Data Governance According to Geneva
When crisis management forces us to make up rules
Behind every international crisis lies a data challenge: who has already received aid and where, which populations are still accessible in which regions, and which individuals have crossed which borders. Ensuring that this information reaches the right place at the right time, without falling into the wrong hands, is an absolute operational imperative. Geneva has made this its specialty.
To mark the 50th anniversary of the Office for the Promotion of Industry and Technology (OPI), Alp ICT takes a look at what makes Geneva unique. Not as a region to be promoted, but as an ecosystem to be understood: a tapestry of constraints, cultures, and practices that, when woven together, form something no plan could have conceived...
Whenever an earthquake devastates a region, a war forces millions of people to flee, or an epidemic threatens to spread across borders, the phones ring in Geneva. This is where the ICRC, UNHCR, WFP, and WHO are headquartered—along with hundreds of organizations whose mission is to respond to these crises. For seventy years, therefore, it is in this city that issues of data flow and data protection have arisen with particular urgency, and must be resolved under extreme conditions: uncertainty, urgency, and the absence of a stable framework. In this environment, establishing data management rules is not a choice. It is a necessity. The conditions for this necessity to lead to standards are met here as nowhere else: no other city brings together so many organizations facing the same constraints, with the same culture of neutrality and the same confidentiality requirements.
When the crisis dictates the solutions
In the early 2000s, the World Food Programme coordinated one of the largest food distribution operations in history in Afghanistan from Geneva: millions of people, dozens of partner agencies, and registration systems that were incompatible with one another. At the same time, UNHCR was attempting to manage the return of hundreds of thousands of Afghan refugees from Pakistan—some of whom had been registered multiple times, others never at all. In both cases, the problem was the same: no one knew who was who. The solution developed in Geneva: a centralized biometric database, collecting fingerprints and iris scans to establish a unique, tamper-proof identity. Twenty years later, this database records 15.7 million individuals in more than 90 countries. It was not technological ambition that produced this standard. It was a humanitarian imperative—the absolute necessity of establishing a reliable identity, so that no one is left without aid or protection. Michel Warynski, who heads Secodev in Geneva, an NGO active in development cooperation, describes a comparable process, but in the opposite direction:
“We only engage with our beneficiaries in the field through our local partners, from whom we require a data protection policy that they can demonstrate to us.”
From a requirement to a standard
Crises have not ceased, and each one has produced something in Geneva that is more enduring than ad hoc responses: rules. In 2017, the ICRC published the first international framework on data protection in crisis situations—the Handbook on Data Protection in Humanitarian Action. Developed in parallel with the European GDPR, the Handbook addresses situations that civil law had not yet considered: how to protect a civilian’s medical data in a conflict zone; how to deny a government access to the records of its own refugees. The Handbook sets out the principle in these terms:
"The protection of personal data is inseparable from the protection of people's lives, integrity, and dignity."
This framework will not be limited to humanitarian organizations.
Geneva: A Testing Ground for the Rules of an Unstable World
In October 2024, the International Conference of the Red Cross adopted the first global resolution on the protection of civilians in the digital domain in Geneva. This text explicitly recognizes that digital infrastructure and civilian databases must be protected in times of conflict, just as hospitals and humanitarian corridors are. Behind this legal framework lies a question that Geneva has been grappling with for a long time: how can trust be built when everything seems to be working against it—conflict, the vulnerability of populations, power imbalances, and the absence of a reliable state? The standards emerging here are not administrative agreements. They are responses to situations where data can either protect a life or put it at risk.
From the standard to the ecosystem
The process is well-defined. When the ICRC co-founded the Center for Digital Trust with EPFL, alongside Swisscom, Swiss Re, Lombard Odier, and Nagra Kudelski, it was not merely a symbolic partnership: it was a transmission infrastructure. The Center trains NGO lawyers, private-sector executives, and public officials in the same data protection standards that the ICRC has developed under humanitarian imperatives.
The second channel is contractual. Any company providing services to an international organization in Geneva must, as a condition for market access, incorporate the client organization’s data protection standards into its service contract. Whatever the ICRC, UNHCR, or WFP require of their suppliers, those suppliers integrate into their practices and pass on to their own value chain. This is not a diffuse influence. It is a continuous learning mechanism, as Michel Warynski has indeed experienced:
“For an NGO like ours, which is active in development cooperation, data security has quickly become a top priority. The GDPR, in turn, led to an update of Swiss law, which significantly raised the bar.”
An environment shaped by high standards
An environment shaped by high standards
Law firms specializing in data protection, the certifications required by large organizations, continuing education programs offered by the University of Geneva, EPFL, and the GCSP (Geneva Centre for Security Policy): all of this has developed in the wake of the standards established on Avenue de la Paix. Michel Warynski refers to it as “an ecosystem that also encompasses the Lake Geneva region.”
Geneva did not wait for debates on data governance to be settled elsewhere, because the constraints it faces demand levels of reliability that other contexts do not yet require. The companies based there have absorbed these requirements without necessarily having sought them out. What others are deliberately trying to build, Geneva has produced out of necessity. And that is precisely what makes it difficult to imitate.
