Council of Europe convention 108+: A modernised international treaty for the protection of personal data

https://doi.org/10.1016/j.clsr.2020.105497

Summary

The Council of Europe has modernized its Convention 108 for the protection of individuals with regard to automatic processing of personal data: in 2018 it adopted Convention 108+. The modernised version of Convention 108 seeks to respond to the challenges posed, in terms of human rights, by the use of new information and communication technologies.

This article presents a detailed analysis of this new international text. Convention 108+ contains important innovations: it proclaims the importance of protecting the right to informational autonomy and human dignity in the face of technological developments. It consolidates the proportionality requirement for data processing and strengthens the arsenal of rights of the data subjects. It reinforces the responsibility of those in charge of data processing as well as its transparency. It requires notification of security breaches. It strengthens the independence, powers and means of action of the supervisory authorities. It also strengthens the mechanism to ensure its effective implementation by entrusting the Committee set up by the Convention with the task of verifying compliance with the commitments made by Parties.

Introduction

Born on 28 January 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereafter “Convention 108”) served as the foundation for the data protection regimes of the 47 member States of the Council of Europe, as well as several countries far beyond the European borders.

This Convention is the only legally binding international treaty on the protection of personal data. It has been modernised in order to meet the new challenges arising from the tremendous developments that have taken place since its adoption. The legal responses taken to protect individuals in 1981, at a time when there was no Internet, social networks, big data, connected objects or geolocation, proved insufficient in the current interconnected world where personal data has become the object of all covetousness. The changes that have emerged during these decades relate to the volume of data processed, the variety of actors, the scale of operations on data, the economic value attached to data, the threats to data, the overall availability of data in time and space, etc.[1]

The time for revision had also come for other international or regional legal instruments in this area. For example, the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, dated 23 September 1980, were revised on 11 July 2013. As to the European Union's Directive 95/46[2], it was replaced on 25 May 2018 by the highly publicised General Data Protection Regulation (GDPR).[3]

The work to modernise Convention 108[4] was carried out by the Consultative Committee set up under the Convention, and continued by an intergovernmental committee (Ad Hoc Committee on Data Protection - CAHDATA)[5]. It led to the adoption by the Committee of Ministers of the Council of Europe, on 18 May 2018, in Elsinore, Denmark, of the Protocol of Amendment to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.[6] This Protocol was open for signature on 10 October 2018.

The result of this modernisation work is the subject of the analysis developed in the following pages. The focus will be on the text of the amending protocol of 10 October 2018, which the Council of Europe services have named “Convention 108+”, in view of effective communication, supported by the information provided in the explanatory report on this modernised Convention 108. It should be noted that, in an unusual development, the Committee of Ministers has endorsed the explanatory report. Therefore, “the explanatory report forms part of the context in which the meaning of certain terms used in the Convention is to be ascertained (Article 31, paragraphs 1 and 2 of the United Nations Vienna Convention on the Law of Treaties)”.[7]

Section snippets

Universal standard

As expressly stated in the Preamble to Convention 108+, the States signatories to the Convention recognise “that it is necessary to promote at the global level the fundamental values of respect for privacy and protection of personal data, thereby contributing to the free flow of information between people”.[8]

Although the principles of personal data protection stem from the European melting pot, they are undeniably destined to have an effect well beyond European borders.

Convergence of the European texts: Convention 108(+) and GDPR

The two European regional institutions, the Council of Europe and the European Union (EU), have both had legislative action on data protection for several decades. While the Convention adopted by the Council of Europe sets out general principles, the EU texts (Directive 95/46 and GDPR) elaborate a detailed legal regime for data protection. That said, the texts adopted on both sides have unavoidable links and demonstrate the reciprocal influence of the two institutions. The national legislations

Human dignity

The preamble of Convention 108 in its modernised version solemnly affirms “that it is necessary to secure the human dignity and protection of human rights and fundamental freedoms of every individual …”.[16]

From the outset of the new text, the need to guarantee human dignity with regard to the processing of personal data is being recognised. It is a reminder that the human being must remain a subject and not be reduced to a mere object, be it an object of algorithmic

A particularly broad scope of application

The Convention is applicable to all data processing activities, carried out in both the public and private sectors. It is therefore all processing of personal data which is covered by the rules of protection contained in the Convention. All fields of activity in which data processing is carried out are covered.

The Convention differs in this respect from other legal instruments such as the GDPR adopted by the European Union. Unlike the latter, the scope of the Convention covers data processing

Basic principles of protection

A set of basic principles must be respected in order to achieve the protection of personal data undergoing processing. This catalogue of principles and requirements is set out in Chapter 2 of Convention 108+. It concerns first of all the conditions for the legitimacy of data processing (set out in point 6.1. below) and data quality requirements (point 6.2.) as well as the enhanced protection regime for sensitive data (point 6.3.). It continues with the obligations of security and transparency.

Appropriate safety measures

Personal data should be protected against unhealthy curiosity from inside or outside or against unauthorised manipulation, whether accidental or malicious. A duty to adopt security measures already existed in the original text of the Convention. It has been taken over in the modernised version of 2018 with, in passing, a clarification of the responsibility for security: it is the responsibility of the controller as well as of the processor, in cases where the services of a processor are used.

The rights of the data subject

Everyone, regardless of age, residence or nationality, has rights vis-à-vis those who process data about them. Convention 108+ has remarkably expanded the list of guaranteed rights and strengthened the rights that already existed before.

The rights granted to the data subject are aimed in particular at ensuring transparency on request of data processing operations. This transparency must enable the data subject not only to be aware of, but also to control what is done with his or her data, to

Exceptions

As said earlier, exceptions to some of the conditions for the legitimacy of data processing (the requirement of fairness, the purpose principle and the data quality requirement), as well as to the obligation of transparency (including the reporting of security incidents of data breaches) and the rights of data subjects, are allowed subject to the conditions laid down in Article 11 of Convention 108+.

Thus, such exceptions are allowed only[126] if they are provided

Transborder data flows

Prior to the modernisation of Convention 108, the issue of transborder data flows was the subject of two different provisions, one inserted in Article 12 of Convention 108 (for transborder data flows within Parties), the other in the 2001 Additional Protocol[128] (for flows to

The supervisory authorities

In 1981 no one thought of mentioning specific supervisory authorities in Convention 108. Twenty years later, the desire emerged to strengthen the effective protection of the individual through the creation of one or more supervisory authorities that contribute to the protection of the rights and freedoms of the individual with regard to data processing. The experience gained over the last 20 years had indeed shown that when they are equipped with effective powers and enjoy real independence in

The Convention Committee

A Convention Committee with enhanced functions will take over from the Consultative Committee attached to the original Convention 108.

It will be composed of one delegate per Party and will be given an extended list of functions compared to the functions assumed by the Consultative Committee to date.[144] These functions include, inter alia: a power to make recommendations with a view to facilitating or improving the application of the Convention, a power to

Conclusion

At the end of this analysis of the modernised Convention 108, the main strengths of the new text to be highlighted are:

First of all, it is the only universally binding legal instrument on the protection of personal data. It offers a model regime of protection for all States and international organisations concerned with providing guarantees to individuals whose data are processed. This status of universal instrument therefore has the advantage that the inexorable increase in the number of

Declaration of Competing Interest

The author declares that she has no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
