Convention 108, The History of Privacy Regulations In Europe
As the right to data protection has become a growing concern in recent years due to the advent of social media sites and the proliferation of eCommerce due to the spread of the internet, many nations around the world have been grappling with the best ways to go about protecting the personal information and data of their citizens. From an American perspective, many states have addressed this issue by passing their own laws that regulate data privacy, such as the California Privacy Rights Act or CCPA and the Virginia Consumer Data Protection Act or VCDPA. However, the U.S. has yet to pass any federal legislation in regard to data privacy rights.
Alternatively, other countries around the world have taken a more broad approach to data protection rights. A prime example of this is the European Union’s General Data Protection Regulation or GDPR. As the EU currently contains 27 member states all across the continent of Europe, citizens who reside within these 27 countries can rest assured that their data protection rights are not only protected within the country they reside in but also in the various other countries they may visit while in Europe. However, this broad approach is not solely limited to the GDPR, as there are other mechanisms in place throughout the world that govern the personal data and information that may be collected and shared across borders.
A prime example of such a mechanism is Convention 108. The Convention for The Protection of Individuals with Regard to Automatic Processing of Personal Data or Convention 108 for short is an international treaty that was the first legally binding international instrument geared toward protecting the data privacy rights of European citizens, prior to the adoption of the EU’s GDPR. Convention 108 was created by the Council of Europe or CoE, an international organization that was established in the wake of the destruction of World War II for the purposes of upholding democracy, human rights, and the rule of law across Europe. Originally signed on January 28th, 1981, the treaty set forth various data privacy rights that continue to be relevant and necessary to this day.
What was the context of Convention 108?
As Convention 108 was created by the CoE, a large reason for the creation of Convention 108 were the horrors and atrocities that resulted from the mass fighting that took place during World War II. As World War II saw the rights of European citizens from dozens of nations be infringed upon and disregarded amidst large-scale military battles and insurrections, the CoE sought to develop and implement measures that would help prevent future conflicts of such magnitude. To this end, the CoE also formed the European Convention of Human Rights or ECHR in 1950, another treaty created for the purposes of guaranteeing European residents the rights to “to respect for private and family life, home and correspondence”
However, with the rise of information technology around the world during the 1960s, very little legislation at the time had the framework or scope needed to regulate such information, much less the potential damage that could result from the authorized access of said information. As such, the Parliamentary Assembly of the CoE addressed Recommendation 509 to the Committee of Ministers, asking to examine whether the ECHR and the domestic laws of the member states aligned with the treaty adequately addressed the issues of “personal privacy vis-à-vis modern science and technology”. These various bodies throughout Europe sought to develop a legal framework that would protect the data privacy rights of European citizens.
In response to the requests of the CoE and ECHR, the Committee of Ministers conducted a study that concluded: “national legislation gave insufficient protection to individual privacy and other rights and interests of individuals with regard to automated data banks”. Due to these findings, the Committee of Ministers adopted two landmark resolutions related to data protection in the years 1973 and 1974 respectively. While these resolutions were not legally binding in the way that data protection laws are in our current time, they nevertheless set the foundation for many EU data protection laws that would come to follow, including Convention 108. These resolutions are are follows:
- Resolution (73) 22 “on the protection of the privacy of individuals vis-à-vis electronic data banks in the private sector”: Resolution (73) 22 established specific principles relating to data protection within the private sector.
- Resolution (74) 29 “on the protection of the privacy of individuals vis-àvis electronic data banks in the public sector”: Conversely, Resolution (74) 29 established specific principles relating to data protection within the public sector.
What were the goals of Convention 108?
The CoE began the process of creating a convention related to the formulation of a data protection law in the late 1970s. Following several years of deliberation, Convention 108 was drawn up by a CoE committee by several governmental experts under the jurisdiction and authority of the European Committee on Legal Co-operation or CDCJ. The Convention was opened for signature to the various member states of the CoE on January 28th, 1981, in Strasbourg, France, and sought to strengthen data protection in the context of providing legal protection for individuals with regards to the automatic processing of personal information or data related to said individuals.
One of the main goals of Convention 108 was to address the need for updated laws and regulations with respect to the increasing use of computers for various administrative purposes. As automated files can be stored, shared, and accessed in ways that manual files never could before, the Convention of 108 quantified this new technological advancement in the term of “information power”. In turn, Convention 108 set forth the following requirements for “actors with “information power’:
- To ensure that the information in their care remained of good quality at all times.
- To refrain from storing information that is not necessary to the given purpose for which it was collected.
- To guard against and prevent the unauthorized misuse or disclosure of information.
- To protect all data and applicable hardware or software from potential physical hazards.
Furthermore, Convention 108 also established substantive law provisions in the form of specific basic principles, requiring special rules for trans-border data flows and sharing, and mechanisms for mutual assistance and cooperation between all parties involved in the collection, storage, and disclosure of personal information. To the point of basic principles, Convention 108 sought to guarantee that data subjects in all countries where the Convention was in force would be afforded certain minimum protections with regard to the automatic data processing of personal data. Moreover, the Convention also sought to reduce the level of restrictions on transborder data flows, ensuring that European nations could share personal information and data with one another with minimal hassle.
Although Convention 108 was not the first privacy law to be passed in Europe, as Germany’s Bundesdatenschutzgesetz or BDSG was passed 3 years earlier in 1978, the Convention nevertheless set the stage for many current data privacy laws that exist such as the EU’s General Data Protection Regulation. Had Convention 108 not taken the unified approach it did in 1981, many countries around Europe may have sought to develop their own personal privacy laws as opposed to adhering to a larger framework that oversees the privacy rights of many nations. Additionally, Convention 108 has been updated several times over the past few decades, including new provisions to align the treaty with the EU’s GDPR, as well as the inclusion of over 50 members states in various regions of the world. As such, Convention 108 was a landmark treaty in regards to not only privacy rights throughout Europe but also the entire world as well.