Data protection and privacy are top priorities for telco operators. We start 2023 with two new landmarks: the discussions around the proposed EU-US Data Privacy Framework and the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities.
While they address different aspects of data privacy, they are interconnected in their goals of protecting personal data, promoting responsible data governance and fostering international data transfer across borders. A big bang of breakthrough technologies is heralding a new wave of digitalization. This would require common principles to ensure cross-border data flows with the required safeguards for a booming and trustworthy digital economy.
Personal data transfer: data flows between the EU and the U.S.
On the one hand, the future Adequacy Decision on a new EU-US Data Privacy Framework is particularly important for EU companies and EU competitiveness and, ultimately, for EU citizens. In our super inter-connected world, European companies rely, on a daily basis, on Cloud or other IT-related services provided by US Big Tech that require the transfer of personal data across borders. For that to happen, organisations need legal certainty.
An Adequacy Decision is a unilateral act by which the European Commission assesses whether the legal framework in a third country provides an adequate level of protection similar to the one provided by EU rules. If this is the case, European companies can export data from the EU to this “adequate” country. However, in the US there is no comprehensive federal law, but a myriad of security and privacy rules per sector (e.g. Children’s Online Privacy, health sector, marketing communications…) or per state (California Consumer Privacy Law or Virginia Consumer Data Protection Act).
Equally, different rules tackle privacy protection in the context of national security purposes. As the European Commission cannot assess the adequacy of a comprehensive US law, those US companies that self-certify as compliant with the principles of the new EU-US Data Privacy Framework will instead be allowed to export data from the EU to the US; these companies will, so to speak, be “adequate”.
What is at stake with the EU-US Data Privacy Framework?
The proposed EU-US Data Privacy Framework is the third attempt, after the Safe Harbour and Privacy Shield, which were both invalidated by the European Court of Justice (ECJ) in 2015 and 2020 respectively.
Considering the “substantial improvements” that have been incorporated, expectations are high that the future Framework will not meet the same fate as its predecessors. In this sense, Didier Reynders (European Commissioner for Justice) has expressed his confidence that the future EU-US Data Privacy Framework will withstand the legal scrutiny of the ECJ if it is challenged by privacy activists.
After an agreement in principle for a renewed framework was announced by European Commission President Von der Leyen and US President Biden in March 2022, the US President signed an Executive Order on enhancing safeguards to limit US Intelligence Agencies’ powers to access personal data of EU citizens (whose data have been transferred from the EU to the US). In addition, the US Attorney General issued a Regulation establishing a new independent Data Protection Review Court. Taking into account these two important developments, which addressed the major concerns raised by the ECJ, the European Commission adopted its draft Adequacy Decision in December 2022.
On 1st March, the European Parliament discussed its draft Motion for a Resolution on the adequacy of the protection afforded by the future EU-US Data Privacy Framework in the presence of European Commission representatives and Andrea Jelinek, Chair of the European Data Protection Board (EDPB).
Jelinek presented to Members of the European Parliament the main elements of the EDPB Opinion on the EU-US Data Privacy Framework, adopted just the previous day, on 28th February. Jelinek stressed the significant improvements brought to the US legal framework while, at the same time, recommending that the European Commission address the remaining concerns to ensure the Adequacy Decision will endure.
Along these lines, the EDPB is asking for some clarifications regarding commercial aspects (rights of data subjects, onward transfers, profiling) as well as regarding issues related to Government access to data. On the latter, Jelinek welcomed the introduction of the concepts of necessity and proportionality with regard to US Intelligence Activities and the new redress mechanism with the creation of a new independent Data Protection Review Court.
The European Commission will take utmost account of the comments from the EDPB and the European Parliament; however, it is not bound by these Opinions. By contrast, for the final adoption of the Adequacy Decision, the European Commission needs the formal endorsement of the Member States.
European companies need legal certainty to continue doing business and ensuring the highest levels of protection of personal data in line with EU standards.
Personal data access: procurement of data held by the private sector for Law Enforcement and national security purposes
In parallel with the European Commission’s Adequacy Decision, the recent OECD Declaration on Government Access to Personal Data Held by Private Sector Entities is also important for our business. As a telecom operator, we process large amounts of personal data of our customers.
The OECD Declaration provides a framework for how governments should access personal data held by private sector entities, including telecom operators, while also recognizing the legitimate interests of governments in accessing personal data for national security and law enforcement purposes.
Principles of the OECD Declaration
The Declaration outlines seven principles based on legal basis, legitimate aims, approvals, data handling, transparency, oversight, and redress. The overall goal is to ensure that government access to the private sector’s personal data is underpinned by our shared democratic values and commitment to the rule of law and Fundamental Rights. The principles state that:
- Access to data must be legally based and bound by a framework that regulates government authorities under the rule of law.
- Access must only support legitimate aims and be carried out in accordance with legal standards of necessity, proportionality, and reasonableness.
- Prior approval requirements are established to ensure access is conducted in accordance with applicable standards, while internal controls are in place to detect, prevent and remedy data loss or unauthorized access.
- Transparent, effective and impartial oversight mechanisms are also required, and individuals must have access to effective judicial and non-judicial redress mechanisms to remedy violations of the national legal framework.
The value of the OECD Declaration
The OECD Declaration is important for several reasons. First, it provides clear guidelines and principles for how governments should access personal data held by private sector entities in the context of Law Enforcement and national security. This is important because it helps to ensure that any government access to personal data is subject to strict safeguards and limitations and is consistent with fundamental rights.
Second, the OECD Declaration helps to promote international standards and cooperation in the area of data protection and privacy. By setting out clear principles for cross-border access to personal data, the declaration helps to ensure that countries work together to protect the privacy rights of individuals.
Third, the OECD Declaration helps to promote trust and confidence in the digital economy by promoting redress mechanisms. Personal data is a valuable asset, and individuals are more likely to share their data with companies if they trust that their data will be used responsibly and that their privacy rights will be protected. By setting out clear principles for government access to personal data held by private sector entities, the OECD Declaration helps to promote this trust and confidence.
Challenges of the OECD Declaration
However, implementing the OECD Declaration can be challenging. Especially important are balancing privacy and security, ensuring transparency of government policies, preventing misuse of personal data, overcoming legal barriers, addressing cross-border issues, and ensuring redress mechanisms in practice.
Government authorities may have diverging interpretations of these principles due to their legal frameworks, judiciary practices or practical barriers. Addressing these challenges will require ongoing cooperation between governments, the private sector, and civil society to ensure that personal data is used in a manner that is consistent with fundamental rights and freedoms.
As a telecom operator, we take our responsibilities under the OECD Declaration very seriously. We welcome the recognition of the basic principle that any requests for personal data from government authorities are made in accordance with the law and are subject to appropriate oversight and review. Telefónica publishes annual transparency reports to our customers and the public, detailing the number and type of requests we receive from government authorities for personal data.
In conclusion, the future European Commission’s Adequacy Decision and the OECD Declaration on Government Access to Personal Data Held by Private Sector Entities in the context of Law Enforcement and national security are critical developments for telecom operators. As a telecom operator, we take our responsibilities very seriously to ensure compliance with all applicable laws and regulations. We believe that these frameworks provide important protections for our customers’ privacy, and we will continue to advocate for strong data protection standards both domestically and internationally.