The Organisation of Economic Cooperation and Development ('OECD') announced, on 14 December 2022, the adoption of the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities. In particular, the OECD highlighted that 38 countries and the EU signed up to the Declaration, which clarifies how national security and law enforcement agencies can access personal data under existing legal frameworks. Further, the Declaration notes the commitment to free data flows to promote confidence in individuals and businesses on cross-border data transfers.

More specifically, the OECD outlined that the Declaration rejects any approach by governments to access personal data which are inconsistent with democratic values and the rule of law. Furthermore, the Declaration sets out a range of principles under which governments may access personal data held by organisations. These include:

• legal basis: legal frameworks which set out the purposes, conditions, limitations, and safeguards concerning access, such that individuals have sufficient guarantees against the risk of misuse and abuse;
• legitimate aims: governments seek access only for specified and legitimate aims, and do not seek personal data for the purpose of suppressing or burdening criticism or dissent, or disadvantaging persons or groups solely on the basis of particular characteristics;
• approvals: prior approval requirements for government access to personal data to ensure access is conducted in accordance with standards, rules, and processes, and that stricter approval requirements are put in place for serious interference, while decisions should also be documented;
• data handling: personal data access should only be handled by authorised personnel, and internal controls and requirements used to prevent loss or unauthorised access;
• transparency: ensuring that the general legal framework for government access is clear and easily accessible, and that mechanisms exist to provide transparency about government access, with such mechanisms including public reporting by oversight bodies on compliance with such requirements;
• oversight: ensuring effective and impartial oversight for compliance with the legal framework, including internal compliance offices, courts, and parliamentary or legislative committees; and
• redress: ensuring individuals have effective judicial and non-judicial redress to identify and remedy violations of the national legal framework, taking into account the need to preserve the confidentiality of national security and law enforcement activities.

You can read the announcement here and the Declaration here.