english francais deutsch

IRIS 2018-7:1/5

Committee of Ministers

Protocol amending Convention 108 on protection of personal data

print add to caddie Word File PDF File

Ronan Ó Fathaigh

Institute for Information Law (IViR), University of Amsterdam

On 18 May 2018, the Committee of Ministers of the Council of Europe adopted a Protocol amending the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”) (see IRIS 2012-2/6). The purpose of the Protocol is to modernise Convention 108 in order to better address emerging privacy challenges resulting from the increasing use of new information and communication technologies, the globalisation of processing operations and the ever-greater flows of personal data, and to strengthen the Convention’s evaluation and follow-up mechanism.

The Protocol includes amendments to nearly all the Articles in Convention 108; a number of substantial amendments should be briefly mentioned. Firstly, a new Article 10 is added to the Convention, which requires that personal data processing apply the “privacy by design” principle: data controllers and, where applicable, processors, must examine the likely impact of intended data processing on the rights and fundamental freedoms of data subjects prior to the commencement of such processing, and shall design the data processing in such a manner as to prevent or minimise the risk of interference with those rights and fundamental freedoms. Secondly, a new Article 8 (on the transparency of processing) is also added to the Convention; that Article provides that data controllers must inform data subjects of the legal basis and the purposes of the intended processing, together with any necessary additional information, in order to ensure the fair and transparent processing of the personal data in question. Thirdly, the old Article 8 of the Convention is now replaced by a new Article 9 -renamed the “Rights of the data subject” - which sets out a list of rights that individuals enjoy. These rights include (i) the right of an individual not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration; and (ii) the right of an individual to obtain, upon request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her.

Furthermore, in relation to the processing of special categories of data, the Protocol provides that the processing of the following types of data shall only be allowed where appropriate safeguards are enshrined in law (complementing those of the Convention): genetic data; personal data relating to offences, criminal proceedings and convictions, and related security measures; and biometric data uniquely identifying a person; personal data related to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life. Notably, under the Protocol, the Convention now specifies that each signatory state to the Convention shall ensure that data controllers notify without delay at least the relevant supervisory authority of data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects. Furthermore, the Protocol also seeks to strengthen the Conventions’ Consultative Committee (now named the “Convention Committee”), which will evaluate compliance with the Protocol on the part of parties to the Convention. Under the Protocol, each state party undertakes to allow the Convention Committee to evaluate the effectiveness of the measures it has taken under its law to give effect to the provisions of this Convention

Lastly, it should be noted that in a recent Communication, the European Commission stated that in the light of the updating of Council of Europe Convention 108, the Commission will actively promote the swift adoption of the modernised text of the Convention with a view to the EU becoming a party to it (see IRIS 2018-4/10).

The Protocol was opened for signature on 25 June 2018.

Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), CM(2018)2-final, 18 May 2018 EN
Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) Explanatory report, 18 May 2018 EN