🍻 Selber Bier Brauen

Much has already been written about the European Court of Human Rights’ (“ECtHR or the Court”) first substantive climate judgment Verein KlimaSeniorinnen Schweiz and Others v. Switzerland (“KlimaSeniorinnen”) (see for example here and here). This blog post takes that landmark ruling as a starting point to examine the role of procedural rights in climate litigation before the ECtHR. Procedural rights, as we argue, can be understood in a twofold manner: on the one hand, as admissibility criteria structuring access to the Court, and on the other, as substantive guarantees flowing from the Convention itself. Read in this light, KlimaSeniorinnen – alongside Greenpeace Nordic and Others v. Norway (“Greenpeace Nordic”) – reveals key developments in the Court’s emerging climate jurisprudence across both dimensions.

Against this backdrop, we argue that the Court’s restrictive criteria for individual victim status under Article 6 ECHR only allegedly serve to prevent actio popularis, while potentially limiting effective protection of Convention rights – especially in times of democratic backsliding. We further show that in Greenpeace Nordic, the Court developed important procedural safeguards under Article 8 ECHR to protect individuals from climate-related harm, yet applied these guarantees with notable restraint.

KlimaSeniorinnen: Victim Status and Standing Requirements Under Article 6 ECHR

In KlimaSeniorinnen, the Court introduced new, particularly strict victim status criteria for individual climate litigants (see also Judge Pavli’s contribution). Under the new victim status test, the threshold for individuals to prove they are personally and directly affected is especially high (KlimaSeniorinnen, § 488). The Court established that (1) individual applicants must show that they are subject to a high intensity of exposure to the adverse effects of climate change, that is, the level and severity of (the risk of) adverse consequences of governmental action or inaction affecting the applicants must be significant, and (2) the absence or inadequacy of any reasonable measures to reduce harm owes to a pressing need to ensure the applicants’ individual protection (KlimaSeniorinnen, § 487).

On Article 6 ECHR, the Court addressed victim status in conjunction with the question of the provision’s applicability. In doing so, it appears to have adopted the restrictive victim status criteria developed in the context of Article 8 of the Convention (KlimaSeniorinnen, §§ 478-488) as a ratione materiae threshold, into the assessment under Article 6. Notably, the Swiss Government did not contest the victim status of the individual applicants under Article 6. As Judge Eike underlined in his dissenting opinion, “there was, in fact, no dispute and no uncertainty” on this point (KlimaSeniorinnen, Dissenting Opinion, § 22). Against this background, the Court’s restrictive reading does not seem compelled by the circumstances of the case.

As is well established, the applicability of Article 6 requires (1) the existence of a “civil right”, (2) a “genuine and serious dispute”, and (3) that the outcome of the proceedings be “directly decisive” for the applicants’ rights (KlimaSeniorinnen, § 595). While the Court had little difficulty accepting the first two criteria, it drew a distinction regarding the third: it denied that the outcome was directly decisive for the individual applicants, yet affirmed this requirement for the applicant association. This distinction is difficult to reconcile with the Court’s own reasoning. The judgment acknowledged that the dispute had a “direct and sufficient link” to the rights of the association’s members (§ 618). At the same time, however, it did not consider the outcome to be directly decisive for those very members in their individual capacity. The resulting tension suggests that the Court sought to align its new approach of favouring associations over individuals regarding victim status under Article 8 with the uncontested victim status criteria under Article 6. The doctrinal basis for such an alignment remains open to discussion (see also KlimaSeniorinnen, Dissenting Opinion, § 28).

Preventing Actio Popularis?

The Court justified the particularly high threshold for individual victim status by invoking the need to avoid actio popularis, which is not permitted under the Convention. Yet it is not immediately clear that allowing individuals to bring claims of violations of their rights to climate protection would amount to such a prohibited form of litigation – simply because the outcome of the case may benefit the public at large.

This raises a more fundamental question: what qualifies an actio popularis in the Convention system? In general, an application is of an actio popularis nature where an applicant does not claim to be personally affected by a violation of a Convention right, but rather seeks to bring a complaint in the abstract or in the general interest. However, the Court’s case-law on victim status does not require individuals to be affected differently from others. The criteria for excluding actio popularis and for victim status are generally non-comparative. What is decisive, rather, is that an individual is affected in a legally relevant manner – regardless of how many others are affected as well. Likewise, the Court has not, in principle, treated the potential systemic effects of a judgment as an admissibility criterion. The fact that the case may “open the ‘floodgates’ of litigation” and encourage future climate cases is not decisive for the assessment of victim status (for a full argumentation by George Letsas, see here and here; see furthermore here).

