Whether we are aware of it or not, our personal data is used, collected, and processed virtually every moment of our lives. Personal data, ranging from your name to your IP address or location data, includes any data that can be linked to you and convey information about your characteristics, habits, and more. It goes without saying that such information must be adequately protected, an endeavour in which both the EU and the Council of Europe share a universal standard-setting commitment.
On 20 September 2020, the Committee of Ministers adopted a declaration on the occasion of Convention 108’s 40th anniversary. It underlined the Convention’s potential to become an “international and widely shared standard with a global remit on privacy and data protection in the digital age”.
The Council of Europe has long been recognised as a standard setter in this field. Most notably in this respect is Convention 108 on Data Protection. Forty years after its creation in 1981, 55 states, from the EU and other parts of Europe to Africa, South and Central America, are now parties to the Convention, and there are observers from all parts of the world. All 27 EU member states have ratified it.
In 2016, the EU adopted a regulation on data protection, thus creating the General Data Protection Regulation (GDPR), one of the world’s most far reaching and comprehensive data protection laws to date. It has two main objectives:
In doing so, the GDPR has modernised data protection rules, including the institutional framework for oversight and has reduced red tape for companies. It has also further developed and broadened the instruments for data transfers. It has brought about tangible impacts on the everyday lives of citizens, and dramatically increased their awareness of the rights from which they benefit. For instance, as a result of the GDPR, companies have to provide customers upfront with essential information as to how they will use their data, and with whom they intend to share it with. Individuals also have the right to ask for the erasure of their personal data in certain cases, including any links to, copies or replications of such data by others (the so-called “right to be forgotten”). The GDPR was established with the ambition of creating a comprehensive, pan-European framework for data protection on the continent. At the time, Sophie Kwasny, Head of the Data Protection Unit at the Council of Europe, recognised the Regulation as “a new global digital gold standard”. In many ways this was to pave the way for a new era of rights cooperation between the EU and the Council of Europe.
Moreover, Convention 108 has stood the test of time when it comes to digital modernisation. In 2018, drawing on the work of the GDPR, the Council of Europe drafted a modernised text known as Convention 108+. Convention 108+ will address challenges to privacy resulting from the use of new information and communication technologies. The scope of its application ranges from criminal law enforcement to national security. It will in turn strengthen obligations of controllers and the rights of individuals alike, including by incorporating “modern” data protection rights; making the creation of an independent supervisory authority mandatory for State parties; and creating a network of these authorities, with special rules on enforcement cooperation. The Council of Europe ensured the Convention’s consistency and compatibility with other data protection legal frameworks, including the EU’s GDPR. We welcome this commitment as it strengthens our common approach to data protection standards. Ahead of the anniversary celebrations this week, Ms Marija Pejčinović Burić, Secretary General of the Council of Europe, has called for more ratifications of Convention 108+. Considering The European Commission participated actively in negotiations for the modernised Convention, it should come as no surprise that the EU intends to ratify Convention 108+ should it receive such an invitation from the Convention Committee. It is expected that this could come about in late 2023 following its expected entry into force.
The Council Conclusions on EU priorities for cooperation with the Council of Europe 2020-2022 prioritise data protection in two keys ways:
To find out more about this timely issue, do not miss the special online event organised by the German Presidency of the Committee of Ministers today. Participants will explore the challenges of international data transfer from the perspective of Convention 108+ and GDPR. Guest speakers include Ms Marija Pejčinović Burić, Secretary General of the Council of Europe, Mr Thomas von Danwitz, Judge at the Court of Justice of the European Union, as well as Mr Tim Eicke QC, Judge at the European Court of Human Rights. You can find the full programme of the event here.