ICC White Paper on Trusted Government Access to Personal Data Held by the Private Sector

Trust in Global Data Flows Underpins Today’s Economies and Societies they Serve

• Global data flows are at the heart of the world’s economy and well-being. This became evident with the COVID-19 pandemic lockdowns in 2020, when companies of all sizes, across all sectors around the world enabled remote work and transitioned their businesses to online-first or online-only.
• Data transfers are estimated to contribute $2.8 trillion to global GDP—a share that exceeds the global trade in goods and is expected to grow to $11 trillion by 2025.
• Companies rely on these flows to conduct day-to-day business with customers, partners, and suppliers; innovate in their business and operations; detect cyber threats and intrusion patterns; and compete more effectively – in sectors as diverse as agriculture, healthcare, manufacturing, banking and shipping.
• Micro-, small-, and medium-sized enterprises (MSMEs) leverage cloud services to reduce barriers of entry to markets, enabling them to be on equal footing with much larger and/or better resourced organizations. For example, digital tools helped MSMEs across Asia reduce export costs by 82 percent and transaction times by 29 percent.
• In 2021, the G7 also emphasized the importance of cross-border transfers, including in the G7 Digital Ministers’ Roadmap, which recognizes that the “ability to move and protect data across borders is essential for economic growth and innovation.”
• However, trust in international data flows is being eroded over concerns that government demands to access data for criminal and national security purposes may conflict with universal human rights and freedoms, including privacy rights, or may conflict with other national laws when such data transcends borders.
• These concerns have led to uncertainty that may discourage individuals’, businesses’, and even governments’ participation in a global economy, negatively impacting inclusive and sustainable economic growth.
• With 60% of global GDP digitized by 2022, and growth in every industry driven by digital technology,5 disruptions in cross-border data flows will have broad reverberations that can lead to reduced potential GDP gains and adverse impact on the local/national digital ecosystems – at a time when economic growth is at the top of the agenda for every government.
• For example, data flow restrictions have been estimated to lead to possible GDP loss across the European Union of about €79bn per year, or €553bn over 2021-2027.
• Data localization measures on Internet of Things applications and machine-to-machine data could lead to a loss of 59–68% of productivity and revenue gains, resulting in investment losses ranging from $4–5 billion and job losses ranging from 182,000–372,000 jobs.
• By contrast, according to the World Bank, countries would gain on average about 4.5% in productivity if they removed their restrictive data policies.
• Cooperation between governments and stakeholders, including business and multilateral organizations, is essential to develop interoperable policy frameworks that would facilitate cross-border data flows and enable data to be exchanged and used in a trusted manner. Initiatives such as the OECD effort to define principles and safeguards for government access to personal data held by the private sector are urgently needed to provide a firm foundation for data-free-flow-with-trust.

Why Governments Request Access to Private Sector Data

• Governments may require access to data related to individuals or businesses located in, or business transactions or other activities carried out within the governments’ jurisdictions for national security or law enforcement purposes.
• Under limited circumstances, companies may voluntarily provide national security or law enforcement agencies with data in case of an imminent threat to the life or safety of an individual or another special circumstance.
• In certain cases, law enforcement agencies can oblige companies to provide access to the data they hold. In democratic countries, law enforcement agencies rely on formal legal processes, such as obtaining a judicial warrant or an administrative authorization. Non-democratic countries, by contrast, might rely on coercion or sanctions or authorities with no independent oversight or accountability. In either case, companies must decide how much information they are compelled to disclose.
• With digital transformation, more data (e.g., emails, social network posts, files) are stored on cloud servers located around the world. A government may seek data relevant to a crime under its jurisdiction that is hosted in another country, while the target may even be located in a third country, potentially implicating numerous jurisdictions’ laws and giving rise to possible conflicts of law.
• In some situations, intelligence agencies may undertake efforts to obtain data held by a private actor without the company’s knowledge or permission, often referred to as “direct access.” There is also increasing concerns related to direct access of source code, oftentimes linked with nation states or nation-state-sponsored cyberattacks on private sector infrastructure.

