24 May 2018
The Council of Europe (‘CoE’) adopted, on 18 May 2018, the Protocol (CETS No. 223) to amend the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (‘Convention 108’) (‘the Protocol’), following a seven-year process, and issued an explanatory report (‘the Report’) on the same. The Protocol seeks to modernise Convention 108 in light of new information and communication technologies, as well as to strengthen its effective implementation.
The Report states, ‘[Convention 108] has served as the foundation for international data protection law in over 40 European countries. It has also influenced policy and legislation far beyond Europe’s shores. With new challenges to human rights and fundamental freedoms, notably to the right to private life, arising every day, it appeared clear that [it] should be modernised in order to better address emerging privacy challenges […] and, at the same time, to strengthen [its] evaluation and follow-up mechanism […] The general and technologically neutral nature of Convention 108’s provisions must be maintained; [its] coherence and compatibility with other legal frameworks must be preserved; and [its] open character, which gives it a unique potential as a universal standard, must be reaffirmed.’
The amendments introduced by the Protocol include the replacement of the term ‘automatic processing’ with ‘data processing,’ which encompasses automated and non-automated processing, and the introduction of the terms ‘recipient’ and ‘processor.’ Moreover, the conditions for the legitimacy of data processing and quality of data have been expanded to include the data subject’s consent or any other legitimate basis laid down by law, such as the fulfilment of a contract, the vital interest of the data subject or a legal obligation of the controller, and the scope of sensitive data has been extended to include genetic and biometric data. The Protocol also introduces a data breach notification requirement in cases where the fundamental rights and freedoms of the individual may be seriously affected.
The Report explains, ‘Where such a data breach has occurred, the controller is required to notify the relevant supervisory authorities of the incident, subject to the exception permitted under Article 11 paragraph 1. This is the minimum requirement. The controller should also notify the supervisory authorities of any measures taken and/or proposed to address the breach and its potential consequences.’
Moreover, the Protocol provides for a right to obtain knowledge of the reasoning behind the processing of data of an individual, which will be essential in terms of profiling. In addition, the Protocol establishes the right to object at any time to the processing of data unless the controller demonstrates compelling legitimate grounds for the processing which override those of the data subject. Furthermore, parties will no longer be able to exclude certain types of processing from Convention 108’s scope, as was previously the case, while facilitation of transborder data flows is established by two means: either by law, or by ad hoc or approved standardised safeguards. Finally, supervisory authorities will have a duty to take decisions and impose sanctions on data controllers and processors, as well as to promote public awareness of data protection matters.
The Protocol will be open for signature on 25 June 2018 in Strasbourg during the third part-session of the Parliamentary Assembly.
NIKOS PAPAGEORGIOU Junior Privacy Analyst