Although the European Convention on Human Rights (ECHR) does not recognize a right to data protection, the Counsel of Europe (CoE) is the most influential international organization on data protection law. Convention 108 is to this day the only international legally binding agreement on data protection law. It closely aligns with European Data protection law. The CoE has issued several non-binding but very influential resolutions on data protection law. Convention 108 was recently updated to align with GDPR
Although the right to data protection is a relatively newcomer it has already found significant recognition under international law. The most influential international instrument on data protection law is the Convention for the protection of individuals with regard to automatic processing of personal data (“Convention 108"). Convention 108 is a legally binding instrument which was opened for signature on January 28 of 1981 by the Council of Europe (an international organization to which all EU countries belong).
Convention 108 is the seed from which the right to data protection sprouted and it is the reason why Europeans celebrate Data Protection Day annually on January 28th. It was, and still remains, the only legally binding international instrument in the data protection field. It applies to all data processing carried out by both the private and public sectors, including data processing by the judiciary and law enforcement authorities. It seeks to both protect individuals and to regulate the trans-border flows of personal data. Convention 108:
- outlaws, in the absence of proper legal safeguards, the processing of ‘sensitive’ data — such as on a person’s race, politics, health, religion, sexual life or criminal record;
- enshrines the individual’s rights that align with EU data protection law, including the right to know that information is stored and the right to have it corrected;
- permits restrictions on the rights laid down in the convention only when overriding interests, such as state security or defense, are at stake; and
- provides for the free flow of personal data between its Contracting Parties but allows for restrictions on flows to states where legal regulation does not provide adequate protection.
Today, Convention 108 is open for accession by non-Contracting Parties of the CoE. All EU Member States ratified Convention 108 and, as of April 2018, 51 countries are parties including all member states of the CoE (47 countries); Uruguay (the first non-European country to accede in August 2013); Mauritius, Senegal and Tunisia (which acceded in 2016 and 2017).
The CoE started a process of modernization of Convention 108 to align it with GDPR and the new update Convention is currently open for signature.
Convention 108 is binding for states that have ratified it but it is not subject to the judicial supervision of the European Court of Human Rights.
Origins of Convention 108
Council of Europe Resolutions (73) 22 and (74) 29
The Council of Europe (CoE) was formed in the aftermath of the Second World War to bring together the states of Europe to promote the rule of law, democracy, human rights and social development. The CoE adopted the European Convention of Human Rights (ECHR) in 1950, which entered into force in 1953. Contracting Parties to the ECHR have an international obligation to comply with the ECHR, which is enforced through the European Court of Human Rights (ECtHR). The ECHR guarantees the right to respect for private and family life, home and correspondence (Article 8) but not a right to data protection.
With the emergence of information technology in the 1960s, there was a growing need for more detailed rules to safeguard individuals by protecting their personal data. In 1968, the Parliamentary Assembly of the CoE addressed Recommendation 509 to the Committee of Ministers asking it to examine whether the European Human Rights Convention and the domestic law of the member States offered adequate protection to the right of personal privacy vis-à-vis modern science and technology. A study carried out on instruction of the Committee of Ministers in response to that recommendation showed that, at the time, the national legislation gave insufficient protection to individual privacy and other rights and interests of individuals with regard to automated data banks.
On the basis of these findings, the Committee of Ministers adopted in 1973 and 1974 two landmark resolutions on data protection. Despite the fact that these resolutions are not binding, they laid out the principles of data processing and are the foundation of modern EU data protection law.
- Resolution (73) 22 on the protection of the privacy of individuals vis-à-vis electronic data banks in the private sector: The first resolution, (Resolution (73) 22) established principles of data protection for the private sector
- Resolution (74) 29 on the protection of the privacy of individuals vis-àvis electronic data banks in the public sector: The second resolution (Resolution (74) 29) did the same for the public sector.
The resolutions listed a number of ground rules to be observed when personal information is stored in electronic data banks (i.e. data protection principles). Although it was left to the discretion of the member States by what means they would give effect to these rules, it should be noted that practically all those States decided to do so by legislation.
Data protection law at the national level
Within five years after the passing of the second resolution, general data protection laws were enacted in seven member States
- Federal Republic of Germany,
- Norway and
In many other member States (notably Belgium, Iceland, the Netherlands, Spain and Switzerland) legislation on data protection was in an advanced state of preparation by 1981.
The general characteristics of the legislation were in conformity with the principles set out in the Committee of Ministers’ Resolutions (73) 22 and (74) 29. All national data protection laws, as well as the proposals for legislation which were already public, contained similar rules on the substantive law relating to processing of personal data, i.e. on the quality of the data and on the way in which they may be used.
