10 Jun, 2020

Serbia signs and ratifies the so-called Convention 108+

Whenever you leave your home, buy something, apply for a job or pay bills these days – pretty much almost whatever you do –  your personal information is used, collected or processed.  In order to protect your right to private life regarding the automatic processing of your personal data, the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – ETS No. 108 (“Convention 108”).

(No) Need to Modernize the Convention

Convention 108 is the first binding international instrument protecting the individuals against abuses which may accompany collection and processing of personal data.  At the same time, Convention 108 seeks to regulate the transborder flow of personal data.  In addition to providing guarantees in relation to collection and processing of personal data, it outlaws processing of “sensitive” data regarding person’s race, political persuasion, health, religion, sexual life, criminal record, and similar, in the absence of proper legal safeguards. The Convention also stipulates an individual’s right to know that data related to them has been stored and, if necessary, that it can be corrected. Restrictions on the rights prescribed in Convention 108 are only possible when overriding interests (state security, defense, etc.) are at stake. Some restrictions are also imposed on transborder flows of personal data to states where legal regulation does not provide equivalent protection.

However, Here Comes the Convention 108+!

While the core principles contained in Convention 108 have endured the test of time, because of their technologically neutral approach, the Council of Europe considered it necessary to modernize its “landmark” instrument. The modernization of Convention 108 pursues two main objectives: dealing with challenges resulting from use of new information and communication technologies and strengthening effective implementation of the Convention. Thus, Convention 108 was updated in 2018 in order to adapt to new realities of an increasingly connected world. The Protocol amending Convention 108 – CETS No. 223 (“Protocol”) was opened for signatures on October 10, 2018 in Strasbourg.  Since then, it has been signed by 35 Council of Europe member states, and three countries have gone through with the ratification of the Protocol. Serbia, as a member of the Council of Europe has signed (on November 22, 2019) and ratified (on May 26, 2020) the Protocol making it the fourth member state to do so. Convention 108, along with the amendment by the Protocol, is now referred to as Convention 108+ (available here).

The aim of the Protocol was to modernize and improve Convention 108, taking into account new challenges in protection of individuals with regards to processing of personal data that have emerged since Convention 108 was adopted in 1980. The update of Convention 108, the only existing legally binding international treaty with global relevance in this field, addresses the challenges to privacy arising from the use of new information and communication technologies, and also strengthens Convention 108’s mechanism to ensure its effective implementation.  However, Convention 108 is still based on two objectives – free flow of data and respect for human dignity. Convention 108+, on the other hand, is crucial in the digital age and many more ratifications are expected to take place soon to enable rapid entry into force of this updated personal data protection instrument.

The Protocol provides a robust and flexible multilateral legal framework to facilitate the flow of data across borders while providing effective safeguards when personal data is used.  It is the bridge between different global regions and different normative frameworks, including the new EU legislation – General Data Protection Regulation (“GDPR”) and which refers to Convention in the context of transborder data flows.

The Main Principles

Some of the innovations in the Protocol are the requirements regarding proportionality and data minimization principles, and lawfulness of data processing. The Protocol requires that data processing must be proportionate, that is, appropriate in relation to the legitimate purpose pursued and having regard to the interests, rights and freedoms of the data subject or the public interest. This approach to data processing should not lead to a disproportionate interference with these interests, rights and freedoms. The principle of proportionality is to be respected at all stages of processing, including the initial stage, i.e. when deciding whether or not to even carry out the processing.

It needs to emphasized that application of data protection principles is subject to all processing activities, including processing for national security reasons, with possible exceptions and restrictions under the conditions prescribed by the Convention 108, and in any case with independent and effective review and supervision.

“Sensitive” Data

Pursuant to the Protocol, the scope of sensitive data has been widened.  Consequently, sensitive data now includes genetic and biometric data, trade union membership, and ethnic origin. These types of data are included because their processing, or processing of certain data that can reveal sensitive information, may lead to encroachments on personal interests, rights, and freedoms. Furthermore, processing should only be permitted where appropriate safeguards, which complement other protective provisions of the Convention 108, are provided for by the law.

Obligation to Declare Data Breaches

On one hand, security measures are aimed at reducing risks of breaches, while on the other, there are  particular obligations in cases when data breach has nevertheless occurred and may seriously interfere with the fundamental rights and freedoms of an individual. When such breach occurs, the controller is required to notify relevant supervisory authorities about the event.  The controller should also notify supervisory authorities of any measures taken or proposed, to address the breach and its potential consequences.  At this point, we need to emphasize that the Protocol prescribes stronger accountability of data controllers, as well as reinforced powers and independence of data protection authorities which should enhance the legal basis for international cooperation between state authorities.

Transborder Data Flows

One of the main aims of the Protocol is to provide greater transparency of data processing and therefore enable a clear regime of transborder data flows.

A transborder data transfer occurs when personal data is disclosed or made available to a recipient who is subject to the jurisdiction of another state or international organization. The purpose of the transborder flow regime is to ensure that personal data originally processed (collected or stored) within the jurisdiction of a Party, which is subsequently under the jurisdiction of a state which is not party to Convention 108, continues to be processed with appropriate safeguards. It is important that data processed within the jurisdiction of a party always remains protected by the relevant data protection principles of the Convention.

On top of all these benefits, Convention 108+ provides for new rights for all individuals in an algorithmic decision-making context, which are particularly relevant in connection with the development of artificial intelligence.

“Privacy by Design”

Another innovation in the Protocol is the requirement that the “Privacy by Design” principle is applied.  Another name for this principle which is being used in practice is “Data Protection by Design”, which might help understand this how this concept is applied.

“Privacy by Design” postulate was coined as a development method for privacy-friendly systems and services: it goes beyond mere technical solutions and addresses organizational procedures and business models as well.  With the full applicability of the GDPR in the EU as of 25 May 2018, data protection by design and by default became an enforceable legal obligation that all those who process personal data under the EU law must comply with.  Article 25 of the GDPR, titled “Data protection by design and by default”, means that the controller has to implement appropriate technical and organizational measures, both at the design phase of the processing and at its operation, to effectively integrate data protection safeguards to comply with the GDPR and protect the fundamental rights of the individuals whose data is processed.

Author: Nadja Kosić and Žarko Popović