1. Introduction
1. At its 1291st meeting on 5
July 2017, the Committee of Ministers invited the Parliamentary
Assembly to submit as soon as possible an opinion on the draft Protocol
amending the Convention for the Protection of Individuals with regard
to Automatic Processing of Personal Data (ETS No. 108, hereafter
“Convention 108”) and its explanatory report.
On 5 September 2017, the Committee
on Legal Affairs and Human Rights appointed me as rapporteur. The
committee invited the Vice-Chair of the Consultative Committee of Convention
108, Mr Jean-Philippe Walter, to an exchange of views at the committee’s
meeting on 9 October 2017. I wish to thank Mr Walter, who outlined
for the committee the challenges inherent in the revision of Convention
108 and the points on which, after years of negotiation at all stages
of the modernisation exercise (work within the Consultative Committee
of the Convention, then in the Ad hoc Committee on Data Protection, and
then in the Committee of Ministers’ Rapporteur Group on Legal Co-operation)
there was still no unanimity in the Committee of Ministers (while
at the same time highlighting the progress made on a number of these points).
2. Convention 108 – a key Council of Europe convention
2. Convention 108, opened for
signature in Strasbourg on 28 January 1981, was the first and is
still today the only binding international legal instrument in the
field of data protection.
3. Convention 108 is open to all countries in the world and currently
has 51 States Parties, namely the 47 Council of Europe member States
plus Uruguay, Mauritius, Senegal and Tunisia (by order of accession, Tunisia
becoming a Party on 1 November 2017). Argentina, Burkina Faso, Cape
Verde and Morocco have also been invited to accede and Mexico has
recently submitted an accession request.
4. At his exchange of views with our committee, Mr Walter pointed
out that Convention 108 and its additional protocol were the only
“legally binding instruments in the world in the field of the protection
of personal data and because of their open nature had a universal
scope.” He emphasised the need for the revision process in order
to respond to developments in information and communication technologies
and strengthen the right to data protection.
5. In its Resolution 1732 (2010) on reinforcing the effectiveness of Council of Europe
treaty law, the Assembly laid broad emphasis on the fact that “if
Council of Europe treaty law is to retain its relevance and value,
its conventions must reflect the realities of present-day society”.
6. In its Recommendation 2102 (2017) on technological convergence, artificial intelligence
and human rights, the Assembly more specifically called on the Committee
of Ministers to finalise without further delay the modernisation
of Convention 108 “in order to have new provisions making it possible
to put rapidly in place more appropriate protection”. As pointed
out by our committee’s rapporteur, Boriss Cilevičs, in his opinion
on the report on this subject drafted by the Committee on Culture,
Science, Education and Media: “Obviously there have been tremendous
evolutions since 1981 in the field of new information and communication
technologies, especially when it comes to the automatic processing
of data. These evolutions bring new challenges for privacy. … Modernisation
has therefore become necessary in order for Convention No. 108 to
reflect new realities and to continue to provide adequate protection
in the light of evolving and emerging technologies.”
In its reply to Recommendation 2102 (2017), the Committee of Ministers “took
note of the Assembly’s invitation” asking it to finalise the modernisation
of Convention 108, specifying that it was “well aware of the urgency”.
3. Purpose of the revision and the main areas of modernisation
7. The modernisation process was
launched in September 2009 by the Consultative Committee of Convention
108. The work on revising Convention 108 subsequently formally began
with the opening of a public consultation in 2011, coinciding with
the 30th anniversary of its opening for signature. On 30 November 2012,
the Consultative Committee of Convention 108 unanimously adopted
a draft modernisation text. The Committee of Ministers then instructed
the competent intergovernmental committee (the Ad hoc Committee
on Data Protection – CAHDATA) to finalise the draft. In June 2016,
the CAHDATA approved a draft amending protocol (differing very little
from the draft drawn up by the Consultative Committee in 2012).
Although it would have been desirable for the Committee of Ministers
to complete its revision work at the end of 2016, which ideally
would have made possible the entry into force of the modernised
convention in 2018, the discussions are still ongoing to this day.
8. Modernisation of Convention 108 pursues two main goals: to
provide a response to the challenges associated with the development
of the new information and communication technologies and to enhance
the implementation in practice of the Convention.
9. The draft protocol amending Convention 108 seeks primarily
to introduce a number of changes to the Convention in order to:
1) address the challenges to privacy resulting from the use of information
and telecommunication technologies; 2) strengthen the right to data
protection as a fundamental right that is essential for the exercise
of other rights and fundamental freedoms when processing personal
data; 3) reconcile the right to the protection of personal data
with the exercise of other rights and fundamental freedoms (especially
freedom of expression); 4) enhance the Convention’s monitoring mechanisms; 5) maintain
the general and technologically neutral nature of the Convention’s
provisions; 6) preserve the Convention’s consistency and compatibility
with other applicable legal frameworks, particularly that of the European
Union; and 7) preserve, reassert, strengthen and promote the universal
scope and open character of Convention 108.
