While Convention 108 has stood the test of time for more than three decades thanks to its technologically-neutral, principle-based approach, in 2018 the Council of Europe updated the treaty in order to address the challenges for privacy resulting from the use of new information and communication technologies; and to strengthen the convention’s follow-up mechanism.

Close to 40 countries have already signed the Amending Protocol updating the treaty which, once in force, will further strengthen data protection globally.

The modernisation process also aimed at bringing together the various normative frameworks that have been developed in different regions of the world and at providing a multilateral framework that is flexible, transparent and robust, facilitating the flow of data across borders while providing effective safeguards against abuse.

The modernised "Convention 108":

  • maintains the Convention’s provisions at principle-level, to be complemented by more detailed sectorial texts by way of recommendations or guidelines;
  • aims to ensure consistency and compatibility with other data protection legal frameworks, in particular the EU´s;
  • maintains technologically neutral provisions; and
  • reaffirms the Convention’s potential as a universal standard.

In keeping with the Convention’s philosophy, new provisions consist of general, simple and concise principles allowing states parties a certain measure of discretion when implementing them through their national legislation.

The revised convention reinforces the data protection principles of “Convention 108” and includes additional safeguards to tackle the challenges to the protection of personal data brought by new technologies and practices. In addition, it broadens the role of the Convention’s Committee, which will monitor that the Parties implement the provisions of the updated treaty effectively.

The modernised convention also aims to ensure that the transfer of personal data across borders is done with appropriate safeguards, and that it is compatible with normative frameworks across the world, including the European Union’s legislation.

Some of the innovations contained in the protocol are the following:

  • Stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing
  • Extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin.
  • Obligation to declare data breaches
  • Greater transparency of data processing
  • New rights for the persons in an algorithmic decision-making context, which are particularly relevant in connection with the development of artificial intelligence
  • Stronger accountability of data controllers
  • Requirement that the “privacy by design” principle is applied
  • Application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions subject to the conditions set by the Convention, and in any case with independent and effective review and supervision
  • Clear regime of transborder data flows
  • Reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.

Overview of the novelties of the Protocol

Modernisation process

Modernisation proposals elaborated by the Committee of Convention 108 were reviewed between 2013 and 2016 by an intergovernmental committee (the Ad hoc Committee on data protection).

In September 2016 this committee referred its proposal for discussion and adoption to the Committee of Ministers of the Council of Europe.

On 18 May 2018, the Committee of Ministers adopted the amending protocol, which was opened for signature in Strasbourg on 10 October that year.