No Nation, No Protection: Who Governs the Data of the World's Refugees?
The world's 123 million forcibly displaced people exist in a legal no-man's-land for data protection. In Turkey — host to the world's largest single refugee population — that gap has already cost millions their safety, their identity, and what remained of their dignity.
The Scale of the Problem
At the end of 2024, the world contained 123.2 million forcibly displaced people — the highest figure ever recorded. By end-2025, that number had shifted to approximately 117.8 million still displaced, of whom an estimated 45 million were children. They are scattered across more than 100 countries, carrying identities registered in databases they did not choose, governed by laws of countries that do not regard them as citizens, and protected — in theory — by international frameworks that have no meaningful enforcement mechanism when their data is stolen, sold, or weaponised.
Turkey sits at the sharp end of this global problem. Once the world's largest single host of Syrian refugees — with 3.7 million at the 2021 peak — Turkey still hosts approximately 2.3 million Syrians under temporary protection status as of 2026, alongside around 150,000 refugees and asylum-seekers of other nationalities. These are people whose names, ID numbers, biometric data, health records, addresses, family compositions, and displacement histories exist in Turkish government databases, UNHCR systems, NGO case management tools, EU-funded assistance platforms, and commercial payment providers. Not one of these systems is governed by a coherent, enforceable legal framework specifically designed for the people whose data it holds.
That is the problem this article examines.
Turkey: A Case Study in Refugee Data Failure
The Data Architecture of Temporary Protection
Syria's refugees in Turkey do not hold conventional refugee status. Turkey maintains a geographical limitation to the 1951 Refugee Convention, meaning it only extends full refugee recognition to people fleeing events in Europe. Syrians and most others are granted "temporary protection" — a status created under Turkish law, specifically the Law on Foreigners and International Protection enacted in 2014, and administered by the Presidency of Migration Management (PMM, formerly PDMM). Registration, documentation, and movement within Turkey all flow through this system.
Every Syrian refugee in Turkey must register with their local PMM office to receive a Temporary Protection Identification Card — the document that determines access to services, healthcare, education, and the right to remain. That registration involves the collection of extensive personal data: name, date of birth, parents' names, national ID number, address, marital status, biometric information. Movement between provinces requires permits. Address changes require documentation — typically utility bills, registered with local authorities. Failure to update records triggers administrative codes that can effectively make people invisible to the system, or expose them to detention and deportation.
What results is not merely a registration database, but a real-time surveillance and control architecture for millions of people with no meaningful ability to challenge, correct, or withdraw from it.
The 2024 Breach: When the Architecture Fails
In September 2024, the scale of Turkey's refugee data exposure became undeniable. The 108 million-record data breach — which Turkish authorities had been denying for years — included not only Turkish citizens but, as authorities eventually confirmed, refugees and other individuals who had ever been registered with official Turkish institutions. A separate, more targeted breach specifically exposed the personal data of over 3 million Syrian refugees: their names, dates of birth, parents' names, ID numbers, and places of residence. Even those who had subsequently left Turkey, resettled in third countries, or acquired Turkish citizenship found their data in the leaked database.
The consequences were not abstract. The leaked database became searchable. A survey of 869 Syrian respondents in Turkey found that over 56 percent reported their stolen personal information was used to issue SIM cards without their knowledge or consent — SIM cards that were subsequently used in illegal activities including human trafficking. One Syrian woman, a mother of three who kept her children home and spoke in hushed tones after racist violence in Kayseri spread to other cities, discovered her entire family's details listed in the breach. Another was summoned to court in connection with a human trafficking case — a SIM card had been registered in her name. "It's draining, both emotionally and financially," she said. "We lost everything in Syria, we lost everything in the earthquake, yet I have to pay for my lawyer."
Turkish authorities provided no concrete action plan to mitigate harm to the refugees affected. UNHCR made no public comment on the breach or offered any direct support to impacted individuals.
The Structural Vulnerability: Precarity as Amplifier
Syrian refugees in Turkey face a data breach context that is categorically different from what Turkish citizens experience — and that difference is rarely acknowledged.
