Data Protection

Convention & Protocol
Modernisation
Committee
Documents

History

Convention ETS No 108 of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (of 1981) - which was the first legally binding international instrument with worldwide significance on data protection - draws inspiration directly from the European Convention on Human Rights and Fundamental Freedoms, which was opened for signature in 1950. In particular, Article 8 of this Convention states that "Everyone has the right to respect for his private and family life, his home and his correspondence". This right can only be restricted by a public authority in accordance with domestic law and in so far as it is necessary, in a democratic society, for the defence of a number of legitimate aims. But the Convention also lays down, in Article 10, the fundamental right to freedom of expression. This right includes explicitly the "freedom to receive and impart information and ideas without interference by public authority and regardless of frontiers". The "freedom to receive information" set out in Article 10 is considered as implying the "freedom to seek information".

In the conceptual architecture of the Convention, Articles 8 and 10 are not contradictory but complementary. However, in practice, the exercise of one of these rights can sometimes be restricted by the exercise of the other. For this reason, the European Court of Human Rights has defined in case law the limits to the exercise of each of these rights and, in particular, the extent to which public authorities have the right to interfere. This case law is still of great importance to the Council of Europe in its work on data protection as the source of criteria for the development of national regulations on data protection. In its case (M.S. v. Sweden of 27 August 1997), the European Court of human Rights "reiterates that the protection of personal data (...) is of fundamental importance to a person's enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of he Convention". Nevertheless, in the years following the adoption of the European Convention on Human Rights, it became apparent that efficient legal protection of privacy required more specific and systematic development.

From the beginning of the sixties, rapid progress in the field of electronic data processing and the first appearance of main frames allowed public administrations and big enterprises to set up extensive data banks and to improve and increase the collection, processing and interlinking of personal data. While this development offered considerable advantages in terms of efficiency and productivity, in return it gave rise to a clear trend towards massive electronic storage of data concerning the private sphere of individuals. In the face of this trend, the Council of Europe decided to establish a framework of specific principles and norms to prevent unfair collection and processing of personal data.

A first step in this direction was taken in 1973 and 1974, with the adoption of Resolutions (73) 22 and (74) 29 which established principles for the protection of personal data in automated data banks in the private sector and the public sector. The objective was to set in motion the development of national legislation based on these resolutions. However, during the preparation of these texts it became apparent that comprehensive protection of personal data would be effective only through further reinforcement of such national rules by means of binding international norms. The same suggestion was made at the Conference of European Ministers of Justice in 1972.

In 1981, after four years of negotiation, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data - known as Convention 108 - was concluded. Contracting Parties to this Convention take the necessary measures, in their domestic law, to implement the principles laid down in it with regard to the personal data of everyone in their territory. These principles concern in particular fair and lawful collection and automatic processing of data, storage for specified legitimate purposes and not for use for ends incompatible with these purposes, nor kept for longer than is necessary. They concern also the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality); their accuracy; the confidentiality of sensitive data; information of the data subject; and his/her right of access and rectification.

The Convention provides for free flow of personal data between states party to the Convention. This free flow may not be obstructed, for personal data protection reasons, unless Parties derogate from this provision, which they may do in two specific cases: where protection of personal data in the other Party is not "equivalent", or where the data are transferred to a third state which is not Party to the Convention.

The Convention establishes a Consultative Committee (T-PD), consisting of representatives of Parties to the Convention complemented by observers from other States (members or non-members) and international organisations, which is responsible for interpreting the provisions and for improving the implementation of the Convention. It is also responsible for drafting reports, guide lines and guiding principles on such topics as, the contractual clauses governing data protection during the transfer of personal data to third parties not bound by an adequate level of data protection or data protection with regard to biometrics. This Committee adopted interalia an amendment to Convention 108, allowing the European Communities to accede to it. Moreover, it adopted an additional protocol to Convention 108 regarding supervisory authorities and transborder data flows, opened to signature in 2004, reinforcing the Supervisory Authorities and prohibiting the transfer of personal data to States or organizations that do not provide for an adequate level of protection.

Inasmuch as Article 4 provides that states must have enacted adequate legislation before becoming Party to the Convention, 46 States have ratified the Convention and 35 have ratified the additional protocol. Other states are preparing to ratify these instruments which, with the case-law of the European Court of Human Rights, are part of the community acquis. Nevertheless these instruments are not restricted to Council of Europe member States as Article 23 provides for states which are not members of the Council of Europe to accede to the Convention.

Since the conclusion of the Convention in 1981 the society has been completely transformed, in particular due to personal computers and the Internet which permit any individual or organisation to carry out "automatic processing of data". In the meantime, social and economic development has led to even more complex forms of organisation, management and production, based on powerful processing systems. In this context, the individual becomes an active agent of the "information society" - while, at the same time, his privacy is subjected to even greater interference by the information systems of numerous public and private services - banks, credit services, social security, social assistance, insurance, police, medical care.

This evolution constitutes an enormous challenge in terms of data protection. Today an ever-increasing number of new problems and practical questions is submitted to national data protection authorities -in most countries the national Data Protection Commissioner. These authorities, which, like the Ombudsmen, have become an integral part of the control system in a democratic society, must interpret the principles of the Convention and apply them to these new problems and questions. Nevertheless, experience has shown that neither the principles of the Convention nor national regulations on data protection can regulate exactly every situation in which personal data are collected in different sectors: medical care and research, social security, insurance, banking, employment, police, telecommunications, direct marketing etc. Of course, in each of these sectors data must be collected and processed in accordance with the basic principles of the Convention, but the ways and means may be different. In some sectors conditions may be more flexible than in others, and self-regulation may be more advanced in one profession than in another.

For each of the different sectors, therefore, the principles of the Convention must be further elaborated. Rather than amend the Convention, or add protocols to it, the Council of Europe prefers to use another tool for this purpose: that of recommendations to governments. Such recommendations have the advantage that they are easier to draw up, to adopt and to implement: instead of signature and ratification by each of the member States, they only require unanimous adoption by the Committee of Ministers. It is therefore simpler to adapt them to changing circumstances than to amend conventions; and, above all, although they are not legally binding, they contain real standards of reference for all member States, whether they are Parties to the Convention or not. A recommendation constitutes therefore a request to consider in good faith the possibility of elaborating and implementing domestic law in conformity with internationally agreed interpretation of the principles laid down in the Convention.

In order to draw up these recommendations - which requires, in addition to legal experience, specific knowledge of the subject covered by the recommendation - the Committee of Ministers set up in 1976 a Committee of experts on data protection, which subsequently became the Project Group on Data Protection (CJ-PD) in 1978. This committee was composed of experts from each of the member states who were sometimes accompanied by specialists in the field.

Over the years the Project Group not only drew up a series of recommendations but also published studies, reports and guiding principles in order to reflect the application of the data protection principles to new technologies, such as smart cards and video surveillance.
During the few years, following the ratification of the Convention by the great majority of the member States of the Council of Europe, the continuation of two committees, one composed of representatives of parties to the Convention and the other by all the members States of the Council of Europe, no longer seemed relevant. In the concern of rationalisation of resources and working methods, those two committees merged at the end of 2003 to become a single, enlarged committee which kept the name of T-PD.