Published by The Lawfare Institute
in Cooperation With
In December 2020, governments belonging to the Organization for Economic Cooperation and Development (OECD) quietly embarked on an unprecedented exercise to formulate common principles governing their access, for national security and law enforcement purposes, to personal data held by the private sector. The project is based on the premise that these democratic governments, despite divergences in their legal systems, share many commonalities in this area, and that articulating them can help restore trust in data flows between countries and highlight their differences from authoritarian regimes that engage in indiscriminate access to individuals’ data.
In recent months, however, the OECD’s path to identifying common limits on government access has been characterized by disputes and delays. After an impasse that stalled progress during the second half of 2021, the OECD has recently resumed work on the project. The stakes are significant: Can this multilateral project help restore trust in how governments access personal data, in a world in which transnational data flows have often become indispensable.
Here we explore the excercise’s origins, the extent to which there has been agreement—and disagreement—to date, and its relationship to other efforts to balance national security and data protection, such as the U.S.-EU negotiations on a successor to the Privacy Shield. We draw upon OECD documents that have been made available to us, as well as interviews we conducted with governments, institutions, companies and scholars.
Why Governments Access Personal Data
In today’s digital world, governments hold significant amounts of information about individuals. And even more is held by private companies, ranging from cloud service providers to other companies storing data in local servers. Personal data held by the private sector may be valuable for many government purposes, such as public health efforts in response to the coronavirus and regulation of financial markets. Among the most important purposes for government access to data are national security and law enforcement.
Over the past decade, there has been heightened international scrutiny of U.S. intelligence agencies’ access to privately held data, beginning with Edward Snowden’s 2013 revelations about the scope and scale of U.S. signals intelligence collection. Keeping the issue in the spotlight were the 2015 and 2020 Schrems judgments by the Court of Justice of the European Union (CJEU) that terminated data transfers under the EU-U.S. Safe Harbor framework and later the Privacy Shield. The CJEU ruled that the U.S. legal regime for international surveillance did not offer protections equivalent to those required by European law. Subsequent European attention to the activities of the U.S. National Security Agency has broadened gradually into comparative scrutiny of other Western democracies’ counterpart national security surveillance regimes.
Another big reason why governments seek to access data held by the private sector relates to law enforcement needs. Cloud computing’s meteoric rise has troubled law enforcement as relevant evidence is commonly held by service providers on private servers located in another country, leading to the “globalization of criminal evidence.” Indeed, the European Commission has found that over half of all European criminal cases now involve electronic evidence held in different countries.
Countries worldwide are responding with new laws facilitating international access, such as the U.S. CLOUD Act, or legislative proposals, such as the pending E-evidence regulation in the EU. These initiatives have consequences for privacy and human rights. They not only change the procedures by which law enforcement gathers evidence but also increase the risk of international conflicts of laws and pose challenges for internet governance.
Proliferating efforts by governments to access data for national security and law enforcement purposes, in turn, have prompted mistrust and hostile reactions from other jurisdictions. One response has been to advocate the adoption of rules and practices that require data to be retained locally. Data localization mandates, however, are harmful for international trade and cooperation, and the case for such mandates is weaker where equivalent privacy protections apply in the other jurisdiction.
How Governments Access Personal Data
The OECD’s work identified several methods by which governments access personal data held by the private sector for national security or law enforcement purposes. For instance, governments may purchase data from the private sector, taking advantage of the rapid proliferation of data brokers. Companies also sometimes voluntarily provide national security or law enforcement agencies with data they hold, if they suspect it relates to a criminal offense. A social media platform, for example, may voluntarily identify to a law enforcement agency someone who has shared child pornography or other illegal content online.
Two major methods are compelled (or obliged) access and direct (including covert) access. In democratic countries, a law enforcement agency compels access by relying on formal legal process, such as obtaining a judicial warrant; intelligence agencies often act based on an administrative authorization. Non-democratic countries, by contrast, may use coercion or sanctions.
Direct access refers to situations in which intelligence agencies themselves undertake efforts to obtain data held by a private actor without asking the company to provide it and, indeed, in nearly all cases without the private actor even knowing that the government is trying to access the data. This could be carried out, for instance, via signals intelligence and interceptions, covert espionage operations, or hacking.
OECD Negotiations Begin
During its 2019 presidency of the Group of 20 (G-20) governments, Japan proposed an initiative on “data free flow with trust,” aiming to highlight the link between government access and international transfers of personal data privately held for commercial purposes. A contemporaneous World Economic Forum study highlighted both the economic benefits of data transfers and the importance of cross-border sharing for law enforcement purposes, stating that the latter should “only be pursued where it is legitimate.”
