Robert Madge
May 26, 2018


Charlie, Convention 108 is of course the father of European data protection legislation and many of the provisions of the GDPR are directly derived from the 1981 Convention.

For others reading my comments here, I should give a bit of background. Convention 108 was created by the Council of Europe — which, confusingly, is an organisation that is independent from the European Union. The Council of Europe is open to all European countries (that includes Russia and several ex-Soviet states) and nearly all eligible countries are members, including every EU country.

Convention 108 was signed in 1981 and is binding on all the signatories — that is, all the 47 members of the Council of Europe plus Mauritius, Senegal, Tunisia and Uruguay. Since then, laws on data protection in the EU and in other countries have moved on — and now we have the GDPR. Naturally the new laws are stricter on data protection than the original Convention. A ‘modernisation’ of the Convention has just been agreed (18th May 2018), and the new Protocol is due to be signed in June. The update to the Convention moves it significantly towards the GDPR, but it remains a ‘sub-set’ — as is only natural, since this has to be the base level accepted by all the signatories.

The original convention envisages that personal data could move freely between the Parties, because they had all signed up to a sufficient level of data protection. However, in practice, the EU has only accepted that a small number of countries have provided a sufficiently-equivalent (‘adequate’) level of data protection that can enable transfers of personal data without additional safeguards. The new version of the Convention, if fully implemented by the signatories, should make it much more likely that the countries will receive a positive adequacy ruling from the EU.
