Photo: Dept. of Defence

This post follows on from related posts by Wojciech Wiewiórowski and Mariana Salazar Albornoz.

Introduction 

Personal data has become an integral part of humanitarian action. Leading humanitarian actors such as the ICRC and UNHCR have reacted to this reality by developing rigorous data protection frameworks. Simultaneously, personal data has also become essential for various military activities, and such processing can have a significant impact on communities affected by armed conflict. However, the rules governing the processing of data by military actors are frequently far less clear and transparent. Understanding how military actors might approach the protection of personal data in humanitarian contexts can facilitate data-related interactions with armed actors. Drawing upon a previous analysis of military data processing during situations of belligerent occupation, this post will illustrate why it is necessary to consider how personal data processing is governed by international humanitarian law (IHL) and International Human Rights Law (IHRL). 

Personal data and belligerent occupation 

Personal data processing has become a central part of situations of belligerent occupation. Such a situation exists where one belligerent has effective control over part or all of the territory of an opposing belligerent party. This situation of relative stability allows the implementation of sophisticated data processing programmes. Such measures have been considered as particularly useful in responding to the challenges arising when a belligerent needs to control a hostile population and maintain public order. Occupying powers are usually especially interested in biometric data, which has been considered as a crucial tool to establish ‘identity dominance’. Furthermore, personal data indicating the political views of inhabitants of occupied territories has been collected systematically (Ukraine and the Netherlands v Russia, para 1146). Personal data may be collected, for example, at military checkpoints (see here and here), by soldiers on patrol, or through cyber-based means. 

Limits of data protection law in situations of belligerent occupation 

Are these activities governed by data protection law, and if so, whose data protection law?  The occupying power would not be subject to the domestic laws of the territory it occupies. Consequently, the extent of data protection afforded to individuals would depend on the occupying power’s own legal framework. Some occupying powers might not have robust data protection frameworks. And even if they do, they might be inapplicable. For instance, GDPR-style data protection legislation will generally not be applicable to conflict-related military conduct. Although certain states have committed to applying their domestic data protection law to military data processing (see here, p. 7), national security activities frequently fall through the (deliberate) cracks of domestic data protection law. Putting strictly doctrinal questions aside, it should be noted that while militaries are required to be somewhat fluent in IHL, data protection law may seem like a foreign language. Unless states decide to have their domestic data protection laws extend to their armed forces and train their military personnel accordingly, other bodies of law are more likely to take centre stage. 

What does IHL say? 

IHL, and the law of belligerent occupation specifically, is far too old to address personal data processing explicitly. However, without mentioning the term ‘data’ even once, IHL can provide some protection against certain data processing. However, this protection is not based on the idea that everyone should have control over their personal data. Rather it is an attempt to limit the suffering and disruption caused by the occupation as much as possible. Therefore, it will be necessary to show how personal data processing negatively impacts the data subject, and that this effect went beyond what is necessary to ensure the legitimate interests of the occupying power and those under its control. Consider the following examples. 

Article 43 of the Hague Regulations obliges the occupying powers to restore and ensure public order and civil life. Personal data could be protected by Article 43 Hague Regulations to the extent that it can be shown that social and economic interactions of daily life are disturbed by the data processing in question. Moreover, it would need to be shown that this disruption went beyond what was strictly necessary and proportionate to achieve the legitimate purpose of the measures (e.g. security of the general population or of the occupying power’s troops).  

Article 27 of the Fourth Geneva Convention (Geneva IV) obliges the occupying power to treat all protected persons humanely and to respect, among other things, their person, manners and customs. While it is possible to argue that ‘respect for the person’ means respect for their right to data protection, this interpretation is not the only plausible one, leaving room for alternative, narrower readings. It might therefore be necessary to show, for instance, that military data processing leads to self-censorship and thus prevents data subjects from acting in line with their manners and customs. Again, such effects would further need to be unnecessary and disproportionate to be unlawful under IHL. Pursuant to Article 27 Geneva IV, protected persons must further not be exposed to public curiosity. This includes sharing images or videos in which protected persons are identifiable with anyone who does not need to see said personal data. 

Article 33 Geneva IV prohibits collective punishment, i.e., punitive sanctions applied regardless of individual responsibility. Data processing could violate IHL as collective punishment if it can be established that it restricted the data subject’s freedom or comfort and that this was meant to punish the data subject.  

