Statement of the the Czech Data Protection Association on the implications of the invasion of Ukraine by the Russian Federation 

Mar 10, 2022

The Czech Data Protection Association is an organization gathering the data protection officers and experts focused on privacy and personal data processing issues in the Czech Republic. As an organisation as well as a group of citizens of the Czech Republic, we cannot ignore the violations of international law and the associated systematic disregard of human rights that are taking place in the context of Russia’s aggression against Ukraine. 

In the context of this conflict and the recent change on the geopolitical scene, we consider it important to highlight some privacy and personal data protection issues that will gain significance as a result of the military aggression against Ukraine: 

1. The situation and the apparent unwillingness of the Russian Federation to comply with its international law obligations have the effect of further reducing the credibility of the Russian Federation and Belarus as potential destinations for the transfer of personal data. This is also true for the use of Russian organisations as processors or joint controllers of personal data. Controllers and processors transferring data to these jurisdictions should take the new situation into account when assessing the lawfulness and the possible risks of such data transfers. At the same time, we believe that the relevant data protection authorities should focus their methodological and supervisory activities on the transfers of personal data to the Russian Federation and Belarus. 

2. We can expect – and are already witnessing – an increase in cyber-attacks led by different entities from the Russian Federation or its supporters against targets in the EU. This has already been pointed out by several relevant authorities, including the NÚKIB (The National Cyber and Information Security Agency of Czech Republic). The security of IT products and other equipment developed or manufactured in the Russian Federation is also a relevant topic. 

3. It is also necessary to assess the possible implications that this international situation may have on the lawfulness of the processing of personal data. For example, there may be a new legal obligation for some service providers to process personal data arising from security legislation or a strong legitimate interest to process personal data, or there may be an obligation to process personal data in connection with international sanctions applied against the Russian Federation or Belarus and their citizens. 

4. We would also like to point out that this situation may bring a new range of processing activities at the national level, e.g. in relation to refugee assistance. While we are aware that the humanitarian aspect of this situation needs to be treated as a priority, the requirement of the lawful processing of the personal data should not be neglected. This is of particular importance for any data that may affect the rights of refugees or their security. Bearing this in mind, the interest in effectively helping the victims of this war should be given the highest priority. The public authorities concerned should therefore create the necessary conditions (organisational, technical, legislative and methodological) to enable the simplest and most effective provision of assistance to refugees or other persons affected by the war and should interpret the relevant regulations, including those on the protection of personal data, in such a way as to achieve this objective as easily as possible. 

5. The current Russian aggression has highlighted the need for Euro-Atlantic cooperation. We believe that instead of the sometimes ideologically tinged disputes over the transfers of personal data between the EU and the US, a new framework for cooperation should now be urgently negotiated. A balanced and substance-oriented legal mechanism that would allow the free movement of data between the EU and the US, while fully respecting the rights of EU citizens, would undoubtedly also contribute to strengthening Euro-Atlantic partnership. 

More information: www.ochranaudaju.cz

Recent news

EFDPO as guest at conference in Prague

EFDPO as guest at conference in Prague

On 6 October 2022, the traditional autumn conference of the Association for Personal Data Protection dedicated to the issue of personal data processing “GDPR 2022” was held in Prague for the sixth time.

read more
Cities trapped by GDPR

Cities trapped by GDPR

Cities and municipalities in the Czech Republic have approached the obligations arising from the right to the protection of personal data differently. If we look away from those who have only formally secured DPOs position and rely on the absence of fines, we come to a smaller group of those with an honest approach and a genuine effort to secure a range of responsibilities. But they often fail in many situations.

read more