An overhauled Convention 108 was signed by 20 states — including the U.K. — on Oct. 10.
The Council of Europe treaty, more properly entitled the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, has been given an overhaul to bring it into line with the General Data Protection Regulation. Despite its name, the Council of Europe is not a European Union institution; rather, it is an international organization with 47 member states stretching far beyond the EU.
The updated protocol, colloquially referred to as Convention 108+, was signed by Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, Netherlands, Norway, Portugal, Spain, Sweden, the U.K., and by Uruguay, one of the six non-European states that have so far joined Convention 108. The other five non-European states are Cape Verde, Mauritius, Mexico, Senegal and Tunisia. Another three countries — Argentina, Burkina Faso and Morocco — have also been invited to accede to the treaty.
“The modernized convention will allow states to share a robust set of principles and rules to protect personal data, and will provide a unique forum for co-operation in this field at global level,” explained Council of Europe Secretary General Thorbjørn Jagland.
The EU as a body will also be a party to Convention 108+.
“It will reflect the same principles as those enshrined in the new EU data protection rules and thus contribute to the convergence towards a set of high data protection standards,” said the European Commission.
The European Commission sees the protocol as a way of encouraging "third countries" to adopt the basic tenets of the GDPR. This could be particularly interesting for the U.K., which will become a third country after Brexit.
Recital 105 of the GDPR states: “The Commission should take account of obligations arising from the third country’s participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country’s accession to the Council of Europe Convention 108 and its Additional Protocol should be taken into account.”
Pat Walshe, director of Privacy Matters, says this is important for any U.K. adequacy decision.
"If the Commission encourages accession to Convention 108, and Recital 105 recognizes Convention 108 re: adequacy, the U.K. is covered, because the Commission recognizes that 108 meets adequacy (equivalence), and it can’t go back on its word.”
He added, "The U.K.’s current Data Protection Act 2018 contains various provisions relating to Convention 108, including that the [Information Commissioner's Office] is the designated authority for Convention 108. It’s also important to note that national security falls outside the EU, and this is where Convention 108 fits in too."
Speaking at the International Conference of Data Protection and Privacy Commissioners, Bruno Gencarelli, head of the European Commission’s data protection unit in the Justice Department, said, “Convention 108 is not only a piece of paper, it is a living document and it provides for a standard setting process on a very wide range of issues. Even the EU’s data protection directive for law enforcement is inspired partly by Convention 108.”
A European Commission staffer not authorized to speak on the record said, "It's important in the context of Brexit because it’s the only international binding instrument and it is not only EU. It has elements of convergence and brings third countries much closer to the EU and therefore adequacy."
He added, “It has another important feature, which is also important in the context of Brexit: not only is Convention 108 the only international binding agreement, it covers all sectors including the security services. If post-Brexit we are to look at making an adequacy assessment of the U.K., the question of national intelligence will be a particularly important and sensitive issue, so the fact that they are bound by Convention 108 is advantageous. Being a member of the Council of Europe means they are also bound by the previous rulings of the Court of Human Rights, which has all the important judgements in relation to privacy.”
Signatories to the updated Convention can no longer make declarations exempting data processing for national security and defense purposes from the Convention's requirements. Processing activities for national security and defense must also be subject to independent and effective review and supervision.
“The big plus for the U.K. is that it has an independent regulator and rights of judicial and non-judicial remedy,” added Walshe. “On the key issue [of] U.K. surveillance, those laws are changing, so it shouldn’t be too much of an issue. So long as the U.K. doesn’t leave [the European Court of Human Rights]. In my opinion, the GDPR may work in the EU because of the political, legal and judicial structures. But for me, Convention 108+ is a good foundation on which to build a rights-based data protection framework for many countries."
The modernized convention does away with terms such as “controller of a file,” replacing them with “data controller.” The scope of application is extended to include both automated and non-automated processing of personal data, and the catalog of sensitive data has been extended to include genetic and biometric data.
So far, so GDPR.
Another new provision has been introduced to clearly lay down the legal basis for data processing, namely, consent of the data subject or legitimate interest. Data breaches must be notified to authorities “without delay,” and data subjects have the right not to be subject to a decision based solely on automated processing. All in line with GDPR.
However, the rights laid down in Convention 108 are not absolute and may be limited on specific, limited grounds. “Essential objectives of public interest” as well as the right to freedom of expression are two new grounds in the revamped protocol.
According to the Council of Europe, “In the absence of harmonised rules of protection shared by states belonging to a regional international organisation and governing data flows (see for instance the data protection framework of the European Union), data flows between parties to the Convention should operate freely.”
The U.K. is not in hot water yet, and all bets are off until Brexit is actually agreed upon. But with the U.K. a signatory of Convention 108+, cause for concern can be further abated.