Personal data protection and privacy

The Internet has made the access and exchange of information – including personal data – easier and faster than ever. Individuals are providing their personal data online, knowingly and sometimes unknowingly, for many different purposes, such as purchasing goods and services, playing, e-learning or paying taxes.

Social interactions are also increasingly taking place over the net – for example in social platforms, creating new opportunities, but also risks to privacy. The frontierless nature of the Internet, which enables the free flow of data across countries, also brings new challenges.

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

In 1981 the Council of Europe adopted the first international treaty to address the right of individuals to the protection of their personal data: the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as “Convention 108”.

The treaty was drafted in a technologically neutral style, which enables its provisions to be fully valid today, regardless of technological developments. To ensure that its data protection principles are still adapted to new tools and new practices, the text is currently being updated. To this day, it still remains the only legally binding international instrument with a worldwide scope of application, open to any country, and with the potential to become a global standard.

  • The convention establishes a number of principles for states to transpose into their domestic legislation to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that it is stored for no longer than is required for this purpose, and that individuals have a right to have access to, rectify or erase their data.
  • An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on transborder data flows.
  • More than forty countries have ratified Convention 108 and many others have used it as a model for new data protection legislation. 
  • The Council of Europe has adopted a number of recommendations aimed at applying the general principles set out in the convention to the specific requirements of various areas of society:    

- protection of human rights with regard to social networking services (2013);
- protection of human rights with regard to search engines (2013);
- profiling (2010);
- privacy on the Internet (1999);
- personal data collected and processed for statistical purposes (1997);
- medical and genetic data (1997);
- personal data in the area of telecommunication services, telephone in particular (1995);
- communication to third parties of personal data held by public bodies (1991);
- payments and other related operations (1990);
- data used for employment purposes (1989);
- police files (1987);
- social security (1986);
- direct marketing (1985);
- scientific research and statistics (1983);
- automated medical data banks (1981).

  • Declaration of the Committee of Ministers on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies.
  • Publication of studies and reports on the application of the convention’s principles to video surveillance, smart cards, biometric data, global telecommunications networks and profiling. 
  • In 2007 the Council of Europe launched “Data Protection Day”, which is celebrated every year globally on 28 January to raise awareness of data protection issues.

Next steps

  • The Council of Europe is encouraging non-European states with adequate data protection legislation to apply for accession to Convention 108.
  • The Council of Europe is currently updating the convention. The modernisation work has taken into account contributions from multiple stakeholders from around the globe. The data protection recommendations regarding employment and police are being revised.