Modernisation of the Data Protection “Convention 108”
With the recent Court rulings reaffirming the need for a strong protection of individuals with regard to the processing of personal data (such as Schrems case of the EU, and the European Court of Human Rights judgments Szabo v Hungary and Zakharov v Russia), the modernisation of Convention 108 and its global promotion is more than ever a striking necessity.
The Council of Europe is updating its Personal Data Protection Convention - “Convention 108” – with two key aims:
- addressing challenges for privacy resulting from the use of new information and communication technologies,
- strengthening the convention’s follow-up mechanism.
The modernisation process also aims at bringing together the various normative frameworks that have developed in different regions of the world and provide a multilateral framework that is flexible, transparent and robust, facilitating the flow of data across borders while providing effective safeguards against abuse.
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature on 28 January 1981 and is still today the only binding international treaty in this field. It is open to any country, and has the potential to become a global standard. 46 member states of the Council of Europe and Uruguay are state parties, whereas Mauritius, Morocco, Senegal and Tunisia have been invited to accede.
The treaty establishes a number of principles for states to transpose into their domestic legislation to ensure notably that data are processed through procedures set for by law, for a specific purpose, that data are stored for no longer than is necessary for the intended purpose, and that are not excessive in relation to the purposes for which they are stored.
An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on transborder data flows to non Parties.
In a first phase that finished in 2014, an intergovernmental committee (the Ad hoc Committee on data protection) finalised and adopted a proposal for the modernisation of the Convention and transmitted a draft amending protocol to the Council of Europe Committee of Ministers.
In a second phase – starting in 2016 - this Committee will produce a final proposal that will ensure consistency with the new EU data protection Regulation and Directive and the protocol amending the Convention will be eventually submitted for adoption to the Committee of Ministers in the second semester.
The revised text:
- Maintains the Convention’s provisions at principle-level, to be complemented by more detailed sectorial texts by way of recommendations or guidelines;
- Aims to ensure consistency and compatibility with the EU legal framework;
- Maintains technologically neutral provisions;
- Reaffirms the Convention’s potential as a universal standard.
In keeping with the Convention’s philosophy, new draft provisions consist of general, simple and concise principles allowing states parties a certain measure of discretion when implementing them through their national legislation.
The main innovations concern the following issues:
- proportionality (so far implicit and concerning only the data), in particular data minimisation;
- accountability, in particular of data controllers and processors;
- privacy by design;
- obligation to declare data breaches;
- transparency of data processing;
- additional safeguards for the data subject such as the right not to be subject to a decision solely based on an automatic processing without having his or her views taken into consideration, the right to obtain knowledge of the logic underlying the processing, and the right to object.
The revised text continues to require an “appropriate level of protection” if data are communicated or disclosed to recipients not subject to the jurisdiction of a Party to the Convention, recognising that this rule has promoted the development of data protection laws around the world.
Strengthening the follow-up mechanism
The role of the conventional committee, which is composed of representatives of Parties to the Convention, will be strengthened.
The effective enforcement of data protection standards is crucial for the credibility of the Convention and the strengthening of the implementation of the convention through the follow-up mechanism is essential in this regard.