Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

International: OECD publishes agreement on government access to personal data

The Organisation of Economic Cooperation and Development ('OECD') announced, on 14 December 2022, the adoption of the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. In particular, the OECD highlighted that 38 countries and the EU signed up to the Declaration, which clarifies how national security and law enforcement agencies can access personal data under existing legal frameworks. Further, the Declaration notes the commitment to free data flows to promote confidence in individuals and businesses on cross-border data transfers.

More specifically, the OECD outlined that the Declaration rejects any approach by governments to access personal data which are inconsistent with democratic values and the rule of law. Furthermore, the Declaration sets out a range of principles under which governments may access personal data held by organisations. These include:

  • legal basis: legal frameworks which set out the purposes, conditions, limitations, and safeguards concerning access, such that individuals have sufficient guarantees against the risk of misuse and abuse;
  • legitimate aims: governments seek access only for specified and legitimate aims, and do not seek personal data for the purpose of suppressing or burdening criticism or dissent, or disadvantaging persons or groups solely on the basis of particular characteristics;
  • approvals: prior approval requirements for government access to personal data to ensure access is conducted in accordance with standards, rules, and processes, and that stricter approval requirements are put in place for serious interference, while decisions should also be documented;
  • data handling: personal data access should only be handled by authorised personnel, and internal controls and requirements used to prevent loss or unauthorised access;
  • transparency: ensuring that the general legal framework for government access is clear and easily accessible, and that mechanisms exist to provide transparency about government access, with such mechanisms including public reporting by oversight bodies on compliance with such requirements;
  • oversight: ensuring effective and impartial oversight for compliance with the legal framework, including internal compliance offices, courts, and parliamentary or legislative committees; and
  • redress: ensuring individuals have effective judicial and non-judicial redress to identify and remedy violations of the national legal framework, taking into account the need to preserve the confidentiality of national security and law enforcement activities.

You can read the announcement here and the Declaration here.