Role of data privacy in war

This article has been written by Phillip Varghese Thomas, pursuing a Diploma in International Data Protection and Privacy Laws from LawSikho and edited by Shashwat Kaushik.

It has been published by Rachit Garg.

In the past 2 years, we have seen the outbreak of wars and rumours of wars. The past few decades have seen the evolution of war fought physically on the battlefield, often accompanied by attacks in cyberspace, where data is the primary target. Our lives and lifestyles have become so intertwined with technology that a breach of our personal information would be a breach of our privacy, too. Data can be  used or misused by nations to protect their people or gain the upper hand in certain situations. Governments or individuals may employ skilled personnel to utilise data to their advantage during a crisis.

Download Now

Experts in international humanitarian law (IHL) agree that breaches of civilian data could cause more destruction than those against physical property alone and have tried to manage data under the existing legal frameworks.

Data privacy can be understood as a right possessed by a person to protect and safeguard information concerning themselves or something of importance from being shared or exposed to the public or a third person.

Privacy, in data or otherwise, is a right that finds its root in the principle of ‘Human Dignity’, which every person must be offered universally. This right translates to personal information in the form of freedom against being viewed, watched or monitored through any device. The personal dignity of  life can be honoured only by recognising the importance of data privacy and privacy in general.

According to the well established General Data Protection Regulation (GDPR) of 2016:

“Data protection means keeping data safe from unauthorized access. Data privacy means empowering your users to make their own decisions about who can process their data and for what purpose.”

Therefore, data that is characterised as personal in nature bears a high level of importance with respect to its security and organisation. The nature of personal information that lies open without the defence of sufficient privacy laws or technology makes it a ripe target in the hands of the wrong person, especially in a time of crisis. Data manipulation and exploitation have seen an increase in the past few years, especially during times of war, as a form of attack against targets of interest.

Privacy, as with  any other right, stems from the natural need of a human being to be treated in a dignified manner. Although privacy is a need recognised in theory, acceptance of this need and assigning authority to it is what transforms a recognised right into an enforceable law.

At present, the General Data Protection Regulation (GDPR), which is applicable in the EU and its members, is the most popular and comprehensive set of regulations that provide a solid base for understanding and addressing many privacy related matters. It has evolved and adapted over time to recognise certain rights and obligations required by those who process data and those who are subject to it. Some of the popularly known rights that have been recognised and established are:

  1. The right to be forgotten- which means a person may have the right to have certain information about themselves removed from cyberspace in certain situations. This right was born from the case of Google Spain vs. Maria Costa Gonzalez (2014), mentioned in Article 17, which prevents information that is derogatory and false from being accessible on the internet by having them removed or deleted permanently.
  2. The right to access- as mentioned in Article 15, gives a person the right to know what information about themselves is made available to those who are processing their data. This further gives them the right to review and modify their data in accordance with request of the data controller. 
  3. The right to be informed- is the most relatable right, as we come across it on a daily basis when availing of services from various providers. Every data controller is required to inform its clients what personal data will be collected and processed by them. They are required to be fully transparent about the extent and reason for which they are collecting data, as mentioned in Articles 13 and 14.

These rights are not absolute;  they have exceptions and can be restricted, as mentioned in Recital 73 of the regulation, such as for public interest but this is not the case during a cyber attack. As we will see in this article, personal data can be used without consent or manipulated so as to cause destruction by violating every one of these rules. 

Criminal litigation

As the saying goes, “knowledge is power,” and data is knowledge that enables people in power to take actions based on it. It goes without saying that it has been used as a weapon to inflict loss, shame or strife on its victims. Without proper control and the imposition of well founded rules and regulations, the real victims of this cyber warfare are civilians, who face the aftermath of military action and terror.

Consider the war currently taking place in both Ukraine and Gaza, which utilises data from satellite imagery coupled with the attacks commenced by cyber militias against important government databases and the vast amount of user generated content spreading both news and misinformation concerning the situation on the ground. This ocean of data also raises the question of what is truly reliable information.

Cyberattacks have evolved and multiplied over the past few years. With the rapid pace of technological development, the intensity at which cyber warfare could affect society has increased. But the question to be asked is, how do data and information cause harm?

While a breach of confidential data does not cause immediate physical harm to a civilian, it is certainly an encroachment on their privacy, as agreed by courts globally. Cyber operations carried out by opposing forces without adherence to a legal framework of operation will result in the misappropriation or leak of sensitive civilian data, which in turn could threaten and damage society in the long run through targeted attacks, extortions or blackmailing.

Attacks are usually targeted at facilities and data infrastructures of importance, such as emergency services, supply chains, resource production or telecommunication systems. For instance, a Russian hacking group called Sandworm was responsible for ransomware that disrupted transportation and related logistics industries.

Cyberattacks are also well known to disrupt the financial and business markets. The recession experienced due to the effects of these past wars still affects the global economy. This is because false data and rumours are spread with the intention of injecting fear in many, leading to a loss of confidence in the market.

