Council of Europe Privacy Convention

Council of Europe Privacy Convention

Top News


The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), drawn up within the Council of Europe by a committee of governmental experts under the authority of the European Committee on Legal Co-operation (CDCJ), was opened for signature by the Member States of the Council of Europe on 28 January 1981 in Strasbourg. The Convention is the first and only binding international legal instrument protecting data privacy. COE 108 is open to any country, including countries which are not Members of the Council of Europe.

In 2018, the Convention was updated to address emerging privacy challenges posed by new information and communication technologies, and to strengthening enforcement of the Convention. The update is known as the Modernized Convention 108, or Convention 108+.

Convention 108 (1981)

The object of the Convention is to strengthen data protection – the legal protection of individuals with regard to automatic processing of personal information. The 1981 Convention reflected the need for new legal rules in the face of increasing reliance on digital data due to higher storage capacity, lower costs of processing, and the skyrocketing growth in data transactions. Many national legal systems lacked comprehensive data protection general rules on the collection, storage, and use of personal information. Therefore, Council of Europe sought greater unity in the protection of “the individual against abuses which may accompany the collection and processing of personal data” and to manage the “transfrontier flow of personal data.”

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data was opened for signature in Strasbourg, France on January 28, 1981. Since 2006, 28 January has been celebrated annually around the world as Privacy Day. The COE 108 has been signed and ratified by all 47 members of the Council of Europe, and ratified by seven non COE countries.

As the explanatory memorandum states, the convention has three parts (1) substantive law provisions in the form of basic principles; (2) special rules on transborder data flows; (3) mechanisms for mutual assistance and consultation between the Parties.

The Convention requires requires parties to pass into domestic law the data protection principles sed out in the Convention. These include:

  • Data quality. Data must be: obtained and processed fairly and lawfully, stored for specific legitimate purposes and not used for incompatible purposes, be adequate relevant and not excessive in relation to purpose, accurate and up to date, preserved in identifiable form for no longer than required.
  • Ban on processing of special categories of data on a person’s race, politics, health, religion, sexual life, criminal record, in the absence of proper legal safeguards.
  • Data security.
  • Individual rights to access, correction, and erasure if rights are violated.
  • The Convention also encourages the free flow of data, preventing parties from requiring special authorization to other parties except for narrow circumstances. Finally, the Convention sets up a system of cooperation in implementing the system, and establishes a Consultative Committee to oversee and implement the convention.

    Convention 108+ (2018)

    A lengthy review process beginning in 2013 resulted in a 2018 amending protocol . This protocol the Modernized Privacy Convention or Convention 108+. The aim of the modernization was both to address privacy challenges from new technologies and to strengthen enforcement.

    Among other changes, the modernized Convention:

  • Requires prompt data breach notification.
  • Establishes national supervisory authorities to ensure compliance
  • Permits transfers to non-party states only when personal data is sufficiently protected
  • Provides new user rights around automated-decisionmaking, including algorithmic transparency.
  • Requires proportionality and data minimization.
  • The revisions were opened for signature on October 11, 2018. Thus far, twenty-six COE member and one non-member states have signed on to the amending protocol.

    EPIC’s Work

    EPIC has long campaigned for the United States to ratify the International Privacy Convention.

    In 2009, the U.S. Privacy Coalition including EPIC launched the campaign to urge the US Government to support the Council of Europe Privacy Convention and proposed a resolution for the U.S. Senate. The resolution reads:

    Expressing a need for the accession to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data

    Whereas privacy is a fundamental right, valued by all Americans;

    Whereas the increase of automatic processing and sharing of data continuously intensifies the need for more effective implementation and execution of legal instruments;

    Whereas data security breaches along with cases of identity theft continue to pose a substantial risk to American consumers and businesses;

    Whereas the continued transfer of personal data across national borders raises increasing concerns about the adequacy of privacy protection:

    Whereas the current sectoral approach of legislation in the United States is insufficient for appropriate privacy and data protection;

    Whereas the domain of privacy and data protection is international and requires an overarching framework in order to acknowledge and protect the fundamental rights of citizens;

    Whereas the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the most fundamental international instrument in the field: Now, therefore, be it

    Resolved, That the Senate-

    (1) requests accession to the Council of Europe’s Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data



    In 2010, twenty-nine members of the EPIC Advisory Board wrote to Secretary of State Hillary Rodham Clinton to urge that the United States begin the process of ratification of Council of Europe Convention 108. In 2011, EPIC President Marc Rotenberg addressed the European Parliament and European Commission at a high level meeting to call for U.S. ratification, and the Trans Atlantic Consumer Dialogue, a coalition of consumer groups, called for ratification to bridge the gap in EU-U.S. privacy protection.

    The complete text of the modernized Convention will be available in the 2018 edition of the Privacy Law Sourcebook, available at the EPIC Bookstore.


    Primary Documents