Protection of personal data and privacy
The Internet has made the access and exchange of information – including personal data – easier and faster than ever. Individuals are providing their personal data online, knowingly and sometimes unknowingly for many different purposes, such as purchasing goods and services, playing, e-learning or paying taxes.
Social interactions are also increasingly taking place over the net – for example in social platforms, creating new opportunities, but also risks to privacy. The frontier-less nature of the Internet, which enables the free flow of data across countries, also brings new challenges.
Personal Data Protection Convention
In 1981 the Council of Europe adopted the first international treaty to address the right of individuals to the protection of their personal data: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as “Convention 108”.
The treaty was drafted in a technologically neutral style, which enables its provisions to be fully valid today, regardless of technological developments. To ensure that its data protection principles are still adapted to new tools and new practices, the text is currently being updated. To this day, it still remains the only legally binding international instrument with a worldwide scope of application, open to any country, and with the potential to become a global standard.
The treaty establishes a number of principles for states to transpose into their domestic legislation to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that it is stored for no longer than is required for this purpose, and that individuals have a right to have access to, rectify or erase their data.
An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on trans-border data flows.
More than fifty countries have ratified Convention 108 and many others have used it as a model for new data protection legislation. The Council of Europe is encouraging non-European states with adequate data protection legislation to apply for accession to the Convention 108.
In addition, the Organisation has adopted a number of recommendations aimed at applying the general principles set out in the convention to the specific requirements of various areas of society:
- on the processing of personal data in the context of employment (2015);
- protection of human rights with regard to social networking services (2013);
- protection of human rights with regard to search engines (2013);
- profiling (2010);
- on the protection of personal data collected and processed for insurance purposes (2002)
- privacy on the Internet (1999);
- personal data collected and processed for statistical purposes (1997);
- medical and genetic data (1997);
- personal data in the area of telecommunication services, telephone in particular (1995)
- communication to third parties of personal data held by public bodies (1991);
- payments and other related operations (1990);
- data used for employment purposes (1989)
- police files (1987);
- social security (1986);
- direct marketing (1985);
- scientific research and analysis (1983);
- automated medical data banks (1981).
In 2013 the Committee of Ministers adopted a Declaration on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies.
In 2007 the Council of Europe launched "Data Protection Day", which is celebrated every year globally on 28 January – the date on which the data protection convention was opened for signature - in order to raise awareness of data protection issues.