The Internet has made the access and exchange of information – including personal data – easier and faster than ever. Individuals are providing their personal data online, knowingly and sometimes unknowingly for many different purposes, such as purchasing goods and services, playing, e-learning or paying taxes.

Social interactions are also increasingly taking place over the net – notably in social media platforms, creating new opportunities, but also risks to privacy. The frontier-less nature of the internet, which enables the free flow of data across countries, also brings new challenges.

Personal Data Protection Convention

In 1981 the Council of Europe adopted the first international treaty to address the right of individuals to the protection of their personal data: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as “Convention 108”.

The treaty was drafted in a technologically neutral style, which enables its provisions to be fully valid today, regardless of technological developments. In 2018, the treaty was updated by an amending protocol, not yet in force, aimed at ensuring that its data protection principles are still adapted to new tools and new practices.

To this day, “Convention 108” still remains the only legally binding international instrument with a worldwide scope of application, open to any country, and with the potential to become a global standard.

The treaty establishes a number of principles for states to transpose into their domestic legislation to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that it is stored for no longer than is required for this purpose, and that individuals have a right to have access to, rectify or erase their data.

An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on trans-border data flows.

So far, 55 countries have ratified “Convention 108” and many others have used it as a model for new data protection legislation.

In addition, the Council of Europe has adopted a number of recommendations aimed at applying the general principles set out in the convention to the specific requirements of various areas of society:

In 2013 the Committee of Ministers adopted a Declaration on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies.