Skip to main content

OECD countries adopt an agreement on government access to private sector data

OECD countries adopt an agreement on government access to private sector data

OECD countries adopt an agreement on government access to private sector data

OECD countries adopt an agreement on government access to private sector data

31 January 2023

The members of the Organization for Economic Co-operation and Development (“OECD”) and the EU adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”) on 14 December 2022. This declaration, which rejects any approach to public access to personal data incompatible with democratic values and the rule of law, is the culmination of two years of work between the OECD and a group of national experts on data protection, national security, and law enforcement.

The declaration complements the OECD Privacy Guidelines, one of the OECD’s key achievements dating back to 1980, and serves as the foundation for privacy protection rules in many countries. Last revised in 2013, the Privacy Guidelines provide a standard reference for protecting personal data and aim to facilitate transborder data flows while respecting democratic values, the rule of law, and the protection of privacy and other rights and freedoms. Nonetheless, the Guidelines also provide national security and law enforcement exceptions.

The new declaration sets out shared principles that reflect commonalities in the existing laws and practices of OECD Member countries and complement each other in protecting individuals’ privacy and other rights and freedoms.

This declaration establishes the following shared principles (condensed summaries), drawn from existing laws, on government access to personal data held by private entities:


Legal Basis

The declaration states that access to data by the government is provided for and regulated by the country’s legal framework. Additionally, it is binding on government authorities and adopted and implemented by democratically established institutions operating under the rule of law. This legal framework sets out purposes, conditions, limitations, and safeguards concerning government access, to provide individuals with sufficient guarantees against the risk of misuse and abuse of their data.

Legitimate Aims

Government access must be carried out in a manner that is not excessive concerning its legitimate aims and must comply with necessity, proportionality, and reasonableness principles. Meaning access cannot be used for purposes such as suppressing criticism or dissent or disadvantaging persons or groups solely based on protected characteristics etc.


The legal frameworks establish prior approval requirements. It also outlines the procedure for seeking and granting approval for government access. These requirements are commensurate with the degree of interference with privacy and other human rights and freedoms. Stricter standards are imposed for severe interference or emergency exceptions, which the legal frameworks strictly define. Emergency exceptions to approval requirements are also provided for in the legal framework; they must be clearly defined and include justifications, conditions and duration. Decisions on approvals are “appropriately documented” and “made objectively, on a factual basis in pursuit of a specified and legitimate aim and upon satisfaction that the approval requirements are met”. Where approvals are not required, the declaration states that other safeguards in the legal framework are applicable to protect against misuse and abuse, including “clear rules that impose conditions or limitations on the access, as well as effective oversight”.

Data Handling

ersonal data acquired through government access can be processed and handled only by authorized personnel. The handling of this data requires physical, technical and administrative measures to be implemented by the government to safeguard the data (this includes processing personal data with a valid legal basis, retention can only be for as long as prescribed under the legal framework, taking into account the purpose of processing and the sensitivity of the data).


The legal framework regulating government access must be accessible to the public. Additionally, each country must have appropriate transparency mechanisms on government access to personal data, such as enabling the proper oversight bodies to report on government compliance.


There must be practical and impartial oversight of government access to personal data in compliance with the necessary legal requirements (provided through bodies including internal compliance offices, courts, parliamentary or legislative committees, and independent administrative authorities).


Individuals are entitled to effective redress where a violation has occurred. The redress mechanisms might contain limitations, particularly the right to be informed, taking into account national security rules. Appropriate remedies may include the deletion of personal data, termination of unlawful processing and providing compensation for damages.

Next to these principles, the signatories agree that where there are restrictions for transborder flows in national laws, they consider a destination country’s effective implementation of the regulations as a ‘positive contribution’. Coinciding with the declaration, the EU issued its draft adequacy decision on EU-US data flows on 13 December.

In conclusion, the Declaration on Government Access is an important milestone in the OECD’s work to help countries promote confidence in transborder data flows. The declaration complements the OECD’s “Going Digital” project, which focuses on data governance for growth and well-being in its current third phase. It also proposes evidence-based solutions to countries’ significant data governance challenges. The expected outcomes of this project phase, which was completed at the Ministerial Meeting, include the Data Governance Policy Guide and the report on Digital Transformation and Data Governance for Growth and Well-being.


Raluca Suciu

Data Protection Manager


Emeraude Camberlin

DPO Certified & Squad Leader

Contact Our Experts

Contact us