The 38 member nations of the Organisation for Economic Co-operation and Development (OECD) and the European Union have signed a notable privacy agreement aimed at improving transparency in government access to personal data held by private companies.
The privacy agreement consists of a list of “shared principles” drawn from “commonalities” in existing national laws. The OECD includes the United States, Canada, Australia, New Zealand, Japan, Korea and Mexico among its members, and some of these countries have limited or no data privacy laws at the national or federal level.
Privacy agreement meant to address concerns about mass surveillance
Cross-border data transfers have become a major international concern since the Schrems II court ruling in Europe put a spotlight on the issue. With the EU’s involvement, the OECD agreement represents the first broad intergovernmental privacy agreement on building parity in data protection frameworks.
The heart of the international data transfer issue is government access to the personal data of foreign citizens that crosses its borders. The OECD privacy agreement rejects approaches that are “inconsistent with democratic values and the rule of law” and calls for members to develop safeguards rooted in common values to guide government data purchases, government access to publicly available data, and voluntary disclosures to national security and law enforcement agencies.
The privacy agreement is a major development, as it updates an OECD recommendation that had been put in place in 1980, well before anyone could imagine the level of internet and device access that is available today. It does not create any sort of formal framework or make an immediate change to any member nation’s data handling practices, but it does create an agreement in principle that can be used as a foundation to build out data transfer relationships.
Seven specific principles are named in the agreement. The first is establishment of a legal basis for government access to data in each member country that offers “sufficient guarantees against the risk of misuse and abuse” along with “purposes, conditions, limitations and safeguards” that are supported by rule of law.
The privacy agreement expands on the “purposes and conditions” with its second principle, which addresses legitimate aims that are in keeping with legal standards and not excessive. This principle specifically names the suppression of political dissent or government criticism as unacceptable aims, as well as various forms of demographic profiling.
Prior approval requirements are also named as a principle, and emergency exceptions involving government access must be “clearly defined” and have an approval process that is “appropriately documented.” Clear rules that restrict access to necessary purposes are also required for situations in which prior approval is not required.
The privacy agreement principles also call for data handling only by authorized and qualified personnel, the establishment of well-funded oversight bodies that are free of interference, and both judicial and non-judicial redress processes for data subjects.
A path toward better-regulated government access
The privacy agreement has been hammered out amidst lingering uncertainty about how international data transfers will function going forward, especially under the EU’s stringent requirements. The US is in the midst of attempting to work out a new transfer framework to replace the one that was eliminated by Schrems II; a draft proposal was recently given the green light from the European Commission, but first faces scrutiny from other stakeholders in the bloc, and then almost certainly another Schrems court challenge if it ends up being adopted.
Government access has always been at the heart of this upheaval, with the Snowden leaks of nearly a decade ago providing the central motivation for the series of Schrems lawsuits. Western nations have responded differently in terms of data protection measures, and many are loath to give up government access to data flows, but there is increasing awareness that this incompatibility in laws and perception of widespread foreign surveillance is creating a risk of serious negative economic impacts.
The agreement creates some degree of potential, but does not yet illuminate a clear path forward. A number of the signatories have had recent issues with government surveillance that are clear violations of the listed principles. For example, Mexico was the earliest known adopter of the controversial Pegasus spyware and initially used it to track drug kingpins, but reports indicate that the cartels have since obtained it for themselves (potentially via corrupt government contacts) and that both journalists and presidential candidates have been targeted for tracking by unknown parties. Turkey has also faced heavy international criticism for its media laws and for targeting journalists for surveillance and arrest.
It also remains unclear if the privacy agreement will help the case of a number of countries on the list that are not considered adequate data transfer partners under EU law. David Maynor, Senior Director of Threat Intelligence for Cybrary, believes that this proposal needs to be followed up with something more concrete before it will really be meaningful: “There is plenty of cross-border data flow now; malicious or shady actors are doing it. This agreement makes all the typical missteps of focusing on theoretical or academic issues rather than addressing the day-to-day concerns of Data Care*. An agreement should also include provisions for the proper ongoing training for cybersecurity training for those involved in data handling since the two biggest threats affecting this type of data will be insiders performing attacks or mishandling data and ransomware actors. Flowery language does not increase the survivability and integrity of data in either case.”