10. The aims of the revision include ensuring the consistency
of the Convention with European Union law. In point of fact, while
Convention 108 is the reference text for many national and international
texts, beginning with Directive 95/46/EC and the General Data Protection Regulation (GDPR)
due to replace it with effect from 25 May 2018, it is necessary
to update Convention 108 to ensure that it is consistent and compatible
with the European Union legal framework. By its very nature, the
revised Convention 108 will remain “relatively general and abstract”
and will not achieve the level of detail of the European regulation.
But, as Mr Walter explained to us, together with its explanatory
memorandum, it will cover “explicitly and implicitly all the principles
and rules set out in European Union law, while at the same time
allowing Parties some margin for manoeuvre”. Mr Walter describes
it as a “link between the legal framework of the European Union
and other existing legal frameworks”.
11. The effect of the main innovations introduced into Convention
108 by the amending protocol would be to:
- focus more effectively on the objective of the Convention,
namely to protect all natural persons, whatever their nationality
or wherever they live, with regard to the processing of their data
in order to ensure respect for their other rights and fundamental
freedoms, in particular their right to privacy (Article 1 Convention
108 revised);
- extend the scope to all automated and non-automated processing
of personal data which are subject to the jurisdiction of a Party.
The scope continues to cover the processing of personal data in
both the private and public sector, and this is one of the strengths
of Convention 108 (Articles 2 and 3 Convention 108 revised);
- ensure that Convention 108 no longer applies to the processing
of personal data by a natural person for purely personal or household
activities (to avoid the imposition of unreasonable obligations
in the private sphere having no commercial or professional purpose)
(Article 3 Convention 108 revised);
- eliminate the possibility for States Parties to make declarations
that they will not apply the Convention to certain categories of
personal data processing (Article 3 Convention 108);
- clarify or update certain definitions (such as the concept
of “processor”) (Article 2 Convention 108 revised);
- strengthen the effectiveness of data protection by providing
that the Convention Committee can assess the efficacy of the measures
taken in national legislation to give effect to the provisions of
the Convention (which is not of direct application) (Article 4 Convention
108 revised);
- clarify the application of the principle of proportionality (Article
5 Convention 108 revised);
- stipulate that data may not be processed unless the data
subject has given his or her free, specific, informed and unambiguous
consent, or on some other legitimate basis laid down by law (Article
5 Convention 108 revised);
- supplement the list of sensitive data by adding genetic
data, biometric data uniquely identifying a person, and data relating
to trade union membership (Article 6 Convention 108 revised);
- introduce the obligation to report (at least to the data
protection supervisory authorities) serious data breaches, i.e.
breaches which may seriously interfere with the rights and fundamental
freedoms of data subjects (Article 7 Convention 108 revised);
- introduce the obligation to ensure the transparency of
data processing (identity, residence or place of establishment of
the data controller, the purposes of the processing, the recipients
of the data, the period for which the data will be stored, and the
means of exercising the rights of data subjects) (Article 7 bis Convention
108 revised);
- strengthen the rights of data subjects to enable them
to have greater control over their data and guarantee respect for
the right to human dignity and non-discrimination (by means of right
of access to more extensive information and a right to know the
reasons underlying the processing of data where the results thereof
are applied to them) (Article 8 Convention 108 revised);
- place additional obligations on those who process data
or order data to be processed, in particular by requiring them to
be able to demonstrate that their activities comply with the provisions
in force and to incorporate data protection considerations from
the design stage and by default, and by carrying out impact studies
(Article 8 bis Convention 108 revised);
- enable transborder flows of data between Parties to the
Convention and tighten the regulations governing data transfer to
non-Parties to the Convention in order to ensure the appropriate
protection of individuals with regard to the processing of personal
data (Article 12 Convention 108 revised);
- supplement the list of the powers of the authorities (powers
of intervention, investigation, initiation of legal proceedings
or to bring to the attention of the competent judicial authorities
violations of the applicable provisions, together with a duty of
awareness-raising, information and education vis-à-vis the relevant
players) (Article 12 bis Convention 108 revised);
- strengthen the role and powers of the Consultative Committee
of the Convention which, above and beyond its hitherto merely consultative
role, will assume an evaluation and follow-up role. In addition,
it will be renamed the “Convention Committee” (Articles 18 to 20
Convention 108 revised).
12. With regard to the right to be forgotten in the online environment,
it was felt that the existing guarantees (period of data storage,
the right of rectification and erasure of data) as well as the right
to object and the right to an effective remedy offered enough protection
and were sufficient even online to guarantee the right to be forgotten
and therefore it was not necessary to introduce such a right into
the Convention.
