Council of Europe modernises Convention 108



The Council of Europe adopted, on 18 May, an Amending Protocol which updates its data protection convention, known as “Convention 108”.

The modernisation brings the Convention into line with the EU Data Protection Regulation (GDPR) and now requires organisations to notify data breaches, strengthens the accountability of data controllers and the transparency of data processing, and introduces the Privacy by Design principle, as well as additional safeguards for the processing of personal data in the context of algorithmic decision-making.

Furthermore, the protocol strengthens the role of the convention committee, which will evaluate compliance by parties to the convention, and opens the treaty for accession by the European Union and other international organisations.

The GDPR recognises the importance of the Convention. The accession and implementation of a country outside the European Economic Area to Convention 108 will be an important factor when the European Commission and EU Council of Ministers assess whether this country offers an adequate level of protection for data transfers.

Convention 108 is the sole international treaty to address the right of individuals to the protection of their personal data, and is open for any country to sign and ratify. Current parties to the Convention are the 47 member states of the Council of Europe and Mauritius, Senegal, Tunisia, and Uruguay, while Argentina, Burkina Faso, Cap Verde, Mexico and Morocco have been invited to accede to the treaty. Many other countries have used it as a model for new data protection legislation.

See the explanatory report of the Amending Protocol.

The modernised Council of Europe Convention 108 will be an important reference point in the EU adequacy sessions at Privacy Laws & Business 31st Annual International Conference, Navigating GDPR: The art of the possible, 2-4 July 2018, Cambridge.