Protection of personal data: a historic agreement with the OECD

The member countries of the OECD and the European Union have adopted a declaration on access by public authorities to personal data held by private companies. A strong commitment at a time when the cross-border transfer of data raises serious concerns.

The thorny issue of cross-border personal data flows has just undergone a notable development. On December 13, 2022, the 38 member countries of the Organization for Economic Co-operation and Development (OECD) – including the United States, Israel and Canada – and the European Union reached an agreement to adopt the first intergovernmental agreement on common approaches to the protection of privacy and other human rights and freedoms of individuals when accessing personal data for national security and law enforcement purposes.

Behind this overly long name is the Declaration – with a capital D – which will regulate government access to personal data held by private sector entities such as Google, Apple and Meta, to name a few. In other words, it will clearly define the conditions under which law enforcement and national security authorities may access personal data under existing legal frameworks. It is a real political commitment (the Declaration is, moreover, open to accession by other countries) at a time when the cross-border transfer of data is arousing serious concerns among the various populations, and it is the culmination of two years of work by the OECD, in partnership with a group of national experts on data protection, national security and law enforcement.

OECD agreement: concern over cross-border transfer of personal data

In the era of globalization, the mountains of data accumulated by tech companies on their users raise many concerns, whether on the part of governments or their citizens. And rightly so, since the digital giants do not have a very good reputation when it comes to protecting that data, after years of security breaches and data sales. For example, Amazon gives the police recordings from its Ring cameras without users’ consent – eleven recordings since the beginning of the year. Meta is not blameless either, as Facebook provided the Nebraska justice system with messages between a mother and daughter about an abortion, a practice that was recently made illegal in the state. And these are just a few cases among others! The biggest scandal remains, indisputably, the revelations of Edward Snowden, who revealed almost ten years ago how the NSA – but this also applies to other Western democracies – broke into Internet platforms and seized user data to pursue its goals without worrying about people’s privacy.

As Mathias Cormann, the Secretary-General of the OECD, pointed out when presenting the Declaration during the OECD Ministerial Meeting on the Digital Economy, “in the absence of general principles and common safeguards, the sharing of personal data between jurisdictions may infringe privacy, particularly in sensitive areas such as national security”. In line with the common desire to increase trust between democratic systems – which are supposed to share common values, even if they remain intrinsically different – he explains that “Today’s historic agreement formally recognizes that OECD countries adhere to common standards and safeguards. It will help enable the flow of data between democracies governed by the rule of law, with the safeguards necessary for the trust of individuals in the digital economy and mutual trust between governments regarding the personal data of their citizens”.

OECD agreement: principles governing public authorities’ access to data

What is obvious in these statements is that the problem is not so much the question of people’s privacy as that of the global digital economy. Indeed, there are different levels of legal protection of privacy between countries, and not all treat their citizens and foreigners in the same way. The new Declaration therefore builds on the OECD Privacy Guidelines – which date from 1980 and were last revised in 2013 – “to facilitate cross-border data flows while respecting democratic values, the rule of law and the protection of privacy and other rights and freedoms” while providing some exceptions aimed at ensuring national security and law enforcement, as reported in the organization’s press release. As a result, the Declaration identifies seven principles common to the different countries, which undertake to respect them, in order to clarify the way in which government agencies can access data.

Thus, public authorities’ access to data must take place within the framework of the rule of law, with a legal framework that sets out the purposes, conditions, limits and safeguards applicable to government access, so that individuals are sufficiently protected against the risk of misuse and abuse, and must serve “specific and legitimate purposes” – which automatically excludes purposes aimed at suppressing or blocking criticism and dissent, as well as at disadvantaging persons or groups on the basis of a single characteristic (age, ethnic origin, sexual orientation, religion…). Access should also be subject to prior authorization requirements clearly defined in the legal framework “to ensure that such access is in compliance with applicable standards, rules and procedures”.

Once the data has been acquired, it must be processed, handled and stored only by authorized personnel according to a procedure that is, again, defined by law. Of course, this legal framework must be perfectly transparent and easily accessible “so that individuals are able to assess the impact it may have on their privacy and other rights and freedoms”, which requires public reporting and regular reporting by supervisory bodies. These control mechanisms must also be “effective and impartial”, which is why they must be carried out by very specific and separate bodies (internal compliance offices, courts, parliamentary or legislative committees, independent administrative authorities, etc.), which are protected from any interference and have the necessary resources. Finally, “the legal framework guarantees individuals the possibility of effective judicial and extrajudicial remedies in order to determine breaches of the national legal framework and, if necessary, to remedy them”.
