The OECD breaks new ground with historic declaration on government access to private sector data

On 14 December 2022, Ministers at the Organisation for Economic Co-operation and Development (the OECD) Digital Economy meeting in Gran Canaria signed the Declaration on Government Access to Data held by private sector entities (the Declaration).   It was hailed by OECD as “the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes”.

My colleagues Jane Finlayson-Brown and Anna van der Leeuw-Veiksha published a short blog before Christmas, highlighting the announcement of the OECD Declaration and the key principles agreed.  In this blog I will take a deeper dive into the detail, the wider context and implications for international data flows.

A shift in data flow policy?

Alongside the positive steps towards restoring EU-US Adequacy (see my December 2022 blog), the new OECD Declaration signals a shift forward in international policy on data flows.  For many years there has been much discussion about the drift towards greater restrictions on international data flows and the difference between various global data frameworks.  We have seen an increased number of laws introducing data localisation, despite connectivity in the digital economy growing apace; international mistrust over data flows has been growing.  Growing cyber risks and concerns about how companies and governments can use technology to track and target people have added to unease about where our data goes and what happens to it.  But the risks of restrictions and uncertainty have created frictions that some fear will impact digital growth and the pluralism of the Internet.

The Declaration recognises OECD countries uphold common standards and safeguards on government access to personal data, and summarises them as a set of principles.   The Declaration also rejects any approach to government access that is inconsistent with democratic values and the rule of law.  It therefore aims to create greater trust across OECD economies and highlight the similarities in the protections they provide for individuals’ rights compared to others.

The OECD has a long standing role in setting global frameworks for data protection and privacy and the wider digital economy.  The 1980 OECD Privacy Guidelines (last updated in 2013) are a foundational instrument internationally, influencing the development of many national laws, particularly in the Asia-Pacific region.  More recently, the OECD has agreed Principles on Artificial Intelligence.  The OECD is therefore particularly well placed to take this work forward.  Also noting the OECD has global membership across most developed economies (eg US, UK, Japan, Australia, France, and Germany), with new countries such as Brazil about to join as well. The European Union was also a signatory.

In my previous role as Chair of the OECD Working Party on Data Governance and Privacy (November 2019- April 2022) it was a great privilege to play a role in assisting the development of this important work in the earlier stages.

Why the declaration was developed?

The Japanese Government have provided important vision and direction for the work.  In June 2019 the late Japanese Prime Minister, Shinzo Abe, presented his proposal for Data Free Flow with Trust (the DFFT) at the G20 Summit in Japan.  The subsequent 2019 G20 Declaration set out the opportunities to be gained from facilitating data free flow and strengthening consumer and business trust.  It also set out the importance of encouraging interoperability of data protection and privacy frameworks. The G20 declarations of 2020 (Saudi Arabia) and 2021 (Italy), also reaffirmed this commitment.   

There was a good level of global agreement on the need to take steps towards strengthening DFFT but many of the initial proposals were light on policy detail and concrete steps.  In late 2019 Japan made an important proposal as part of OECD’s formal review of the Privacy Guidelines.  The proposal was to focus on government access to personal data held by the private sector and consider how OECD members could create greater trust through common principles.  This could also differentiate between states that followed principles under democratic systems and non-democratic states that undertook generalised and indiscriminate access to private sector data. 

This then led to a Statement by the OECD Committee on Digital Economy Policy in 2020  - the committee set out an intention to: “conduct further work to deepen the understanding of approaches in OECD countries and to examine the possibility of developing, as a matter of priority, an instrument setting out high-level principles or policy guidance for trusted government access to personal data held by the private sector”.

This was also followed up in the UK 2021 G7 roadmap for co-operation on data free flow with trust: “We are committed to maintaining domestic data protection and privacy standards, reasonable principles underpinning lawful access regimes, as well as legal powers and arrangements that facilitate access across borders”.

