A notable development for the fraught issue of cross-border data flows from the Organisation for Economic Co-operation and Development (OECD) Wednesday: After two years of closed-door discussions, the intergovernmental organization has adopted a declaration on government access to data held by private sector entities.
The declaration, which has been adopted by the 38 OECD countries and the European Union, talks about “legitimate government access on the basis of common values” — and identifies seven shared principles (summarized below) which member countries have agreed reflect “commonalities” drawn from their existing laws and practices. The stated aim is to increase clarity about how government agencies can access data.
Member countries adopting the declaration include the U.S., U.K., European Union Member States including France and Germany and other international democracies including Australia, Canada, Israel, Japan, Korea, Mexico and New Zealand.
The move comes almost a decade after NSA whistleblower Edward Snowden brought a different kind of clarity to the world on that topic when he leaked scores of intelligence documents to journalists detailing how spooks in the U.S. and other Western democracies were quietly tapping into commercial Internet platforms and helping themselves to user data without a thought for people’s privacy.
Western governments have moved on from the Snowden scandal by — in many cases — updating their legal frameworks to embed mass surveillance (often with a claimed wrapper of democratic accountability and safeguarding). However differences in levels of legal protections afforded for privacy between countries, and discrepancies between how citizens and foreigners may be treated under surveillance regimes, continues to cause trouble for cross border data flows — which the OECD is concerned threatens the smooth scaling of the global digital economy.
The declaration builds on an earlier (1980!) OECD recommendation, on privacy and transborder flows of personal data, by addressing “policy gaps” affecting the cross-border flow of personal data — and specifically tackling what it describes as “the lack of a common articulation at the international level of the safeguards that countries put in place to protect privacy and other human rights and freedoms when they access personal data held by private entities in the course of fulfilling their sovereign responsibilities related to national security and law enforcement”.
Or, put another way, the OECD wants a set of agreed principles for how governments say they will acquire and use private sector user data to be out there, in writing, building trust that surveillance practices have reformed, are regulated, and are becoming increasingly aligned between economically allied nations, to encourage a lowering of barriers to cross border data flows for members of the club.
Here are the seven principles in the declaration — with lightly condensed summaries:
1) Legal basis: The declaration says data access by government is provided for and regulated by the country’s legal framework that is binding on government authorities and adopted and implemented by democratically established institutions operating under the rule of law — and which sets out “purposes, conditions, limitations and safeguards concerning government access, so that individuals have sufficient guarantees against the risk of misuse and abuse”.
2) Legitimate aims: Government access “supports the pursuit of specified and legitimate aims”, so is not excessive vis-a-vis those aims and is in accordance with legal standards of necessity, proportionality, reasonableness etc — and in conformity with the rule of law. So access cannot be used for purposes such as suppressing criticism or dissent; or disadvantaging persons or groups solely on the basis of protected characteristics etc.
3) Approvals: It says prior approval requirements are embedded in the legal framework to ensure access is “conducted in accordance with applicable standards, rules and processes”. The declaration also notes these are “commensurate with the degree of interference with privacy and other human rights and freedoms that will occur as a result of government access” — and stipulates that “stricter approval requirements are in place for cases of more serious interference, and may include seeking approval from judicial or impartial non-judicial authorities”. Emergency exceptions to approval requirements are also provided for in the legal framework, and are “clearly defined, including justifications, conditions, and duration”. Decisions on approvals are “appropriately documented” and “made objectively, on a factual basis in pursuit of a specified and legitimate aim and upon satisfaction that the approval requirements are met”. Where approvals are not required, the declaration states that other safeguards in the legal framework apply to protect against misuse and abuse, including “clear rules that impose conditions or limitations on the access, as well as effective oversight”.
4) Data handling: Personal data acquired through government access can be processed and handled only by authorised personnel — and this activity is subject to requirements provided for in the legal framework, including putting in place physical, technical and administrative measures to maintain privacy, security, confidentiality, and integrity. Mechanisms to ensure that personal data are processed lawfully; retained only for as long as authorised in the legal framework in view of the purpose and taking into account the sensitivity of the data; and are kept accurate and up to date (“to the extent appropriate having regard to the context”) are also included, along with internal controls to detect, prevent and remedy data loss or unauthorised or accidental data access, destruction, use, modification, or disclosure, and to report such instances to oversight bodies.