While the procedural rules differed from one country to another there was a large measure of agreement on the objectives to be satisfied. All national laws recognized:
- the principle of publicity, i.e. that the existence of automated data files should be publicly known; and
- the principle of control, i.e. that public supervisory authorities as well as the individuals directly concerned by the information can require that the rights and interests of those individuals are respected by the data users.
Already in 1981 it was clear that in most of these countries the data protection law had, or was bound to have, a wide scope and apply to data processing in the public sector as well as the private sector:
- Filing systems: In some countries, moreover, not only automated files but also certain categories of manual files fell within its area of application.
- Legal persons: In all countries the legislation covered data relating to natural persons, but in some it also covered data concerning legal persons.
- Derogations: Where, for reasons of public interest, certain restrictions or exceptions from the general rules are necessary, these are generally spelled out by the law itself
Constitutional data protection law
At least three member States (Portugal, Spain and Austria) incorporated data protection as a fundamental right in the Constitution before Convention 108 was adopted. Specifically:
- Article 35 of the 1976 Constitution of Portugal;
- Article 18 of the 1978 Constitution of Spain;
- Article 1 of the 1978 Austrian Data Protection Act.
Taking into consideration this tendency, the Parliamentary Assembly of the CoE, recommended the Committee of Ministers in its Recommendation 890 (1980) to study the possibility of including in the ECHR a provision on the protection of personal data. However, the right to data protection of personal data was never incorporated in the ECHR.
Data protection law and international trans-border flows
In the late 70s, the question of to what extent national data protection laws afforded adequate protection to individuals when data concerning them flow across borders arose. Computers, in combination with telecommunications, were already opening new prospects for data processing on an international scale. They helped overcome several types of barrier to communication between nations: distance, time, language and cost. Distributed processing enabled users to disperse an information system or data base over several countries. Networks helped users to have access to or link information systems in distant countries. In several sectors (for example banking, travel, credit cards, etc.) such trans-border data processing applications were already commonplace.
In principle, the same fundamental rules should apply regardless of where the data processing operations took place and data subjects should have the same safeguards. In practice, however, protection of persons grew weaker when the geographic area was widened and data users could seek to avoid data protection controls by moving their operations, in whole or in part, to “data havens”, i.e. countries which have less strict data protection laws, or none at all. In order to counter those risks some countries had built into their domestic law special controls, for example in the form of a license for export. However, such controls interfered with the free international flow of information, which is a principle of fundamental importance for individuals as well as nations.
As a consequence, CoE set out to create a formula to make sure that data protection at the international level was a reality.
The need for an international convention
Even between States which had relatively similar systems of data protection law, problems arose both with regard to the law itself and with regard to its practical application. When automatic processing of personal data involved parties in different countries (for example, a data bank in one country linked to terminals in other countries) it was not always easy to determine which State had jurisdiction and which national law applied.
Furthermore, persons resident in one country encountered difficulties when exercising their rights with regard to automated data files in other countries. Such problems could only be satisfactorily solved through international co-operation.
More generally, having regard to the rapid evolution of information handling techniques and the development of international data traffic,it was desirable to create mechanisms at the international level to enable States to keep each other informed and to consult each other on matters of data protection.
Terms of reference for the Convention
In 1972, when a committee of experts was preparing the resolutions on data protection (see above), it emphasized that the next step after enactment of national legislation based on these resolutions should be the reinforcement of these national rules by means of a binding international agreement.A similar suggestion was made by the 7th Conference of European Ministers of Justice (Basle, 1972) in its Resolution №3.
The committee considered two models for such an agreement:
- Reciprocity: The first model was based on reciprocity. One country would not allow in its territory data processing operations relating to persons resident in another country if such operations would be illegal under the laws of that country. This model was based on the assumption that each country would apply its own data protection standards.
- Data protection principles: The second model was to be based on the recognition of a number of data protection principles that would be common to all parties to the treaty.
Apart from the practical implications which the reciprocity model entailed, the model was contrary to the idea that all persons should enjoy basically the same rights. The committee therefore expressed its preference for a second model based on data protection principles common to all Parties.
In 1976, the Committee of Ministers instructed the Committee of Experts on Data Processing, placed under the aegis of the European Committee for Legal Co-operation (CDCJ) “…to prepare a convention for the protection of privacy in relation to data processing abroad and transfrontier data processing” (Activity №21.20.1 of the Programme of Intergovernmental Activities)
From November 1976 to May 1979, the Committee of Experts on Data Protection held four meetings, first under the chairmanship of Mr L. Joinet (France), and subsequently under that of Mr R. A. Harrington (United Kingdom).
