In war as in peace, data protection matters

Whether it was the little girl singing in an underground bunker, or the farmer crying in desperation for his dead wife, or the destruction of Mariupol, or indeed the LinkedIn professional connection who is now looking for a place to live, we have all been moved by the war in Ukraine. Wars are brutal and numbing by nature but the senseless cruelty of the invasion of Ukraine is revealing how when survival is at stake, everything else is secondary. The triviality of our arduous debates over the necessity of a ‘Reject all cookies’ button, or the applicability of ‘legitimate interests’, or what turns a processor into a controller comes to the fore when witnessing the atrocities of war. Against this backdrop of desolation, are privacy and data protection just niceties that only matter when we face less pressing challenges or do they have purpose that stands even on a battlefield?

Historically, wars have always been a test bed for new technologies. But we are in the 21 century, and that means that the conflict in Ukraine has become a test of data reliant tactics and practices. Reports that Ukraine was using facial recognition technology to help identify the bodies of Russian soldiers killed in combat and track down their families to inform them of their deaths, raised many eyebrows not just because of the dramatic use case at stake, but because the technology provider has previously been at the receiving end of much regulatory scrutiny and active enforcement. Further reports about the procurement by the military of location data surreptitiously obtained from mobile devices and apps point to more sinister data uses than behavioural advertising. The risks presented by these uses of data are exactly what a data protection impact assessment is designed to uncover, but how can such an assessment play a role in the middle of a war?

Modern warfare is a truly multidisciplinary activity. Disinformation and cyberattacks are an essential part of the process which are directly affected by key data protection principles like data accuracy and integrity. Cybersecurity in particular is a key defensive pillar well beyond the theatre of war. In the weeks preceding the invasion, phishing attacks relying on law enforcement-related themes became a major threat and there was a heightened sense of alert. Since then, the warnings about potential cyberattacks against all types of organisations in countries that support Ukraine have only increased. Frankly, the need to adopt cybersecurity best practices – from strengthening firewall protection and keeping software and backups updated to (re-)training employees and reviewing incident response plans and contractual arrangements – has never been more real. So if there is an area of data protection law that is likely to be tested during a war, data security will be at the top of the list.

But as much as data needs to be accurate and kept secure, the war in Ukraine has also shown that data needs to flow. The ability of the Ukrainian government led by its president to communicate and disseminate information globally about the reality of the conflict has become legendary. Without this ability, the situation today would be very different, not just in Ukraine but in the world at large. Similarly, the flow of information between ordinary Ukrainians and the rest of us has fundamentally shaped the course of the conflict. In fact, one of the greatest challenges that the world faces right now is the restrictions affecting the flow of information in Russia. The intrinsic relationship between the essential role of international data transfers and the much needed protection of that data from unjustified interference is a valuable lesson that that will hopefully inform the ongoing debate on this topic for years to come.

Somewhat reassuringly, all of this indicates that the role of data protection does not stop when the shelling starts. If anything, it becomes more life-critical, but as anything affected by war, it needs to adapt to a sense-defying reality. Data protection impact assessments may need to be more agile, data security more robust and data flows more alert, but ultimately, wars change our mindset, not our dignity and our fundamental rights. Data protection on the battlefield may look different but it is very much alive.

This article was first published in Data Protection Leader in March 2022.