On December 14, 2022, the members of the Organization for Economic Co-operation and Development (“OECD”) (which include various EU Member States, Mexico, Turkey, the UK and the United States) and the EU adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”).
The aim of the Declaration is to establish a common set of privacy principles and safeguards to increase trust, and further promote cross-border data flows between the signatory countries. The principles enshrined in the Declaration will be implemented according to each country’s legal framework. The Declaration establishes the following shared principles, drawn from existing laws, on government access to personal data held by private entities:
- Legal basis. The legal basis for government access to privately held personal data is set out by each country’s legal framework. This legal framework sets out purposes, conditions, limitations and safeguards concerning government access, so that individuals have sufficient guarantees against the risk of misuse and abuse of their data.
- Legitimate aims. Government access must be carried out in a manner that is not excessive in relation to its legitimate aims and must comply with the principles of necessity, proportionality, and reasonableness.
- Approvals. The legal frameworks establish prior approval requirements, specifying the procedure for seeking and granting approval to government access. These requirements are commensurate with the degree of interference with privacy and other human rights and freedoms. Stricter requirements are imposed for instances of serious interference or emergency exceptions, which the legal frameworks strictly define.
- Data Handling. Personal data obtained through government access can only be processed by authorized officials. To achieve this, governments must implement physical, technical and administrative measures to safeguard personal data, which includes processing personal data with a valid legal basis. In addition, personal data must be retained only for as long as prescribed under the legal framework, taking into account the purpose of processing and the sensitivity of the data.
- Transparency. The legal framework regulating government access must be accessible to the public and each country must put in place appropriate transparency mechanisms on government access to personal data, such as enabling the appropriate oversight bodies to report on government compliance.
- Oversight. There must be effective and impartial oversight of government access to personal data, in compliance with the necessary legal requirements. Countries’ oversight bodies include, among others, internal compliance, the judiciary, parliamentary committees and independent administrative authorities. The independence and the functions of these oversight bodies are laid out in accordance with the countries’ legal framework.
- Redress. Individuals are entitled to effective redress, where a violation has occurred. The redress mechanisms might contain limitations in terms of the right to be informed, taking into account national security rules. Appropriate remedies may include the deletion of personal data, terminating unlawful processing and providing compensation for damages.
In reaction to the Declaration, European Commissioner for Justice Didier Reynders stated that the above-mentioned commitments do not preclude the requirement for governments to adopt bilateral agreements on the transfer of data to another country. Nonetheless, the OECD framework could assist companies in proving that they are transferring data to a country that offers a heightened standard of protection of personal data. In this context, while the European Commission’s final adequacy decision on the EU-U.S. Data Privacy Framework is currently in the pipeline (see our previous blog post), the Declaration could be of particular importance in assessing the level of protection afforded to personal data transferred outside of the EU to one of the OECD countries, such as the U.S.
Covington regularly advises companies on all aspects of their international transfers. Covington’s Data Privacy and Security team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfer mechanisms.