Global data flows have been a source of geopolitical consternation among democratic allies around the world for the last decade, since former U.S. National Security Agency contractor Edward Snowden exposed the agency's global system of bulk electronic surveillance.
At the heart of the matter are national security and law enforcement demands to access private sector data within the U.S., EU and other democratic nations despite the lack of a transnational baseline legal standard to do so.
At the IAPP Global Privacy Summit 2023, former U.K. Information Commissioner and current Baker McKenzie International Advisor Elizabeth Denham called on democratic nations to collaborate and establish a binding legal standard, such as a multilateral treaty starting with G-7 nations, that clarifies for each country where the specific lines are for intelligence agencies to compel companies to hand over user data.
"Democracies, especially the G7, should be able to get together and come to an agreement around standards for government access to private sector data," Denham said during the closing keynote panel facilitated by IAPP Research and Insights Director Joe Jones 5 April.
Despite the work of privacy professionals and government data protection regulators, the fundamental push-pull of the intelligence agencies' mission to protect national security, while upholding democratic rights and civil liberties, remains a difficult balance to strike, given authoritarian states are not bound by any such restraints.
During a breakout session at GPS 2023 titled "Government Access to Data: Convergence for the EU and U.S. Approaches," Danish Defense and Intelligence Service General Counsel for Compliance and International Affairs Christian Wiese Svanberg laid out the "pan-European" basis defense intelligence arms of member states within the Council of Europe rely on to collect bulk amounts of data.
Svanberg said the European Court of Human Rights acknowledged the need for intelligence agencies to practice bulk collection of data, under specific parameters, as an effective means to proactively respond to potential national security threats.
"The court clearly says — which I think it's an important point in this trans-Atlantic dialogue — that bulk collection is legal if done in a way that has relevant safeguards," Svanberg said. Bulk collection "is probably the only way that you can actually seek to identify threats beforehand that are unknown. … It's recognized by the court as being something that's broad; it's rarely based on anything specific. You don't necessarily even know what you're looking for to try to find the clues or the connections between your own threats and new ones, and that creates a challenge where you need to move ... and be proactive."
When U.S. President Joe Biden signed an executive order in October 2022 approving the new EU-U.S. Data Privacy Framework, it was met with praise by some EU policy makers, as well as trepidation.
Jones' keynote panel also featured NOYB Honorary Chairman Max Schrems, and European Data Protection Board Chair and Austrian Data Protection Authority Head Andrea Jelinek. Jones asked Schrems if his organization was preparing to mount another challenge of the latest EU-U.S. data sharing framework following the so-called "Schrems I" and "Schrems II" decisions, which invalidated the U.S.-EU Safe Harbor and EU-U.S. Privacy Shield frameworks, respectively, and have left the global data transfer regime among democratic nations in limbo since they were rendered.
Schrems said he believes "the fundamentals" of the new framework are largely unchanged. The fact that Biden’s executive order does not reference "proportionality" or proper redress mechanisms, he said, could be the basis for NOYB to appeal the European Commission's draft adequacy decision.
However, Schrems also pointed to language in Biden's executive order that demonstrated an appetite among U.S. policymakers to ensure its citizens enjoy relatively similar personal data protection as EU citizens, and that it may create an opportunity to build a stronger framework down the road.
"The funny thing about the data transfer issue is (the U.S. and EU are) actually agreeing that surveillance like that is violating fundamental rights," said Schrems. "Given that we're in an interconnected world … your data is always going to be in some country where you're not a citizen, so unless we agree … to say there are some baseline guarantees independent of your citizenship we're going to have that friction in one way or another."
Given the confines some intelligence agencies must work within, there are signs of progress toward building consensus around their ability to legally collect data for national security purposes under a more universal framework for democratic nations.
The Organisation for Economic Development and Cooperation Directorate for Science, Technology and Innovation Head of the Digital Economy Policy Division Audrey Plonk spoke during the government access to data session, prior to Jones' keynote panel. Plonk said the new OECD Declaration on Government Access to Personal Data Held by Private Sector Entities, released in December 2022, serves as an intergovernmental agreement attempting to reestablish trust in transborder data flows among the 38 member nations by clarifying how national security and law enforcement entities can access personal data under existing laws.
Although privacy guidelines "provided a solid ground for the development of privacy legislation globally," Plonk said, "there was a carve out effectively for law enforcement and national security (in terms of) data processing and data access. But the lack of common principles or common standards in those areas of national security and law enforcement is becoming an increasing problem for commercial, democratic or commercial data flows."
Svanberg said the OECD declaration serves as a great starting point for trans-Atlantic adoption of a universal legal basis, setting requirements for democratic governments to follow to compel access to private-sector data.
"As illustrated by the OECD dialogue, which for the first time ever on both sides of the Atlantic and from the rest of the world, was part of that negotiation," Svanberg said. "There were both law enforcement and national security experts in the room." The OECD declaration reflects member nations' common agreement "to put everyone on the same development standards for redress, oversight and proportionality."
However, as Denham noted during the GPS keynote, the OECD’s declaration is not a mandatory requirement for OECD states to adopt as currently constituted. She said she was more optimistic about the ability for countries to agree on a universal standard for data flows several years ago, because conversations about free flows of data "with trust" were taking place among G7 countries in 2018 and 2019.
However, she said current geopolitical dynamics, such as the war in Ukraine and Brexit, could delay efforts to formalize more rigid standards.
"The OECD has done astonishingly good work, but the OECD declaration is not mandatory," Denham said. "We do need to actually have standards in a world where we share rule of law."
While the OECD's current nonbinding declaration for government access to private data may serve as a baseline for negotiations for a formalized treaty, ongoing enforcement of the EU General Data Protection Regulation and localization efforts around the globe only add further urgency to its development.
The EDPB's Jelinek said, without an existing universal legal standard, ongoing data transfers under standard contractual clauses require reciprocity to ensure privacy and civil liberties are respected across the board.
"We have the GDPR, we have the OECD and the G7, if they could all stand up and sit at one table, that would be great," Jelinek said. "There are many countries whose legislation is essentially equivalent, like they have a good standard, but we need reciprocity. We can do it, but the point is, we have to rely on what we have."