Factors Impacting Trust in Global Data Flows When Governments Request Access to Private Sector Data

• The extent and means by which a government can compel access to private organizations’ data on behalf of the public interest are governed by its domestic regulatory framework.
• Legal barriers to data transfers can arise from differences in laws governing government access and discrepancies in safeguards when data transcends borders. For example, in 2015 and 2020, the Court of Justice of the European Union asserted that certain U.S. legal authorities for international surveillance did not offer adequate protections for data of EU citizens, and terminated existing EU-US data transfer mechanisms.
• Companies that receive government requests for data they hold must decide (a) whether the demand is lawful; (b) whether any cross-border demand presents a conflict of law between jurisdictions in which they operate; (c) how much data they are compelled to disclose; and (d) what information about their responses to these demands may be disclosed to customers and the public.
• These concerns also significantly contribute to public sectors’ reluctance to deploy digital technologies broadly, fearing that this would potentially expose their public sector data to third-party governments that may demand access.

Lack of Trust Can Lead to Increased Data Localization Measures

• Governments may compel data localization to help meet law enforcement and national security needs of the country. However, such measures disrupt cross-border data flows, affecting the efficiency, resiliency and cost of daily operations and services offered by businesses of all sizes, across all sectors, and impacting the economic and societal benefits discussed above.
• Restrictions on the free flow of data can be accompanied by limitations on the capacity of foreign law enforcement agencies to obtain personal data through lawful requests. They may also be used as tools by governments less committed to the protection of human rights to suppress freedom of expression, privacy, and other fundamental human rights.
• These measures further exacerbate conflicts of laws between jurisdictions, further shifting the onus of insufficient regulatory alignment to the private sector.

ICC Principles for Trusted Government Access to Personal Data

Government access to personal data is necessary to protect public safety and national security, but access without safeguards inevitably leads to abuse, violations of individuals’ fundamental rights, and a loss of trust in data flows. To ensure that government access to personal data is consistent with the protection of individual rights and the rule of law, surveillance authorities should reflect the following principles:

Principle #1 –Appropriate Legal Bases with Meaningful Opportunities for Stakeholder Input

The laws, rules, and international agreements that allow for government access to personal data should be clear, comprehensive, and developed through transparent processes with meaningful opportunities for stakeholder input.

Principle #2 –Legitimate Aims of Surveillance with Safeguards to Prohibit Unfair Treatment

The purpose and reach of government access laws should be proportionate to meet defined public safety and national security needs. Authorities should not be employed to acquire commercial advantage or data held by foreign governments or the public sector. The authorities should also include safeguards to prohibit unfair and discriminatory treatment. They should not allow the suppression of dissent or free expression, or target individuals based on race, ethnicity, religion, disability, sexual orientation, gender, or gender identity.

Principle #3 –Requirements for Approval Commensurate with Privacy Intrusion

The level of approval required for government access should be commensurate with degree of interference with privacy and other rights and freedoms, with prior judicial approval for any significant interference. Except in cases of true emergencies, criminal demands seeking intrusive personal data should be predicated on prior independent review.

Principle #4 –Appropriate Protections for Handling Personal Data

Governments must require strict and transparent data minimization, dissemination, and retention limits when they seek access to personal data of both citizens and foreign persons.

Principle #5 –Transparency of Government Demands for Access:

The need for transparency extends to the legal framework allowing for government access; the publication of both government and service provider transparency reports that include statistical information on government demands, including national security demands in the aggregate; and the importance of prior user notice. The public has a right to know how, when, and why governments seek access to their data. Absent narrow circumstances, individuals and organizations should be allowed prior notice regarding law enforcement requests for their personal data.

Principle #6 –Independent Oversight of Access Authorities

All government access authorities should be subject to independent oversight. Any non-compliance with surveillance authorities should be both publicly reported and remedied.

Principle #7 –Mechanisms Provided for Effective Redress

Individuals, organizations, and providers impacted by a government access demand should have clear redress mechanisms through which challenge unlawful or inappropriate demands in front of an independent authority, and remedies must be commensurate with the degree of injury.

Principle #8 –Avoidance and Accounting for Conflicts of law

In today’s interconnected digital economy, government access laws must account for the fact that data is truly global and may be subject to the laws of multiple jurisdictions. International agreements should advance frameworks that minimize conflicts of law. And legal bases must include mechanisms to raise conflicts of law so providers are not forced to violate one country’s laws to comply with another’s.

Additional guidance

Prohibition on excessive costs and burdens placed on providers: Government requests should not impose significant costs or burdens on providers, including data retention obligations unrelated to a business purpose.

Intermediary liability: Providers should not be held liable for complying in good faith with legal obligations of jurisdictions in which they operate.

Additional information on the above safeguards can be found in the ICC White Paper on Trusted Government Access to Personal Data Held by the Private Sector.