Presentation to the OECD roundtable on data localisation and unlimited government access to privacy sector data on 6 Oct 2020

1. Trusted
Government
Access to Private
Sector Data
Dr Ian Brown (@1br0wn)
OECD Roundtable, 6 Oct 2020

2. Key issues to consider
in agreeing standards
Complexity of national surveillance
regimes (UK review 2015-16 cost
~£¼m)
Interaction with human rights and
constitutional law – incl. protections
for non-residents (outside state
territory but within jurisdiction)
Opacity of intelligence activities

3. This is far from a
US-specific issue
The US legal framework “contains
much clearer rules on the
authorization and limits on the
collection, use, sharing and
oversight of data relating to foreign
nationals than the equivalent laws
of almost all EU Member States”
(Brown et al., 2017)

4. “Unconstrained” access
Does any democratic state have “unconstrained” access to private sector data?
Constitutional /human rights law constraints, data protection, IHRL...
– Need for clear and foreseeable law (avoiding secret rules and interpretations); necessity and
proportionality of intrusions on rights, serving a legitimate aim; avoid excessive discretion
– Direct state access to telecommunications links is a key issue (as identified in CJEU’s Schrems
II) – better to have court orders for private sector to provide state access to specific data
Independent (ideally judicial) prior authorization of access a key European and
(domestic) US standard – UK legal reform was a key part of CLOUD Act
recognition
Legislative and judicial oversight of executive also essential, with notification
and redress for individuals

5. Shared practices and
mechanisms for trust in
govt access
Civil society – International Principles on the
Application of Human Rights to Communications
Surveillance (2014)
Eight US tech companies – Global Government
Surveillance Reform: The Principles (2013)
US Govt – Liberty and Security in a Changing World
(2013)
European Parliament (LIBE) – Report on the US NSA
Surveillance Programme, Surveillance Bodies in
Various Member States and Their Impact on E.U.
Citizens’ Fundamental Rights and on Transatlantic
Cooperation in Justice and Home Affairs

6. OECD role in high
level principles
Sharing information on member governments’
access and localization laws and practices – work
with Global Privacy Assembly, and Council of
Europe Data Protection Convention Committee
-See forthcoming webinar on 9 November 2020 ft. Sophie
in ‘t Veld MEP, Dunja Mijatović, Joe Cannataci, Max
Schrems and Kenn Propp
Agreeing common reporting metrics for member
government’s law enforcement and national
security accesses
Agreeing common baseline metrics for private
sector reports

7. Council of Europe joint
statement
The UN Special Rapporteur on privacy has twice
recommended “to all UN Member States to accede to
Convention 108+”.
For processing of personal data for national security and
defence purposes, Convention 108+ contains a robust
system of checks and balances
Countries must agree at international level on the extent
to which the surveillance performed by intelligence
services can be authorised, under which conditions and
according to which safeguards, together with independent
and effective oversight