Turkish citizens whose data is stolen face identity fraud, financial loss, harassment. These are serious harms. Syrian refugees whose data is stolen face all of these, compounded by:
Legal exposure. Under temporary protection, Syrians must remain registered in their assigned province. Leaked addresses and location data enable authorities — or anti-refugee vigilantes — to locate people who have sought anonymity for protection reasons, including Syrian opposition activists, journalists, and civil society figures whose organisations operate from Turkey.
Identity weaponisation. Stolen data has been used to register SIM cards, open bank accounts, and commit crimes — crimes that then attach to the refugee's identity and can be used to revoke status, trigger deportation, or subject them to criminal prosecution in a country where their legal position is already precarious.
No redress pathway. Turkish citizens can in principle pursue complaints through the Personal Data Protection Authority (KVKK). Refugees whose data is misused have no clear administrative or judicial pathway to remediation, no legal standing equivalent to that of nationals, and face language barriers, fear of engaging with authorities, and practical resource constraints that make individual redress nearly impossible.
Weaponisation of location. The government throttled internet access for one week in July 2024 amid violent demonstrations against the presence of Syrian refugees in Kayseri Province. In the same period, the 3 million-record Syrian refugee data breach occurred. The temporal proximity was not coincidental in its effects: leaked location data in an environment of organised anti-refugee violence is a physical safety threat.
The New Law and Its Silence on Refugees
Turkey's Cybersecurity Law No. 7545, enacted in March 2025, addresses the governance failures that enabled mass data breaches. It mandates incident reporting, critical infrastructure protection, and cybersecurity standards across public and private sectors. The Personal Data Protection Law (KVKK), amended in 2024, introduced new cross-border data transfer mechanisms, aligned more closely with GDPR principles, and expanded protections for sensitive personal data including biometric and health data.
Neither framework contains refugee-specific provisions.
KVKK applies to the processing of personal data of anyone in Turkey — including refugees. In principle, this creates some protection: the law requires lawful bases for processing, mandates security measures, and provides for rights including access and rectification. In practice, refugees face the same enforcement gap as citizens, amplified by their structural powerlessness. The KVKK's fining record — primarily targeting administrative non-compliance rather than actual security failures — suggests the authority has not prioritised meaningful enforcement of substantive data security.
The new Cybersecurity Law's most politically consequential provision — criminalising reporting on data breaches — creates a chilling effect that is especially damaging for refugee advocacy. Civil society organisations that monitor refugee data security, journalists who report on breaches affecting Syrian populations, and researchers who document harm to refugees all now face potential prosecution for disseminating information about incidents that directly concern refugee safety.
The Global Picture: Refugees in a Data Governance Void
Turkey's failures are acute, but they are not unique. They are symptomatic of a global architecture in which refugees occupy a data governance void defined by three structural gaps.
Gap 1: The Jurisdiction Problem
Refugees, by definition, exist outside the protection of their country of origin — often the very state from which they are fleeing. They are guests in host countries whose laws may not extend full data rights to non-citizens, or whose enforcement of those rights is inadequate. As they move — from camps to cities, across borders, through multiple registration systems — their data crosses jurisdictions with inconsistent protections.
GDPR, the world's most comprehensive data protection regulation, applies territorially and to EU residents. It does not govern data collected by non-EU host countries, does not follow a Syrian refugee from a UNHCR database in Turkey to a resettlement file in Germany, and does not provide remediation when a host country's government database is breached. Regional laws such as PIPEDA in Canada and the UK Data Protection Act similarly operate within national boundaries.
The result is a patchwork. A Rohingya refugee in Bangladesh whose biometric data is held in a UNHCR system operates under no national data protection law that specifically addresses their situation. An Afghan refugee whose data was compromised in an Immigration, Refugees and Citizenship Canada breach in 2021 had limited redress against a government system that failed them. A Syrian in Turkey whose data was sold on Telegram for $5 has no meaningful avenue to demand accountability from the state that lost it.
Gap 2: The Humanitarian Data Accumulation Problem
Humanitarian actors — UNHCR, WFP, IOM, ICRC, and hundreds of NGOs — collect enormous quantities of sensitive refugee data as a condition of providing assistance. Biometric data collection has expanded dramatically. UNHCR's Biometric Identity Management System registers biometric data — fingerprints, iris scans — of refugees to create globally unique identities, used across camp registration systems and assistance distribution. WFP uses iris scan technology for food assistance delivery in Jordan and other contexts. Cash assistance programmes, health information systems, and education databases all hold sensitive personal data of populations who frequently have no meaningful ability to refuse registration without losing access to the assistance they need for survival.
