Gentlemen’s Rules for Reading Each Other’s Mail: The New OECD Principles on Government Access to Personal Data Held by Private Sector Entities
In 1929, U.S. Secretary of State Henry Stimson famously shut down an intelligence program that deciphered encrypted international cables, indignantly proclaiming that “a gentleman doesn’t read somebody else’s mail.” Nearly a century later, the vast increase in the amount of information held by private companies about individuals (a result of the boom in digital communications) has proved to be an irresistible attraction for national security and law enforcement agencies across the globe. In response to concerns about how security services handle the personal data they collect, the Organization for Economic Cooperation and Development (OECD) recently finalized a Declaration on Government Access to Personal Data Held by Private Sector Entities (OECD Principles), which aims to document the range of protections member governments already have in place for the individuals’ data they access.
National security agencies have long ordered companies to provide access to information stored within their borders. For instance, the U.S. Foreign Intelligence Surveillance Act (FISA) authorizes court-approved surveillance of agents of foreign powers; Section 702 of FISA allows the government to compel U.S. electronic communication service providers to assist in targeting non-U.S. persons reasonably believed to be located abroad.
These agencies also utilize clandestine means to directly gain access to communications outside their territories without the consent or knowledge of the data repositories. In 2013, Edward Snowden revealed in some detail how the United States has conducted such programs under the omnibus authority of Executive Order 12333, which allows for measures such as tapping into foreign communications networks. Public attention, particularly in Europe, to the scope and scale of U.S. signals intelligence collection spiked in the aftermath of Snowden’s disclosures. And in the following years, European security agencies’ own practices gradually attracted greater attention from the press and the public, as well as from their own governments.
Law enforcement agencies’ powers to collect evidence stored in foreign jurisdictions have also recently garnered increased attention. In particular, the U.S. Cloud Act, adopted in 2018, confirmed that warrants and other orders under the Stored Communications Act reach personal data held outside the United States so long as it is in the “possession, custody, or control” of electronic communications service providers. A number of European countries, including Belgium, exercise comparable power to compel the production of foreign-located electronic evidence for domestic criminal investigations.
Privacy and human rights advocates have pushed for greater controls on, and transparency about, governments’ data access and acquisition practices. Over time, governments have adopted protections for individuals—such as independent oversight—that focus on the interests of their own citizens, not foreigners. Any sort of international comparative discussion of government access rules to foreign data was largely off-limits.
That changed on Dec. 14, 2022, with the issuance of the OECD Principles. The United States is one of the 38 OECD members, and the EU also participates in the organization’s work. The declaration capped an unusual two-year negotiation among national security and law enforcement officials to capture the “significant commonalities” characterizing how “rule-of-law democratic systems” regulate their access to personal data in the possession of private-sector entities such as communications companies. As the OECD notes, it is “the first intergovernmental agreement” on the subject.
The OECD Takes Up Government Access
At the request of the Group of 20 (G-20) in 2020, the OECD began working to address the subject of “data free flow with trust.” The OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, last updated in 2013, have long served as a fundamental reference point for maintaining trust in data flows. OECD member governments are exempt from following these guidelines for reasons of “national security and public policy.” The OECD’s new project on government access set out to illuminate the national protections built within those exemptions.
The OECD’s Committee on Digital Economic Policy established an informal expert group that met 18 times in 2021-2022 to hammer out common principles reflecting member states’ law and practices on government access to personal data held by private-sector entities. The work proceeded in fits and starts. In mid-2021, negotiations broke down temporarily over a dispute, principally between the United States and the European Union, about whether the governments would address not only their legal frameworks for obliging companies to provide access to data but also so-called direct access, where governments act by clandestine means to obtain such information outside their national territory without companies’ knowledge.
One goal of the OECD was to “increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities[,]” while the other was to “provide a standard for how democratic, rule-of-law based systems limit and constrain government power in contrast with approaches that are unconstrained, unreasonable, arbitrary or disproportionate, in violation of human rights and in breach of international obligations” (emphasis added).
In other words, the principles aim to be both descriptive and exemplary, coming at a time of proliferating technological means for information access in authoritarian countries.
In line with these purposes, the OECD document takes the form of a nonbinding declaration, not a convention binding under international law like, for instance, the OECD Anti-Bribery Convention. Declarations are a well-established feature of the international law landscape, and they can have normative significance over time. The United Nations’ Universal Declaration of Human Rights, for example, is a similar “soft law” instrument that influenced a generation of human rights treaties; its content today is largely considered to be part of binding customary international law.
When the declaration was issued, many civil society groups complained that they had not been adequately consulted during the negotiation process. The OECD’s standing committee for consulting civil society on its initiatives, the Civil Society Information Society Advisory Committee, issued a statement decrying that it had been largely excluded from the negotiating process and was not given an opportunity to review the final product, “with which we had meaningful concerns.” The OECD Secretariat’s restrictive treatment of the emerging document was likely due to concern about premature leaks but, nonetheless, came at the price of dissent from a key stakeholder group about the negotiating process.
