OECD countries have adopted the first intergovernmental agreement on common approaches to safeguarding privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes.
The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities seeks to improve trust in cross-border data flows – which are central to the digital transformation of the global economy – by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks. It marks a major political commitment by the 38 OECD countries and the European Union that signed up to it during the OECD’s 2022 Digital Economy Ministerial Meeting. The Declaration is also open for adherence by other countries.
“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” OECD Secretary-General, Mathias Cormann said, launching the Declaration during the OECD Digital Economy Ministerial Meeting. “Today’s landmark agreement formally recognises that OECD countries uphold common standards and safeguards. It will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”
The Declaration, which rejects any approach to government access to personal data inconsistent with democratic values and the rule of law, is the result of two years of work by the OECD with a group of country experts in data protection, national security and law enforcement. The project stemmed from growing concerns that the absence of common principles in the sensitive domains of law enforcement and national security could lead to undue restrictions on data flows. Another motivating factor is a desire to increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities.
The Declaration complements the OECD Privacy Guidelines, one of the OECD’s flagship achievements dating back to 1980, and the basis of many countries’ privacy rules. Last updated in 2013, the Privacy Guidelines provide a common reference point for the protection of personal data and aim to facilitate cross-border data flows while upholding democratic values, the rule of law and the protection of privacy and other rights and freedoms. Crucially, however, they allow for exceptions for national security and law enforcement purposes. This new Declaration articulates a set of shared principles that reflect commonalities drawn from OECD members’ existing laws and practices and complement each other in protecting privacy and other human rights and freedoms.
The principles set out how legal frameworks regulate government access; the legal standards applied when access is sought; how access is approved, and how the resulting data is handled; as well as efforts by countries to provide transparency to the public. They also tackle some of the thornier issues – such as oversight and redress – that have proved challenging to policy discussions for many years.
The Declaration on Government Access is an important milestone in the OECD’s work to support countries in promoting trust in cross-border data flows. The Declaration complements the OECD’s Going Digital project, which in its current and third phase focuses on data governance for growth and well-being and offers evidence-based solutions to critical data governance challenges that countries face. Deliverables from this phase of the project, concluded at the Ministerial Meeting, include the Going Digital Guide to Data Governance Policy Making and the report Going Digital to Advance Data Governance for Growth and Well-being.