Against this background, the Court’s reasoning in KlimaSeniorinnen appears to conflate distinct considerations: The concern underlying the judgment may be less about actio popularis in a strict doctrinal sense and more about the practical implications of climate litigation for the Court’s already considerable caseload. The Court has processed hundreds of thousands of applications since its establishment; in 2025 alone, 31,800 applications were allocated to judicial formation. While such considerations are undoubtedly relevant from an institutional perspective, incorporating them into the definition of victim status risks blurring doctrinal boundaries.

Standing of Associations: Does Membership Matter?

Turning to associative standing – “the other side of the ‘victim status’ coin”, as Judge Pavli described it –, the Court argued that the association “represents a vehicle of collective recourse aimed at defending the rights and interests of individuals against the threats of climate change” (KlimaSeniorinnen, § 523) and accepted its standing (for why this, too, does not amount to an actio popularis, see Corina Heri’s compelling argumentation here and here). What remains uncertain is how the Court intends to apply the criteria on associative standing it developed in KlimaSeniorinnen in future climate cases. To bring climate-related claims on behalf of their members associations must fulfil three criteria: they must demonstrate that (1) they are lawfully established or legally recognised in the jurisdiction concerned, (2) they pursue a dedicated purpose in accordance with its statutory objectives in the defence of the human rights against threats arising from the climate crisis, and (3) they are qualified and representative to act on behalf of its members or other affected individuals (KlimaSeniorinnen, § 502).

Already in a talk we gave at the 2024 Lisbon Climate Conference, we suggested that particularly the latter two criteria should not be applied too rigidly. A strict reading would risk excluding organisations such as Greenpeace, which are not structured as membership associations. The judgment in Greenpeace Nordic seemed to confirm a more flexible approach: both organisations were granted standing despite Greenpeace Nordic’s structure.

However, the recent inadmissibility decision in Fliegenschnee and Others v. Austria (“Fliegenschnee”) complicates this picture (for a more detailed discussion of the case, see here and here). As in KlimaSeniorinnen, the case involved individual applicants alongside an environmental association – Global 2000, Austria’s largest environmental NGO. While the Court swiftly rejected the individuals’ victim status, it left the association’s standing open, raising doubts as to whether it fulfilled the criteria set out in KlimaSeniorinnen, its purpose of defending human rights against climate threats and its representative function (Fliegenschnee, §§ 31–32). However, unlike Greenpeace Nordic, Global 2000 is formally a membership organisation and thus appears to meet the requirement of representativeness more readily. Against this background, the decision suggests a more restrictive reading of associative standing than Greenpeace Nordic would indicate, leaving the Court’s approach uncertain.

Greenpeace Nordic: Building Procedural Climate Safeguards Under Article 8 ECHR

In Greenpeace Nordic, the Court was confronted with a different type of climate complaint than in KlimaSeniorinnen: the case was not about what States must achieve, but rather about how they must decide. Two environmental NGOs – Greenpeace Nordic and Young Friends of the Earth – together with six individual applicants challenged Norway’s 2016 decision to grant petroleum exploration licences in the Barents Sea. Crucially, the applicants did not seek to prohibit oil production as such. Instead, they targeted the decision-making process, arguing that Norway had failed to carry out an adequate environmental impact assessment (EIA) and had thereby not ensured sufficient protection against climate harm (Greenpeace Nordic, §§ 1-2). This procedural framing shaped the Court’s approach: Greenpeace Nordic was treated as a procedural case under Article 8, closely aligned with the Court’s established environmental jurisprudence on information duties, rather than a case centring on substantive mitigation obligations of the kind at issue in KlimaSeniorinnen.

The Court reiterated that Article 8 entails a duty for States “to do [their] part” in ensuring effective protection from serious climate-related harm (Greenpeace Nordic, § 314). Importantly, it translated this duty to procedural safeguards. Central among these is the obligation to conduct an adequate, timely, and comprehensive EIA, in good faith and based on the best available science, before authorising potentially harmful activities (Greenpeace Nordic, § 318). For petroleum projects, this entails at least three requirements: (1) a comprehensive accounting of GHG emissions, including combustion emissions, both domestically and abroad, (2) a legal assessment of whether the project aligns with climate obligations, and (3) public participation at a stage where all options remain open and environmental harm can still be prevented at source (Greenpeace Nordic, § 319).