A working party composed of the experts from Austria, Belgium, France, Federal Republic of Germany, Italy, Netherlands, Spain, Sweden, Switzerland and the United Kingdom, met several times between the plenary committee meetings, to work out the general philosophy as well as the details for the draft convention.
In April 1980 another committee of experts, chaired by Mr J. Voyame (Switzerland), revised and finalized the text. This was approved by the CDCJ at its 33rd meeting and adopted by the Committee of Ministers, which decided to open it for signature on 28 January 1981.
Goals of Convention 108
The CoE started the process for the adoption of a Convention on data protection law in the late 70s. The Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), drawn up within the CoE by a committee of governmental experts under the authority of the European Committee on Legal Co-operation (CDCJ), was opened for signature by the member States of the Council of Europe on 28 January 1981 in Strasbourg, on the occasion of the third part of the 32nd Session of the Consultative Assembly. An explanatory report was prepared by the committee of experts and submitted to the Committee of Ministers of the CoE which does not constitute an instrument providing an authoritative interpretation of the text of the Convention, but intends to facilitate the understanding of the provisions contained therein.
The object of Convention 108 was to strengthen data protection (i.e. the legal protection of individuals with regard to automatic processing of personal information relating to them). There was a perceived need for such legal rules in view of the increasing use made of computers for administrative purposes.
- Compared with manual files, automated files have a vastly superior storage capability and offer possibilities for a much wider variety of transactions, which they can perform at high speed.
- Further growth of automatic data processing in the administrative field was expected in the coming years inter alia as a result of the lowering of data processing costs, the availability of “intelligent” data processing devices and the establishment of new telecommunication facilities for data transmission.
“Information power” brings with it a corresponding social responsibility of the data users in the private and public sector. In modern society, many decisions affecting individuals are based on information stored in computerized data files: payroll, social security records, medical files, etc. It is essential that those responsible for these files should make sure that the undeniable advantages they can obtain from automatic data processing do not at the same time lead to a weakening of the position of the persons on whom data are stored. For this reason, the drafters of Convention 108 considered that actors with “information power’ should:
- maintain the good quality of the information in their care,
- refrain from storing information which is not necessary for the given purpose,
- guard against unauthorized disclosure or misuse of the information, and
- protect the data, hardware and software against physical hazards.
Although the drafters of Convention 108 admitted that the established legal systems of the member States was not entirely devoid of rules which can help to accomplish these aims (e.g. laws on privacy, tort, secrecy or confidentiality of sensitive information, etc.) they found, there was a lack of general rules on the storage and use of personal information and in particular, on the question of how individuals can be enabled to exercise control over information relating to themselves which is collected and used by others.
Chief characteristics of Convention 108
The convention consists of three main parts:
- substantive law provisions in the form of basic principles;
- special rules on trans-border data flows;
- mechanisms for mutual assistance and consultation between the Parties.
The convention’s point of departure is that certain rights of the individual may have to be protected vis-à-vis the free flow of information regardless of frontiers, the latter principle being enshrined in international and European instruments on human rights (see Article 10, European Human Rights Convention; Article 19, International Covenant on Civil and Political Rights).
Where the convention imposed certain restrictions or conditions on the exercise of freedom of information, it intends to do so only to the extent strictly justified for the protection of other individual rights and freedoms, in particular the right to respect for individual privacy (see Article 8, European Human Rights Convention).
It did not seem advisable at the time, however, to rely solely on the European Human Rights Convention because it was a “closed” instrument, which did not permit the participation of non-European and non member States at the time.
The central part of the convention is Chapter II, in which are laid down basic principles for data protection. Each Party should take the necessary steps to give effect to this “common core” in its domestic legislation. The point of departure for these provisions is the principles laid down earlier in the Committee of Ministers’ Resolutions (73) 22 and (74) 29. These principles being completed, where appropriate, in the light of subsequent legislative developments in the member States.
It should be noted that the convention gives clear and precise indications on the purpose to be achieved by each principle, but leaves to each Party, the manner of implementing it in its domestic law.
The “common core” principles guarantee to data subjects in all countries where the convention is in force a certain minimum protection with regard to automatic data processing of personal data. By undertaking to apply these principles the Parties tend mutually to renounce restrictions to trans-border data flows and thus they avoid that the principle of free flow of information would be jeopardized by any form of protectionism.
Moreover, the intention was that the “common core” should result in a harmonization of the laws of the Contracting States and hence decrease the possibility of conflicts of law or jurisdiction.
Chapter III (concerning trans-border data flows) aimed at reconciling the simultaneous and sometimes competing requirements of free flow of information and data protection, the main rule being that trans-border data flows between Contracting States should not be subject to any special controls. This provision should be seen in close conjunction with Chapter II which ensured that the processing of personal data was subject in all countries concerned to the same fundamental rules (“common core”).
