The Organization for Economic Co-operation and Development (OECD), whose members include, in addition to Switzerland, countries such as the UK and the USA (but not the EU, which does, however, participate in the OECD’s work), issued on 14 December 2022 a declaration on public authority access to personal data held by private companies (Declaration on Government Access to Personal Data held by Private Sector Entities). It is certainly no coincidence that it comes shortly after the draft adequacy decision for the TADPF.
The declaration
- is a so-called “Substantive Outcome Document”. This OECD instrument is not adopted by the OECD itself, but by the individual countries involved, which have agreed accordingly within the framework of the OECD organization, here including Switzerland, Turkey, the UK, the USA and the EU. These instruments usually contain rather abstract or long-term goals and, according to the OECD, have “a solemn character”, i.e. they are purely programmatic;
- is intended to promote confidence in cross-border data flows in the interest of the global economy and to set a standard for how to limit government power in a democracy; and
- applies to the acquisition and use of personal data held or controlled by private sector entities (including NGOs) for law enforcement and national security purposes, and explicitly also when a company is required to release data that is located in another state.
The declaration is addressed to the member states and requires the following measures:
- Data access requires a binding, democratically legitimized and sufficiently clear legal basis that provides protection against misuse and misappropriation.
- Data access may only serve certain legitimate aims and must be proportionate and lawful. In particular, it must not serve the purpose of censorship or discrimination.
- Access requires prior state authorization. If, exceptionally, no approval is required, other protective measures must take effect.
- Personal data may only be used by authorized persons and only within the framework of the law, which provides for measures to protect legality, proportionality and data accuracy, among other things.
- Controls must be provided to prevent, detect, remediate, and report data loss or misuse to regulatory authorities.
- The regulatory framework must be clear and accessible to the public so that impacts can be identified and examined. The transparency of access must be adequately ensured, taking into account legitimate confidentiality concerns.
- Supervision by courts or independent authorities must be neutral, effective, adequately funded and accountable.
- Individuals have effective judicial and extrajudicial remedies. However, it is permissible to restrict the information given to individuals about access or violations.