Closely linked to this is a right to information when climate risks are at issue. Drawing on its own case-law as well as the Aarhus Convention, the Court underlined that affected individuals must be informed about environmental risks to assess and avert them. Significantly, this right operates ex ante: it applies independently of whether the risk later materialises and is meant to shape decision-making before harm occurs (Greenpeace Nordic, § 295). Taken together, Article 8 includes robust procedural climate safeguards, particularly regarding early-stage information and participation.

A Gap Between Theoretical Findings and Practical Application?

Yet, having set out these requirements, the Court applied them with notable restraint. It concluded that Norway had complied with Article 8– even though key climate-related issues, such as exported combustion emissions, were not assessed at the licensing stage but deferred to later phases of the project (Greenpeace Nordic, § 330). This sits uneasily with the Court’s own emphasis on timing. The judgment stresses that EIAs must precede authorisation and that consultation must occur when meaningful alternatives are still available. Nevertheless, it tolerated a system in which decisive aspects of climate impact assessment were postponed and potentially addressed only after the core political and economic commitments had already been made (Greenpeace Nordic, §§ 331-336). The tension becomes even more apparent when viewed against the Court’s reliance on international materials emphasising early and preventive assessment (e.g. Aarhus Convention, Advisory Opinions of ITLOS, IACtHR, ICJ) (Greenpeace Nordic, § 320-324), as well as its precautionary logic in KlimaSeniorinnen, where it rejected postponing review to a stage at which mitigation opportunities are effectively lost (KlimaSeniorinnen, §§ 413, 548-549, 631-640).

A similar inconsistency arises regarding the right to information. In its earlier environmental case-law, the Court emphasised that serious long-term risks must be evaluated up-front (see, e.g. Taşkın and Others v Turkey, §§ 118-119; Guerra and Others v Italy, § 60). Information about climate risks, EIAs and public participation must therefore occur at a point in time when they can still meaningfully influence decisions and avert harm. Yet, in Greenpeace Nordic, the Court accepted a procedural design that arguably limits precisely this ability.

Conclusion: Procedural Rights as Gatekeepers and Guarantees

Taken together, KlimaSeniorinnen and Greenpeace Nordic illustrate how procedural rights operate along the two dimensions identified at the outset: as gatekeepers to the Court and as substantive guarantees under the Convention. On the substantive side, Greenpeace Nordic marks an important step in consolidating procedural safeguards under Article 8. Even though the application ultimately failed, the judgment clarifies that effective climate protection under the Convention is not only a matter of outcome, but also of process – in particular, timely information, early-stage assessment, and meaningful participation. On the admissibility side, the Court reshapes access to the Convention system in climate matters by setting a particularly high threshold for individual victim status while favouring associative claims – without yet offering a fully coherent doctrinal foundation.

However, what emerges with clarity is the structural importance of procedural rights in climate litigation: they do not merely shape how claims are assessed, but whether they can be brought at all. The Court’s reliance on associations is therefore not without risk. It assumes a functioning civil society – an assumption that becomes fragile in times of democratic backsliding and increasing autocratic tendencies. Where associations committed to climate protection are restricted, dissolved, or do not exist, restricting individual victim status may ultimately leave Convention rights without an effective procedural pathway.

The post Procedural Rights in Climate Cases Before the ECtHR appeared first on Verfassungsblog.

Keir Starmer’s resignation only two years after Labour’s landslide victory is more than a story about the failures of Labour or Starmer himself. It says something larger about the increasingly difficult conditions under which governments in what were once called “advanced liberal democracies” operate today. Across Europe and beyond, political fragmentation, electoral volatility and the rise of populist challenger parties have made governing considerably harder. Even majoritarian political institutions such as those of the UK, which favour single-party majorities and executive stability, can no longer protect incumbents from shifts in public mood as effectively as they once did.

When Starmer entered Downing Street in July 2024, many hoped Britain would return to a more stable political era. After a decade marked by Brexit, constitutional turmoil, revolving-door prime ministers and deep political polarization, Labour’s victory appeared to promise a restoration of moderation and normality. Indeed, this is how Starmer himself described it after the election. Barely two years later, he resigned.

