OECD: Declaration on the conditions and limits of “lawful access” by member states

On 14 December 2022, the Organization for Economic Co-operation and Development (OECD), whose members include Switzerland as well as countries such as the UK and the USA (but not the EU, which does, however, participate in the OECD’s work), issued a declaration on public authorities' access to personal data held by private companies (Declaration on Government Access to Personal Data held by Private Sector Entities). It is surely no coincidence that it comes shortly after the draft adequacy decision for the TADPF.

The declaration

  • is a so-called “Substantive Outcome Document”. This OECD instrument is not adopted by the OECD itself, but by the individual countries involved, which have agreed accordingly within the framework of the OECD, here including Switzerland, Turkey, the UK, the USA and the EU. These instruments usually contain rather abstract or long-term goals and, according to the OECD, have “a solemn character”, i.e. they are purely programmatic;
  • is intended to promote confidence in cross-border data flows in the interest of the global economy and to set a standard for how to limit government power in a democracy; and
  • applies to the acquisition and use of personal data held or controlled by private sector entities (including NGOs) for law enforcement and national security purposes, and explicitly also when a company is required to release data that is located in another state.

The declaration is addressed to the member states and requires the following measures:

  • Data access requires a binding, democratically legitimized and sufficiently clear legal basis that provides protection against misuse and misappropriation.
  • Data access may only serve certain legitimate aims and must be proportionate and lawful. In particular, it must not serve the purpose of censorship or discrimination.
  • Access requires prior authorization by the state. If, exceptionally, no approval is required, other protective measures must take effect.
  • Personal data may only be used by authorized persons and only within the framework of the law, which provides for measures to protect legality, proportionality and data accuracy, among other things.
  • There must be controls to prevent, detect, remediate, and report data loss or misuse to regulatory authorities.
  • The regulatory framework must be clear and accessible to the public so that impacts can be identified and examined. The transparency of access must be adequately ensured, taking into account legitimate confidentiality concerns.
  • Supervision by courts or independent authorities must be neutral, effective, adequately funded and accountable.
  • Individuals have effective judicial and extrajudicial remedies. However, it is permissible to restrict the information given to individuals about accesses or violations.