Business interests also play an established institutional role in the OECD’s work, through the Business at OECD committee. As the subjects of government access demands, companies welcomed the opportunity to contribute their perspectives to the negotiations and effusively greeted the outcome. For example, the Information Technology Industry Council, a trade association representing many technology companies with international interests, called the OECD Principles an “important step” toward greater trust for cross-border data transfers and a “foundation for multilateral collaboration … in the longer term.”
Other external constituencies attempted to influence the drafting process as well. Notably, the Global Privacy Assembly (GPA), an organization made up of data protection authorities from around the globe, adopted a resolution in October 2021 setting out the principles that, in its view, should characterize government access regimes.
Principles for Government Access
One of the most fraught aspects of the OECD negotiation was deciding the scope of the government access activities to which the principles would apply. Including both national security and law enforcement access to personal data held by the private sector was uncontroversial. But, as previously noted, the coverage of some aspects of national security access was contested. The OECD ultimately decided that the principles apply when agencies take actions “within their respective territories.” They also cover “situations where countries have the authority under their national legal framework to mandate that private sector entities provide data to the government when the private sector entity or data are not located within their territory” (emphasis added). Notably, direct access, where governments act extraterritorially without involving private-sector entities, appears to be excluded. From a U.S. law perspective, data demands made under the Cloud Act governing law enforcement access to evidence stored abroad are covered, whereas overseas national security activities premised on Executive Order 12333 are not.
The content of the principles is readily recognizable to commercial data protection lawyers, addressing such standard features as the legal basis and purpose of access, procedural steps for approving access and handling data, transparency, oversight, and redress. However, their substance is nuanced to take account of governments’ needs for discretion and flexibility in the security realm.
For instance, the country’s “legal framework” establishes the legal basis for access (Principle I), but it need not necessarily all take the form of statutory law, as the GPA had advocated. Rather it may also comprise executive measures, as is the case in the United States for national security access under Executive Order 12333.
Principle II—which describes the legitimate aims of government access—is particularly significant from a comparative law perspective. European jurisprudence—as well as the GPA resolution—exclusively utilize the concepts of “necessity” and “proportionality” to measure the relationship of the ends and means of government access. The laws and jurisprudence of some non-EU members of the OECD instead use other analytically similar approaches. Thus, the principle refers to “necessity, proportionality, reasonableness and other legal standards that protect against the risk of misuse and abuse” (emphasis added). Reasonableness is a well-known judicial standard in countries with Anglo-American legal systems. The United States has long argued—including to the Court of Justice of the European Union (CJEU)—that the “reasonableness” test is functionally equivalent to a “necessity and proportionality” analysis.
Prior approval requirements for acquisition of data (Principle III) are set out in the governing legal framework but may not apply in all situations, as befits the security setting. Governments must “appropriately” document prior approval decisions, a formulation that leaves room for such documentation not to be made public. In emergency cases, approval may be delayed until after governments gain access to the data in question. In the United States, for example, national security requests made under FISA Section 702 undergo prior review by the Foreign Intelligence Surveillance Court, but activities under Executive Order 12333 do not.
The data handling principle (Principle IV) addresses the familiar protections of data minimization, retention, and security, but does so in a more flexible way than in the commercial context. Since governments need continued access to collected personal data throughout criminal proceedings or national security investigations, the principles allow retention “for so long as authorized in the legal framework in view of the purpose and taking into account the sensitivity of the data.” There is no hint in this formulation of the restrictive time limits laid down in recent CJEU judgments on European law enforcement and national security agencies’ data retention practices.
The transparency principle (Principle V) likewise takes account of the inherent need for secrecy in the national security and law enforcement setting. It recognizes that the general legal framework for government access is accessible and that oversight bodies checking on compliance with legal requirements engage in public reporting. For example, the U.S. intelligence community significantly increased its level of transparency following the Snowden revelations. Another transparency technique identified under this principle is notifying individuals that the government has accessed their data, but only “where applicable.” This formulation acknowledges that criminal investigators do not tip off criminal suspects about surveillance measures, only revealing that fact later during judicial proceedings.
According to Principle VI, governments provide “effective and impartial oversight” by a variety of means that include internal compliance offices, courts, legislative oversight, and independent administrative authorities. These bodies “are protected from interference and have the financial, human and technical resources to effectively carry out their mandate.” Oversight powers include investigating, auditing, and, in some cases, remedying individual complaints. The principle notably avoids use of the term “independence,” which is a criterion used by the CJEU in assessing whether European data protection authorities are properly structured. The GPA resolution likewise insisted on “independent” oversight. A good example of an oversight body is the U.S. Privacy and Civil Liberties Oversight Board, which has reported, for instance, on the operation of FISA Section 702.
