Modernisation of the Data Protection “Convention 108”
The Council of Europe is updating its Personal Data Protection Convention - “Convention 108” – with two key aims:
- addressing challenges for privacy resulting from the use of new information and communication technologies,
- strengthening the convention’s follow-up mechanism.
The modernisation process also aims at bringing together the various normative frameworks that have developed in different regions of the world and provide a multilateral framework that is flexible, transparent and robust, facilitating the flow of data across borders while providing effective safeguards against abuse.
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature on 28 January 1981 and is still today the only binding international treaty in this field. It is open to any country, and has the potential to become a global standard. The 47 member states of the Council of Europe and Mauritius, Senegal, Tunisia, Uruguay are Parties to it, while Argentina, Burkina Faso, Cap Verde, Mexico and Morocco have been invited to accede to the Convention.
The treaty establishes a number of principles for states to transpose into their domestic legislation to ensure notably that data are processed through procedures set for by law, for a specific purpose, that data are stored for no longer than is necessary for the intended purpose, and that are not excessive in relation to the purposes for which they are stored.
An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on transborder data flows to non Parties.
Modernisation proposals elaborated by the Committee of Convention 108 were reviewedbetween 2013 and 2016 by an intergovernmental committee (the Ad hoc Committee on data protection) which transmitted a draft amending protocol to the Council of Europe Committee of Ministers. In September 2016 this proposal was referred for discussion and adoption to the Committee of Ministers of the Council of Europe, the executive body of the organisation where the 47 member states are represented. This body is still discussing the draft with a view to finalising the text in the coming months and opening the treaty to signature.
The revised text:
- Maintains the Convention’s provisions at principle-level, to be complemented by more detailed sectorial texts by way of recommendations or guidelines;
- Aims to ensure consistency and compatibility with other data protection legal frameworks, in particular the one of the EU;
- Maintains technologically neutral provisions;
- Reaffirms the Convention’s potential as a universal standard.
In keeping with the Convention’s philosophy, new draft provisions consist of general, simple and concise principles allowing states parties a certain measure of discretion when implementing them through their national legislation.
The main innovations concern the following issues:
- proportionality (so far implicit and concerning only the data), in particular data minimisation;
- accountability, in particular of data controllers and processors;
- privacy by design;
- obligation to declare data breaches;
- transparency of data processing;
- additional safeguards for the data subject such as the right not to be subject to a decision solely based on an automatic processing without having his or her views taken into consideration, the right to obtain knowledge of the logic underlying the processing, and the right to object.
- possibility for International organisations to accede to the modernised Convention.
The revised text continues to require an “appropriate level of protection” if data are communicated or disclosed to recipients not subject to the jurisdiction of a Party to the Convention, recognising that this rule has promoted the development of data protection laws around the world.
Strengthening the follow-up mechanism
The role of the conventional committee, which is composed of representatives of Parties to the Convention, will be strengthened.
The effective enforcement of data protection standards is crucial for the credibility of the Convention and the strengthening of the implementation of the convention through the follow-up mechanism is essential in this regard.