The Czech Data Protection Association is an organization gathering the data protection officers and experts focused on privacy and personal data processing issues in the Czech Republic. As an organisation as well as a group of citizens of the Czech Republic, we cannot ignore the violations of international law and the associated systematic disregard of human rights that are taking place in the context of Russia’s aggression against Ukraine.
In the context of this conflict and the recent change on the geopolitical scene, we consider it important to highlight some privacy and personal data protection issues that will gain significance as a result of the military aggression against Ukraine:
1. The situation and the apparent unwillingness of the Russian Federation to comply with its international law obligations have the effect of further reducing the credibility of the Russian Federation and Belarus as potential destinations for the transfer of personal data. This is also true for the use of Russian organisations as processors or joint controllers of personal data. Controllers and processors transferring data to these jurisdictions should take the new situation into account when assessing the lawfulness and the possible risks of such data transfers. At the same time, we believe that the relevant data protection authorities should focus their methodological and supervisory activities on the transfers of personal data to the Russian Federation and Belarus.
2. We can expect – and are already witnessing – an increase in cyber-attacks led by different entities from the Russian Federation or its supporters against targets in the EU. This has already been pointed out by several relevant authorities, including the NÚKIB (The National Cyber and Information Security Agency of Czech Republic). The security of IT products and other equipment developed or manufactured in the Russian Federation is also a relevant topic.
3. It is also necessary to assess the possible implications that this international situation may have on the lawfulness of the processing of personal data. For example, there may be a new legal obligation for some service providers to process personal data arising from security legislation or a strong legitimate interest to process personal data, or there may be an obligation to process personal data in connection with international sanctions applied against the Russian Federation or Belarus and their citizens.
4. We would also like to point out that this situation may bring a new range of processing activities at the national level, e.g. in relation to refugee assistance. While we are aware that the humanitarian aspect of this situation needs to be treated as a priority, the requirement of the lawful processing of the personal data should not be neglected. This is of particular importance for any data that may affect the rights of refugees or their security. Bearing this in mind, the interest in effectively helping the victims of this war should be given the highest priority. The public authorities concerned should therefore create the necessary conditions (organisational, technical, legislative and methodological) to enable the simplest and most effective provision of assistance to refugees or other persons affected by the war and should interpret the relevant regulations, including those on the protection of personal data, in such a way as to achieve this objective as easily as possible.
5. The current Russian aggression has highlighted the need for Euro-Atlantic cooperation. We believe that instead of the sometimes ideologically tinged disputes over the transfers of personal data between the EU and the US, a new framework for cooperation should now be urgently negotiated. A balanced and substance-oriented legal mechanism that would allow the free movement of data between the EU and the US, while fully respecting the rights of EU citizens, would undoubtedly also contribute to strengthening Euro-Atlantic partnership.
More information: www.ochranaudaju.cz