The OECD then took up the G-20 initiative, as a logical consequence of its long-standing expertise in economic law and in privacy dimensions of data held by the private sector. Its 1980 Privacy Guidelines, last updated in 2013, have long been an important international reference point for governments and companies as a means of maintaining trust in data flows. The OECD also previously had addressed law enforcement dimensions of international business, through the 1999 Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.
In December 2020, the OECD’s Committee on Digital Economic Policy (CDEP) decided to make the subject a priority and issued terms of reference for an informal working group of members to pursue. The committee stated that it was motivated by concern about “government practices that fail to preserve trust, namely through unconstrained, unreasonable, or disproportionate requirements by governments that compel access to personal data held by the private sector.” It added that “the absence of common principles for trusted government access to personal data may lead to undue restrictions on data flows resulting in detrimental economic impacts.” The goal of the exercise would be to “elaborate a set of common and coherent good practices and legal guarantees from across OECD countries for best reconciling law enforcement and national security needs for data with protection of individual rights.” The committee contemplated a formal nonbinding OECD legal instrument as a potential outcome of the project.
Representatives from 23 of the 38 OECD member countries and the European Union then set to work in an informal drafting group, with the assistance of the OECD Secretariat and two outside rapporteurs, Thorsten Wetzling of Germany and Alex Joel of the United States. Several member countries assigned experts from privacy, law enforcement, and national security agencies to participate in the project, while many others relied on diplomats at their OECD representations. The drafting group held 11 private virtual meetings during the first half of 2021. It also consulted with two OECD standing advisory committees, Business at OECD (BIAC) and the Civil Society Information Society Advisory Committee (CSISAC).
Draft Principles for Compelled Access Emerge
By the middle of 2021, the drafting group had tentatively developed a broad statement of commitments applicable to all methods of government access to personal data held by the private sector. It identified common data protection safeguards such as proportionality, transparency, and the existence of oversight and redress mechanisms. However, it did not define precisely how these safeguards would be employed, which would depend on each country’s legal framework and relevant circumstances.
In addition, the drafting group arrived “with a high degree of commonality and consensus” at a set of seven more detailed principles applicable specifically to the subset of compelled or obliged access, according to a nonpublic June 24 OECD Secretariat internal document. The key elements of the seven detailed principles are as follows:
Legal bases: Law enforcement and national security agencies act under a legal basis for obliged access, but the national legal framework for doing so may be less transparent than applies in the private-sector context. Accordingly, the legal framework for obliged access is publicly available “to the greatest extent possible.”
Pursuit of legitimate aims: The national legal framework sets out legitimate aims for law enforcement and national security access, ensures that the scope of data acquisition and use is consistent with the specified purpose, and documents incidences of access for subsequent oversight and redress purposes. The draft text brackets language on whether to describe these standards as reflecting “proportionality,” a term found in EU data protection law but not utilized by all OECD member states’ legal systems.
Requirements for approval: This principle acknowledges that governments have legally established procedural requirements for government access requests that are commensurate with the extent of interference with individual rights. At the same time, procedures vary depending on the seriousness of the interference; in certain cases, prior approval of an access request is obtained not within a government’s executive branch but, rather, via an independent judicial or administrative body.
Handling of personal data: Data obtained through obliged access is handled in a way that maintains its security and integrity, retained only for so long as legally authorized, and deleted if not authorized for retention. Handling requirements also are designed to enable oversight bodies later to review collection and use.
Transparency: The transparency principle, like several others, recognizes that government access legal frameworks may be less transparent than is afforded by the private sector. Obliged access regimes are transparent and publicly available “to the greatest extent practicable.” While individuals have the right to request the disclosure of the data that agencies have collected about them, a government may prevent the disclosure of classified information for a period of time.
Oversight: This principle recognizes the existence of “a range” of mechanisms for oversight of obliged access, ensuring reporting and remedying instances of noncompliance. Oversight authorities can conduct impartial investigations and audits and to document their findings through regular reports.
Redress: “Effective” redress is conducted by independent bodies such as courts as well as by other impartial entities. These institutions may require correction or deletion of data, or award compensation for damages. If the information obtained through obliged access is later used in a criminal prosecution, the prosecuted individual has the right to obtain and challenge it. This notification right may be limited or deferred, however, “due to legitimate government need to protect the lives and integrity of national persons or national security or law enforcement information and investigations.”
