Introduction

On March 2019 Italy signed the Protocol amending the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data.

As reported by the Italian Data Protection Authority (Garante per la protezione dei dati personali) “the adoption of the Protocol marks the conclusion of the modernization process of Convention 108, currently the only binding international instrument on data protection”.

Background

Convention 108 (hereinafter “the Convention”), signed in Strasbourg on 28th January 1981, is the first and the most important conventional instrument on data protection until today. The Guidelines on data protection of OECD (updated in 2013, here the link of the original text and the updated one) has anticipated the Convention 108 and has been an important guideline, but without being legally binding .

Convention 108 has been ratified by 54 Countries all over the world (here you can find the complete list of countries) and has been revised once in order to allow the European Union (hereinafter “EU”) to join. The EU ratified the Convention in 1999.

Italy signed Convention 108 on 2 of February in 1983 and it came into force on July 1997 (here the source Council of Europe website).

It is worth noting that Convention 108 is open both to European States and non-member states of the Council of Europe, thus enabling the creation of a common legal framework on data protection. Countries such as Mexico, Uruguay and Tunisia have signed the Convention 108.

On January 2011, the Advisory Committee, established pursuant to Art. 18 of the Convention, started the revision of the Convention, considering it a necessity to better face the challenges deriving from the use of the new information and communication technologies. The final version of the amending Protocol was approved on 18th May 2018 by the Committee of Ministers of the Council of Europe. The modernised version of the Convention 108 has been called “Convention 108+”.

At the time of the publication of this article, the amending Protocol has been signed by 26 States.

Main aspects

Convention 108+ maintains the original spirit and the objective pursued by the original Convention 108 and reinforces its principles in a more affirmative tone. The reinforcement is evident from Article 1, which now defines the protection of individuals’ personal data as an integral part of fundamental human rights by mentioning that “the purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.

The main innovations of the Convention 108+ concern, among others, the need for specific legal basis of the processing provided for by law, starting from the consent of the data subject (Art. 5. 2), the extension of the special categories of personal data to genetic data, biometric data and personal data that may reveal information relating to ethnic origin, or trade-union membership, (Art. 6.1), the implementation of the obligation of data breach notifications (Art. 7. 2), the introduction of transparency on the information provided to data subjects (Art. 8), the creation of further data subject rights (Art. 9), the implementation of the evaluation (Art. 10.2) comparable to Data Protection Impact Assessment, as per Art. 35 of the GDPR, and the transfer of personal data to countries that are non-signatory parties of Convention 108+.

It is important to underline that the common purpose and the fact that all the principles of the Convention 108+ are reproduced, extended and detailed by the Regulation EU 2016/ 679 (“GDPR”) proves that there is a common direction shared by a lot of EU and non-EU countries, towards a more consistent and uniform legislation on data protection.

For example, with reference to the transfer of personal data to non-signatory parties of Convention 108+, according to Art. 14, the transfer is considered legal only if the recipient country guarantees an adequate level of protection to the standards established by Convention 108+. It is difficult not to notice that the GDPR establishes a similar principle in Art. 45, providing adequate decisions in order to evaluate if the protection level offered by a country is adequate (as already provided by the Art. 25, c.6 of the Directive 95/46/CE).

Furthermore, Recital 105 of the GDPR indicates the joining to the Convention 108 as a fundamental element of the evaluation of third countries with reference to adequacy decisions under Art. 45 of the GDPR, which allow the transfer to third countries that receive such decision (the last country that received this kind of decision is Japan, even if it is not a signatory party of the Convention 108).

Practical implications

On the one hand, given the nature of Convention 108+, it does not have immediate practical consequences on the daily operation of companies. Furthermore, the provisions of Convention 108+ are mainly contained in the GDPR, and comply with the accountability principle as well as with other principles contained therein may be deemed also as being in compliance with the Convention 108+.

On the other hand, considering the medium and long-term effects of Convention 108+, it would be advantageous if this modernised version of Convention 108 received a similarly a broad consensus as the previous version. It is reasonable to assume that the greater the number of States signing and ratifying Convention 108+, also including countries that are not included in the territorial scope of the GDPR, the nearer the objective of a standardised protection of personal data of individuals as a fundamental right will be.

Moreover, from a practical point of view, as seen above the accession to Convention 108+ facilitates the obtaining of an adequacy decision by non-EEA countries, thus allowing the transfer of personal data to that country and fostering their trade. If the data protection legislation was uniform in many countries, it is without a doubt that all the data-driven economy but also the entire world economy would benefit greatly.

For those wishing for further information on the topic, the European Data Protection Commission of the Council of Europe has published a table which compares the appropriate changes made to Convention 108 by the amending Protocol; plus, a summarised version of the relative news and changes have also been summarised in this document of the Council of Europe.

We also recommend to read this leaflet of the Council of Europe, that explains in details the single articles of the Convention 108+, and the website of the Convention 108, where you can find further information and explanatory documents.