Principles on government access to personal data to be agreed by OECD negotiators this year

24 November 2022 12:15 by Matthew Newman, Sam Clark, Mike Swift

International data flows could be shaped by a new declaration of “common principles” on governments’ access, for national-security and law-enforcement purposes, to personal data held by the private sector, with ministers from “like-minded” democratic countries expected shortly to reach a consensus on the issue, MLex has learned.

Digital ministers from the 38-member Organization for Economic Cooperation and Development are planning to meet in Gran Canaria, Spain, on Dec. 14-15 to sign the declaration.

Ministers will meet for lunch on Dec. 14 for the “adoption of the draft declaration on government access to personal data held by private sector entities by ministers and high-level representatives of OECD members and the European Union,” followed by a panel discussion, according to the meeting’s program.

While the declaration’s final wording is still under discussion, the initiative has been hailed as a major step by countries to help build trust in how governments access personal data when international data flows are essential for global commerce.

“We think it's a major advancement for strong and consistent protections for personal data in countries around the world,” Kate Charlet, Google’s director of data governance, said in a recent interview with MLex.

Negotiators are optimistic about reaching a deal around seven principles to help restore companies’ and citizens’ faith that governments protect their rights while also engaging in surveillance under certain safeguards. These principles include a legal basis for accessing personal data, transparency and effective redress for citizens.

There is growing mistrust among citizens in cross-border safeguards, particularly following revelations of US government surveillance by whistleblower Edward Snowden in 2013.

The OECD’s efforts, which have run in parallel with other groups such as the Group of Seven and the Group of 20 leading economies, come as companies raise concerns that governments will resort to data localization requirements, ensuring that they retain access to data over which they claim jurisdiction. The US, for example, is worried about the Chinese government accessing data from popular social-media platforms such as TikTok.

These concerns have also increased since the EU's highest court in July 2020 overturned the EU-US Privacy Shield, which was used by more than 5,000 companies as a legal basis for trans-Atlantic data flows.

The Office of the US Trade Representative’s 2021 report on digital trade barriers listed the EU and 19 nations — large democracies such as Brazil and India as well as smaller states such as Ecuador and Kenya — as having data localization measures that could be barriers to digital trade.

An OECD consensus on “data free flow with trust” principles of government access by democratic countries would send an important message that a balance between privacy and security can be struck. It would also set these countries apart from autocratic governments that don’t uphold individuals’ data protection rights.

Data and privacy

Governments’ efforts to improve global data flows and to build trust began in earnest in June 2019 when Japan chaired the G20. Japan proposed an initiative on “data free flow with trust,” focusing on the link between government access and global transfers of personal data held by private companies.

The OECD’s Committee on Digital Economy Policy took the initiative and issued a statement in December 2020 declaring that “building trust by defining the circumstances where governments can access personal data from companies is critical to maintaining international data flows, a foundation of the global economy”.

The OECD is seen as a good forum for talks because it is linked with trade and the economy. It has also been a key contributor to developing modern privacy laws.

In 1981, the body helped develop the Fair Information Practice Principles, commonly known as the FIPPs, which underlie modern laws such as the EU's General Data Protection Regulation, through the release of its OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These were revised in 2013.

One hope is that even though the new agreement would consist of shared principles without the force of law, they could someday be codified into national laws in the way the FIPPs were, helping to make the international flow of data more stable.

An OECD working group was formed in 2021 with government representatives and officials from law enforcement and national security agencies.

Stumbling block

The OECD working group’s progress has mostly been shrouded in secrecy because of the sensitive nature of government access, which involves law enforcement and surveillance authorities.

But in mid-2021, it became clear that negotiators had hit a roadblock over the scope of the draft declaration on government access.

One side, led by the US and supported by Canada, Australia, Japan and the UK, wanted to keep the initiative to “obliged” access, meaning that a law-enforcement agency compels access by relying on a formal legal process, such as obtaining a judicial warrant.

Another group, led by the EU, several of the bloc's member state governments and South Korea, sought to expand the scope to all methods of government access to personal data held by the private sector. This approach would include “direct” or covert data collection in which a company doesn't know its data is being accessed by security or surveillance authorities.

While there was a risk talks would break down, the OECD secretariat ultimately agreed to work on a two-track process in which both options were considered. Negotiations continued into 2022.

Securing a deal

The final compromise covers all forms of government access. The draft declaration doesn’t use the terms “obliged” and “non-obliged” access, MLex understands. But there is an important nuance for covert access: It mainly covers domestic access, MLex understands.

On the other hand, some government requests — such as from law-enforcement authorities — could cover access that can be addressed to private operators outside a country’s jurisdiction without the addressee being informed. The precise wording on this measure is still being negotiated.

Companies have been increasingly alarmed that data flows between the US and EU nations could be shut down because of the EU Court of Justice’s Schrems II ruling in 2020. That was the second time the EU court had struck down an EU-US data-transfer agreement after the Safe Harbor deal was annulled in 2015.

After the Schrems II ruling that annulled Privacy Shield, the EU and US were obliged to negotiate a new agreement.

In March this year, the two sides announced the EU-US Data Privacy Framework that will impose limitations on US surveillance and set up a new Data Protection Review Court for EU citizens to challenge US spy agencies’ activities. The announcement was then backed by an executive order signed by President Joe Biden on Oct. 7.

Some of the safeguards about government access in the EU-US agreement are now built into the OECD declaration. These include legitimate aims for law-enforcement and national-security access to data, so that access is carried out in a necessary and proportionate manner.

The principles or “commonalities” also include transparency requirements for government access and a redress system for citizens’ complaints that’s conducted by independent bodies such as courts.

While the OECD declaration isn’t a legally binding agreement, companies could refer to it when conducting assessments on whether there are risks from government access for international data transfers under EU data protection rules. The declaration is also open to observer countries.

Ministers’ signatures will signal that democratic governments know that building trust between countries is essential to “stabilize” global data flows, Google’s Charlet said.

“This is just a natural extension of all that work that has been done over previous years on data free flow with trust, but one that has created a real tangible product. In that way, it’s quite notable,” she said.