In October 2021, the Global Privacy Assembly, the international group representing Data Protection Regulators, adopted a resolution on Government Access to Data, Privacy and the Rule of Law: Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes.  This also gave further impetus to the OECD’s approach and confidence that it could be feasible to identify common principles from existing frameworks.   

To place the Declaration into context it is also worth considering this further paper on Fostering cross-border data flows with trust that OECD also issued at the 2022 Digital Ministerial Meeting.  This recognises that the work on government access data needs to be part of a series of actions to enhance DFFT.  This includes initiatives at global and national levels, involving a range of stakeholders from government, regulators and business.   

What does the declaration say?

The document is concise, it sets the background and context in a set of opening recitals covering “Legitimate government access on the basis of common values” and “Promoting trust in cross-border data flows”. 

The recitals explain the scope and application, in particular: “these principles apply to government access to and processing of personal data in the possession or control of private sector entities when governments are pursuing law enforcement and national security purposes.” 

It is also clarifies which aspects of territorial scope the principles apply to: “within their respective territories in accordance with their national legal framework, including situations where countries have the authority under their national legal framework to mandate that private sector entities provide data to the government when the private sector entity or data are not located within their territory.”

The national security and law enforcement community often refer to ‘upstream’ and ‘downstream’ surveillance - upstream surveillance involves access to digital communications as they move over the internet backbone, and downstream surveillance covers access to digital communications from companies directly eg from online platform.  The reference to possession or control clearly covers downstream surveillance.  It seems unclear whether data moving over the internet backbone is in ‘the control’ of private entities, and the reference to entities that ‘provide data’ would also preclude the internet backbone access if an access request is not made.

The document then contains the following seven principles: (1) Legal basis (2) Legitimate aims (3) Approvals (4) Data Handling (5) Transparency (6) Oversight (7) Redress.  Each principle is explained using globally recognised legal terms, concepts and practices, while avoiding a detailed level of prescription. 

Some notable aspects of the drafting:

• Like the EU-US Data Privacy Framework there is now a clear recognition of the terms necessity and proportionality, plus the term reasonableness is also used. This recognises the interoperability of EU, UK and US legal terms, helping bridge the civil law and common law backgrounds of OECD members.   A common global language is now emerging.
• There is also a flexible explanation of approval requirements, stating that this “may include seeking approval from judicial or impartial non-judicial authorities”.  It also recognises that there may be situations where approvals are not required but other safeguards and oversight should continue to provide protection.
• Oversight is framed as effective and impartial rather than independent. This is notable as ‘independent’ is the preferred term in EU legislation eg in GDPR Article 51. This again indicates some flexibility and interoperability between different concepts.   There is also recognition that a range of bodies can provide effective oversight: “bodies including internal compliance offices, courts, parliamentary or legislative committees and independent administrative authorities”.  This agreed range of bodies seems to indicate that practical effectiveness of oversight can be as important as form. 
• There is a recognition that effective judicial and non-judicial redress can identify and remedy violations. The recognition that non-judicial mechanisms can be effective is an indication of flexibility on a matter that is the subject of much debate in the context of the GDPR.  It can provide support to those who seek to argue for a nuanced and context driven assessment of redress in third countries’ surveillance regimes under GDPR.

It is important to emphasise that the principles are developed from drawing out common features from existing frameworks, aiming for an approach that does not prescribe or impose new concepts on OECD members.  The focus is common safeguards and practices and the document makes clear that they don’t need to be identical. 

What status does the Declaration have?

The Declaration is a formal OECD legal instrument but isn’t a legally binding treaty on the OECD members who agreed to adhere to it.  Most OECD instruments don’t have binding status – binding instruments are generally reserved for specific issues where there is a clear policy necessity, for example on global tax agreements. About 85% of OECD legal instruments are non-binding.  There is a helpful overview of the different types of OECD instruments, including their binding status, on their website. The Declaration on government access is a classed as a “Substantive Outcome Document”, these documents are adopted by the individually listed adherents rather than by an OECD body.