The immediate explanations are familiar. His government suffered from a series of political blunders, damaging controversies and unpopular policy reversals. Labour performed badly in the local and devolved elections of May 2026, and many pointed to Starmer’s leadership shortcomings, particularly his weak communication skills and inability to establish an emotional connection with voters. All these factors certainly played a role. But they are only part of the story.

The Starmer Government

Starmer’s caution and incrementalism led to a few damaging policy U-turns, notably on digital identity cards, inheritance taxation for farmers, and winter fuel payments, which reinforced the image of a government reacting to events rather than shaping them. Additional political blunders further eroded his political capital. The controversy surrounding gifts and donations reinforced perceptions of a political class detached from ordinary voters. The appointment of Peter Mandelson as ambassador to the United States led to political embarrassment once Mandelson’s ties with disgraced billionaire Jeffrey Epstein were made public.

At the same time, by most measures, especially when compared with some of his recent predecessors, Starmer’s premiership was not an obvious failure, which makes the rapidity of his downfall quite striking. Labour entered office with a large parliamentary majority and moved relatively quickly to implement key parts of its programme. This was notable given the uneven support for Starmer within the parliamentary party (Jeffery et al. 2024) and the precarious electoral position of many Labour MPs. The government strengthened workers’ rights through reforms of sick pay, parental leave and zero-hours contracts. It introduced stronger protections for tenants, advanced its green energy agenda and made progress in reducing NHS waiting lists. After years of political turbulence, it also restored a degree of credibility to Britain’s international position at a moment of considerable geopolitical uncertainty.

The Local Elections of May 2026

The immediate trigger of Starmer’s fall was Labour’s negative performance in the local elections of May 2026. Across 136 English councils, the party lost nearly 1,500 councillors. At the same time, the radical-right populist party Reform UK, Nigel Farage’s latest political vehicle after UKIP and the Brexit Party, gained 1,452 councillors, almost exactly matching Labour’s losses. The Greens also performed strongly, while the Conservatives continued their decline. The picture was hardly better for Labour in the devolved elections in Scotland and Wales. In Scotland, Labour recorded its worst result (17 seats, down five from its previous lowest point in 2021) since the creation of the devolved parliament. In Wales, the party lost control of the Senedd for the first time since devolution, collapsing from 30 to only nine seats despite the expansion of the regional Assembly from 60 to 96 seats.

The political fallout of the defeat was immediate. Starmer’s leadership came increasingly under attack. A week after the vote, four junior ministers resigned, followed two days later by Wes Streeting, Health Minister and Labour leadership hopeful. On the same day, Labour MP Josh Simons resigned his seat in Makerfield to allow Greater Manchester Mayor Andy Burnham to contest the by-election with a view of challenging Starmer’s leadership. Under Labour’s rules, candidates for the party’s leadership must be sitting MPs. Burnham’s candidacy acquired additional significance because only a few months earlier Starmer had blocked his return to Parliament through another by-election, a move widely interpreted as an attempt to prevent a future leadership challenge.

Burnham entered Parliament with a landslide victory, winning 54.8% of the vote, almost 10% more than Labour had obtained in 2024. Having campaigned explicitly as a future leadership challenger, he emerged from the by-election with considerable political momentum. Four days later, Starmer resigned. Barring highly unlikely developments, Burnham is likely to become Prime Minister within weeks.

A Volatile and Fragmented Political Landscape

And yet – even though the extent of Labour’s defeat in the local elections was significant, it would not necessarily have led to the PM’s resignation had British politics not changed profoundly over the last decade. Historically, especially in “majoritarian” democracies such as the UK, poor local-election results might prompt at most a limited cabinet reshuffle or some policy adjustments. They would not normally force a prime minister to resign. The fact that it does now is more due to the radically changed environment of British politics over the past decade than to the failures of Starmer or his government.

The long period during which Labour and the Conservatives dominated electoral competition has gradually given way to a more fragmented and volatile political landscape. Smaller parties command increasingly significant shares of the vote. Electoral loyalties are weaker than they once were. The 2024 election accelerated these trends.

These developments are not unique to Britain. Similar patterns can be observed across many liberal democracies around the world. Traditional centre-left and centre-right parties have experienced long-term decline. A higher number of voters switch parties across elections. Populist political entrepreneurs have successfully mobilized voters dissatisfied with established political actors. Politics has become simultaneously more fragmented and more polarized.