To the extent that adherence to data protection principles is required to avoid undue effects like those described above, they will become part and parcel of the occupying power’s IHL obligations. Whether a specific data practice violates one of the above provisions will depend on the specific facts at hand, including the question of whose personal data was processed. Importantly, IHL does not protect all data subjects, but only those who also qualify as protected persons (see Article 4 Geneva IV), which excludes the nationals of the occupying power. This further underlines the general picture emerging from the above analysis: IHL does not protect the right of the data subject to control their personal data per se. Rather, it shields those it considers vulnerable to abuse at the hands of the occupying power against certain harmful effects of not having such control. While this protection can be essential, it might very well cause military actors to protect personal data differently, and most likely less comprehensively if they base their actions solely on what is permissible under IHL. 

Sneaking in data protection through the backdoor of IHRL 

While situations of occupation have traditionally been governed primarily by IHL, it is not the only relevant body of international law. There is a broad (although not universal) agreement that IHRL continues to apply during armed conflict and that it applies extraterritorially in occupied territory. While not yet entered into force at the time of writing, Convention 108+ constitutes an international data protection treaty which does not allow for a blanket exemption for military activities—unlike its foundation, Convention 108, and most domestic data protection laws. Moreover, the right to private life, while not identical with the right to data protection, has been interpreted in a way that echoes certain data protection principles, especially within the European system. 

Data protection is closely connected to the right to private life (Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland, para 137). Data-based interferences with this right must have a sufficiently precise, clear and accessible legal basis (‘legality’), affording appropriate safeguards. This at least partially overlaps with the principles of transparency. Moreover, interferences can only be lawful if they pursue a legitimate objective, such as national security, public safety, or the protection of the rights of others. Although these categories are different from the ‘lawful bases’ for data processing commonly known in data protection law, this requirement aligns with the spirit of the principle of lawfulness. Moreover, any interference must be necessary and proportionate. This has been interpreted as giving rise to an obligation only to process data for the purpose of realising a legitimate objective (Surikov v Ukraine, para 89), echoing the principle of purpose limitation. Where inaccurate data is processed, the processing is not liable to achieve the legitimate aim (Khelili v Switzerland, para 68), and hence not necessary. If data which is inadequate or irrelevant is processed (Khadija Ismayilova v. Azerbaijan, para 147), or where there is no reasonable limit set for its retention (S. and Marper v United Kingdom, para. 125), the processing is not conducted in the least intrusive way possible, thus making it disproportionate. This mirrors the principles of accuracy, data minimisation and storage limitation. States are further obliged to guard against any unauthorised or unlawful processing by third parties (General Comment No. 16, para 10), as also required by the principles of integrity and confidentiality. In sum, the IHRL principles of legality, necessity and proportionality can serve as an entry point for data protection principles into the human right to privacy. 

Still, one crucial and controversial question remains: how does the human right to privacy interact with IHL? One answer would be that IHRL clarifies and complements the IHL obligations set out above. For example, when determining whether personal data processing is proportionate to ensure public order or security in line with Article 43 Hague Regulations, IHRL could provide the concrete legal tests. The same applies for interferences with the guarantees set out in Article 27 Geneva IV. The principle of legality would further complement IHL by establishing an additional duty to create a clear, precise and accessible legal basis for the processing of personal data. If the interaction between IHL and IHRL is approached in this way, international law would give rise to obligations which resemble the data protection frameworks humanitarian actors have committed themselves to.  

Remaining challenges and conclusion 

Nevertheless, things are not quite as straightforward. Some states may reject giving IHRL such a prominent role. They might argue that IHL, due to its specific focus on armed conflict and occupation, remains the primary source of their obligations. As explained above, this would not necessarily leave all military data processing entirely unregulated, but the logic and density of the applicable rules would differ significantly from that of most data protection frameworks. Even states which do not entirely reject the applicability of IHRL might emphasise that specific peacetime obligations would be displaced by more lenient IHL rules due to the particular security challenges coming with situations of occupation, potentially diluting the protection accorded to data subjects. These claims are often difficult to challenge as courts or any other external actor might struggle to accurately determine what is truly necessary to guarantee the security of the occupying forces and the occupying state’s citizens at home. The information needed to make such an assessment will often be unavailable to external actors—again, for reasons related to national security. 

One way to move forward would be for belligerents to adopt data protection frameworks for their armed forces which take into account the particularities of armed conflict, following the example of organisations like the UNHCR and the ICRC in the humanitarian sector. However, as long as this is not common practice, IHL and IHRL may remain important points of reference for militaries regarding personal data processing. For the reasons set out above, this might result in differences in how humanitarian and military actors think and talk about data protection. It is to be hoped that these differences do not entail significant disparities in the substantive protection provided to data subjects. Whether this will be the case will largely depend on whether military actors are as ambitious and forward-looking as humanitarian actors when it comes to protecting personal data. 

These reflections echo themes explored in the recently published Routledge volume Data Protection in Humanitarian Action: Responding to Crises in a Data-Driven World, which examines how data protection frameworks evolve to meet the realities of crises in an increasingly data-driven age.