OECD Signs "Landmark" Privacy Agreement

Written by

The OECD has published a new transnational agreement which it claims will help to safeguard user privacy when data is accessed for national security and law enforcement purposes.

The OECD Declaration on Government Access to Personal Data Held by Private Sector Entities sets out to clarify how member countries’ security and policing agencies can access this data under existing legal frameworks.

In so doing, it is designed to improve trust in cross-border data flows, which are key to driving global economic growth.

“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” said OECD secretary-general Mathias Cormann.

“Today’s landmark agreement formally recognizes that OECD countries uphold common standards and safeguards. It will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”

The agreement was signed by the 38 OECD countries, including the US and UK, as well as the EU, and is also open to others to join.

It is the result of two years of work by the OECD and complements the flagship OECD Privacy Guidelines first published back in 1980, the group said.

However, it’s unclear whether it will help to smooth increasingly fraught relationship between the EU and US over cross-border data transfers. Previous agreements between the two have been thrown out by European courts on concerns that EU citizens’ privacy can’t be guaranteed given intrusive US state surveillance.

The seven principles covered in the declaration are: legal basis; legitimate aims; approvals; data handling; transparency; oversight; and redress.

Dan DeMers, CEO and co-founder of data company Cinchy, argued that, while commendable, the declaration doesn’t go far enough in bringing about real change.

“Data respects no borders – it’s copied, invisibly and at scale, every time it’s needed to run the applications we need and want. It’s always been this way, until the issue of data privacy started to become a flashpoint for human rights,” he added.

“That’s where we are now. The [OECD declaration] is a welcome change, but it will take more than pious pronouncements to drive a transformation. Data control needs to be the foundation of any regulation looking to enforce data privacy – without control over our data, privacy efforts are futile.”

Editorial credit icon image: Ralf Liebhold / Shutterstock.com

What’s hot on Infosecurity Magazine?