Not sure this would be a popular choice among the younger members of my family but for those grappling with international data transfers the Organisation for Economic Co-operation and Development’s (OECD) Declaration of 14 December 2022 may be welcome news. Increased collaboration between like-minded countries seems to be the emerging theme as we approach the end of 2022. Just in the last couple of months there has been progress with the EU-US Trans-Atlantic Data Privacy Framework with the US Executive Order (also relevant to UK-US data flows), followed last week by the EU Commission’s draft (partial) adequacy decision for the US, the UK’s first post-Brexit finding of data adequacy for the Republic of Korea and the announcement of the UK-Japan Digital Partnership (of which data is one of four pillars), and we understand plenty of progress is being made in the ongoing data priority partnerships negotiations which the Department of Digital, Culture, Media and Sport (DCMS) is leading for the UK.

OECD Declaration

To give it it’s full name the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities (Declaration) is the culmination of nearly two years of negotiation. Its aim is to “improve trust in cross-border data flows – which are central to the digital transformation of the global economy – by clarifying how national security and law enforcement agencies can access personal data under existing legal frameworks”. This carefully worded Declaration signals a “major political commitment” by the 38 OECD countries and the EU, and in the spirit of global co-operation the Declaration is also open for other countries to sign up and adhere to.

The Declaration is the “first intergovernmental agreement on common approaches to safeguard privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes” and the OECD hopes it will:

(i) increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities in order to support cross-border flows of personal data between them; 

(ii) provide a standard for how democratic, rule-of-law based systems limit and constrain government power in contrast with approaches that are unconstrained, unreasonable, arbitrary or disproportionate, in violation of human rights and in breach of international obligations.”

The Declaration builds on the OECD Privacy Guidelines and consists of seven principles. It is interesting to see the old stumbling blocks of transparency, oversight and redress are included in the Declaration, hopefully signalling the will to recognise common values, while understanding there are differences in approach. This also dovetails nicely with the Trans-Atlantic Data Privacy Framework’s (DPF) approach and may be seen by many as an additional attempt to address the shortfalls identified in the Schrems II litigation. Will the Declaration be a useful tool in any Schrems III type challenge to the DPF? It certainly looks like it will be persuasive, however, as it is not legally binding its value may be somewhat limited.

Practical application?

How will this affect transfer risk assessments (TRAs) to non-adequate third countries who are OECD members (or indeed non-Members who sign up to the Declaration), e.g. Australia or Colombia, will this Declaration help? It may be prudent for data transfers to such countries to include reference to the Declaration wording. As noted above while this is not a legally binding document it is an acknowledgement of common values that purport to address the CJEU’s concerns in Schrems II over the proportionality of surveillance laws and redress. Yes they do have a section on redress - it is short and meaningless - but it is there!

Conclusion

It may be the festive spirit giving this flurry of international collaboration a rosy glow. I dare say the Scrooges among us would point to the cold, hard reality that the global digital economy is big business (in more ways than one) and the economic realities are what is driving this seemingly newfound co-operation and drive to rejuvenate projects that have long been talked about. Whatever the reason, 2023 looks like it will be another interesting year in the data and privacy world.