The Modernization of Convention 108, Amended Privacy Rules
On October 20, 2018, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or Convention 108 for short, was overhauled to bring the protocol into line with the EU’s current data protection law, the General Data Protection Regulation or GDPR. Originally signed in 1981, Convention 108 was passed with the intention of protecting the data privacy rights of European citizens amidst the various atrocities that took place against individuals all over the continent over the course of World War II. As stated by Council of Europe Secretary General Thorbjørn Jagland, “The modernized convention will allow states to share a robust set of principles and rules to protect personal data, and will provide a unique forum for cooperation in this field at a global level”.
Why did Convention 108 need to be modernized?
One of the primary reasons that Convention 108 was in need of modernization efforts is the expansion of the Council of Europe in the last 40-plus years. While the council was originally created to protect the personal privacy rights of European citizens, the current Council of Europe contains various member states outside of the continent of Europe, including countries in Africa, Asia, South America, and Oceania. What’s more, a multitude of other countries around the world have also adopted the provisions and protocol outlined in the treaty, despite the fact that these countries are not official members of the Council of Europe.
Another primary reason for the modernization of Convention 108 is the drastic way in which personal privacy has changed in recent decades. As Convention 108 was originally signed in 1981, the treaty was focused on the ways in which the governments and militaries of countries had infringed upon the privacy rights of European citizens during World War II. However, with the rise of the internet and the ways in which online communication has changed in the last 40-plus years, what it means to protect an individual’s privacy has taken on a new meaning. While Convention 108 intended to protect the privacy of European citizens, this protection of privacy was largely in the context of handwritten paper documents.
What new provisions were added to the modernized Convention 108?
As is the case with amended privacy laws around the world, Convention 108 updates the language, definitions, and scope of the treaty to match what is currently going on in the world of personal data and information protection. To illustrate this point, the modernized Convention 108 does away with terms such as “controller of a file” and replaces them with more commonly used terms such as “data controller”. Furthermore, the updated Convention 108 also covers both automated and non-automated processing of personal data, while the term “sensitive data” now includes both genetic and biometric data.
The updated Convention 108 also contains provisions that govern “the legal basis for data processing, namely, consent of the data subject or legitimate interest”. Moreover, the updated Convention 108 also mandates that business entities and organizations that experience data breaches must notify both impacted data subjects and the appropriate authorities “without delay”. To this end, the modernized Convention 108 also introduced the following protocols:
- Stronger requirements regarding proportionality and data minimization principles, as well as lawfulness regarding data processing.
- Greater transparency in regards to data processing.
- Stronger accountability on the part of data controllers and processors.
- New rights for data subjects in terms of an algorithmic decision-making context, particularly in connection with artificial intelligence.
- A requirement that “privacy by design” principles are applied by all countries that have signed the treaty.
- Application of the data protection principles of Convention 108 to all data processing activities, including data processing that occurs for national security reasons, with certain restrictions and exceptions subject to conditions set forth by the Convention, including independent and effective review and supervision.
- A clear regime in relation to trans-border data flows.
- Reinforced powers and independence for data protection authorities, as well as an enhanced legal basis for the purposes of international cooperation.
- Provisions that are designed to ensure compatibility and consistency with other data protection legal frameworks around the world, particularly the EU’s General Data Protection Regulation or GDPR.
- Overall reaffirmation of Convention 108’s potential as a universal standard for data protection.
What are the rights of data subjects under the modernized Convention 108?
Just as the modernized Convention 108 establishes new requirements for data controllers and processors in regard to personal information, the amended treaty also includes new rights for data subjects as well. These rights include:
- The right of data subjects to request and access an electronic copy of their personal information.
- The right to obtain knowledge in relation to the underlying reason for which their personal information has been processed.
- The right to object or opt-out of data processing at any time, unless a data controller demonstrates “compelling legitimate grounds” for said data processing, which would override the rights of the associated data subject.
- The right not to be subject to a decision that would affect a data subject, in which said decision would be based solely on automated processing, without said data subject first having their views taken into consideration.
While many other privacy laws around the world mandate that individuals who violate the privacy of data subjects be subject to various penalties and punishments, “The rights laid down in the Convention are not absolute and may be limited when this is prescribed by law and constitutes a necessary measure in a democratic society on the basis of specified and limited grounds. Among those limited grounds are now included “essential objectives of public interest” as well as a reference to the right to freedom of expression”. As such, business entities, organizations, and individuals who violate the provisions of Convention 108 are not subject to any direct punishment, as the treaty does not have the same legal jurisdiction as a privacy law or statute.
However, the “Convention complements the catalog of the authorities’ powers with a provision that, in addition to their powers to intervene, investigate, engage in legal proceedings or bring to the attention of the judicial authorities violations of data protection provisions, the authorities also have a duty to raise awareness, provide information and educate all players involved (data subjects, controllers, processors, etc.). It also allows the authorities to take decisions and impose sanctions. Furthermore, it is recalled that the supervisory authorities should be independent in exercising these tasks and powers”. To this point, Convention 108 can serve as a reference point or means of supplementing the data privacy laws that are already in existence within the countries that have signed the treaty.
As the concept of personal privacy continues to evolve due to advancements in technology, laws, regulations, and treaties such as the modernized Convention 108 are very much needed in an ever-changing data protection environment. As trans-border transfers of information are happening more than ever before, it is equally important that countries around the world are able to find some sort of common ground for the purposes of transferring data in the safest and most efficient manner possible. For many countries both within and outside of Europe, the modernization of Convention 108 represents this common ground, as the treaty serves as a baseline standard for how countries should go about protecting the privacy rights of their citizens.