Data can also be used to sabotage a facility, as reported in May 2020. An Iranian cyber attack was carried out to sabotage Israeli water utility services by slowing the systems that controlled the flow control and treatment of water. The intention was to disrupt and halt the supply of water to that area. Fortunately, the timely interception and diffusion of the attack saved the people from possible hardships that could have resulted from the strike.

Another form of data breach is when an attacking party infiltrates the database of a nation to steal and retain the information of individuals, as in the case of the US in Iraq for supposedly military purposes. The US continued to retain this information post operation claiming to maintain surveillance over certain persons of threat, which was viewed as a violation of international privacy standards by many NGOs.

Methods such as Denial of Service (DoS) attacks, digital blackmailing and false information are some of the many methods employed by cyber militias to wage war against individuals, organisations and nations themselves. The disadvantage of such offences is that non-kinetic attacks do not warrant a valid retaliation with physical force, as there is no direct destruction of ‘objects’ as laid down in the First Geneva Convention’s Article 50. This lacuna in the legal framework and rules has no power to explicitly condemn these newer cyber attacks, which do not conform to those obsolete definitions. This has raised the urgency for a new and well defined international policy along with better interpretation concerning data privacy and its protection.

Data privacy and its protection in war are mainly concerned with the strengthening of data security, which depends on the rules laid down for it and not the commonly conceived notion of the protection of personal data alone. Although privacy of data is the ultimate aim, data protection is what should be considered. The term ‘data protection’ can be closely associated with data confidentiality and integrity, which require privacy to be established as more than a principle or guideline but rather in strict terms by which data is stored, encrypted and guarded and how easily it is accessed without tampering with or diminishing its accuracy when recorded.

There have been several efforts made on a national and international level to develop a functional and well-defined guideline for the management of data privacy and to establish rules under which they might operate. 

The international landscape is mainly constituted by the General Data Protection Regulation (GDPR) and the rules laid down by the International Human Rights Law (IHRL) and the International Humanitarian Laws (IHL), which broadly govern the matter of data privacy, along with resolutions in different conventions.

The GDPR, which is the most popular set of guidelines concerning data privacy, helps by differentiating and defining what personal data is and what aspects of a natural person can be considered as personal data. It further mentions the jurisdiction of the regulation with exceptions such as the processing of personal data outside of the Union “and the processing of personal data by the Member States when carrying out activities in relation to the common foreign and security policy of the Union.”

In Chapter 5 of the regulation, it speaks about “Transfers of personal data to third countries or international organisations” by providing the standards required by the country to which it is being transferred while also stating the exceptions to such a transfer in Article 49. The shortcoming of this wonderful legislation is that it is catered to the EU specific scenario and its members.

The IHL and HRL for that matter, have profoundly greater jurisdiction in comparison with the GDPR and have greater potential to serve the global need with a unified standard. Although both are different bodies, they have a complementary nature towards each other.

The laws of data protection  laid down during peacetime are applicable in wartime as well. Rarely does personal data become the primary target during armed conflict; nevertheless, the laws laid down by the IHL concerning the unauthorised use of personal data greatly help in adding a layer of security. For instance, Rule 7 calls for the distinction between civilian and military objects, which can also be translated to civilian data such as medical and financial data; therefore, unauthorised use of this data will be deemed to be a war crime.

Article 52 of the 1977 Additional Protocol I to the Geneva Conventions reiterates that: “Civilian objects shall not be the object of attack or of reprisals” and that attacks shall be limited strictly to military objectives. So far, it offers a definite military  advantage. Even if personal data was found to be of military advantage, the protocol calls for the protection of civilians while executing action.

There are several other bodies of law that have a hand in shaping the outlook on data privacy. The ICCPR and Universal Declaration of Human Rights have stated in Articles 17 and 12, respectively, that no person shall be subject to arbitrary interference with their privacy. The Charter of Fundamental Rights of the European Union provides under Article 8 that ‘everyone has the right to the protection of personal data concerning him or her’. 132 out of 194 countries under the UN Conference on Trade and Development (UNCTAD) have begun to process legislation catering to concerns about data privacy.

Data in terms of civilian personal data is not the first victim in armed conflict, but it is surely the one that suffers unjustly and the longest. Therefore, it is necessary on an international scale for a law governing the privacy and personal data of individuals with the aim of fortifying the rules by which protection to the information is given. 

As we have seen, data is a powerful tool, and those in power must be able to recognise and classify what is conducive to a conflict without prying into a person’s personal information and disregarding human dignity, which makes one feel vulnerable and unsafe. Although IHL, HRL and GDPR provide definitive guidelines for the conduct and safeguarding of personal data, they do not instill a sense of security under which nations can find refuge on a global scale. Nevertheless, it provides the framework and direction for the birth of a unifying data privacy law in a world that is rapidly progressing in the fields of technology and cyberspace.

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.

Leave a Reply

Your email address will not be published. Required fields are marked *