Explanatory Memorandum to COM(2018)449 - Authorisation of Member States to sign the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data

Please note

This page contains a limited version of this dossier in the EU Monitor.



1. SUBJECT-MATTEROFTHEPROPOSAL

The present proposal concerns the decision authorising Member States to sign, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) (‘the amending Protocol'). The Commission simultaneously submitted a proposal for a Council decision authorising Member States to ratify, in the interest of the European Union, the amending Protocol.

2. CONTEXTOFTHEPROPOSAL

2.1. Background

The Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data ("Convention 108") is the only legally binding multilateral agreement in the field of personal data protection. The objective of the Convention is to protect the right to privacy, recognised in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. The rights to privacy and to data protection are also eshrined in Article 7 and 8 of the EU Charter of Fundamental Rights and Article 16 TFEU.

Convention 108 requires the Parties to incorporate into their respective national laws the necessary measures to ensure respect for the human right of all individuals with regard to the processing of personal data. It was one of the main sources of inspiration for the development of the EU acquis in the area of data protection. According to its recital 11, one of the objectives of Directive (EC) 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was precisely to "give substance to and amplify [the principles and the rights] contained in [Convention 108]".

At present, 51 States have ratified Convention 108, including all 28 EU Member States, the four EFTA States, all countries of the Western Balkans, several neighborhood countries (e.g. Armenia, Georgia), the Russian Federation, Turkey and several non-European countries in both Africa (e.g. Senegal, Tunisia) and Latin America (Uruguay). Several applications (e.g. Argentina, Mexico, Morocco) are pending and a number of countries have observer status (e.g. Japan, South Korea).

Convention 108 was opened for signature in 1981, long before the era of the internet and electronic communications. The development of technology and globalisation of information poses new challenges in the field of protection of personal information. The purpose of the amending Protocol is the modernisation of Convention 108, in order to provide solutions to these challenges.

2.2. The amending Protocol

The modernised Convention (i.e. Convention 108 modified by the amending Protocol) will have a uniform scope of application for all Parties to the Convention, without the possibility to fully exclude sectors or activities (e.g. in the area of national security) from its application, as is the case with the text of the current Convention 108. It would thus cover all types of data processing under the jurisdiction of the Parties, in both the public and private sectors.

The amending Protocol significantly increases the level of data protection afforded under Convention 108. Notably, the modernised Convention will further specify the principle of lawful processing (in particular with respect to the requirements for consent) and further strengthen the protection of special categories of data (while also expanding the categories to those recognised as special categories of personal data in Union law). Furthermore, the modernised Convention will provide for additional safeguards for individuals when their personal data are processed (in particular, obligations to examine the likely impact of an intended data processing operation and to implement relevant technical and organisational measures; obligation to report serious data breaches) and will also strengthen their rights (especially with regard to transparency and access to data). New rights of data subjects have also been introduced, such as the right not to be subject to a decision significantly affecting the data subject based solely on automated processing, the right to object to the processing and the right to have a remedy in case of violation of an individual's rights.

The modernised Convention will include revised provisions (currently included in an Additional Protocol signed only by some Parties) requiring the Parties to establish one or more independent authorities responsible for ensuring compliance with the provisions of Convention 108. The position of these authorities would be strengthened by requiring the Parties to grant them additional powers, e.g. the power to issue decisions with respect to violations of Convention 108 and to impose administrative sanctions.

The system of derogations to the abovementioned rights and obligations as formulated in the amending Protocol meets three essential conditions: preservation of the comprehensive scope of Convention 108 (no general carve-outs), flexibility (permitting to reconcile high data protection standards with other important public interests, for example national security considerations) and overall coherence with the case law of the European Court of Human Rights (in particular no restriction affecting the essence of the fundamental right to data protection).

Overall, the modernised Convention would ensure a high level of protection, while leaving a margin of lexibility to the Parties as regards the implementation of its provisions in domestic law. As such, it would make accession to the modernised Convention 108 attractive to those countries, also outside Europe, which are contemplating establishing or strengthening their data protection systems. Its practical impact can be expected to be much greater than the impact of the currently Convention 108, both in terms of its scope and the obligations stipulated therein.