It would be unfair to overly dwell on the non-binding status of the Declaration, it is a highly important document and breaks new ground in the agreement reached on common principles.  The commitment to sign the document, from a globally diverse set of democratic countries, creates a real opportunity to leverage greater trust between digital economies in the coming years.

Can non-OECD countries sign up to it?

The answer is yes.  A number of other countries are not full OECD Members but as accession countries (eg Brazil) or key partners (eg India) they can still agree to adhere to OECD instruments.   For example, the OECD AI Principles have eight non-OECD members as adherents.   It will be interesting to see whether incentives start to emerge for other countries to declare they adhere to the principles.

How can the Declaration make a difference?

One of the most crucial recitals sets out how the OECD members may reference or use the Declaration in future: “WE RECOGNISE that where our legal frameworks require that transborder data flows are subject to safeguards, our countries take into account a destination country’s effective implementation of the principles as a positive contribution towards facilitating transborder data flows in the application of those rules.”

This allows us to consider a number of scenarios where OECD countries and other stakeholders could take account of implementation:

• In future reforms to Data Protection and Privacy laws: where these laws have adequacy type provisions, the implementation of the OECD government access principles could be recognised as a relevant factor.  For example recital 105 of the EU GDPR recognises Council of Europe Convention 108.  The UK Data Protection and Digital Information Bill may also offer an opportunity to recognise the OECD principles as a factor on the face of the law.
• The OECD principles could potentially be referenced in adequacy guidance even without direction from primary legislation.  For example the European Data Protection Board (the EDPB) Recommendations on the European Essential Guarantees for surveillance measures or UK DCMS manual guidance.
• Guidance from Data Protection Authorities could also reference the OECD principles as a relevant factor to consider when controllers are conducting Transfer Impact Assessments (TIAs) or Transfer Risk Assessments (TRAs).
• OECD countries and non-members could consider the OECD principles when drafting or updating laws on national security and law enforcement access to data.
• The OECD principles could be considered by other international organisations when setting relevant standards eg the Council of Europe, the African Union.   

The spotlight is now particularly on the European Commission and the EDPB, and how they may formally refer to the Declaration.   At a December 2022 Politico event on data transfers European Commissioner Didier Reynders and Deputy Director Bruno Gencarelli from the European Commission were asked about the value it could add. Their responses recognised the key achievement and they highlighted the benefit the Declaration could provide as a “minimum standard”, while stressing that the test for adequacy will always be against EU law. There was a reference to the Declaration as a ‘first step”, implying the Commission have ambitions for it to add more detail.

Will attention turn to transfers to non-OECD states?

While there is cause for optimism that the Declaration can help increase trust and facilitate smoother transfers between OECD countries the work could turn the spotlight towards non-OECD countries that do not meet these principles. It is important to recognise that there will be non-OECD states, who operate under democratic systems and the rule of law, which will meet the principles.

It is worth noting the 2021 study report the EDPB commissioned on government access to data in third countries - this clearly sets out the differences between EU safeguards and  the safeguards that countries such as China and Russia have in place.

Conclusion

Overall, the Declaration is a good step forward and the international data protection community should now seek to engage and provide feedback on implementation - there is still much more work to deliver practical benefits. 

The Declaration and announcement did not set out further concrete steps towards implementation.  The recitals hint at further work: “WE NOTE stakeholders’ calls for additional work and engagement to identify existing common safeguards in OECD Member countries to protect privacy and freedom of expression, and therefore promote trust, in the context of purchasing commercially available personal data, accessing publicly available personal data, and receiving voluntary disclosures of personal data by law enforcement and national security authorities.”

The OECD could update other instruments to reference the OECD principles, such as the OECD Privacy Guidelines.  This was suggestion made by the Japanese delegation at the public event to launch the Declaration. 

An additional output that would be of significant practical value would be a factual compendium of all the relevant laws in OECD member countries. This would be a helpful reference tool to sit alongside the Declaration. 

Japan holds the G7 Presidency in 2023 and this should create further impetus for progress, particularly at the main summit later this year.