OECD countries adopt an agreement on government access to private sector data

31 January 2023

The members of the Organization for Economic Co-operation and Development (“OECD”) and the EU adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”) on 14 December 2022. This declaration, which rejects any approach to public access to personal data incompatible with democratic values and the rule of law, is the culmination of two years of work between the OECD and a group of national experts on data protection, national security, and law enforcement.

The declaration complements the OECD Privacy Guidelines, which date back to 1980, are one of the OECD’s key achievements, and serve as the foundation for privacy protection rules in many countries. Last revised in 2013, the Privacy Guidelines provide a standard reference for protecting personal data and aim to facilitate transborder data flows while respecting democratic values, the rule of law, and the protection of privacy and other rights and freedoms. Nonetheless, the Guidelines also provide national security and law enforcement exceptions.

The new declaration sets out shared principles that reflect commonalities in the existing laws and practices of OECD Member countries and complement each other in protecting individuals’ privacy and other rights and freedoms.

This declaration establishes the following shared principles (condensed summaries), drawn from existing laws, on government access to personal data held by private entities:

1. Legal Basis

The declaration states that access to data by the government is provided for and regulated by the country’s legal framework, which is binding on government authorities and is adopted and implemented by democratically established institutions operating under the rule of law. This legal framework sets out purposes, conditions, limitations, and safeguards concerning government access, to provide individuals with sufficient guarantees against the risk of misuse and abuse of their data.

2. Legitimate Aims

Government access must be carried out in a manner that is not excessive in relation to its legitimate aims and must comply with the principles of necessity, proportionality, and reasonableness. This means access cannot be used for purposes such as suppressing criticism or dissent, or disadvantaging persons or groups solely based on protected characteristics.

3. Approvals

The legal frameworks establish prior approval requirements. They also outline the procedure for seeking and granting approval for government access. These requirements are commensurate with the degree of interference with privacy and other human rights and freedoms. Stricter standards are imposed for severe interference or emergency exceptions, which the legal frameworks strictly define. Emergency exceptions to approval requirements are also provided for in the legal framework; they must be clearly defined and include justifications, conditions and duration. Decisions on approvals are “appropriately documented” and “made objectively, on a factual basis in pursuit of a specified and legitimate aim and upon satisfaction that the approval requirements are met”. Where approvals are not required, the declaration states that other safeguards in the legal framework are applicable to protect against misuse and abuse, including “clear rules that impose conditions or limitations on the access, as well as effective oversight”.

4. Data Handling

Personal data acquired through government access can be processed and handled only by authorized personnel. The handling of this data requires the government to implement physical, technical and administrative measures to safeguard the data (this includes processing personal data with a valid legal basis and retaining it only for as long as prescribed under the legal framework, taking into account the purpose of processing and the sensitivity of the data).

5. Transparency

The legal framework regulating government access must be accessible to the public. Additionally, each country must have appropriate transparency mechanisms on government access to personal data, such as enabling the proper oversight bodies to report on government compliance.

6. Oversight

There must be practical and impartial oversight of government access to personal data in compliance with the necessary legal requirements (provided through bodies including internal compliance offices, courts, parliamentary or legislative committees, and independent administrative authorities).

7. Redress

Individuals are entitled to effective redress where a violation has occurred. The redress mechanisms might contain limitations, particularly the right to be informed, taking into account national security rules. Appropriate remedies may include the deletion of personal data, termination of unlawful processing and providing compensation for damages.

In addition to these principles, the signatories agree that where there are restrictions for transborder flows in national laws, they consider a destination country’s effective implementation of the regulations as a ‘positive contribution’. Coinciding with the declaration, the EU issued its draft adequacy decision on EU-US data flows on 13 December.

In conclusion, the Declaration on Government Access is an important milestone in the OECD’s work to help countries promote confidence in transborder data flows. The declaration complements the OECD’s “Going Digital” project, which focuses on data governance for growth and well-being in its current third phase. It also proposes evidence-based solutions to countries’ significant data governance challenges. The expected outcomes of this project phase, which was completed at the Ministerial Meeting, include the Data Governance Policy Guide and the report on Digital Transformation and Data Governance for Growth and Well-being.

AUTHOR

Raluca Suciu

Data Protection Manager

REVIEWER

Emeraude Camberlin

DPO Certified & Squad Leader