5) Transparency: The general legal framework for government access is declared as “clear and easily accessible to the public so that individuals are able to consider the potential impact of government access on their privacy and other human rights and freedoms”. The document also states mechanisms exist for providing transparency about government access to personal data “that balance the interest of individuals and the public to be informed with the need to prevent the disclosure of information that would harm national security or law enforcement activities” — providing examples like public reporting by oversight bodies on government compliance with legal requirements; procedures for requesting access to government records; regular reporting by governments; and, “where applicable”, individual notification. Private sector entities may issue “aggregate statistical reports” regarding government access requests “in line with legal framework requirements”.
6) Oversight: Mechanisms exist for “effective and impartial” oversight to ensure that government access complies with the legal framework — provided through bodies including internal compliance offices; courts; parliamentary or legislative committees; and independent administrative authorities. Bodies acting according to individual mandates have powers to obtain and review relevant information; conduct investigations or inquiries; execute audits; engage with government entities on compliance and mitigation; and address non-compliance — also receiving and responding to reports of non-compliance (and potentially to individual complaints) to ensure that government entities are accountable. “In the exercise of their functions, oversight bodies are protected from interference and have the financial, human and technical resources to effectively carry out their mandate,” the declaration states. “They document their findings, produce reports, and make recommendations, which are made publicly available to the greatest extent possible.”
7) Redress: The legal framework provides individuals with “effective judicial and non-judicial redress” to “identify and remedy” violations of the national legal framework. The declaration says such redress mechanisms “take into account the need to preserve confidentiality of national security and law enforcement activities” — stipulating this may include “limitations on the ability to inform individuals whether their data were accessed or whether a violation occurred”. Available remedies (“subject to applicable conditions”) include terminating access; deleting improperly accessed or retained data; restoring the integrity of data; and the cessation of unlawful processing. Compensation for damages suffered by an individual is also included as a possibility — “depending on the circumstances”.
Thorny issues for cross-border data flows
In a press release accompanying the declaration the OECD says its hope is it will boost trust and get data moving, writing: “The principles set out how legal frameworks regulate government access; the legal standards applied when access is sought; how access is approved, and how the resulting data is handled; as well as efforts by countries to provide transparency to the public. They also tackle some of the thornier issues — such as oversight and redress — that have proved challenging to policy discussions for many years.”
“The project stemmed from growing concerns that the absence of common principles in the sensitive domains of law enforcement and national security could lead to undue restrictions on data flows,” it adds. “Another motivating factor is a desire to increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities.”
“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” added OECD secretary-general Mathias Cormann in a supporting statement. “Today’s landmark agreement formally recognises that OECD countries uphold common standards and safeguards. It will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”
Cross-border data flows remain a very topical issue, with the EU — just yesterday — publishing a draft U.S. adequacy decision on transatlantic data exports. That still-yet-to-be-finalized EU-U.S. Data Privacy Framework is intended to replace two prior data transfer deals that were struck down by the bloc’s top court over concerns about U.S. government surveillance. And in the meanwhile, while EU institutions set to work scrutinzing the quality of redress the U.S. has offered its citizens who have concerns about what’s being done with their data once it’s over the pond, legal uncertainty — and even the risk of regional shutdown — hangs over U.S. cloud services in Europe.
One way to reduce the risk of further legal strikes — and, more broadly, to push back against a rising tide of data localization around the globe when/if countries feel moved to keep a sovereign hold on citizens’ data because of security concerns over foreign surveillance — is for likeminded nations to hew closer to a set of practices governing government access to private sector data.
Hence the declaration reads like an attempt to lower protectionist barriers that the OECD sees as standing in the way of the digital transformation of the global economy — and all the economic upside the latter implies.
