ICC White Paper on Trusted Government Access to Personal Data Held by the Private Sector

22 August 2022

Lack of trust in cross-border data flows leads to uncertainty that may discourage the participation of individuals, businesses, and even governments in the global digital economy. Without clear parameters and rules around government access to personal data, including access across international borders, legal uncertainty will persist, likely leading to the proliferation of data localisation measures, which negatively impact the global digital economy. Achieving consensus on common principles for trusted government access to personal data held by the private sector will support the transfer of data between jurisdictions by commercial entities and result in positive economic and social impacts.

ICC Principles for Trusted Government Access to Personal Data

Government access to personal data is necessary to protect public safety and national security, but access without safeguards inevitably leads to abuse, violations of individuals’ fundamental rights, and a loss of trust in data flows. To ensure that government access to personal data is consistent with the protection of individual rights and the rule of law, surveillance authorities should reflect the following principles:

Principle #1 – Appropriate Legal Bases with Meaningful Opportunities for Stakeholder Input

The laws, rules, and international agreements that allow for government access to personal data should be clear, comprehensive, and developed through transparent processes with meaningful opportunities for stakeholder input.

Principle #2 – Legitimate Aims of Surveillance with Safeguards to Prohibit Unfair Treatment

The purpose and reach of government access laws should be proportionate to meet defined public safety and national security needs. Authorities should not be employed to acquire commercial advantage or data held by foreign governments or the public sector. The authorities should also include safeguards to prohibit unfair and discriminatory treatment. They should not allow the suppression of dissent or free expression, or target individuals based on race, ethnicity, religion, disability, sexual orientation, gender, or gender identity.

Principle #3 – Requirements for Approval Commensurate with Privacy Intrusion

The level of approval required for government access should be commensurate with the degree of interference with privacy and other rights and freedoms, with prior judicial approval for any significant interference. Except in cases of true emergencies, criminal demands seeking intrusive personal data should be predicated on prior independent review.

Principle #4 – Appropriate Protections for Handling Personal Data

Governments must require strict and transparent data minimization, dissemination, and retention limits when they seek access to personal data of both citizens and foreign persons.

Principle #5 – Transparency of Government Demands for Access

The need for transparency extends to the legal framework allowing for government access; the publication of both government and service provider transparency reports that include statistical information on government demands, including national security demands in the aggregate; and the importance of prior user notice. The public has a right to know how, when, and why governments seek access to their data. Absent narrow circumstances, individuals and organizations should be allowed prior notice regarding law enforcement requests for their personal data.

Principle #6 – Independent Oversight of Access Authorities

All government access authorities should be subject to independent oversight. Any non-compliance with surveillance authorities should be both publicly reported and remedied.

Principle #7 – Mechanisms Provided for Effective Redress

Individuals, organizations, and providers impacted by a government access demand should have clear redress mechanisms through which to challenge unlawful or inappropriate demands in front of an independent authority, and remedies must be commensurate with the degree of injury.

Principle #8 – Avoidance and Accounting for Conflicts of Law

In today’s interconnected digital economy, government access laws must account for the fact that data is truly global and may be subject to the laws of multiple jurisdictions. International agreements should advance frameworks that minimize conflicts of law. And legal bases must include mechanisms to raise conflicts of law so providers are not forced to violate one country’s laws to comply with another’s.

Additional guidance

Prohibition on excessive costs and burdens placed on providers: Government requests should not impose significant costs or burdens on providers, including data retention obligations unrelated to a business purpose.

Intermediary liability: Providers should not be held liable for complying in good faith with legal obligations of jurisdictions in which they operate.

Additional information on the above safeguards can be found in the ICC White Paper on Trusted Government Access to Personal Data Held by the Private Sector.