Such environments make governing considerably more difficult. Electoral victories become less durable because the coalitions that produce them are less stable. Local victories of once-excluded parties become an alarm bell that can no longer be ignored or accommodated with marginal adjustments. Governments face growing pressure to respond immediately to changing public moods. Political setbacks that might once have been absorbed become potential existential threats.

The Rise of Reform UK

The marked rise in the polls of Reform UK – a party that, if elected to power, would likely emulate the policies and the governing style of US President Donald Trump – strengthens the sense of urgency in responding to electoral mood swings. Since the 2024 general election, Reform has evolved from a challenger party into one of the central actors in British politics. By mid-2026, it was leading several national polls and had established itself as the primary vehicle for anti-establishment discontent.

Like many centre-left parties across liberal democracies, Labour has haemorrhaged voters over the past two decades. It has lost support both to its right and to its left. The aftermath of the Brexit vote enabled the Conservatives to make significant inroads into the former Labour strongholds of northern England, in particular in the 2019 elections. Labour regained many of these seats in 2024, but typically only thanks to the split of the right-wing vote between Reform and the Conservatives (Jennings et al. 2024). Starmer sought to appeal to these voters by tightening immigration and asylum policies under Home Secretary Shabana Mahmood, and by limiting rapprochement with the EU, even though many argued that Britain’s sluggish growth called for a bolder European strategy. This was, however, insufficient to prevent Reform’s victories in 2026.

As many analysts have emphasized, the more immediate electoral threat to Labour now comes from the opposite direction, namely from the Liberal Democrats and most of all the rapidly ascending Green party. In the 2026 local elections, Labour’s losses to the Greens have been estimated at about 22%, while those to Reform to be about a quarter of that figure. Recent research suggests that economic insecurity is the main driver of Labour defections across the political spectrum, while concerns about immigration play a particularly important role among voters moving (now in smaller amounts) towards Reform. Labour thus faces pressure, even though of different intensity, from both directions simultaneously. If Reform, as the polls suggest, replaces the Conservatives as the most viable contender on the right side of the political spectrum, many northern English Labour seats will be at serious risk.

Of course, this is not only a British problem. In different forms, it is present in nearly all liberal democracies today and significantly restricts the room for manoeuvre of centrist and centre-left governments alike. Attempts to respond to concerns about immigration and cultural change risk alienating progressive voters. Moves designed to satisfy progressive constituencies risk strengthening radical-right challengers.

A Tale of Our Times

These are structural characteristics of British politics today and there is no guarantee that Burnham, whatever his political skills, will be able to carve a way to victory for Labour in the next general elections. How to promote the growth policies that would be necessary to reduce economic insecurity and solidify Labour’s vote, without the prospect of stability and with the imperative of delivering in the short term? How to improve the country’s economic prospects if seriously mending the relationship with the EU remains a taboo for a large minority of the UK electorate? Whether any political leader could easily resolve these problems remains unclear.

Starmer represents a type of politician that post-war European liberal democracies have traditionally produced and often rewarded: serious, pragmatic, institutionally minded and committed to incremental reform. He is not a charismatic populist. His appeal rested largely on competence and moderation. What makes his fall politically significant is not that these qualities failed to generate enthusiasm. That has often been true. It is that they increasingly appear insufficient to sustain political authority.

Political polarization, electoral fragmentation, permanent campaigning, social media dynamics and declining trust in institutions have all made political support more volatile and less durable—in Britain like elsewhere.

Starmer’s resignation does not necessarily mean that moderation is impossible or that liberal democracy is doomed. But it does illustrate how difficult governing has become for moderate political leaders. His fall is a reminder of the increasingly demanding environment in which contemporary democracies must operate – and of the challenges that await not only Starmer’s successors, but governments across the democratic world.

The post A Tale of Our Times appeared first on Verfassungsblog.

Geopolitical threats to data protection have received little attention compared to those in areas such as trade, energy, and artificial intelligence. They can arise in particular from armed conflicts and cyberattacks, and may involve disrupting the processing of personal data needed to deliver vital services, destroying public records and databases, and misusing data to facilitate human rights abuses.