The final principle (Principle VII) elaborates on how governments provide “effective judicial and non-judicial redress” to remedy violations of the legal framework for access to personal data. It indicates that redress in this context may include limitations on informing individuals that their data was obtained or that a violation of law has occurred. Many OECD governments do not provide a judicial forum for contested instances of national security surveillance but, rather, rely on administrative tribunals. For example, in the United States, the new Data Protection Review Court is housed within the Department of Justice.
Implications for Transatlantic Data Transfers
The OECD agreement comes at a propitious moment. Since the 2020 CJEU Schrems II judgment, companies transferring personal data from EU territory to the United States have faced increased obstacles in satisfying European data protection authorities that the U.S. legal regime for government access contains sufficient safeguards. In some cases, European data protection authorities have even considered a theoretical risk of U.S. government access to be unacceptable.
In October 2022, President Biden issued an executive order enhancing safeguards for U.S. signals intelligence activities, as part of a new U.S.-EU Data Privacy Framework (DPF) announced earlier in the year. The European Commission subsequently published a draft decision finding transfers made pursuant to the DPF “adequate” for purposes of EU data protection law.
The United States sought language in the OECD declaration to specify that a member country’s compliance with the principles should prevent another member from limiting data flows between them. This proposal faced “intense pushback from the EU,” because it would have effectively required the EU to grant the United States an adequacy finding. Instead, the declaration states only that a country’s implementation of the OECD Principles should be taken into account “as a positive contribution” toward a determination that cross-border data flows should be facilitated, for example, through an adequacy finding.
Austrian privacy activist Max Schrems already has signaled his intention to challenge the final adequacy decision before the CJEU. In this case, the CJEU would judge whether the U.S. commitments made in the DPF, primarily those relating to redress and necessity and proportionality, comport with the standards laid down in its prior Schrems jurisprudence. Those standards generally do not apply to EU member states’ own government access activities since the EU’s governing Treaty on European Union delimits national security as the “sole responsibility” of each member state. Only in specific areas governed by EU law, such as data retention, has the CJEU examined member state surveillance practices.
The European Court of Human Rights (ECtHR), an organ of the separate, Strasbourg-based Council of Europe, instead exercises judicial control over European governments’ data access practices. The ECtHR’s extensive case law on this topic is more accommodating of government security needs than is the CJEU’s approach. During the earlier phases of the Schrems litigation, the United States repeatedly—but futilely—invoked ECtHR jurisprudence in its briefs, attempting to persuade the CJEU to treat the United States comparably to how the Strasbourg tribunal treats European states. The CJEU’s past practice suggests that it will not consider the OECD declaration as relevant in determining the adequacy of the U.S.-EU DPF, despite the EU’s prominent role in the OECD process.
Nonetheless, the OECD Principles carry international political weight and could contribute to a shift in the difficult transatlantic political environment surrounding government access practices. In choosing to release its draft U.S. adequacy finding during the very same week that the OECD declaration was issued, the European Commission may have been aiming to take advantage of the two documents’ common direction of travel.
Similarly, even if the CJEU takes no formal notice of the OECD Principles, its judges cannot help but be aware of this multilateral effort to define the protections embedded in government access practices. If the court is inclined to put an end to the long transatlantic disagreement on this subject, it might well derive comfort from the OECD’s demonstration that U.S. privacy and due process safeguards in the national security and law enforcement context are in fact in the international mainstream.
The OECD declaration is a notable accomplishment because it demonstrates the surprising degree of commonality in data access safeguards applied by developed democracies’ national security and law enforcement agencies. The achievement is all the more striking since these agencies, for obvious reasons, tend to be publicity shy.
Still, it is fair to question, as have some civil society groups, including the Future of Privacy Forum, how much of a breakthrough the OECD Principles actually constitute. They can be read as self-congratulatory, declaiming to the rest of the world that democracies’ government access practices already are protective of human rights. In addition, the exercise has a largely defensive quality, aimed at assuaging “trust” concerns that have led to increasing restrictions on trans-border data transfers.
Issuance of the OECD Principles does not exhaust the opportunities for multilateral work on governments’ access to personal data. The declaration itself “notes” calls for additional work on other types of data access, including governments’ purchase of commercially available private-sector databases, their resort to publicly available personal data, and their reliance on voluntary disclosures to law enforcement and national security authorities. The OECD refrained from making any commitment to take up these subjects, but they are logical next steps.
The OECD also should consider comprehensively documenting its members’ national laws and practices on government access. No such compendium currently exists. The EU’s own Fundamental Rights Agency has issued two reports on EU member states’ practices, but the information they contain is incomplete and increasingly dated. More authoritative reporting across the OECD membership would demonstrate that the declaration’s commitment to transparency is being taken seriously.
International law often advances in small steps, beginning with soft-law instruments and gradually becoming more ambitious. The OECD has made a promising beginning, but the work of assuring citizens that there are serious controls on those who would read their mail is far from done.