Council of Europe Privacy Convention
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), drawn up within the Council of Europe by a committee of governmental experts under the authority of the European Committee on Legal Co-operation (CDCJ), was opened for signature by the Member States of the Council of Europe on 28 January 1981 in Strasbourg.
The object of the Convention is to strengthen data protection, i.e. the legal protection of individuals with regard to automatic processing of personal information relating to them. There is a need for such legal rules in view of the increasing use made of computers for administrative purposes. Compared with manual files, automated files have a vastly superior storage capability and offer possibilities for a much wider variety of transactions, which they can perform at high speed. Further growth of automatic data processing in the administrative field was expected in the years ahead as a result of the lowering of data processing costs, the availability of "intelligent" data processing devices and the establishment of new telecommunication facilities for data transmission.
"Information power" brings with it a corresponding social responsibility of the data users in the private and public sector. In modern society, many decisions affecting individuals are based on information stored in computerized data files: payroll, social security records, medical files, etc. These files should not grant an undeniable advantage through automatic data processing and lead to a weakening of the position of the persons on whom data are stored. Therefore, good quality of information must be maintained and storage of information which is not necessary for the given purpose must be refrained. Those in charge of the data must also guard against unauthorized disclosure or misuse of the information, and protect the data, hardware and software against physical hazards.
The established legal systems of many countries are not entirely devoid of rules which can help to accomplish these aims. They have laws on privacy, tort, secrecy or confidentiality of sensitive information, etc. However, there is a lack of general rules on the storage and use of personal information and in particular, on the question of how individuals can be enabled to exercise control over information relating to themselves which is collected and used by others.
Additionally, in most countries the data protection law has, or will have a wide scope and apply to data processing in the public sector as well as the private sector. In some countries, moreover, not only automated files but also certain categories of manual files fall within its area of application. In all countries the legislation covers data relating to natural persons, but in some it also covers data concerning legal persons. Where, for reasons of public interest, certain restrictions or exceptions from the general rules are necessary, these are generally spelled out by the law itself.
It should make no difference for data users or data subjects whether data processing operations take place in one or in several countries, protection of persons grows weaker when the geographic area is widened. Concern has been expressed that data users might seek to avoid data protection controls by moving their operations to countries which have less or no data protection laws. In order to counter this risk some countries have built into their domestic law special controls, for example in the form of a license for export. However, such controls may interfere with the free international flow of information which is a principle of fundamental importance for individuals as well as nations. A formula had to be found to make sure that data protection at the international level does not prejudice this principle.
Even between States which have a very similar system of data protection law, it may not always be easy to determine which State has jurisdiction and which national law applies. Furthermore, persons resident in one country may encounter difficulties when they want to exercise their rights with regard to automated data files in other countries. Such problems can only be satisfactorily solved through international co-operation.
The aim of the Council of Europe was to achieve greater unity between its members based on the respect for the rule of law, human rights and fundamental freedoms and found it desirable to extend the safeguards for everyone's rights and in particular the right to the respect for privacy especially taking account of the increasing flow across frontiers of personal data undergoing automatic processing.
Therefore, the Member States of the Council of Europe signed the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” in Strasbourg, France on January 28, 1981 with the objective of securing in the territory of each nation for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him.
To this day, the Convention still remains the only binding international legal instrument with a worldwide scope of application in the field of data privacy, open to any country, including countries which are not Members of the Council of Europe. In addition, this Convention has withstood the test of time by being adaptive and fairly rigorous. Today the principles of this agreement are being examined for their applicability to the collection and processing of biometric data.
At present, forty-one Member States of the Council of Europe have ratified the Convention. A coalition organized by the Public Voice is starting a campaign to request national governments to support for the Council of Europe Privacy Convention and adopt comprehensive privacy legislation based in that standard.
In the United States, the US Privacy Coalition (including EPIC) is launching the campaign to urge the US Government to support the Council of Europe Privacy Convention and has proposed a resolution for the U.S. Senate. The resolution reads:
Expressing a need for the accession to the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Whereas privacy is a fundamental right, valued by all Americans;
Whereas the increase of automatic processing and sharing of data continuously intensifies the need for more effective implementation and execution of legal instruments;
Whereas data security breaches along with cases of identity theft continue to pose a substantial risk to American consumers and businesses;
Whereas the continued transfer of personal data across national borders raises increasing concerns about the adequacy of privacy protection:
Whereas the current sectoral approach of legislation in the United States is insufficient for appropriate privacy and data protection;
Whereas the domain of privacy and data protection is international and requires an overarching framework in order to acknowledge and protect the fundamental rights of citizens;
Whereas the Council of Europe Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the most fundamental international instrument in the field: Now, therefore, be it
Resolved, That the Senate-
(1) requests accession to the Council of Europe's Convention 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data
Many countries around the world are discussing or have signed the Council of Europe Convention on Cybercrime. The Cybercrime Convention expanded law enforcement authority without oversight or accountability in spite of being opposed by many human rights organizations and NGOs around the world. Now, the Council of Europe Privacy Convention should have the support of all organizations interested in human rights and civil liberties.
- Explanatory Report
- Graham Greenleaf, "Accession to Council of Europe privacy Convention 108 by non-European states"
- Karel Neuwirt, "Convention 108 new challenge for data protection in non-European states"
- Data Protection Factsheet (Word Document)
- The Public Voice
- International Privacy Day - Facebook Event
- The Privacy Coalition
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
by Ryan Calo, A. Michael Froomkin,