What set of principles and laws should apply to government access to personal data, including for law enforcement, foreign intelligence, and national security purposes? As framework privacy and data protection laws have spread to most countries in the world, there is considerable uncertainty about how protections apply outside of the commercial sector. In democracies, state power should be exercised under the rule of law, generally including a prominent role for an independent judiciary. Non-democracies have also adopted framework data protection laws, but with uncertainty about how the rule of law may apply to government actions. China has now adopted a framework data protection law, but lacks important rule-of-law institutions. The United States is a democracy with the rule of law under its Constitution, but lacks a framework data protection law. Principled discussion about government access is thus emerging as central to geopolitical debates.
• What are the best forums for multilateral consideration of these issues of government access?
• What is the difference between “compelled/obliged” access and “direct” access? Does this difference matter when it comes to promoting democratic principles on government access to data held by the private sector?
• What legal rules and principles should apply to a democracy’s efforts to protect its national security through intelligence collection outside of its borders, including toward both allies and adversaries?
• What could we learn from recent developments on these matters, including the EU/US negotiations for a successor to Privacy Shield and the OECD process following the G20 initiative for free data flows with trust?