Protecting personal data worldwide: Convention 108+

Almost one year after the General Data Protection Regulation (GDPR) entered into force in the European Union (EU), the question often arises of what other countries around the world could do to protect their citizens' personal data. Although there are countries that have data protection laws in place, many still do not, or have laws that are only partially adequate.


The need for global data protection


Given the existing (and increasing) data flows, having different degrees of data protection in different regions is a threat to those countries and regions that are advanced in their legislation (such as the EU, Uruguay, Argentina, and Japan). Harmonisation is also key to ensuring that enforcement is equally strong everywhere, and that companies have no possibility to engage in “forum shopping”.


Currently, the global standard for data protection could be the updated Convention 108 (“Convention 108+”). This Convention, even though it was developed by the Council of Europe, can be signed and ratified by any country around the world. The modernised Convention 108 brings a number of improvements to the previous text:

- Any individual is covered by its protection, regardless of their nationality, as long as they are within the jurisdiction of one of the parties that have ratified the Convention.
- Definitions are updated, and the scope of application includes both automated and non-automated processing of personal data.
- The catalogue of sensitive data has been extended to include genetic and biometric data as well as trade-union membership or ethnic origin.
- There are now requirements to notify any security breaches without undue delay.
- Data subjects are granted new rights, namely the right not to be subject to a decision that affects them and is based solely on automated processing.


How to get there


While working to improve data protection at national or regional levels, an additional effort should be made to ensure that signing and ratifying Convention 108+ is part of any agenda. On 9 April 2019, the European Council adopted a decision that authorises EU Member States to ratify Convention 108+. This should be done without undue delay. At the same time, the possibilities that Convention 108+ offers for a global data protection campaign will be discussed with activists from around the world during the RightsCon 2019 conference.


Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data – Consolidated text
http://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf

The modernised Convention 108: novelties in a nutshell
http://rm.coe.int/modernised-conv-overview-of-the-novelties/16808accf8

Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
https://rm.coe.int/cets-223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a

(Contribution by Diego Naranjo, EDRi)
