16 December 2022

OECD countries limit government access to personal data

New framework outlines how national security and law enforcement agencies can access data held by companies

On December 14, 2022, the 38 member countries of the Organisation for Economic Cooperation and Development (OECD) adopted a groundbreaking framework for how governments access personal data held by companies. By providing a common standard for democratic, rule-of-law-based countries, the Declaration on Government Access to Personal Data Held by Private Sector Entities seeks to promote trust in the increasingly complex international data transfer landscape.

Although not legally binding, the OECD framework could assist companies in transferring personal data to certain jurisdictions. In moving data to OECD countries, businesses could leverage the framework to help justify their decisions – particularly with regulators.

Following more than two years of negotiations among privacy, national security, and law enforcement officials, the Declaration articulates seven shared principles drawn from OECD member nations’ existing laws and practices:

  1. Legal basis: The country’s legal framework sets forth the purposes, conditions, limitations, and safeguards concerning government access to personal data, so that individuals have sufficient guarantees against the risk of misuse and abuse.
  2. Legitimate aims: The government seeks access to personal data only for legitimate and specified aims that are necessary, proportional, and reasonable (e.g., it does not seek access for the purpose of suppressing dissent or discriminating against persons on the basis of certain characteristics).
  3. Prior approvals: The government ensures that access is conducted in accordance with applicable standards, rules, and processes—including documented prior approvals from the appropriate government authorities.
  4. Data handling: Personal data acquired through government access is (a) processed and handled lawfully and by authorized personnel, (b) subject to measures that maintain its privacy, security, confidentiality, and integrity, and (c) retained only for as long as authorized.
  5. Transparency: The legal framework for government access is clear and easily accessible to the public, and mechanisms exist to balance the interest of individuals and the public to be informed with the need to prevent disclosures of information that would be harmful to national security or law enforcement activities.
  6. Oversight: Mechanisms exist for effective and impartial oversight to ensure that government access complies with the country’s legal framework. They include compliance offices, courts, legislative committees, and independent administrative authorities.
  7. Redress: The legal framework provides individuals with effective judicial and non-judicial redress to identify and remedy violations of the national legal framework.

This unprecedented collaboration among privacy, national security, and law enforcement officials reflects the growing acknowledgement among governments of the exceedingly onerous compliance burdens that companies now face with respect to cross-border data transfers.

Find out more about the implications of this collaboration on your business by contacting the authors or any member of our data privacy team.

Madison Swoy is a law clerk with the Regulatory and Government Affairs - Data Protection, Privacy and Security group, based in San Diego. Reach her at madison.swoy@us.dlapiper.com.

