Indonesia’s Ambassador to Germany made a contentious point in international media recently: the EUDR may constitute a form of spying.
There are two aspects to the Ambassador’s points – which are likely to be dismissed by Brussels officials as scaremongering – that need to be raised.
First is national security. Second is data privacy.
National Security and State Espionage
On national security, before this is dismissed as a conspiracy theory, consider that Ambassador Havas is a senior and serious official in Indonesia’s Ministry of Foreign Affairs. Prior to his posting, he had served as a Deputy Minister in the Jokowi government and as Indonesia’s Ambassador to the EU. This looks like a deliberate effort to send a signal to the Europeans. It is probably also not accidental that the envoy to Germany is leading on this question – data privacy and security is a significant domestic political issue in Germany, arguably more so than in any other European nation.
Now consider the following cases:
- Back in 2020, the Dutch intelligence agency, MIVD, was discovered to be covertly repurposing satellite imagery—originally intended for environmental monitoring—to keep a watchful eye on the maritime activity in the Middle East. The satellite data in question, designed to assist in the observation of oil spills and related environmental concerns, became a tool for the MIVD to meticulously trace the movements of ships in the region.
- In addition, 2009 saw Australia embroiled in a clandestine surveillance operation targeting Indonesia’s then-president, Susilo Bambang Yudhoyono, and other high-ranking officials. Orchestrated by the Australian Signals Directorate (ASD), the nation’s electronic intelligence agency, this surveillance drew on data procured from Australian-funded seismic sensors installed in Indonesia. While these sensors were ostensibly intended for monitoring the archipelago’s volcanic and seismic activity, the ASD utilized the gathered data to map the movements of President Yudhoyono and his advisors.
These are noteworthy because they exemplify how data procured for one objective (including an environmental objective) can be ingeniously repurposed for another. What began as a means to detect volcano activity transformed into a state espionage activity.
In this context, consider also Indonesia’s sensitivities around West Papua – and the fact that the EU has generally disapproved of the Indonesian Government’s conduct in the region, particularly in the European Parliament. (Given the Netherlands’ famous reluctance to give independence to Indonesia, this does look like pots questioning kettles).
The EUDR will result in the collection of vast quantities of data.
According to one industry operational head, a single shipment of palm oil will need to be accompanied by more than 300,000 unique data points to comply with EUDR. These data would change hands multiple times, and be seen by several European agencies and officials.
The technical ability to conduct surveillance via EUDR data gathering seems to be there, given the past examples of repurposing environmental data. And the motivation to do so is certainly present, given the public statements by European officials about West Papua and elsewhere (e.g. alleged deforestation or peatland use in the Malaysian state of Sarawak).
Are there any effective safeguards? How are the data stored? Will the EU just change the rules to “comply” with their very own EUDR?
Within those data, there will be the identities and personal details for millions of smallholders – and not just palm oil farmers. Is there a risk to the rights and freedoms of those smallholders? What will the EU do to prevent any improper use of that data?
This is a question that EU government agencies need to ask if they are processing personal data. This is required as part of a Data Protection Impact Assessment, which is required under the EU’s own General Data Protection Regulation (GDPR).
What the EU agencies will need to do is consider – among other things – the legal basis of the processing. Does the EU have the legal basis to process and collect that data? For example, will consent be needed? Are there other ways to achieve the EU ‘goals’ without collecting the data?
Moreover, EU authorities must make sure that the risks of that information getting into the wrong hands are mitigated appropriately.
But most importantly, an Assessment is required to conduct consultations with the subjects of the regulation, i.e., smallholders. Presumably this would include all smallholder representatives, not only the Potemkin groups that the EU has preferred to deal (and paid for) with in recent months.
It may not be an easy task to explain to smallholders that not only will EUDR raise their costs and potentially cut them out of some supply chains, but it will require their personal data to be collected and held in data servers by governments on the other side of the world.