This situation is driven by the worsening geopolitical landscape around the world. According to a study by the Peace Research Institute Oslo, 2024 saw the highest number of armed conflicts since 1946, while the World Justice Project Rule of Law Index has noted that in 2025 the rule of law weakened globally for the eighth consecutive year. The risks to data protection are particularly evident in Europe, which has the most complex body of data protection law and also faces serious geopolitical threats, including, for example, ongoing cyberattacks by Russia, the risk of kinetic attacks by that country, and threats against Greenland by the US.

Data protection law protects the processing of data related to identifiable individuals, and the economic, social, and legal importance of data processing means that data protection law must be resilient against geopolitical threats. In the EU, this requires action by the EU institutions and the data protection authorities (DPAs), in particular under the EU General Data Protection Regulation (GDPR), which is the foundational legislation for data protection in the EU and protects fundamental rights set out under the EU treaties. It is also important for politicians and policymakers to recognise that data protection resilience is a crucial aspect of making society and the economy more resilient.

Geopolitical threats to data processing

Emergency situations may result in breakdown of the rule of law upon which data protection law rests. The rule of law is based on factors such as accountability to publicly-promulgated laws, equal enforcement of the law, independent adjudication, and consistency with international human rights standards, as stated by the UN Secretary General. These factors are also required under leading international data protection and privacy instruments such as the GDPR, the African Union Convention on Cyber Security and Personal Data Protection, and the Modernised Council of Europe Convention 108+.

Without the rule of law, courts and DPAs cannot function, belligerents may disregard data protection standards, and individuals cannot exercise their rights. The risks to human rights of the misuse of large population databases throughout history have been amply documented, and can be seen in the judgment of the European Court of Human Rights in Case of Ukraine and The Netherlands v. Russia of July 2025, where the Court found that data collection and so-called “filtration” measures by the Russian armed forces in their invasion of Ukraine resulted in human rights abuses and erosion of the rule of law (see in particular paras. 1178-1182, 1340, and 1618). Such abuses may also arise because of hybrid warfare against critical infrastructure such as hospitals.

Military alliances and humanitarian organisations have increasingly adopted policies and frameworks to protect the personal data that they process. However, data protection risks in armed conflicts are not limited to data concerning the military or state security. Data processed by companies, hospitals, government departments, universities, and other civilian organisations may reveal information such as population density, the ethnicity, age, gender, and sexual orientation of individuals living there, and health conditions of inhabitants. Such databases may also contain crucial data necessary for the functioning of society. One can imagine belligerents misusing them to identify people of a certain ethnicity in order to carry out ethnic cleansing, to persecute those whom they suspect of sympathising with their opponents, or to bring the operation of vital governmental functions to a standstill.

Steps to strengthen resilience

The GDPR contains only a few provisions that could apply specifically in emergency situations, such as Article 45(5) that allows the European Commission to revoke adequacy decisions allowing personal data to flow freely to certain third countries in cases where adequate protection is no longer ensured, including through a breakdown in the rule of law. While the EU has recently taken steps to ensure the continued functioning of the Internal Market in times of crisis through adoption of the Internal Market Emergency and Resilience Act (IMERA), it applies without prejudice to the GDPR (see Article 42(1)). The EU Cyber Resilience Act, which becomes fully applicable in 2027, deals only with the security of hardware and software connected to networks, while the need for data protection resilience is broader than cybersecurity. Like the IMERA, the Cyber Resilience Act also applies without prejudice to the GDPR (Recital 32). Protection of data processing against geopolitical threats must thus be approached via data protection law, in particular the GDPR.

This requires the recognition of a duty to make data protection resilient against geopolitical threats. A duty of data protection resilience can be implied from the protective mandate of the law as expressed in obligations on data controllers under the GDPR (for example the obligation of data security under Article 5(1)(f)) and the duty of DPAs to monitor its application in order to protect fundamental rights and freedoms (Article 51(1)). This should result in controllers taking steps to provide appropriate protection against misuse of personal data by belligerents, and DPAs both supervising compliance with this duty and themselves taking actions such as those described below.