Divisions Emerge on Scope of OECD Work
In the summer of 2021, as the drafting group’s work on obliged access approached completion, a lurking disagreement among negotiators over the scope of the exercise turned into a major split.
One group, including the United States and other governments, urged quick action to finalize the principles for obliged access demands imposed by governments on private-sector entities. They argued that since OECD members have relatively similar obliged cross-border access practices, limited agreement in this area could be achieved quickly. They also argued that the traditional mission of the OECD has been to facilitate trade by the private sector, and that the subject of compelled access had generated most of the concerns about transborder transfers of personal data by companies.
A second group, the European Commission among them, urged that principles for all types of government access, including direct access, first be developed for incorporation into a consolidated legal instrument. They pointed to the greater citizen trust that would result from an accord addressing all forms of government access to data. (Although the commission does not have voting rights at the OECD, EU members are bound to cooperate with it on external affairs. Under EU law, its members retain control over matters of national security, however.)
The OECD Secretariat suggested alternative ways forward, reflecting the divergence among the participants. Under a “two-track” approach, the CDEP would first review the seven principles focusing on obliged access and decide whether and how to embody them in a nonbinding OECD legal instrument. At the same time, it would commission detailed longer-term work on the other elements of the 2020 mandate—voluntary acquisition or purchase of data by law enforcement or national security agencies and, most delicately, direct access. In other words, under this option, the principles on obliged access could be harvested as the first fruit of the OECD’s work, while subsequent work on the other access methods proceeded.
An alternative “one-track” approach would prioritize the development of draft principles with a broader scope, covering all methods of government access, including direct ones. The Secretariat also identified a third, fallback option: suspending all further work until additional resources were obtained through the OECD’s next budget cycle.
The disagreement within the OECD unfolded against the backdrop of the ongoing U.S.-EU negotiation to repair features of the U.S.-EU Privacy Shield framework. The CJEU in its 2020 Schrems II judgment had found that elements of the U.S. foreign surveillance regime relating to redress and proportionality did not meet the requirements of the EU’s Charter of Fundamental Rights. It had considered not only obliged access requests by U.S. national security agencies under the Foreign Intelligence Surveillance Act (FISA) but also covert access rules under Executive Order 12333, a separate legal authority. An OECD agreement limited to obliged access, excluding direct access, thus could have been perceived as downplaying the importance of reaching trans-Atlantic agreement on direct access, such as under Executive Order 12333.
Corporations with major stakes in a stable international data transfer regime were caught in the middle. The Information Technology Industry Council, a Washington-based lobby group for major technology companies, had gone on record as urging the Biden administration to “prioritize achieving multilateral consensus (like at the OECD) that reconciles law enforcement and national security processes with the protection of individual rights.” BIAC preferred the two-track approach, but it also was eager to see the OECD promptly take up direct access. Above all, the multinational businesses did not want to see the OECD process fail, due to the importance of the issues and because it has afforded them a rare foothold in intergovernmental development of rules for national security access to personal data that had been entrusted to companies for commercial reasons.
Faced with these competing approaches to finalizing its work, the OECD committee was unable to reach a consensus on the path forward at its July 8 meeting. The group including the United States reportedly also comprised some non-European OECD members, such as Japan, Australia and the United Kingdom, along with a few EU member states. Other EU members sided with the commission, however, leading to deadlock. The near-final principles on obliged access were put aside, as was projected future work on refining them to address direct access. Planning for future work paused.
The setback proved to be temporary, however. The CDEP met on Dec. 1 and found consensus on restarting work in early 2022. The question of how to prioritize its workstreams on obliged and other types of government access to data, including direct access, was left for the future. Although tensions over scope remain, all governments were able to agree on the importance of moving forward on both subjects.
Other Multilateral Fora on Government Access
As the OECD restarts its work, other multilateral fora, stimulated by the same considerations as the OECD, also have begun to address issues of government access to data held in the private sector.
The Global Privacy Assembly (GPA), comprising national data protection authorities from across the globe, adopted a resolution in October setting forth recommended principles for government access to personal data held by the private sector. The resolution, drafted solely by privacy regulators, unsurprisingly places greater emphasis on individuals’ privacy rights than did the OECD draft, which was prepared by states’ delegations comprising both privacy and security service representatives. For example, the resolution recommends that governments demonstrate the necessity and proportionality of data demands by surveillance authorities. Another GPA principle calls for statutory limits on secondary uses or onward transfers of collected data; the comparable OECD principle would leave these decisions to governments’ discretion. A further difference is that the GPA resolution seems to express a preference for advance judicial authorization for resort to foreign surveillance, while the OECD draft would settle for control by independent bodies, whether administrative or judicial in nature.
