This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy



Data Protection Leader
Back to Contents

Volume: 15 Issue: 5
(May 2018)

Keywords:
data protection convention 108

Jurisdictions:
international

International: Council of Europe modernises Convention 108

The Council of Europe (‘CoE’) adopted, on 18 May 2018, the Protocol (CETS No. 223) to amend the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’) (‘the Protocol’), following a seven year process, and issued an explanatory report (‘the Report’) on the same. The Protocol seeks to modernise Convention 108 in light of new information and communication technologies, as well as strengthen its effective implementation.

The Report states, ‘[Convention 108] has served as the foundation for international data protection law in over 40 European countries. It has also influenced policy and legislation far beyond Europe’s shores. With new challenges to human rights and fundamental freedoms, notably to the right to private life, arising every day, it appeared clear that [it] should be modernised in order to better address emerging privacy challenges […] and, at the same time, to strengthen [its] evaluation and follow-up mechanism […] The general and technologically neutral nature of Convention 108’s provisions must be maintained; [its] coherence and compatibility with other legal frameworks must be preserved; and [its] open character, which gives it a unique potential as a universal standard, must be reaffirmed.’

The amendments introduced by the Protocol include the replacement of the term ‘automatic processing’ with ‘data processing,’ which encompasses automated and non-automated processing, and the introduction of the terms ‘recipient’ and ‘processor.’ Moreover, the conditions for the legitimacy of data processing and quality of data have been expanded to include the data subject’s consent or any other legitimate basis laid down by law, such as the fulfilment of a contract, the vital interest of the data subject or a legal obligation of the controller, as well as the scope of sensitive data to include genetic and biometric data. The Protocol also introduces a data breach notification requirement in cases where the fundamental rights and freedoms of the individual may be seriously affected.

The Report explains, ‘Where such a data breach has occurred, the controller is required to notify the relevant supervisory authorities of the incident, subject to the exception permitted under Article 11 paragraph 1. This is the minimum requirement. The controller should also notify the supervisory authorities of any measures taken and/or proposed to address the breach and its potential consequences.’

Moreover, the Protocol provides for a right to obtain knowledge of the reasoning behind the processing of data of an individual, and establishes the right to object to the processing of data unless the controller demonstrates compelling legitimate grounds for the processing which override those of the data subject’s. Furthermore, the facilitation of transborder data flows is established by two means: either by law, or by ad hoc or approved standardised safeguards. The Protocol will be open for signature on 25 June 2018 in Strasbourg during the third part-session of the Parliamentary Assembly.

Search Publication Archives



Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed