Glennie Webster

16.08.2021. Personal data is becoming an increasingly global and important issue as more companies, organizations, and individuals subscribe to new technologies to meet their needs. This has been especially true during this recent pandemic which made many turn to virtual mechanisms to protect public health. Currently, an unprecedented amount of personal data is being gathered, managed, and stored. This data is incredibly valuable and needs sufficient protection from third-party actors who can gain illicit access to this data for their own gratification, monetary or otherwise. Since many international organizations, like the World Food Programme (WFP) or the United Nations High Commissioner for Refugees (UNHCR), are involved in data collection through their work, data protection is a significant issue for the humanitarian sector broadly. Sensitive data safeguarding is especially important because they deal with more vulnerable populations like refugees and asylum seekers.

When refugees and asylum seekers transit to other countries, their personal information and biometrics are often shared with local state border authorities to validate their identity. Typically, the personal information includes their name, age, gender, nationality, whereas the biometric data that can be taken is a facial image, fingerprint scan, and an iris scan. Additionally, various border authorities can ask for social media account passwords and mobile phone data depending on national laws. Currently, Denmark and Germany have laws that allow for the extraction of information from electronic devices, while Belgium and Austria have similar proposed legislation[1].

When these various authorities have access to refugees’ social media and/or mobile phone data, this data can be used against them throughout their potential asylum process. While refugees probably have provided “informed consent” of giving up their data, there are concerns surrounding this practice with the natural power imbalance present between refugees and border authorities. Any data that points to them breaking the Dublin III Regulations, not seeking asylum in the first country when they arrive within the European Union, could set back their asylum procedure and threaten their chance of receiving asylum at all. Moreover, phone data can be a conductor for discrimination, especially if refugees’ supposed social media content seems unfavorable to the authorities for representing opposing political opinions. Regardless, this data cannot be a verifiable way to reject an asylum seekers’ application, as it can be misconstrued and falsified by others. Questions therefore arise surrounding legal recourse that refugees can seek regarding their data privacy from authorities.

Refugees are typically being persecuted, surveilled, and at risk of being subjected to human rights violations in their home countries. Due to this predicament, access to their personal data holds great significance in regard to their personal safety and right to anonymity throughout the asylum process. An example of the mishandling of data by an international organization occurred with Rohingya refugees in 2018[2]. For the purpose of creating personal identification cards, the UNHCR gathered personal information and ethnic identities of many Rohingya refugees in Bangladesh camps. A Human Rights Watch report exposed that this registration process shared Rohingya refugee information with the Bangladesh government, who subsequently shared this with the Myanmar government, putting these refugees on a list for potential repatriation[3]. This endangered the safety of these refugees since the Myanmar government openly discriminated against the Rohingya refugees and could have punished these refugees for leaving the country. This example shows the risk that mass data collection poses to refugees due to the consequences of inadvertent ethnic profiling, and the importance to regulate data collection and management when refugees are key data subjects.

Another threat of data accessibility is the sharing of data with state governments in the interest of their national security. For example, in 2014, Lebanon’s government requested access to the UNHCR database of Syrian refugee’s biometric data, justifying this request since the data was being collected on their territory[4]. Consequently, Syrian refugees refused to complete iris scans, risking losing their access to vital humanitarian aid in the process. While this request was eventually denied, this issue probes the influence of international organizations and individual nation’s jurisdiction. Moreover, it emphasizes the lack of agency and legal protection that refugees have over their data once it is gathered.

In Europe, the EU Charter of Fundamental Rights and the General Data Protection Regulation (GDPR) provides basic legal protection over data privacy; including the right to access of personal data, the necessity of informed consent when collecting data, and right to erasure, among others. However, it does not extend to individual asylum seekers or refugees as they are non-nationals within the host country, and simply regulates EU institutions like EURODAC and FRONTEX. Therefore, the gray area that migrants face is filled by international law, such as the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR). These are not legally-binding, but rather are moral obligations. Thus, it can be difficult for asylum seekers and refugees to make a legal case surrounding their own data privacy, further exploiting the natural power imbalance between state authorities and migrants. Laws surrounding data protection and privacy need to cohesively allow for legal recourse by refugees with improved regulations by states and international law

The GDPR sets a standard of data protection law for a larger audience of EU member state candidates like Serbia. In reaction to Europe’s updated law surrounding data protection, Serbia enacted an updated law on Personal Data Protection in 2018, effective on August 22nd, 2019[5]. This Personal Data Protection Law is generally based on the GDPR, effectively having the same protections and practices that are within Europe in Serbia[6]. Therefore, the administration of European law can be incredibly impactful throughout its sphere of influence to garner more protection and privacy over refugee’s data. Through this, law can advocate for a more inclusive practices surrounding data collection.

Additionally, refugee’s education surrounding data privacy is lacking. Often, they do not grasp the importance of their personal data in their asylum procedure even though they are given the opportunity to share it with authorities. This conflicts with the idea of “informed consent” and digital agency over one’s own data that should be respected per the 2015 UNHCR data protection policy, and Article 7 of the GDPR. These policies state that there should be “freely given, specific, informed, and unambiguous” consent provided on a completely voluntary basis. Consequently, this diverges with the general practice of refugee data collection where pre-screening data collection is “compulsory” in an asylum process, as with the proposed European Union’s New Pact on Migration and Asylum. Accordingly, the refugee will agree to sharing their data for fear of not being given asylum from a risk of persecution in their home country. But they may not understand the resulting implications that they could face, including being put into a EURODAC database that can be accessed for criminal investigations if at the EU border. Therefore, there needs to be more clarity around data protection and privacy for refugees as they face great risk in seeking asylum. This could be solved through greater education for refugees about their data privacy rights, and the risks of sharing their personal information, biometric data, social media data, and mobile phone data with institutions, causing unintended yet life-threatening consequences.

While looking at other ways to advocate for data privacy and protection of refugees, various organizations like Privacy International, the Brussels Privacy Hub, the New Humanitarian (formerly IRIN), etc., look to improve the actions of humanitarian workers when handling sensitive data of refugees through analytical publications. Further, they are critical of state border authorities who handle this data, and act as a distinct monitoring mechanism for insufficient data privacy and protection. Overall, this safeguard will create greater trust between the refugees and the border authorities and/or humanitarian workers that they come into contact with, while upholding their right to privacy. However, it will be necessary to look towards more binding legal support across the European Union in order to ensure human rights standards, as this issue’s relevance only intensifies.



[1] Kuner, Christopher, and Massimo Marelli, editors. “Handbook on Data Protection in Humanitarian Action.” International Committee of the Red Cross, no. 2, May 2020, p. 271.


[2] UN Shared Rohingya Data without Informed Consent. Human Rights Watch, 25 June 2021,

[3] Ibid.

[4] Janmyr, Maja. “UNHCR and the Syrian Refugee Response: Negotiating Status and Registration in Lebanon.” The International Journal of Human Rights, vol. 22, no. 3, 17 Mar. 2017, pp. 393–419., doi:10.1080/13642987.2017.1371140.

[5] “Law on Personal Data Protection.” Official Gazette of RS, Commissioner for Information of Public Importance and Personal Data Protection, 2021.

[6] Popovic, Uros, and Milos Andrejevic. “Serbia – Data Protection Overview.” DataGuidance, OneTrust, 16 June 2021,