The risks are not hypothetical:
In 2021, it was revealed that UNHCR shared Rohingya refugee biometric data with the Bangladesh government, which passed it to Myanmar — the regime from which the Rohingya had fled, and which has a long history of using registration data to exclude and marginalise the community. Refugees told researchers they had not been informed of the risk that their data might be shared with their persecutors.
UNHCR's registration in Kenya was designed to crossmatch with national identification systems — creating a surveillance architecture that extends beyond the humanitarian purpose. The nature of joint registration exercises between UNHCR and host governments means that data frequently feeds into wider identification and surveillance systems, often without the informed consent of those being registered.
UNHCR does have a General Policy on Personal Data Protection and Privacy (2022) that articulates data protection principles. But this is an internal policy, not a legally binding instrument. There is no external enforcement mechanism, no independent oversight body, and no judicial recourse for a refugee whose data UNHCR has mishandled.
Gap 3: The Consent Illusion
In virtually every refugee data context, the concept of meaningful informed consent is a legal fiction. A person registering for temporary protection in Turkey cannot refuse to provide biometric data without losing their status. A refugee receiving food assistance through WFP's iris scan system in Jordan cannot opt out without going hungry. An Afghan family registering with UNHCR cannot decline biometric collection without losing access to resettlement processing.
Consent obtained under conditions of material coercion — where the alternative to providing data is loss of shelter, food, legal status, or physical safety — is not consent in any meaningful ethical or legal sense. Yet data protection frameworks globally rely on consent as a primary lawful basis for data processing, and humanitarian actors frequently cite it as justification for extensive data collection.
The UNHCR Policy acknowledges this tension but does not resolve it. Academic literature and civil society research have increasingly documented that the power asymmetry between humanitarian registration systems and the people they register makes genuine voluntary consent structurally impossible in most refugee contexts.
The EU's Approach: Better, but Still Insufficient
The European Union has made more systematic attempts to address refugee data governance, with imperfect results.
The EU Pact on Migration and Asylum, which entered into force in June 2024 and is to be implemented by June 2026, has introduced for the first time binding provisions on statelessness in EU law — identifying statelessness as a vulnerability and introducing legal requirements to identify and record it. This represents genuine progress.
The revamped Eurodac regulation — Regulation (EU) 2024/1358 — establishes a biometric database for asylum and migration management, replacing the earlier fingerprint-only system with expanded biometric data including facial images, for a wider population including third-country nationals and stateless persons. The regulation includes provisions for data accuracy, retention limits, and law enforcement access controls. But Eurodac is primarily a border and migration management tool — its design logic is oriented toward identifying, tracking, and sometimes removing people, rather than protecting them. Law enforcement access to Eurodac data by both Member States' authorities and Europol creates risk surfaces that civil liberties organisations have repeatedly flagged.
GDPR, while not designed for refugees, does apply to their data when processed by entities in EU member states. EU Data Protection Supervisors have scrutinised asylum and migration processing, and the European Data Protection Supervisor maintains specific oversight of border and asylum data systems. These mechanisms provide a level of procedural accountability that does not exist in Turkey, Bangladesh, Lebanon, or the other major refugee-hosting states.
But GDPR's protection does not follow refugees as they move. A Syrian who has lived in Germany and whose EU-governed data is transferred to Turkey as part of a return process enters a different — and less protected — data environment the moment the border is crossed.
What Accountability Looks Like: And Where It Is Missing
Who holds refugee data in Turkey? The Presidency of Migration Management holds registration data for all temporary protection beneficiaries. UNHCR holds registration and case data for non-Syrian refugees, asylum-seekers, and those in resettlement processing. WFP and partner NGOs hold assistance data. The EU-funded cash assistance programme — which has provided 80 months of uninterrupted support to between 1.4 and 1.8 million refugees — involves data processed by implementing partners under EU humanitarian funding rules. Health data flows through the Turkish health system and international health organisations. Each of these data pools has different governance, different access controls, different security standards, and different accountability mechanisms. None of them is subject to a unified oversight body that specifically represents refugee interests.