The Strasbourg-based Council of Europe (COE) has also pursued preliminary steps toward taking up this topic. The COE has previously developed binding multilateral agreements on both data protection (Convention 108+) and law enforcement (the Budapest Convention, with its newly issued Second Additional Protocol). The United States is an observer state at the COE and has acceded to some of its conventions, joining the Budapest Convention but not COE data protection instruments. In March 2020, two senior COE officials publicly asserted that Convention 108+ “does not fully and explicitly address some of the challenges posed in our digital era by unprecedented surveillance capacities.” They called upon COE members to develop specific guidance on Article 11 of that convention, which currently requires that processing activities for national security and defense purposes be subject to independent and effective review and supervision under a party’s domestic law. A consultant recommended developing a guidance note for Article 11, but COE members have not made a final decision on whether to proceed with this work.
In addition, issues of cross-border access to evidence, in connection with investigating cybercrime, will be raised in a new United Nations multilateral negotiating process scheduled to start in January 2022. The U.N. General Assembly in May approved a proposal, led by the Russian Federation, to draft a new convention on cybercrime. Whether and how to proceed with such a convention has been controversial. In contrast to the OECD, GPA, and COE processes, support for the U.N. process has been led by some countries with poor democratic and human rights records.
Nonbinding OECD instruments setting forth principles on government access to data for law enforcement and national security purposes can have important normative significance. They can help identify best practices across member states’ jurisdictions and promote them at the international level. They can express the consensus view of developed democratic governments and potentially contribute to the progressive development of national and international law.
By including law enforcement and foreign surveillance law experts—as well as privacy law experts—in their OECD delegations, the United States, Australia, New Zealand, Canada, the United Kingdom and several European countries have increased the likelihood of a significant result that synthesizes contributions from these quite different subject areas. If the OECD decides to fully explore the subject of covert access, it seems essential that security service representatives from other OECD governments also participate in the talks.
Bridging the divide between the proponents of the one-track and two-track approaches entails acknowledging that, curiously, both sides seem to be right. The EU is indeed correct in highlighting that the OECD process could end up being harmful if a two-track approach is perceived as indicating that strong principles, good practices and essential legal guarantees apply only when governments make requests to private companies to produce personal data but do not apply to direct access. Instead of sending a strong message to authoritarian regimes, such a result could be read as an invitation to further develop cyber-espionage, cyber attacks and hacking, whether conducted directly or by proxy.
But the United States is also right to suggest that fast action is necessary. Obliged access is a subject on which democracies can more quickly find commonalities and send a strong message to authoritarian regimes. In this area they share rule-of-law norms, such as the use of court orders issued by independent judges. It is correct as well to acknowledge the difficulty of discussing in an open multilateral setting how each government conducts direct access and of arriving at common principles and limitations that should govern each use case. Conceivably, principles could be tailored to fit the different forms of government access, with lesser safeguards for direct access than for compelled access. The risk of such an approach is ending up with principles that have a broader scope but less impact, merely amounting to the lowest common denominator.
The OECD has a proven record in meeting difficult negotiating challenges relating to core aspects of national sovereignty. It has done so most recently with its tax project tackling base erosion and profit shifting (BEPS) by multinational enterprises. The result was the OECD/G20 Inclusive Framework on BEPS, under which 141 countries and jurisdictions are implementing a 15-point plan to tackle tax avoidance. The OECD also provided the setting for 136 countries and jurisdictions to strike a ground-breaking minimum corporate tax deal to address the tax challenges arising from the digitalization of the economy.
Negotiating OECD rules governing government access to data for national security and law enforcement purposes is as challenging an endeavor as the organization’s past efforts on international bribery and taxation. The fact that the OECD is made up of like-minded countries, and that it enjoys an institutionalized multistakeholder culture—in a field where the private sector and civil society have a lot to say—increases the prospects for success. Democracies now have a unique opportunity at the OECD to explain how their common commitment to the rule of law and human rights applies in an age when the potential for electronic surveillance of individuals has expanded substantially. Once they agree on how to sequence work linking obliged access principles and direct access methods, they could send a strong message to the rest of the world.