This article originally appeared, in German, in the Beck publication Zeitschrift für Datenschutz.
The Council of Europe’s Committee of Ministers recently adopted "Amending Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" (ETS No. 108) after several years of negotiations. The Protocol, now open for signature, modernizes Convention 108 to deal with innovations that have occurred in the area of information and communication technology since its original adoption in 1981 and to strengthen the convention’s effective implementation.
Novelties in the modernized Convention 108
The modernized Convention 108 significantly updates the 1981 version. Among other things, the amending protocol includes the following novelties:
- New rights for data subjects in response to technologies such as profiling, automated data processing, algorithms, etc. Such new rights include the right not to be subject to a decision significantly affecting a data subject based solely on automated data processing without considering their view; the right to obtain knowledge of the reasoning underlying data processing where the results are applied to the data subject; and the right to object to data processing, among others.
- Revised data protection principles.
- Genetic and biometric data are now included as special categories of data.
- New obligations for controllers relating to transparency, accountability, privacy by design and by default, risk assessment, and data breach notification.
- Revised provisions around trans-border flows of personal data. Where applicable, these obligations would apply to data processors as well.
- Reinforced powers for supervisory authorities and enjoins them to cooperate for the performance of their duties.
- Establishes a monitoring mechanism to ensure the signatories respect the obligations imposed by the conventions.
One significant thing about the modernized convention is its compatibility with the EU General Data Protection Regulation, as both instruments tend to tackle similar data protection and privacy challenges posed by internet and communications technologies. Recital 105 of the GDPR, which indicates the European Commission will take into account a third country’s accession to Convention 108 in its adequacy findings, shows this compatibility. Convention 108 is still receiving new signatories with the latest being Mexico, marking the 53rd party. By including state parties across the globe, the convention is truly solidifying its nature as an international standard in the area of data protection.
If you want to comment on this post, you need to login.