Protecting personal data world wide: Convention 108+
Almost one year after the General Data Protection Regulation (GDPR)
entered into force in the European Union (EU), the question often arises
about what could other countries around the world do to protect their
citizens' personal data. Although there are countries that have data
protection laws in place, many still do not, or have laws that are only
The need for a global data protection
Given the existing (and increasing) data flows, having different degrees
of data protection in different regions is a threat to those countries
and regions that are advanced in their legislations (such as EU,
Uruguay, Argentina, and Japan). Harmonisation is also key to ensuring
that enforcement is equally strong everywhere, and companies have no
possibility to engage in “forum shopping”.
Currently, the global standard for data protection could be the updated
Convention 108 (“Convention 108+”). This Convention, even though it was
developed by the Council of Europe, can be signed and ratified by any
country around the world. The modernised Convention 108 brings a number
of improvements to the previous text:
- Any individual is covered by its protection, independently of their
nationality, as long as they are within the jurisdiction of one of the
parties who have ratified the Convention.
- Definitions are updated, and the scope of application includes both
automated and non-automated processing of personal data.
- The catalogue of sensitive data has been extended to include genetic
and biometric data as well as trade-union membership or ethnic origin.
- There are now requirements to notify without undue delay any security
- Data subjects are granted new rights, namely the right not to be
subject to a decision which affects the data subject which is based
solely on an automated processing.
How to get there
While working to improve data protection at national or regional levels,
an additional effort should be made to be sure that signing and
ratifying Convention 108+ is part of any agenda. On 9 April 2019, the
European Council adopted a decision that authorises EU Member States to
ratify Convention 108+. This should be done without undue delay. At the
same time, the possibilities the Convention 108+ offers for a global
data protection campaign will be discussed with activists from around
the world during the RightsCon 2019 conference.
Modernised Convention for the Protection of Individuals with Regard to
the Processing of Personal Data – Consolidated text
The modernised Convention 108: novelties in a nutshell
Explanatory Report to the Protocol amending the Convention for the
Protection of Individuals with regard to Automatic Processing of
(Contribution by Diego Naranjo, EDRi)