On December 14, 2022, the members of the Organization for Economic Co-operation and Development (“OECD”) (which includes various EU Member States, Mexico, Turkey, the UK and the United States) and the EU adopted the Declaration on Government Access to Personal Data held by Private Sector Entities (“Declaration”).

The aim of the Declaration is to establish a common set of privacy principles and safeguards to increase trust, and further promote cross-border data flows between the signatory countries.  The principles enshrined in the Declaration will be implemented according to each country’s legal framework.  The Declaration establishes the following shared principles, drawn from existing laws, on government access to personal data held by private entities:

  • Legal basis.  The legal basis for government access to privately held personal data is set out by each country’s legal framework.  This legal framework sets out purposes, conditions, limitations and safeguards concerning government access, so that individuals have sufficient guarantees against the risk of misuse and abuse of their data.
  • Legitimate aims.  Government access must be carried out in a manner that is not excessive in relation to its legitimate aims and must comply with the principles of necessity, proportionality, and reasonableness. 
  • Approvals.  The legal frameworks establish prior approval requirements, specifying the procedure for seeking and granting approval to government access.  These requirements are commensurate with the degree of interference with privacy and other human rights and freedoms.  Stricter requirements are imposed for instances of serious interference or emergency exceptions, which the legal frameworks strictly define. 
  • Data Handling.  Personal data obtained through government access can only be processed by authorized officials.  To achieve this, governments must implement physical, technical and administrative measures to safeguard personal data, which includes processing personal data with a valid legal basis.  In addition, personal data must be retained only for as long as prescribed under the legal framework, taking into account the purpose of processing and the sensitivity of the data.  
  • Transparency.  The legal framework regulating government access must be accessible to the public and each country must put in place appropriate transparency mechanisms on government access to personal data, such as enabling the appropriate oversight bodies to report on government compliance. 
  • Oversight.  There must be effective and impartial oversight of government access to personal data, in compliance with the necessary legal requirements.  Countries’ oversight bodies include, among others, internal compliance, the judiciary, parliamentary committees and independent administrative authorities.  The independence and the functions of these oversight bodies are laid out in accordance with the countries’ legal framework.
  • Redress.  Individuals are entitled to effective redress, where a violation has occurred.  The redress mechanisms might contain limitations in terms of the right to be informed, taking into account national security rules.  Appropriate remedies may include the deletion of personal data, terminating unlawful processing and providing compensation for damages.  

In reaction to the Declaration, European Commissioner for Justice Didier Reynders stated that the above-mentioned commitments do not preclude the requirement for governments to adopt bilateral agreements on the transfer of data to another country.  Nonetheless, the OECD framework could assist companies in proving that they are transferring data to a country that offers a heightened standard of protection of personal data.  In this context, while the European Commission’s final adequacy decision on the EU-U.S. Data Privacy Framework is currently in the pipeline (see our previous blog post), the Declaration could be of particular importance in assessing the level of protection afforded to personal data transferred outside of the EU to one of the OECD countries, such as the U.S.

***

Covington regularly advises companies on all aspects of their international transfers.  Covington’s Data Privacy and Security team is happy to assist with any inquiries relating to the proposed EU-U.S. Data Privacy Framework and other international transfer mechanisms.

Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.