The Data Protection Convention that We All Need

Once upon a time, in a faraway land (Europe), some countries decided that it would be worth setting in stone (in an international treaty) the protection of persons when information on them were being used (automatically processed by computer).

The Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention 108”) was open for signature on 28 January 1981 in order to better protect people through the development and implementation of national data protection laws based on the basic principles and guidelines of the Convention.

To date it is still the only international legally binding instrument in the field, and is open for accession to any country across the globe. It currently includes 50 countries and not all of them are European ones—Uruguay, Mauritius and Senegal have already acceded to it. Morocco, Tunisia and Cape Verde have been invited to join and will hopefully be the next Parties, meanwhile Burkina-Faso has recently expressed its interest to accede.

How is Convention 108 relevant to us in Asia?

Convention 108 is the oldest—and still the sole— binding multilateral instrument on data protection, which is open to the Asian countries’ ratifications. There is no other equivalent.

Convention 108 has several implications for the Asian stakeholders.

Firstly, the core understanding of privacy as a human right in the Convention can be of inspiration for Asian data privacy legislation.  Privacy is no longer mere etiquette and social norms in the Asian culture.  As we see Asian privacy legislations, reforms and drafts across Asia, privacy becomes a human right and a part of a legal protection based on the common principles enshrined in the Convention.

Secondly, the Council of Europe offers leadership in approaching to timely and complex issues with a series of recommendations and reports on data protection, which can be understood in a global context and are as relevant to Asia as they are to Europe and to the rest of the world.  Most recently the Committee of the Convention (adopted Guidelines on Big Data)  issued an opinion on the processing of Passenger Name Records. The Organisation’s decision-making body (the Committee of Ministers) adopted several recommendations which specifically address the issue of privacy in a particular context or environment, for instance, the recommendation on Network Neutrality and the recommendation on personal data in the context of employment. In Japan, some scholars have referred to the recommendation on profiling in a big data context. 

Thirdly, and most practically, Convention 108 is a clear international benchmark for an appropriate level of data protection.  The European Commission (based in Brussels in Belgium, and belonging to the European Union which is a different entity than the Council of Europe), in its January 10 2017 Communication on Exchanging and Protecting Personal Data in a Globalised World, underlines that accession to Convention 108 and its additional Protocol is to be taken into account for the adequacy assessment. Since Korea and Japan expressed interest in the EU adequacy scheme, the “international commitment” that represents accession to the Convention should not be neglected.

Modernising the Convention 

In light of the latest developments in the field of privacy, this Convention has a great role to play in providing answers to the challenges which are faced globally. Not only will it continue to provide a uniform basis of common principles but it will also bring closer the competent authorities of each of the countries which have acceded to it, offering them a cooperation and exchange platform.

This is what is at the core of the current modernisation of Convention 108: reinforcing the applicable legal frameworks, making sure that our data protection principles are fit for new situations (right to know the logic of fully automated decisions, applying purpose specification in a big data context, data minimisation, etc.), contributing to the balanced approach of the various fundamental rights and seizing the potential of technological opportunities to enable a better protection of each of us (privacy enhancing technologies, privacy by design, etc.). The ultimate objective is to secure trust in the relationship in our on-line and off-line lives. 

How do we do to join or contribute to this work?

50 countries have already joined the Convention, and more are on their way. Any country with legislation that complies with the principles of the Convention is welcome to join.

Why not your country? If you are defending human rights, as an academic, civil servant, politician, activist, private lawyer or in any other capacity, make your competent/relevant? authorities aware of the Convention and importance of joining! If you focus on private sector interests, put forward the convergence of the principles of Convention 108 with the legal framework of the EU as an incentive to develop closer ties with the EU framework.

If Japan and Sri Lanka have already become Parties to another global Convention of the Council of Europe (the Convention on cybercrime), and the Philippines have been invited to accede to it, why would they not illustrate their commitment to providing strong safeguards for the respect of human rights when fighting such crimes, by also acceding to Convention 108 (or adopting the necessary legal system to this end as a first step)?

The first and most simple way to start participating in the work of the Committee of the Convention is to be granted ‘observer’ status. Korea and Indonesia have already formalised the necessary steps and are participating in the work and benefiting from the forum of exchange and cooperation that the Committee offers.    

It can also be beneficial for each Asian country to use and translate the recent developments carried out in Europe.  The “Handbook on European data protection law” gives a comprehensive knowledge of the European data protection legislation, including the case-law in the field of the highest European courts. 

28 January is Data Protection Day.  It is no longer a European day only. For years, it has been celebrated in Asia too, as Data Privacy Day.  In Japan for instance, the event is celebrated with the Privacy Mark forum (JIPDEC). 

Every year on this day, Asia, Europe and other regions of the world are all together with a common goal, on the same privacy bridge, celebrating the protection of persons when personal data is processed. This year’s edition of data protection day gave us the perfect occasion to stand on the longest and oldest bridge in the field: Convention 108.

This feature is part of a Digital Asia Hub Data Protection Day specialFor permission to republish or for interviews with the authors please contact Dev Lewis.

Sophie Kwasny

Sophie Kwasny

Head of Data Protection Unit at Council of Europe
Sophie Kwasny is the Head of the Data Protection Unit of the Council of Europe and is responsible for standard-setting (notably the current modernisation exercise of Convention 108) and policy on data protection and privacy, including with regard to new technologies and the Internet.
Sophie Kwasny

Latest posts by Sophie Kwasny (see all)

Hiroshi Miyashita

Hiroshi Miyashita

Associate Professor of Law at Chuo University
Hiroshi Miyashita is Associate Professor of Law, Chuo University.He served on the Cabinet Office of Japan for promoting international relations in data protection and the writer of the chapter on Convention 108 of the Japanese government report on the international law reform on the protection of personal information.
Hiroshi Miyashita

Latest posts by Hiroshi Miyashita (see all)