International: Navigating cross-border data transfers: Implications of the OECD Declaration, OneTrust DataGuidance
Introduction
Cross-border data transfers are a critical issue for organizations navigating the complex global landscape of privacy and data protection regulations.
The Organization for Economic Cooperation and Development (OECD) Declaration on Government Access to Personal Data Held by Private Sector Entities (the OECD Declaration) provides a global framework for lawful, proportionate, and transparent government access to data. While the OECD Declaration is not a binding law and is primarily directed at governments, it has some important indirect implications for private sector organizations. For privacy professionals, understanding the OECD Declaration in conjunction with existing frameworks, such as the General Data Protection Regulation (GDPR), the European Data Protection Board (EDPB) Guidelines 02/2024 on Article 48 GDPR, and the Court of Justice of the EU (CJEU) decision of 16 July 2020 in case C-311/18 Data Protection Commissioner vs. Facebook Ireland and Maximillian Schrems (the Schrems II decision), is essential for managing risks and ensuring compliance related to cross-border data transfers.
In this Insight article, Laura Léonard and David Dumont, from Hunton Andrews Kurth LLP, explore the principles of the OECD Declaration, draw parallels with the Schrems II decision and EDPB Guidelines on Article 48 GDPR, consider the future outlook for cross-border data transfers, and highlight practical considerations for organizations.
The OECD Declaration
The OECD Declaration was adopted in December 2022 to address concerns about transparency, accountability, and proportionality in government access to data held by private organizations. It aims to promote trust in cross-border data flows by establishing common principles that governments should follow when requesting access to personal data for legitimate purposes, such as law enforcement and national security.
The OECD Declaration outlines seven core principles that governments of the OECD countries (including some of the major world democracies) should follow when accessing personal data held by private organizations:
- Legal basis - Government access must be grounded in clear and publicly available laws.
- Legitimate aims - Access should pursue specific, legitimate aims, such as combatting crime or protecting national security, and should not be used to suppress dissent or otherwise interfere with fundamental rights.
- Approvals - Access should be subject to approval requirements commensurate with the degree of interference with privacy and other rights, which may take the form of prior authorization by a court or another body independent of the requesting agency.
- Data handling - Personal data collected should be managed securely, retained only as long as necessary, and protected against misuse.
- Transparency - Governments should publish information about their data access laws and practices to allow individuals to consider the potential impact of government access on their privacy and other human rights and freedoms. Organizations should also be allowed to disclose aggregate statistical reports on government access requests.
- Oversight - Independent oversight mechanisms, through bodies including internal compliance offices, courts, parliamentary or legislative committees, and independent administrative authorities, should monitor government access to ensure compliance with the law and protect individual rights. Oversight bodies are protected from interference in the exercise of their functions and have appropriate resources to effectively carry out their mandate.
- Redress - Individuals must have access to effective judicial and non-judicial redress to identify and remedy infringements of the national legal framework, such as terminating access, deleting improperly accessed or retained data, restoring the integrity of data, and cessation of unlawful processing. Available remedies may also include compensation for damages suffered by an individual, depending on the circumstances.
These principles establish a baseline for aligning global practices, complementing existing legal frameworks like the GDPR, and contributing to harmonized international standards for government access.
Interplay with the Schrems II Decision and EDPB Guidelines on Article 48 GDPR
The OECD Declaration aligns closely with concerns raised in the Schrems II decision and the EDPB Guidelines 02/2024 on Article 48 of the GDPR, both of which address government access to data in the context of international transfer restrictions.
Read together, the OECD Declaration, the Schrems II decision, and the EDPB Guidelines give organizations a reference framework for handling access requests from third-country authorities and the cross-border data transfers those requests entail.
Schrems II Decision
In the Schrems II decision, the CJEU invalidated the EU-US Privacy Shield framework, finding that US surveillance practices lacked proportionality and effective redress mechanisms for EU individuals.
With respect to the Standard Contractual Clauses (SCCs) issued by the European Commission for the transfer of personal data outside of the EU, the CJEU confirmed that organizations may continue to rely on them to transfer EU personal data to third countries that have not been recognized as providing an adequate level of data protection. However, when doing so, organizations must conduct transfer risk assessments. This means assessing whether, with regard to the nature of the data, the purposes and context of the processing, and the law and practice of the country of destination, the SCCs can in fact deliver a level of protection essentially equivalent to that guaranteed in the EU, and, where they cannot, whether supplementary measures can close the gap. This includes looking at the safeguards in place for third-party access to the data, particularly access by public authorities in the destination country.
Similar to the OECD Declaration, the Schrems II decision emphasized the need for government access to be grounded in clear and publicly available laws. In addition, the Schrems II decision highlighted the importance of effective redress mechanisms for individuals whose data is being accessed by foreign (surveillance) authorities, a gap the OECD Declaration aims to address.
While non-binding, the OECD Declaration was regarded, at the time of its adoption, as carrying significant international political weight, with the expectation that it might help foster a shift in the challenging transatlantic political landscape surrounding government access practices.
The OECD Declaration was followed in July 2023 by the European Commission's adequacy decision for the EU-US Data Privacy Framework, which concluded years of negotiations between the EU and the US after the invalidation of the EU-US Privacy Shield in the Schrems II case.
