Russia’s unprovoked invasion of Ukraine reinforces the fact that we live in a very complicated and dangerous world. This attack on an independent European country, Russia’s willingness to unleash violence on civilians, and the Government’s fabrication and dissemination of propaganda further underscore the critical and increasing role data, surveillance, and intelligence activities will play in this dangerous world. This literally is a matter of life or death.
In the weeks leading up to the invasion, the United States government was making public pronouncements forecasting the invasion based on USG interpretations of intelligence data. It is likely that additional, more sensitive data was being shared between allies, which is certainly appropriate. Odds are that insights from bulk analysis of data continue to be shared between NATO member countries. Again, very appropriate.
Yet last week, EU Executive Vice President Margrethe Vestager said that reaching an agreement with the U.S. on data flows would not be easy, “given the fundamental legal clash between European privacy rights and U.S. surveillance overreach.” In the current geopolitical environment that statement was not helpful. It certainly was poorly timed. From our perspective, when compared with the actions of hostile global actors, we don’t see a fundamental clash at all. Rather, we see allies who share common values and a deep respect for the same fundamental rights. If there’s a gap between our respective approaches, it’s more of a crack than a canyon.
There is universal agreement in the West that the protection of life and security of the person are fundamental, individual human rights. You can look to Article 3 of the UN Universal Declaration of Human Rights, Article 6 of the Charter of Fundamental Rights of the European Union, or the Canadian Charter of Rights and Freedoms for clear examples of this deeply embedded commitment to life and security. In the data protection sphere, these fundamental rights are tested and challenged every time communications networks are accessed, and data is used by public actors. Companies invest heavily in cyber security and information technology to secure their data and safeguard these individual rights. They do this for the benefit of the individual, the organization and society.
Signals intercepts and data analysis are not just a government interest. The security of information and safeguarding of individual privacy require that commercial actors monitor their networks and the flow of data for anomalous activity and signs of malicious activity. There’s no choice. And as we’ve learned over the past half decade, cyber security works best when threat data is shared among companies who are engaged in an increasingly dangerous battle with rapidly evolving threat actors. Data sharing is imperative to the efficient and effective prevention of cyber-attacks. And when necessary, similar data sharing takes place between allied government agencies under defined intelligence sharing agreements. Does anyone doubt that such data sharing is necessary now? Experts predict that as the war with Ukraine continues, Russia will again turn to offensive cyber warfare activities as they have in the past. We need only look to the recent SolarWinds cyberattack by the Russian Foreign Intelligence Service for proof of their capabilities and intentions.
Recital 4 of the EU General Data Protection Regulation is on point: “The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.” The fundamental right to life and security of person is an individual right shared by all in the western world. It should be taken into consideration in relation to its function in society and be balanced against other fundamental rights in a proportional manner when considering the risks related to data transfers and cyber intelligence information sharing. We are in no way suggesting there should not be safeguards built into national and cyber security systems and information sharing agreements. The IAF said there should be accountability requirements for intelligence agencies in 2014. Instead, we would suggest that the fundamental right to life and personal security should be part of the data protection proportionality equation.
This blog was prepared by the IAF policy team and does not necessarily reflect the views of the IAF Board of Trustees or members.