The 38 member nations of the Organisation for Economic Co-operation and Development (OECD) and the European Union have signed an important privacy agreement aimed at improving transparency in government access to personal data held by private companies.
The privacy agreement consists of a list of « common principles » drawn from the « common ground » of existing national laws. OECD members include the United States, Canada, Australia, New Zealand, Japan, Korea and Mexico, and some of these countries have little or no data privacy laws at the national or federal level.
Cross-border data transfers have become a major international concern since the Schrems II ruling in Europe put the spotlight on the issue. With the participation of the EU, the OECD represents the first major intra-governmental privacy agreement to achieve parity in data protection frameworks.
At the heart of the international data transfer problem is government access to the personal data of foreign citizens that crosses their borders. The OECD privacy agreement rejects approaches that are « inconsistent with democratic values and the rule of law » and calls on members to develop safeguards rooted in shared values to guide government data purchases, government access to publicly available data, and voluntary disclosures to national security and law enforcement agencies.
The privacy agreement is a major development as it updates an OECD recommendation that was put in place in 1980, long before the level of access to the Internet and devices that is available today could be envisioned.
It does not create a formal framework or immediately change the data processing practices of member countries, but it does create an agreement in principle that can be used as a basis for establishing data transfer relationships.
The privacy agreement was developed against a backdrop of continuing uncertainty about how international data transfers will work in the future, particularly under the strict requirements of the EU.
The U.S. is currently trying to develop a new transfer framework to replace the one that was scrapped by Schrems II; a draft proposal was recently given the green light by the European Commission, but it must first be vetted by other stakeholders in the bloc, and then it will be the subject of another Schrems trial if it eventually passes.
Government access has always been at the heart of this upheaval, with the Snowden leaks nearly a decade ago being the primary motivation for the series of Schrems trials. Western nations have reacted differently in terms of data protection measures, and many are reluctant to give up government access to data flows, but there is a growing awareness that this incompatibility of laws and the perception of widespread foreign surveillance creates a risk of serious negative economic impacts.
However, the agreement does not yet provide a clear path forward. A number of signatories have experienced recent problems with government surveillance that are clear violations of the stated principles.
For example, Mexico was the first country to adopt the controversial Pegasus spyware and initially used it to track drug lords, but reports indicate that cartels have since obtained it for themselves (potentially via corrupt government contacts) and that journalists and presidential candidates have been targeted for tracking by unknown parties.
Turkey has also come under intense international criticism for its media legislation and for the surveillance and arrest of journalists.