13. In contrast, as the rights of data subjects are not absolute,
Article 9 of the draft Protocol provides, in the same way as the
current Convention 108, for the possibility of restrictions where
such is provided for in law and constitutes a necessary measure
in a democratic society to safeguard legitimate interests.
14. As stated above, the Consultative Committee of the Convention
shall become the Convention Committee. As such, it will be able
to:
- formulate opinions prior
to the accession of a Party to the Convention, on the level of data
protection of the candidate for accession;
- carry out an evaluation of the conformity with the Convention
of the internal legislation of a Party;
- verify the effectiveness of the measures taken to implement
the provisions of the Convention;
- assess whether the legal rules governing data transfer
offer sufficient guarantees for the appropriate protection of data;
- draw up models of standardised legal measures;
- facilitate the friendly settlement of difficulties arising
in the application of the Convention.
15. The mechanism to verify the conformity of the Parties’ internal
legislation with the provisions of the Charter, provided for in
the amending protocol, will therefore enhance the effectiveness
of data protection.
4. Points on which there is no unanimous agreement
16. Unusually, the draft amending
protocol provided to us by the Committee of Ministers is incomplete.
The Committee of Ministers has not finalised its work and a number
of points remain outstanding. There is still no consensus within
the Committee of Ministers on these issues after more than a year
of negotiations in the Rapporteur Group on Legal Co-operation.
17. Four points are still under negotiation. These points were
mentioned by Mr Walter. They are questions relating to the system
of exceptions (Article 9.3 of the revised Convention), transborder
flows (Article 12.1), voting rights within the Convention Committee
– in particular the voting rights of the European Union (Article 20)
and the arrangements for the entry into force of the protocol.
18. With regard to Article 9.3 relating to derogations from certain
provisions of the Convention, it should be noted that the draft
submitted by the CAHDATA to the Committee of Ministers extends significantly,
compared with the current text of the Convention, the possibilities
for resorting to such derogations. Extending still further the number
of exceptions would weaken data protection. The Committee of Ministers
should therefore agree not to extend the range of exceptions beyond
what has been proposed by the CAHDATA.
19. Article 12.1, which relates to the principle of the free movement
of data between Parties assuming an equivalent level of data protection,
provides for an exception to this principle where a Party to the
Convention is governed by harmonised, binding rules of protection
which are common to States belonging to an international regional
organisation; this refers to the system of the European Union. In
compliance with the adequacy mechanism provided for in EU law, the
Parties to the Convention which are EU member States cannot freely
exchange data with other Parties which are not EU members. This
provision, which had no equivalent in Convention 108 previously,
has been criticised, with certain States taking the view that this obstacle
to the free movement of data between Parties to the Convention would
make the revised Convention less attractive to States which were
not members of the European Union. Nonetheless, this provision reflects the
situation since the entry into force of Directive 95/46/EC (which
already provided for the possibility of transfers of personal data
to third countries offering a level of protection in compliance
with the adequacy mechanism).
It is therefore
crucial for the attractiveness of the Convention that the European
Union place the Convention at the forefront of its relationships
and negotiations with third countries, especially as the Convention
applies to both the private and the public sector. Ideally, the
European Union should undertake, by means of a declaration of intent,
to make accession to Convention 108 (and even more so to the revised Convention)
a key factor in recognition of adequacy.
Consideration by the European
Union, as a favourable factor, of accession to the Convention by
a State applying for an adequacy decision provided for by the GDPR (General
Data Protection Regulation) is a step in this direction which should be welcomed
and which should be accompanied by efforts to promote the Convention.
20. With regard to Article 20, which lays down the voting arrangements
in the Convention Committee, the CAHDATA had not been tasked with
addressing this issue and the draft amending protocol submitted
to the Committee of Ministers in June 2016 therefore contained no
proposal in this respect. It had been considered that the voting
issue went beyond the specific framework of data protection and
that it was a political and strategic matter for the Organisation
as a whole and for the European Union’s participation in the work
of the Council of Europe. As Mr Walter explained to the committee,
there were two views: some would like the principle of “one Party,
one vote” to be maintained, while others wanted the European Union
to vote on behalf of its member States, if necessary with a mechanism
preserving decision-making balance, essentially using “super majorities”
(i.e. qualified majorities with a high threshold) and a rule that
if a Party is in the process of being evaluated, it should abstain.
