reinforce the existing social stigmatization of disproportionately infected groups and communities, with a particular disparate impact on the basis of race, ethnicity, national origin and citizenship status. 72 32. One submission detailed concerning practices regarding seizure of digital data in Germany. 73 Pursuant to the amended Asylum Act (Asylgesetz, “AsylG”) § 15, asylum seekers unable to produce a valid passport or equivalent document must surrender all data carriers—not only mobile phones but also laptops, USB sticks, and even fitness wristbands— along with login information to be “read out” by BAMF to confirm identity or nationality. 74 The Law also empowers BAMF to share the data with other government agencies, such as security authorities and intelligence services.75 If determined necessary, the readout takes place before the asylum hearing upon request by the Asylum Procedures Secretariat with the asylum applicant’s signed consent,76 although the submission notes that applicants are “under exceptional pressure to follow governmental requests” for fear of negative consequences that could result from their asylum procedure. 77 This routine practice affected more than half of all first-time asylum applicants in the past two years,78 and certain nationalities more than others raising serious concerns of de facto national origin discrimination. 33. This invasive data extraction from personal devices is unprecedented, targets only asylum seekers, and the legalization of these measures was based on racist and xenophobic assumptions in political discourse.79 The submission further highlights that data carrier evaluations have proven unsuitable to verify the identity or national origin of the asylum seeker with any degree of certainty, or to prevent abuse of asylum procedures.80 Approximately a quarter of attempted readouts fail technically, and even if readouts are successful, most of the evaluation reports are unusable because the set of data reviewed is too small or otherwise inconclusive.81 Among 21,505 mobile phones successfully read out in 2018 and 2019, only about 118 cases, or 0.55%, indicated a contradiction. 82 Furthermore, since neither the algorithms nor training data are known to the public, judges and other decision-makers cannot properly assess their reliability.83 34. Although regulations such as the European Union’s General Data Protection Regulation (“GDPR”) seek to protect data and privacy, some States create exemptions in the immigration enforcement context. Two submissions noted relevant GDPR exemptions in the UK Data Protection Act of 2018.84 Under this “immigration exemption,” an entity with the power to process data, known as a “data controller,” may circumvent core rights of an 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 GFF, Submission. PI et al., Submission. Ibid. https://policyoptions.irpp.org/magazines/april-2020/five-ways-a-covid-19-contact-tracing-app-couldmake-things-worse/. GFF, Submission. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid. Ibid.; Platform for International Cooperation on Undocumented Migrants (“PICUM”), Submission. 11