Weaponizing Cross-Border Data Flows: An Opportunity for NATO?

Abstract

On July 12, 2022, following the Russian invasion of Ukraine, the European Data Protection Board (EDPB) issued a warning to data exporters, reminding them Russia did not have an adequacy agreement governing cross-border data flows of Europeans’ personal data to Russia. As such, blanket transfers of personal data were not permissible under European data protection law; instead, compliance needed to be assessed by data exporters on a case-by-case basis, and, where it could not be ensured, transfers should be suspended. This article views the EDPB declaration as a shot across the bow and extrapolates it to a future where cross-border data flow restrictions are deployed as an instrument of cooperative security as well as deterrence and defense. Given the potential sensitivity of personal information being transferred across borders, along with the economic value inherent in data flows in the digital economy, restrictions on cross-border data flows have the potential to inflict serious harm. This article explores the broader implications of this potential practice, assessing its security opportunities and drawbacks. The article advocates for reforming North Atlantic Treaty Organization (NATO) members’ divergent approaches to the regulation of processing of cross-border data transfers; it suggests these member states can and should overcome their splintered approaches by establishing a “safe data zone” to facilitate cross-border data flows among members, where NATO retains the power to issue embargoes on cross-border data flows to specific jurisdictions while otherwise leaving decisional authority for transfers to supranational entities like the European Union (EU) or sovereign states. This approach would increase cross-border data flows between allies while permitting restrictions with adversaries where doing so achieves security objectives.