21. Last but not least of the issues on which no consensus has
been reached, are the provisions governing the entry into force
of the amending protocol. The draft prepared by the CAHDATA provides
for a “tacit” entry into force two years following the opening for
signature of the amending protocol, unless a Party gives notice of
an objection to its entry into force. Although such a clause has
already been used for other Council of Europe conventions – admittedly
those of a more technical nature (for example, very recently for
the Protocol amending the European Landscape Convention, CETS No. 219, 2016),
some governments were not in favour
as this failed to comply with the sovereign power of parliaments
regarding the ratification of international treaties. As a member
of parliament, I tend to agree with this point of view. However,
we must bear in mind the extremely cumbersome nature of the conventional
adoption procedure to have, in the case of an amending protocol,
it ratified by all States Parties to Convention 108, a total of
51 countries. Ten years could pass by without the amending protocol
entering into force. We all remember the almost four-year delay
involved in the entry into force of Protocol No. 14 to the European
Convention on Human Rights because a single State Party had not
ratified it. Stipulating ratification by all States Parties to the
European Convention on Human Rights (CETS No. 194) proved to be
such a major obstacle that the Committee of Ministers then decided
to draft Protocol No. 14 bis, designed as an additional protocol,
the ratification of which by all States Parties was not indispensable.
If, despite
everything, the Committee of Ministers managed to reach an agreement
on the text of the amending protocol with a conventional ratification
clause, it should at least include a procedure providing for an
assessment of the ratification process after a given period, for
example 15 months. If by that time there was no immediate likelihood
of ratification by all Parties, the Committee of Ministers should
go down another route.
5. The possible need to move towards a new convention
22. Although, in order to ensure
that Convention 108 did not become obsolete, work on the amending protocol
began more than seven years ago, the negotiations have lasted so
long that the rapid entry into force of the revised Convention has
now become a necessity. If the entry into force of the revised version
of Convention 108 were to take several years, the Council of Europe
would lose its recognised role as lead player and point of reference
in the data protection field.
23. Consequently, and given the nature and duration of the disagreement
within the Committee of Ministers, it would perhaps be more judicious
at this stage to take note of the disagreement and therefore consider another
path.
24. If it proves impossible to agree on a clause for the entry
into force of the amending protocol enabling this to take place
as soon as possible, then revision of the Convention would become
meaningless. The “tacit entry into force” clause is somewhat problematic
– and justifiably so – bearing in mind parliaments’ powers regarding the
ratification of international treaties.
25. In these circumstances, the drafting of a new convention,
the text of which would simply be that of the revised Convention
as drawn up by the CAHDATA, to which I believe would have to be
added the proposals relating to voting rights put forward in the
meantime (the other outstanding issues – the system of exceptions and
transborder flows – are close to being resolved), could be an alternative
solution.
26. Admittedly, the drafting of a new convention would result
in a two-speed system, with States Parties to Convention 108 and
others Parties to the revised Convention. For a number of years
at least, or perhaps a number of decades, if a particular State
remained unresponsive to the updated provisions, two Council of Europe
conventions on the same subject would be in force in parallel. Certain
structural complications would be inevitable (such as the fact that
there would be two convention committees dealing with the same issues). But
it would avoid a situation in which an amending protocol requiring
the ratification of 51 States Parties did not enter into force for
a period which could last for decades.
27. Faced with the choice between a single system comprising an
obsolete Convention 108, and an amending protocol which was admittedly
up-to-date but which was inoperative (as it was unlikely to enter
into force in the near future) and a two-speed system with the old
Convention 108 in force and a new, updated, convention which could
rapidly enter into force following a limited number of ratifications,
it seems to me that the adoption of a new convention is the most
reasonable solution. This would enable the Council of Europe to maintain
its position as lead player and reference point in the field of
the protection of personal data.
6. Conclusions
28. In conclusion, the Committee
of Ministers has submitted to us a quasi-complete and balanced draft amending
protocol which needs to be finalised as a matter of urgency. The
draft text has been carefully drawn up by the Consultative Committee
of Convention 108 and then by the CAHDATA, under the supervision
of the Committee of Ministers, and full explanations have been given
for the additions. The protocol should doubtless help modernise
Convention 108 in order to provide a lasting response to emerging
challenges in the field of data protection. I am therefore not proposing
any amendment to the text and believe that all the provisions submitted
to us for opinion should be welcomed.
29. Clearly, the real difficulty resides in the points for which
a consensus has not yet been reached and above all in the arrangements
for the entry into force of the amending protocol.
30. Given the urgency of reaching agreement, it would appear sensible
to consider transforming the draft protocol amending Convention
108 into a new convention. In this way, the major obstacles linked
to the arrangements for implementing the amending protocol would
be avoided. A conventional entry into force clause providing for
the entry into force of the new convention after, for example, five
ratifications, including at least three Council of Europe member
States, or six and four respectively would no
doubt make it possible for the new treaty to enter into force rapidly,
particularly as there is every chance that the European Union would be
keen to see this new instrument enter into force promptly. The text
is already there and the modernisation proposals which have been
“carefully drafted”, in the words of the Committee of Ministers
in its reply to Assembly Recommendation 2102 (2017), could be taken as they
stand in the form of a new convention.
This, in all probability, would be the most rational and the most
effective solution at this stage of the discussions.