The amending Protocol, once it enters into force, introduces the possibility for the Union to become a Party to the (modernised) Convention. As concerns the voting rights in the Convention Committee, the agreed text secures the principle that the Union may vote in its area of competence casting a number of votes for the Union equal to the number of its Member States which are Parties to the Convention. In order to address concerns regarding the weight of the Union vote, a compromise solution was agreed whereby decisions may only be taken with a 'hyper-majority' (four-fifths) of Parties and, for the most important decisions concerning compliance with the Convention by a Party, the requirement for a 'double majority' (qualified majority together with simple majority of non-EU Parties).

The modernised Convention would also strengthen the effectiveness of data protection by providing that the Convention Committee can assess the efficacy of the measures taken in national legislation to give effect to the provisions of the Convention.

The text of the amending Protocol was coordinated with the Member States representatives in the competent Council Working Group and implements the Negotiating Directives of the Council. It is also fully in line with both Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, 'GDPR') and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data (the data protection 'Police Directive'), thereby excluding that the Member States are subject to different, or even conflicting, obligations under Union and Council of Europe law. The adoption of a robust Convention, based on the same approach and principles as the (new) Union acquis, is of particular importance for the Union's international strategy in the area of data protection. Convention 108, which is also open to non-European States, has gained a lot of traction from countries around the world that are preparing or planning to adopt data protection legislation. In its Communication from January 2017 on 'Exchanging and Protecting Personal Data in a Globalised World' (COM/2017/07 final), the Commission referred to Convention 108, recognising that the modernised Convention would be based on the same principles as the EU data protection legislation and thus would "contribute to the convergence towards a set of high data protection standards" at global level. It therefore expressed a commitment to "promote the swift adoption" of the amending Protocol.

2.3. Existing Union law and policy in the area

The field governed by the amended Convention is now largely covered by the Union's data protection legislative framework. The GDPR, applicable since 25 May 2018, and the Police Directive, for which the transposition period ended on 6 May 2018, provide for a comprehensive system of rules in the field of data protection and ensure at least equivalent, and – in many cases – higher standard of protection. According to Article 13 of the modernised Convention, Parties may grant data subjects a 'wider measure of protection than that stipulated in this Convention', thus leaving them free to adopt stronger protections.

2.4. Reasons for the proposal

The amending Protocol will enter into force once all Parties have deposited their instruments of ratification, acceptance or approval with the Secretary General of the Council of Europe. Moreover, given the large number of Parties that need to ratify, the amending Protocol allows for 'partial entry' among a smaller group of Parties after five years once at least thirty-eight Parties have expressed their consent to be bound. The signing ceremony of the amending Protocol is envisaged to take place on 25 June 2018 in Strasbourg.

1.

The EU Member States (currently alone Parties to Convention 108) should take the necessary steps to ensure swift entry into force of the amending Protocol:


Firstly, given that the modernised Convention would contain largely similar safeguards as the GDPR and the Police Directive, (partial) entry into force will contribute to the promotion of Union data protection standards around the world. Indeed, Convention 108 has played a crucial role in spreading the 'European data protection model' globally as it is often used as a source of inspiration by countries which are considering adopting or modernising their privacy laws. This is even more important today given the growing number of countries enacting such legislation in many regions of the globe. Increasing the protection standards by

the Parties to the Convention would also facilitate data flows between the EU and the non-EU Parties to the Convention. For a number of countries, accession to Convention 108 has also proven to be a useful preparation for an eventual adequacy finding of the European Commission. The GDPR strengthens this aspect by expressly providing that accession to Convention 108 is an important factor to be taken into account by the European Commission in its adequacy assessment. Even without adequacy, a higher level of protection (especially as concerns availability of both judicial and non-judicial remedies, as well as effective oversight by supervisory authorities) would facilitate the exchange of data based on appropriate safeguards (notably because such safeguards might become easier to enforce in the legal systems of Parties).

Secondly, it is important to keep the modernised Convention in full compliance with the provisions of the GDPR and Police Directive, so as to enable EU Member States to remain Parties to the Convention and observe its provisions without breaching Union legislation. This concerns in particular the provisions on the free flow of data between the Parties, given that the modernised Convention (unlike the current text) contains an exemption from this rule for Parties "bound by harmonised rules of protection shared by States belonging to a regional international organisation". This will ensure compliance by EU Member States despite the conditions regarding international transfers stipulated under the Union data protection legislation.

Thirdly, the current Convention 108 does not provide for the possibility of accession by international organisations. The amending Protocol changes this and hence its entry into force is a condition for the future accession to the Convention by the EU.

3. LEGALBASIS

The proposed Council Decision is based on Article 218(5) TFEU, in conjunction with Article 16 TFEU.