The Organisation for Economic Co-operation and Development adopted a declaration on government access to data held by private sector entities on Wednesday.
The 38 Organisation for Economic Co-operation and Development countries and the European Union have adopted a declaration that talks about "legitimate government access on the basis of common values."
The U.S., U.K., European Union Member States, France and Germany, Australia, Canada, Israel, Japan, Korea, Mexico and New Zealand are included in the declaration.
The move comes almost a decade after Edward Snowden leaked scores of intelligence documents to journalists detailing how the U.S. and other Western democracies were quietly tapping into commercial internet platforms and helping themselves to user data.
Many Western governments have updated their legal frameworks to include mass-surveillance in order to keep up with the times. Differences in levels of legal protections afforded for privacy between countries continue to cause trouble for cross border data flows, which the Organisation for Economic Co-operation and Development is concerned about.
The declaration is based on an earlier one. Privacy and transborder flows of personal data should be addressed by addressing policy gaps affecting the cross-border flow of personal data.
A set of agreed principles for how governments say they will acquire and use private sector user data to be out there, in writing, building trust that surveillance practices have reformed, are regulated, and are becoming increasingly aligned between economically allied nations, is what the Organisation for Economic Co-operation and Development
The seven principles are summarized in a few words.
The declaration states that data access by government is provided for and regulated by the country's legal framework that is binding on government authorities and adopted and implemented by democratically established institutions.
Government access supports the pursuit of specified and legitimate aims and is in line with the rule of law. Access can't be used for suppressing criticism or dissent, or disadvantaging people solely on the basis of protected characteristics.
Prior approval requirements are embedded in the legal framework to ensure access is conducted in accordance with applicable standards. The declaration states that these are in line with the degree of interference with privacy and other human rights and freedoms that will occur as a result of government access. Emergency exceptions to approval requirements are included in the legal framework. Upon satisfaction that the approval requirements are met, decisions on approvals are documented and made objectively on a factual basis. Clear rules that impose conditions or limitations on the access, as well as effective oversight, are included in the legal framework where approvals are not required.
Personal data acquired through government access can be handled only by authorized personnel, and this activity is subject to requirements set out in the legal framework, including putting in place physical, technical and administrative measures to maintain privacy, security, confidentiality, and integrity. To the extent appropriate having regard to the context, there are mechanisms to ensure that personal data are processed lawfully, retained only for as long as authorized in the legal framework, and kept accurate and up to date.
The general legal framework for government access is declared to be transparent so that individuals can consider the potential impact of government access on their privacy and other human rights and freedoms. There are mechanisms for providing transparency about government access to personal data that balance the interests of individuals and the public to be informed with the need to prevent the disclosure of information that would harm national security or law enforcement activities, according to the document. Aggregate statistical reports may be issued by private sector entities.
There are mechanisms for effective and impartial oversight to ensure that government access complies with the legal framework. To that end, bodies acting according to their individual mandates have the power to obtain and review relevant information, conduct investigations or inquiries, execute audits, engage with government entities on compliance and mitigation, and receive and respond to reports of non-compliance. Oversight bodies have the financial, human and technical resources to effectively carry out their mandates, according to the declaration. They document their findings, produce reports, and make recommendations which are made public.
The legal framework provides individuals with remedies for violations of the national legal framework. Limitations on the ability to inform individuals whether their data were accessed or whether a violation occurred are included in the declaration. Subject to applicable conditions, available remedies include the cessation of unlawful processing and the deletion of improperly accessed or retained data. Depending on the circumstances, compensation for damages suffered by an individual is possible.
The aim of the declaration is to boost trust and get data moving, according to the press release. They tackle some of the thornier issues that have proved challenging to discuss in the past.
There were concerns that the absence of common principles in the sensitive domain of law enforcement and national security could lead to restrictions on data flows. There is a desire to increase trust in rule-of-law democratic systems that are not identical.
In this digital era, being able to transfer data across borders is essential for everything from social media use to international trade and cooperation on global health issues. Without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, according to the secretary-general of the Organisation for Economic Co-operation and Development. Common standards and safeguards are recognised by the agreement. It will help to enable flows of data between rule-of-law democracies with the safeguards needed for individuals' trust in the digital economy and mutual trust among governments.
The EU just published a draft decision on the adequacy of data exports from the US to Europe. Two prior data transfer deals were struck down by the bloc's top court over concerns about U.S. government snooping. The U.S. has offered its citizens who have concerns about what is being done with their data once it's over the pond, legal uncertainty and the risk of regional shutdown.
One way to reduce the risk of further legal strikes is to push back against a rising tide of data localization around the globe when/if countries feel moved to keep a hold on citizens' data because of security concerns.
The declaration reads like an attempt to lower protectionist barriers that are standing in the way of the digital transformation of the global economy.
This text is just the beginning of a lengthy process. An older version of the text, which was not made public but which we reviewed via a source, contained some substantially different wording on the topic of cross-border data flows that suggests there was appetite among some in the discussion room for the Organisation for Economic Co-operation and Development to take a
The proposal text states that member countries should refuse to restrict cross-border data flows if the destination country observes and implements the principles of the declaration.
In favor of a considerably less ambitious statement of recognition that "where our legal frameworks require that transborder data flows are subject to safeguards, our countries take into account a destination country's effective implementation of the principles as a positive contribution towards facilitating transborder."
The General Data Protection Regulation requires local regulators to suspend data exports to third countries if they believe citizens' data will not get the same legal protection at the destination country.
The EU sent high-level representatives to the meeting of the Committee on Digital Economy Policy in Gran Canaria, Spain, where the declaration was adopted. The bloc seems happy with the outcome. The Commission's spokesman didn't respond to questions about the earlier wording suggesting to replace the regulation of data transfers to third countries with an alternative standard.
An OECD declaration is not legally binding in any case. While this high level statement by members contains commitments to uphold democracy and the rule of law and protect privacy and other human rights and freedoms, it's not clear how much practical impact the declaration will have on the practice of surveilling.
It's not clear if any reconfiguring of Western democracies' troublesome appetite for mass surveillance is even intended for a declaration that talks about wanting to boost trust in data flows.
The members claim to reject any approach to government access of personal data held by private sector entities that is inconsistent with democratic values and the rule of law.
Stakeholders call for more work by governments to protect privacy and freedom of expression, but they only get a passing mention in the text.
Civil society groups have complained that they were prevented from fully participating in the discussion process, with no ability to comment on the final draft ahead of publication, because of the closed door nature of the negotiations to draw up the declaration.
CSISAC, the voice of civil society at the Committee on the Digital Economy Policy, put out a statement after the declaration was published expressing concern.
The removal of civil society's voice in one of the most sensitive and important projects at the Organisation for Economic Co-operation and Development sets a dangerous precedent. Civil society should not be shut out of sensitive discussions in the future.