On the 18th of May 2018, in Helsingør, the Council of Europe adopted an Amendment Protocol of Convention № 108 from 28.01.1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (“The Convention”).
About the Convention
As of now, the Convention is the only globally relevant international agreement in the field of data protection. It was created in response to the ongoing challenges to privacy rights stemming from the use of new information and communication technologies. With the complete revision of the Convention, the Council of Europe seeks to update it, expand its scope and strengthen the mechanisms it provides, in order to guarantee its effective application.
What are the novelties introduced in the Convention?
The changes to the Convention generally aim to facilitate the trans-border exchange of data while further developing the foundational mechanisms for protection of personal data laid down in the Convention, in accordance with the legislative changes at the European level. The Convention encompasses data processing in both the public and private sectors; hence, the changes seek to improve the level of personal data protection and its current scope. The discussions and the work on the amendment started back in 2012 and ran in parallel with the rest of the legislative changes to the personal data protection framework within the EU, including the famous General Data Protection Regulation (GDPR).
The Secretary General of the Council of Europe, Thorbjørn Jagland, points out that the modernization of the Convention reflects the frequent violations of data protection law, and that the main focus in its implementation will be preventing such violations in the future.
Numerous novelties in the Convention are in accordance with the solutions provided by the GDPR. Some of the main novelties include:
- The categories of sensitive data are expanded – in addition to the current personal data related to race, political views, religious or other beliefs, health conditions, ethnicity, crimes, criminal proceedings and sentences, genetic and biometric data, as well as trade union membership and data related to ethnicity, have now also been added to the category;
- Some of the data subject rights have been expanded, including:
– The right not to be subject to automated decision-making without having their viewpoint considered, when the decision has a significant impact on the subject;
– The right to be informed about the data processing;
– The right of the subject to be informed about the reasoning behind the data processing, particularly in cases where algorithms are used for automated decision-making and profiling;
– The right to object to the processing of personal data relating to the subject, except in cases where the legitimate interest of the controller prevails;
- Additional obligations for personal data controllers and processors have been introduced:
– The measures undertaken for data protection have to be connected with their obligation to be able to prove the lawfulness of the data processing (the so-called “accountability” principle);
– The principles of data protection shall be applied at all stages of processing, including the design stage (“privacy by design” and “privacy by default”);
– The suitable measures that have to be undertaken include: training of personnel; establishing suitable notification procedures (establishing data retention periods and specific deadlines for their deletion from the systems); establishing specific contract clauses for delegated processing; establishing internal procedures providing the possibility to review and to justify compliance, etc.;
– The powers of the Authority elected by the parties of the Convention have been strengthened in order to guarantee the application of the provisions of the Convention. According to the Explanatory Protocol to the Convention, the Authority can be either a sole body (a commissioner) or a collegiate body. Most importantly, the Authority has to possess effective regulatory powers and functions and to be independent;
– The parties of the Convention may introduce other specific authorities whose activity covers only a very restricted sector (according to the Explanatory Protocol, the electronic communications sector, the healthcare sector, the public sector and others);
– The Authority has to be empowered to initiate or participate in court proceedings related to all data protection violations. This is linked to the powers to conduct investigations and detect infringements;
– Obligatory notification of data protection breaches has also been introduced;
- The measures for proportional data processing and application of the principle of data minimization have been strengthened;
- Amendment of the current terminology – the term “automated data file” has been repealed and there is one new participant in the data processing, referred to by the term “receiver” (1), etc.;
- One of the most important additions to the Convention is the enhanced role of the Convention Committee, which has an advisory, but also an evaluation and supervisory capacity. It will determine whether and to what extent a Member State or an international organization has fulfilled the requirements set by the Convention. The Committee has the right to evaluate the compliance of the internal law of a Convention party and to determine the effectiveness of the undertaken measures.
It is important to note that all countries as well as international organizations, including the European Union, can accede to the Convention. This turns the Convention into a key tool for harmonizing various data protection legal regimes, by ensuring a high degree of protection at the international level.
The modernization of the Convention is a crucial step towards the promotion of global data protection standards. The renewed Convention seeks to stimulate the inclusion of as many countries as possible, aiming to encourage international business and its development, now on the basis of more secure and universally applicable rules regarding personal data and its efficient protection.
You can find more information on the official website of the Council of Europe here.
(1) Art. 3, “e” – “recipient” means a natural or legal person, public authority, service, agency or any other body to whom data are disclosed or made available; Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), URL.