Twenty-one states signed today a Council of Europe treaty aimed at strengthening the principles and rules for the protection of personal data at international level.
The treaty, an Amending Protocol, updates the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108”, the only existing international treaty addressing the right of individuals to the protection of their personal data.
The protocol was signed during a ceremony in Strasbourg by 20 Council of Europe member states – Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Russia, Spain, Sweden and the United Kingdom – and by Uruguay, one of the six non-European states that have so far joined “Convention 108”.
Secretary General Thorbjørn Jagland said: “The modernised convention will allow states to share a robust set of principles and rules to protect personal data, and will provide a unique forum for co-operation in this field at global level. States parties to “Convention 108” should sign and ratify the protocol so it can enter into force as soon as possible.”
The protocol reinforces the data protection principles of “Convention 108” and includes additional safeguards to tackle the challenges to the protection of personal data brought by new technologies and practices. It also broadens the role of the Convention’s Committee, which will monitor that the Parties implement the provisions of the updated treaty effectively.
The modernised convention, which data protection experts are referring to as “Convention 108+”, aims to ensure that the transfer of personal data across borders is done with appropriate safeguards, and that it is compatible with normative frameworks across the world, including the European Union’s legislation. The revised treaty also provides the possibility for accession by the European Union and international organisations.
Some of the innovations contained in the protocol are the following:
· Stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing
· Extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin.
· Obligation to declare data breaches
· Greater transparency of data processing
· New rights for the persons in an algorithmic decision making context, which are particularly relevant in connection with the development of artificial intelligence
· Stronger accountability of data controllers
· Requirement that the “privacy by design” principle is applied
· Application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions subject to the conditions set by the Convention, and in any case with independent and effective review and supervision
· Clear regime of transborder data flows
· Reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.
Opened for signature in 1981, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data currently has 53 State Parties: the 47 Council of Europe member states, Cabo Verde, Mauritius, Mexico, Senegal, Tunisia and Uruguay. Another three countries - Argentina, Burkina Faso and Morocco - have been invited to accede to the treaty. Many other countries have used it as a model for new data protection legislation and are participating as observers in the Committee of the Convention, which gathers nearly 70 countries in total.