But this text is just the end of a lengthy and, by some accounts, rather fraught process. An older version of the text — which was not made public but which we’ve reviewed via a source — contained some substantially different wording on the topic of cross-border data flows that suggests there was appetite among some in the discussion room for the OECD to take a more aggressive approach to beating back barriers to transborder data flows.
The proposal text we reviewed included wording stating that member countries should “refrain” from restricting cross-border data flows over national security or law enforcement access concerns if the destination country, whether an OECD member or not, “substantially observes” and “effectively implements” the principles of the declaration — and suggested member countries should instead focus their concern on data flows to countries where national security or law enforcement access does not align with the principles or is otherwise inconsistent with democratic values, the rule of law and respect for humans rights.
The final OECD declaration scrubs the suggested text — in favor of a considerably less ambitious statement of recognition that “where our legal frameworks require that transborder data flows are subject to safeguards, our countries take into account a destination country’s effective implementation of the principles as a positive contribution towards facilitating transborder data flows in the application of those rules”.
So the idea of signatories agreeing to, essentially, ignore their own rule of law — in the case of the EU (given the General Data Protection Regulation requires local regulators to suspend data exports to third countries if they believe citizens’ data will not get essentially equivalent legal protection at the destination country as it does in the EU — a scenario which is still, currently, the case for the U.S., an OECD member and signatory to this declaration) — in the name of maximizing data flows and economic upside between OECD members has, rather unsurprisingly, been dropped in the final text.
Such a suggestion would have been anathema to the EU — which sent high-level representatives to the Ministerial meeting of the Committee on Digital Economy Policy, in Gran Canaria, Spain, where the declaration was adopted on Wednesday afternoon. So the bloc seems pleased enough with the final outcome. (The Commission’s spokesperson service did not respond to questions about the earlier wording proposing to supplant the GDPR’s regulation of data transfers to third countries with an alternative, lower OECD standard.)
Some implicit inter-OECD member drama aside, it’s worth noting that an OECD declaration is not legally binding in any case. So while this high level statement by members contains commitments they “uphold democracy and the rule of law and protect privacy and other human rights and freedoms” (vis-a-vis government access to data), it’s not clear how much practical impact the declaration could have on surveillance practice and, well, surveillance overreach.
Nor whether any reconfiguring of Western democracies’ troublesome appetite for mass surveillance (to something, er, less legally risky to cross border data flows) is even intended for a declaration that talks about wanting to boost trust in data flows while simultaneously claiming: “[O]ur countries’ approach to government access is in accordance with democratic values; safeguards for privacy and other human rights and freedoms; and the rule of law including an independent judiciary” — despite several OECD members having legislated for state surveillance powers that human rights groups have denounced as anti-democratic and antithetical to privacy, and which continue tenacious sticking with data retention regimes that courts keep finding unlawful.
You won’t find those kind of awkward details recognized in this declaration — despite a claim by members to reject “any approach to government access to personal data held by private sector entities that, regardless of the context, is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable, arbitrary or disproportionate”.
While stakeholders’ calls for more work by governments to protect privacy and freedom of expression only gets a passing “note[d]” in the text.
The closed door nature of the negotiations to draw up the declaration have also been raised as a concern by civil society groups (aka stakeholders) — who have complained they were prevented from fully participating in the discussion process, with no ability for such groups to comment on the final draft ahead of publication for example.
CSISAC, which acts as the voice of civil society at the OECD’s Committee on the Digital Economy Policy — helping to get information flowing between the oraganization and civil society groups with the aim of achieving better policy outcomes — put out a statement following the declaration’s publication expressing concern at the “lack of procedural guardrails” on the talks on government access and lamenting that the usual formal multi-stakeholder OECD process was not followed in this case.
“The removal of civil society’s voice in one of the most sensitive and important projects at the OECD sets a dangerous precedent,” the committee goes on, pointing out that the reason given by the OECD for this exclusion — namely, the participation of members of the intelligence community in the negotiations for the declaration — need not have led to the exclusion of civil society from later stages of the process. Any future “similarly sensitive discussions” should not see a repeat of civil society input being shut out, it further urges.