These actions would not impact the EU’s Common Foreign and Security Policy, which is excluded from the scope of the GDPR under Article 2(2)(b), and the Court of Justice of the EU has found anyway that the derogations under Article 2 are to be interpreted restrictively (see VQ v. Land Hessen, Case C-272/19, para. 68). Furthermore, the protection of fundamental rights is one of the legal bases on which the GDPR rests (see Recital 2), and the Court of Justice has stressed the need for a high level of fundamental rights protection under it (for example, in Data Protection Commissioner v. Facebook Ireland and Schrems, Case 311/18, para. 93). Chapter V GDPR mandates that data transferred from the EU be protected against threats when they are transferred to third countries, and it would be strange if the GDPR’s protective mandate did not also cover protection against external threats to data processed in the EU.

The main bodies that should take action include the Commission, the European Data Protection Supervisor (EDPS), an independent authority charged with supervising data protection compliance among the EU institutions, and the European Data Protection Board (EDPB), an independent body under EU law composed of the EDPS and the heads of the DPAs in the European Economic Area countries. The Commission has already begun work in some related areas such as the cybersecurity of hospitals and healthcare providers, which it could expand to cover geopolitical threats more broadly. Article 70 GDPR gives the EDPB broad powers to examine on its own initiative any question concerning application of the GDPR and to issue guidelines, recommendations, and best practices (Article 70(1)(e)), which should include ones dealing with protection against geopolitical threats. The DPAs should also raise public awareness about the need for resilient data processing, which is one of their tasks under the GDPR (see Article 57(1)(b).

The DPAs should explicitly require sensitive databases to be encrypted and render the data immediately unintelligible if unauthorised access by a belligerent is imminent, such as by building in mechanisms to destroy encryption keys securely so that the data can no longer be accessed (so-called crypto shredding). While encryption is not strictly required by the language of the GDPR, Article 32(1)(a) implies that such a duty exists (as noted by Bygrave, p. 71), which must be the case particularly in high-risk situations when data are threatened by kinetic or hybrid attacks.

Just as the military carries out war games to simulate conflict, train personnel in strategy and tactics, and predict future trends, so DPAs could engage in “data protection war games”. These could involve other organisations from the public and private sectors as well, and would simulate situations in which belligerents seek to seize or access data in EEA countries. This would allow the organisations involved to assess the risk of data misuse and develop strategies to deal with them. DPAs and European agencies have already taken part in similar exercises; for example, the EDPS has participated in simulation exercises involving data breaches (such as the PATRICIA III exercise dealing with data breach awareness in cybersecurity incident handling), and the European Union Agency for Cybersecurity (ENISA) organized the first such exercise that included DPA participation in 2024. These exercises could be expanded to cover cyber and kinetic attacks by belligerents as well. While measures such as these would only be a start in meeting these risks, they would begin to deal with an important area that has thus far been neglected, and would raise public awareness of the need for resilience in data processing.

Data protection resilience is a topic of international importance, as countries around the world are faced with threats similar to those faced by the EU. International organisations active in data protection such as the OECD and the Council of Europe should add protecting data against geopolitical threats, including in case of armed conflicts and hybrid attacks, to their agendas. This would fit with the current work being done by the OECD on Data Free Flow with Trust, and with the emphasis in the Modernised Council of Europe Convention 108+ on data security as set out in Article 7. The Global Privacy Assembly (GPA), a group of over 130 data protection and privacy authorities from around the world, should also take up the topic.

Lessons for EU law and data protection law

EU law is currently unprepared to protect data processing in case of a major crisis such as kinetic or cyber warfare, which poses grave risks for the EU’s social and economic structures, the rights of individuals, and the legal system. The EU institutions and DPAs seem not to have noticed the risks posed by potential access and misuse by an aggressor of data not related to defence and national security. The burden for dealing with data resilience rests on data protection law, particularly on the GDPR, but little action has been taken under it to achieve such protection. All this means that there is little public awareness of the issue.

Improving data protection resilience is also hindered by the EU’s current tendency to use the weakening of data protection law as a political bargaining chip. This can be seen in remarks criticising the GDPR made by former Italian President and European Central Bank President Mario Draghi, and in the Digital Omnibus proposal by the Commission containing changes to the GDPR that have been criticised as potentially reducing the level of protection it provides (see here, here, and here). Efforts to weaken the GDPR are shortsighted, as strengthening of data protection in light of geopolitical threats is necessary to ensure the continued functioning of society and the economy, thus making it something that should appeal even to those critical of data protection law. One can only hope that measures will be taken sooner rather than later to strengthen the law against growing geopolitical threats.

The post Strengthening Data Protection Resilience Against Geopolitical Threats appeared first on Verfassungsblog.