Strengthening Data Protection Resilience Against Geopolitical Threats
A Call to Action
Geopolitical threats to data protection have received little attention compared to those in areas such as trade, energy, and artificial intelligence. They can arise in particular from armed conflicts and cyberattacks, and may involve disrupting the processing of personal data needed to deliver vital services, destroying public records and databases, and misusing data to facilitate human rights abuses.
This situation is driven by the worsening geopolitical landscape around the world. According to a study by the Peace Research Institute Oslo, 2024 saw the highest number of armed conflicts since 1946, while the World Justice Project Rule of Law Index has noted that in 2025 the rule of law weakened globally for the eighth consecutive year. The risks to data protection are particularly evident in Europe, which has the most complex body of data protection law and also faces serious geopolitical threats, including, for example, ongoing cyberattacks by Russia, the risk of kinetic attacks by that country, and threats against Greenland by the US.
Data protection law protects the processing of data related to identifiable individuals, and the economic, social, and legal importance of data processing means that data protection law must be resilient against geopolitical threats. In the EU, this requires action by the EU institutions and the data protection authorities (DPAs), in particular under the EU General Data Protection Regulation (GDPR), which is the foundational legislation for data protection in the EU and protects fundamental rights set out under the EU treaties. It is also important for politicians and policymakers to recognise that data protection resilience is a crucial aspect of making society and the economy more resilient.
Geopolitical threats to data processing
Emergency situations may result in breakdown of the rule of law upon which data protection law rests. The rule of law is based on factors such as accountability to publicly-promulgated laws, equal enforcement of the law, independent adjudication, and consistency with international human rights standards, as stated by the UN Secretary General. These factors are also required under leading international data protection and privacy instruments such as the GDPR, the African Union Convention on Cyber Security and Personal Data Protection, and the Modernised Council of Europe Convention 108+.
Without the rule of law, courts and DPAs cannot function, belligerents may disregard data protection standards, and individuals cannot exercise their rights. The risks to human rights of the misuse of large population databases throughout history have been amply documented, and can be seen in the judgment of the European Court of Human Rights in Case of Ukraine and The Netherlands v. Russia of July 2025, where the Court found that data collection and so-called “filtration” measures by the Russian armed forces in their invasion of Ukraine resulted in human rights abuses and erosion of the rule of law (see in particular paras. 1178-1182, 1340, and 1618). Such abuses may also arise because of hybrid warfare against critical infrastructure such as hospitals.
Military alliances and humanitarian organisations have increasingly adopted policies and frameworks to protect the personal data that they process. However, data protection risks in armed conflicts are not limited to data concerning the military or state security. Data processed by companies, hospitals, government departments, universities, and other civilian organisations may reveal information such as population density, the ethnicity, age, gender, and sexual orientation of individuals living there, and health conditions of inhabitants. Such databases may also contain crucial data necessary for the functioning of society. One can imagine belligerents misusing them to identify people of a certain ethnicity in order to carry out ethnic cleansing, to persecute those whom they suspect of sympathising with their opponents, or to bring the operation of vital governmental functions to a standstill.
Steps to strengthen resilience
The GDPR contains only a few provisions that could apply specifically in emergency situations, such as Article 45(5), which allows the European Commission to revoke adequacy decisions (the decisions that allow personal data to flow freely to certain third countries) where adequate protection is no longer ensured, including through a breakdown in the rule of law. While the EU has recently taken steps to ensure the continued functioning of the Internal Market in times of crisis through adoption of the Internal Market Emergency and Resilience Act (IMERA), it applies without prejudice to the GDPR (see Article 42(1)). The EU Cyber Resilience Act, which becomes fully applicable in 2027, deals only with the security of hardware and software connected to networks, while the need for data protection resilience is broader than cybersecurity. Like the IMERA, the Cyber Resilience Act also applies without prejudice to the GDPR (Recital 32). Protection of data processing against geopolitical threats must thus be approached via data protection law, in particular the GDPR.
This requires the recognition of a duty to make data protection resilient against geopolitical threats. A duty of data protection resilience can be implied from the protective mandate of the law as expressed in obligations on data controllers under the GDPR (for example the obligation of data security under Article 5(1)(f)) and the duty of DPAs to monitor its application in order to protect fundamental rights and freedoms (Article 51(1)). This should result in controllers taking steps to provide appropriate protection against misuse of personal data by belligerents, and DPAs both supervising compliance with this duty and themselves taking actions such as those described below.
These actions would not impact the EU’s Common Foreign and Security Policy, which is excluded from the scope of the GDPR under Article 2(2)(b), and the Court of Justice of the EU has in any case found that the derogations under Article 2 are to be interpreted restrictively (see VQ v. Land Hessen, Case C-272/19, para. 68). Furthermore, the protection of fundamental rights is one of the legal bases on which the GDPR rests (see Recital 2), and the Court of Justice has stressed the need for a high level of fundamental rights protection under it (for example, in Data Protection Commissioner v. Facebook Ireland and Schrems, Case 311/18, para. 93). Chapter V GDPR mandates that data transferred from the EU be protected against threats when they are transferred to third countries, and it would be strange if the GDPR’s protective mandate did not also cover protection against external threats to data processed in the EU.
The main bodies that should take action include the Commission, the European Data Protection Supervisor (EDPS), an independent authority charged with supervising data protection compliance among the EU institutions, and the European Data Protection Board (EDPB), an independent body under EU law composed of the EDPS and the heads of the DPAs in the European Economic Area countries. The Commission has already begun work in some related areas such as the cybersecurity of hospitals and healthcare providers, which it could expand to cover geopolitical threats more broadly. Article 70 GDPR gives the EDPB broad powers to examine on its own initiative any question concerning application of the GDPR and to issue guidelines, recommendations, and best practices (Article 70(1)(e)), which should include ones dealing with protection against geopolitical threats. The DPAs should also raise public awareness about the need for resilient data processing, which is one of their tasks under the GDPR (see Article 57(1)(b)).
The DPAs should explicitly require sensitive databases to be encrypted and to be capable of being rendered immediately unintelligible if unauthorised access by a belligerent is imminent, for example by building in mechanisms to destroy the encryption keys securely so that the data can no longer be accessed (so-called crypto-shredding). While encryption is not strictly required by the language of the GDPR, Article 32(1)(a) implies that such a duty exists (as noted by Bygrave, p. 71), which must be the case particularly in high-risk situations when data are threatened by kinetic or hybrid attacks.
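As an added illustration of the crypto-shredding mechanism just described (this code is not from the original post), the sketch below encrypts each record under its own data-encryption key (DEK), wraps every DEK under a dataset key-encryption key (KEK) held in a key store, and shows that shredding the KEK leaves the stored ciphertext in place but unrecoverable. The HMAC-SHA256 counter-mode cipher is a standard-library stand-in for AES-GCM, and the in-memory KeyStore stands in for an HSM or KMS; both are assumptions made so the example runs offline.

```python
import hmac, hashlib, secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR/GCM so the
    # example needs only the standard library (illustrative, not production use).
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def _seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KeyStore:
    """Stand-in for an HSM/KMS holding key-encryption keys (KEKs) by id."""
    def __init__(self):
        self._keks = {}
    def create(self, kek_id: str) -> None:
        self._keks[kek_id] = bytearray(secrets.token_bytes(32))
    def wrap(self, kek_id: str, dek: bytes) -> bytes:
        return _seal(bytes(self._keks[kek_id]), dek)
    def unwrap(self, kek_id: str, wrapped: bytes) -> bytes:
        if kek_id not in self._keks:
            raise KeyError(f"KEK {kek_id} has been shredded")
        return _open(bytes(self._keks[kek_id]), wrapped)
    def shred(self, kek_id: str) -> None:
        # Overwrite the key material, then forget it: every DEK wrapped under this
        # KEK, and so every record, becomes permanently unrecoverable.
        kek = self._keks.pop(kek_id)
        kek[:] = b"\x00" * len(kek)

class Database:
    """Records encrypted under per-record DEKs; each DEK wrapped by the dataset KEK."""
    def __init__(self, store: KeyStore, kek_id: str):
        self.store, self.kek_id, self.rows = store, kek_id, {}
    def put(self, rid: int, plaintext: bytes) -> None:
        dek = secrets.token_bytes(32)
        self.rows[rid] = (self.store.wrap(self.kek_id, dek), _seal(dek, plaintext))
    def get(self, rid: int) -> bytes:
        wrapped, blob = self.rows[rid]
        return _open(self.store.unwrap(self.kek_id, wrapped), blob)
```

Because only the KEK has to be destroyed, shredding is a single fast operation regardless of database size, which is what makes it usable when unauthorised access is imminent.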
Just as the military carries out war games to simulate conflict, train personnel in strategy and tactics, and predict future trends, so DPAs could engage in “data protection war games”. These could involve other organisations from the public and private sectors as well, and would simulate situations in which belligerents seek to seize or access data in EEA countries. This would allow the organisations involved to assess the risks of data misuse and develop strategies to deal with them. DPAs and European agencies have already taken part in similar exercises; for example, the EDPS has participated in simulation exercises involving data breaches (such as the PATRICIA III exercise dealing with data breach awareness in cybersecurity incident handling), and the European Union Agency for Cybersecurity (ENISA) organised the first such exercise that included DPA participation in 2024. These exercises could be expanded to cover cyber and kinetic attacks by belligerents as well. While measures such as these would only be a start in meeting these risks, they would begin to deal with an important area that has thus far been neglected, and would raise public awareness of the need for resilience in data processing.
Data protection resilience is a topic of international importance, as countries around the world are faced with threats similar to those faced by the EU. International organisations active in data protection such as the OECD and the Council of Europe should add protecting data against geopolitical threats, including in case of armed conflicts and hybrid attacks, to their agendas. This would fit with the current work being done by the OECD on Data Free Flow with Trust, and with the emphasis in the Modernised Council of Europe Convention 108+ on data security as set out in Article 7. The Global Privacy Assembly (GPA), a group of over 130 data protection and privacy authorities from around the world, should also take up the topic.
Lessons for EU law and data protection law
EU law is currently unprepared to protect data processing in case of a major crisis such as kinetic or cyber warfare, which poses grave risks for the EU’s social and economic structures, the rights of individuals, and the legal system. The EU institutions and DPAs seem not to have noticed the risks posed by an aggressor potentially accessing and misusing data that is not related to defence and national security. The burden for dealing with data resilience rests on data protection law, particularly on the GDPR, but little action has been taken under it to achieve such protection. All this means that there is little public awareness of the issue.
Improving data protection resilience is also hindered by the EU’s current tendency to use the weakening of data protection law as a political bargaining chip. This can be seen in remarks criticising the GDPR made by former Italian President and European Central Bank President Mario Draghi, and in the Digital Omnibus proposal by the Commission containing changes to the GDPR that have been criticised as potentially reducing the level of protection it provides (see here, here, and here). Efforts to weaken the GDPR are shortsighted, as strengthening of data protection in light of geopolitical threats is necessary to ensure the continued functioning of society and the economy, thus making it something that should appeal even to those critical of data protection law. One can only hope that measures will be taken sooner rather than later to strengthen the law against growing geopolitical threats.