Late last year, OECD member countries adopted an intergovernmental agreement setting out their shared principles for government access to personal data held by private entities. The OECD Declaration on Government Access to Personal Data Held by Private Entities (the Declaration) documents principles and safeguards, drawn from the OECD members’ existing practices, for accessing personal data held by private sector entities for law enforcement and national security purposes.
The Declaration is a non-binding, soft-law instrument. Unlike, for example, the OECD Anti-Bribery Convention, it is not binding under international law, and there is no requirement for Australia to implement the Declaration in its domestic law.
The Declaration aims to promote trust in cross-border data flows and to give individuals and businesses confidence when transferring data internationally. It also aims to address the concern that, absent common standards and safeguards, countries may legislate undue restrictions on data flows. Some jurisdictions, such as the EU and the US, had already started down this path by conducting their own jurisdiction-specific equivalency assessments. The Declaration aims to reduce the need for such individual assessments, as it sets out standard principles for government access to personal data that apply across all OECD countries.
Shared principles of the OECD Declaration
The Declaration contains a set of shared principles for how democratic, rule-of-law based systems should limit and constrain government access to personal information. These principles reflect the shared values of the OECD member countries and draw on commonalities in their existing laws and practices.
- Legal basis: government access to personal data should be regulated by a legal framework which is binding on the government authorities accessing personal data. The framework should set out the purpose, conditions, limitations and safeguards which apply to government access.
- Legitimate aims: government access to personal data should conform with the rule of law. Access should be necessary, proportionate and reasonable, so as to protect against misuse and abuse. The Declaration explicitly states that governments should not access personal data to suppress criticism or to disadvantage groups based on characteristics such as age, disability, ethnicity, gender, sexual orientation, or political or religious affiliation.
- Approvals: government access to personal information should be subject to approvals. These approvals should be documented and should apply rules, standards and processes which are appropriate to the degree of interference with privacy and human rights. Stricter approval processes should apply for serious interferences with privacy, which may include seeking approval from judicial or impartial non-judicial authorities.
- Data handling: governments should implement physical, technical and administrative measures to ensure that personal information is protected and that only authorised personnel access the personal information. Governments should also ensure that personal data is only retained for the duration set out in the country’s legal framework, which must take into account the purpose of collection and the sensitivity of the personal information.
- Transparency: governments should make the framework for access clear and accessible to the public. The Declaration acknowledges that any mechanisms for providing transparency must balance the rights of individuals to be informed of access to their personal data, against the need for confidentiality in national security and law enforcement activities.
- Oversight: governments should ensure that there are mechanisms for effective and impartial oversight of their framework for government access to personal data. Oversight bodies must have the power to investigate government entities and obtain redress for non-compliance with the framework, and they must be given adequate resources to carry out their functions.
- Redress: governments should ensure there are effective judicial and non-judicial avenues for identifying and remedying contraventions of the framework for government access to personal information. Remedies should include the power to terminate a government agency’s access to personal data, mandate deletion of improperly accessed data and order cessation of any unlawful processing.
The adoption of the Declaration by all OECD countries is a step towards building trust between countries with shared values and slowing the global trend towards data localisation. However, it is fair to be sceptical that this high-level and non-binding Declaration is strong enough to give OECD members any meaningful comfort about the government data access processes of their peers.
Authors: Michael Caplan, Claire Harris, Joy Kim