Chapters IV and V provide mechanisms for co-operation between the Contracting States, both in individual cases (Chapter IV, mutual co-operation between authorities and assistance to data subjects abroad) and with regard to the convention as a whole (Chapter V). The formula used permitted restricting the contents of the convention to the basic principles and relying on co-operation between States, in the framework of a consultative committee, for the implementation and harmonization of these principles in their domestic law.
The committee of experts also gave attention to the question whether the convention should lay down rules with regard to problems of applicable law. These problems may arise when data processing operations are carried out on the territory of two or more States (contracting or non-contracting) or when parties concerned by data processing, particularly the data subjects and the data users, reside in different countries. The committee decided that it was premature to include in the convention specific rules on this subject. The presence of a “common core” of substantive law (Chapter II), parts of which harmonize procedure, will help to reduce the risk of conflict of laws or legal lacunae. The committee agreed, however, that the problem of applicable law should be kept under review and that at a later stage provisions relating to it should, if necessary, be laid down in a protocol to the convention.
Because all EU countries are part to Convention 108 regulators at the Council of Europe and EU level have always taken the utmost care to ensure consistency and compatibility between the two legal frameworks. The data processing principles laid down in Convention 108 are aligned with the principles under the Directive and GDPR. They concern fair and lawful collection and automatic processing of data, for specified legitimate purposes, the quality of the data, in particular that they must be adequate, relevant and not excessive (proportionality), as well as accurate.
Cooperation between CoE and other international organizations during the drafting of Convention 108
Cooperation with the Organization for Economic Co-operation and Development (OECD)
The committee responsible for the formulation of Convention 108 was instructed to collaborate with the Organization for Economic Co-operation and Development (OECD), as well as the non-European member countries of that organization, having regard to the activities which OECD was carrying out in the field of information, computer and communications policy.
Close liaison was maintained between the two organizations both at the Secretariat level and at the level of the Council of Europe’s committee of experts and the corresponding OECD committee, the Data Bank Panel, which was succeeded in 1978 by an expert group on trans-border data barriers. The latter group was instructed by the OECD Council to develop privacy protection guidelines, to facilitate harmonization of national legislation of the OECD member countries, without this precluding at a later date the establishment of an international convention.
OECD, as well as four of its non-European member countries (Australia, Canada, Japan and the United States) were represented by an observer on the Council of Europe’s committee. Observers from Finland, the Hague Conference on Private International Law and the European Communities also took part in the work.
The Commission of the European Communities
The Commission of the European Communities, which carried out studies concerning harmonization of national legislation within the Community in relation to trans-border data flows and possible distortions of competition, as well as problems of data security, kept in close touch with the Council of Europe. The Commission decided to await the outcome of the work on Convention 108 before deciding on its own action in the field of data protection.
The European Parliament
The European Parliament also expressed a deep interest in data protection. At its May 1979 session it adopted a resolution on the protection of the rights of the individual in the face of technical developments in data processing which it forwarded to the Committee of Ministers of the Council of Europe.
Data protection and CoE post Convention 108
Non binding CoE recommendations:
The CoE’s Committee of Ministers has adopted several non-legally binding recommendations in furtherance of Convention 108. These recommendations have influenced the development of data protection law in Europe. For example, for years the only instrument in Europe providing guidance on the use of personal data in the police sector was CoE Committee of Ministers Recommendation on the use of personal data in the police sector (Rec (87)15) but the principles contained in it were further developed and reflected in Directive 95/46/EC and GDPR. More recent recommendations seek to address the challenges of the digital age — for instance, in relation to data processing in the context of employment.
Modernization of Convention 108:
To deal with challenges resulting from the use of new information and communication technologies and to strengthen the Convention’s effective implementation, the CoE started in In 2011 a process to update the Convention. A public consultation was carried out in 2011 and was completed with the adoption of a protocol amending Convention 108 (Protocol CETS №223). The work was carried out in parallel with the reforms to international data protection instruments, and alongside the reform of EU data protection rules launched in 2012 that culminated in the adoption of GDPR.
The modernization reinforces the Convention potential use as a universal instrument on data protection law. It reaffirms the data protection principles, provides for new rights aligned with the new rights under GDPR and increases the responsibilities of entities that process personal data.
- Resolution (73) 22 on the protection of the privacy of individuals vis-à-vis electronic data banks in the private sector, and
- Resolution (74) 29 on the protection of the privacy of individuals vis-àvis electronic data banks in the public sector.
- Explanatory Report to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
- Convention for the protection of individuals with regard to automatic processing of personal data