EDPB Guidelines on Article 48 GDPR
Article 48 of the GDPR provides that a judgment of a court or tribunal, or a decision of an administrative authority, of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the EU or a Member State, without prejudice to other grounds for transfer under Chapter V of the GDPR.
The EDPB Guidelines on Article 48 GDPR (which are currently under public consultation) focus on situations where organizations in the EU receive requests from third-country authorities to disclose or transfer personal data. In its Guidelines, the EDPB stresses that judgments or decisions from third-country authorities cannot automatically or directly be recognized or enforced in an EU Member State. As a general rule, cross-border data transfers related to data access requests should rely on international agreements to ensure lawful government access, such as a mutual legal assistance treaty in force between the requesting third country and the EU or an EU Member State.
Similarly, the OECD Declaration requires that government access be grounded in clear legal frameworks. The EDPB Guidelines require organizations to assess the adequacy of the recipient country's legal framework, particularly focusing on laws governing access to data. This aligns with the OECD Declaration's call for legal clarity and accountability in data access practices. Both the OECD Declaration and the EDPB Guidelines encourage the use of supplementary measures to protect transferred data. These measures may include encryption, pseudonymization, and contractual obligations that limit the scope of data access requests. In addition, both the EDPB Guidelines and OECD Declaration emphasize that government access should be proportionate to the legitimate aim pursued. This principle is particularly relevant when addressing concerns about bulk data collection or overly broad government surveillance practices. Finally, the EDPB Guidelines align with the OECD Declaration's principles of transparency and redress, requiring organizations to ensure that data subjects have access to effective remedies and that governments provide transparency about their data access practices.
Overall, the OECD Declaration and EDPB Guidelines are complementary tools that provide clarity on how government access to data should be managed. While the OECD Declaration is aimed at governments, the EDPB Guidelines focus on how private organizations should navigate conflicts between foreign legal demands and GDPR requirements.
Impact and practical considerations for private organizations
The OECD Declaration is primarily directed at governments in OECD countries and does not impose direct obligations on private organizations. However, for some organizations, the OECD Declaration may have concrete repercussions. For others, the impact is likely going to be more indirect, but it may still provide valuable insights.
Certain organizations, particularly those operating in industries like technology, telecommunications, or financial services, may encounter more tangible repercussions from the OECD Declaration, as they are likely to handle government access requests frequently. Taking into account the OECD Declaration, those organizations may need to refine their policies for documenting and, where legally permitted, disclosing government access requests in aggregate statistical reports to align with the transparency principle of the OECD Declaration. Companies that regularly receive government access requests may also use the OECD Declaration principles as a framework for assessing and responding to such requests. This includes verifying that requests are lawful, specific, necessary, and authorized by an independent body. Although the OECD Declaration does not directly impose these obligations, they represent practical steps for organizations to align with the principles.
For the majority of private organizations that do not frequently receive government access requests, the impact of the OECD Declaration is indirect but still relevant, as its principles offer a reference point for broader compliance strategies. The OECD Declaration's principles can help organizations evaluate the risks associated with cross-border transfers, particularly to jurisdictions with extensive government surveillance practices: a destination country whose access regime departs from the Declaration's principles on legal basis, approvals, oversight, or redress is one where a transfer risk assessment is likely to call for supplementary measures. The OECD Declaration's focus on transparency, oversight, and safeguards therefore complements existing transfer requirements in the EU, such as conducting transfer risk assessments (as required following the Schrems II decision, see above) and implementing supplementary measures to ensure that transfers of personal data are afforded an adequate level of protection. Adopting the principles of the OECD Declaration as part of an organization's internal policies can help strengthen the organization's data governance framework and enhance compliance with international standards.
Overall, by understanding the principles of the OECD Declaration, private organizations can refine their compliance strategies, better navigate complexities, and mitigate risks associated with cross-border data flows.
Future outlook for cross-border data transfers and recommendations for privacy professionals
The geopolitical and regulatory landscape will continue to shape the future of cross-border data transfers. The OECD Declaration provides a foundation for trust and collaboration, but several challenges and opportunities lie ahead.
Rising tensions between major economies may lead to increasing data localization requirements, particularly in sensitive sectors such as finance and telecommunications. They may also lead to greater regulatory scrutiny of international data transfers, creating additional compliance obligations for multinational organizations.
However, the OECD Declaration represents a step toward greater alignment of global data protection standards. By encouraging interoperability with frameworks like the GDPR, the OECD Declaration has the potential to reduce legal fragmentation and promote consistent practices.
Conclusion
The OECD Declaration marked a significant step in addressing the challenges of cross-border transfers and providing a framework for lawful and proportionate government access. It introduced practical considerations to enhance transparency, accountability, and compliance for private organizations receiving government access requests regularly. For others, it offered valuable insights into managing risks and aligning with global best practices.
With the combined understanding of the Schrems II decision and EDPB Guidelines on Article 48 GDPR, the OECD Declaration may equip private organizations with the tools to navigate the evolving regulatory landscape and ensure compliance in an increasingly interconnected world.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.