Skip to content

OECD countries adopt a declaration on government access to private sector data for national security and law enforcement purposes

The OECD countries adopted the first intergovernmental declaration setting out common approaches to providing privacy and data protection safeguards for governmental access to personal data held by private sector (on 14 December 2022). 

This declaration names seven key principles for the legitimate government access to data on the basis of common values of democracy, the rule of law, protecting privacy and other human rights and freedoms, promoting free flow of data and maintaining a global, open, interoperable and secure internet.

The principles include:

  • government access must be established and regulated by a country’s legal framework that sets out purposes, conditions, limitations and safeguards for such access;
  • government access should support specified and legitimate aims, in a manner that is not excessive and should be carried out in accordance with legal standards of necessity, proportionality, reasonableness and other standards to protect against the risk of misuse and abuse;
  • the country’s legal framework should provide for prior approval requirements for access, including criteria and procedures to be followed, and the need for objective and appropriately documented approval decisions. Safeguards against misuse and abuse other than approvals can be provided for, such as conditions and limitations on the access and effective oversight;
  • personal data acquired through government access should be only processed by authorised personnel and should be subject to requirements to establish physical, technical and administrative measures for privacy, security, confidentiality and integrity of data;
  • transparency mechanisms regarding government access to personal data should be put in place, including public reporting by oversight bodies and procedures to request access to government records. Private entities are allowed to issue aggregate statistical reports on governmental access requests;
  • mechanisms should exist for effective and impartial oversight through internal compliance offices, courts, parliamentary or legislative committees and independent administrative authorities;
  • individuals should be provided with effective judicial and non-judicial redress to identify and remedy violations of the national legal framework.

Read the OECD press release here and the Declaration here.

Stay tuned for an analysis of the key aspects of the Declaration and its significance for cross-border data transfers in the upcoming blog post by our special advisor Steve Wood.

Related expertise