30 Years on: The Review of the Council of Europe Data Protection Convention 108
International Association of IT Lawyers (IAITL)
University of New South Wales (UNSW) - Faculty of Law
University of New South Wales, Faculty of Law
Lee A. Bygrave
University of Oslo
affiliation not provided to SSRN
School of Law, University of Southampton; International Association of IT Lawyers
November 2, 2011
Computer Law and Security Review (CLSR), Vol. 27, pp. 223-231, 2011
UNSW Law Research Paper No. 2011-50
The Council of Europe celebrates in 2011 the 30th Anniversary of its Data Protection Convention (usually referred to as Convention 108) which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe. It is the only legally binding international treaty dealing with privacy and data protection. With new data protection challenges arising regularly, the Council is revising Convention 108 to attempt to meet and overcome these challenges. This paper was a joint submission by its authors on behalf of Computer Law and Security Review (CLSR), the International Association of IT Lawyers (IAITL) and ILAWS, University of Southampton, in response to the Expert Committee’s public consultation on the Convention.
Some of the main submissions made are:
• The Convention should remain a simple, concise and technologically neutral instrument, while at the same time recognizing and addressing some new characteristics of the present and future technological environment.
• It would not be helpful to try to define the right to privacy in a data protection Convention. It would be helpful to include “collection” in the definition of automatic processing so that all of the principles apply, where relevant, to collection. Both the proportionality principle (which should apply to all operations carried out on the data) and the data minimization principle (which aims at limiting the collection of personal data to a strict minimum or even to cease personal data collection when possible) are significant principles which could valuably be added, and we strongly support their inclusion.
• A right to be forgotten in respect of online data (that is, people should be able to give informed consent to every site or service that processes their data, and they should also have the right to ask for all of their data to be deleted).
• The concept of consent, if it is used, needs to be expressly defined as meaning free, voluntary, informed and revocable at any time, and not bundled with other consents.
• Compatibility (of secondary uses) is a subjective concept, and would be better expressed as 'uses or disclosures' which are within the reasonable expectations of the data subject (to which a 'reasonable person' test would be applied).
• Full application of privacy principles to the behavior of private individuals would be onerous and oppressive, threatening other important freedoms and rights, but some controls and restrictions are justified. This is best handled by a broad statement of privacy protection in the ECHR and similar human rights instruments, at the international level.
• A right for data subjects to be informed of data breaches affecting them that meet specified threshold criteria should stand alone as a separate principle.
• There would be no need for separate principles or rules for traffic or location data if personal data is defined as expressly including any information which enables or facilitates communication with a person on an individualized basis, whether or not it meets the current definition of personal data.
• There should be an obligation to demonstrate that measures have been taken to ensure full respect for data protection rules, but 'accountability' cannot be and must not become an alternative to data export restrictions.
• Allowance for anonymity should be made a basic data protection principle in itself, with pseudonymity as the first fall-back option when anonymity cannot be achieved for legal or technical reasons.
• One particular task of a supervisory authority that needs to be spelled out is the obligation to account for their performance of their complaint investigation obligations, including by reporting to the public, on objectively determined criteria, of cases investigated (anonymized to the extent necessary to protect privacy but not otherwise), and by statistics including those on outcomes and remedies.
• It remains appropriate to require an adequate level of protection as a condition of cross-border transfer.
Number of Pages in PDF File: 9
Accepted Paper Series
Date posted: December 15, 2011; Last revised: November 12, 2012