Who is accountable when something goes wrong? In Turkey, the answer is effectively: no one. The KVKK can in principle investigate data breaches, but has not done so in the context of refugee data. UNHCR can conduct internal reviews, but has no independent external oversight. NGOs operating under EU funding are subject to EU audit mechanisms, but these focus on financial rather than data security. The Turkish government, which holds the largest and most sensitive database of refugee information, has demonstrated through repeated breaches and denials that it does not treat refugee data protection as a priority.
What recourse do refugees have? In Turkey: very little. Filing a KVKK complaint requires navigating Turkish bureaucracy in Turkish, with the credible fear that contact with any official system may carry risk. Engaging UNHCR requires trust that the agency will act, in the absence of demonstrated willingness to do so. Taking legal action requires resources and access that most refugees in Turkey do not have.
Towards a Framework That Actually Protects People
The data governance gap for refugees is not a technical problem with a technical solution. It is a political problem rooted in the structural position of displaced people: they are among the most data-intensive populations in the world — registered, tracked, documented at every step of their displacement — while simultaneously being among the least empowered to shape, challenge, or protect their own data.
Several principles could anchor a more adequate framework:
Data minimisation as a rights obligation. Humanitarian and government actors should collect only the data strictly necessary for the specific purpose for which it is needed. The accumulation of biometric, health, family composition, and movement data across multiple systems — more data than most citizens provide to their own governments — cannot be justified solely by administrative convenience.
Genuine portability and control. Refugees moving between countries should have the right to access their own registration data, understand what has been shared with whom, and carry their records in formats they can present to new host states or protection bodies. Blockchain-based or other portable identity solutions have been proposed; the technical feasibility exists, even if the political will is absent.
Independent oversight of humanitarian data. UNHCR and other humanitarian actors holding sensitive refugee data should be subject to independent external audits of their data protection practices, with meaningful accountability mechanisms. Internal policies without external enforcement are insufficient.
Host country accountability for refugee-specific harms. When state data breaches expose refugee populations to distinctive harms — identity weaponisation, physical location disclosure in a context of communal violence, exploitation by criminal networks — those harms should be explicitly covered by remediation frameworks, with funded support mechanisms for affected individuals.
Prohibition on sharing with countries of origin. A binding international instrument prohibiting the sharing of refugee data with the government of the country from which they have fled, without the refugee's explicit, informed, and unconstrained consent, is urgently needed. The Rohingya case demonstrated what happens in the absence of such a prohibition. It has not been the last.
Conclusion: The Digitalisation of Displacement
The digitalisation of humanitarian and migration management has transformed how displaced people are identified, served, and controlled. Digital registration enables faster assistance delivery. Biometric systems reduce fraud and ensure resources reach the right people. Cash assistance through digital wallets gives refugees agency and dignity that in-kind assistance cannot.
These benefits are real. They do not make the governance failures less serious.
In 2024, a breach in Turkey exposed the personal information of over 3 million Syrian refugees, making them vulnerable to exploitation. In 2021, it was revealed that the UN shared Rohingya refugee data with Bangladesh, which then passed it to Myanmar, exposing refugees to potential persecution. These are not edge cases. They are predictable outcomes of a system that collects sensitive data at scale, across multiple actors with different interests and security standards, in the absence of a coherent, enforceable, refugee-centred data protection framework.
At the end of 2025, of the 117.8 million forcibly displaced people worldwide, an estimated 45 million — 38 percent — were children below the age of 18. Their biometric data, their medical records, their family information, their displacement histories — all of it is in systems that have demonstrated they cannot reliably protect it.
The question of who governs refugee data is ultimately a question about what displaced people are owed. If the answer is that they are owed the same rights as anyone else — the right to privacy, the right to know how their data is used, the right to redress when it is misused — then the current architecture is a systematic failure. If the answer is that they are owed less, because they are guests, because they lack citizenship, because they depend on the goodwill of states and organisations that hold power over them — then the current architecture is working exactly as designed.
That is the choice the world has not yet honestly made.