The right to privacy and the protection of personal data: Convention 108 as a universal and timeless standard for policymakers in Europe and beyond Acta Iuris Stetinensis

It is widely recognised that the first binding legal act regarding the protection of personal data of an international nature is Convention 108, adopted on 28 January 1981. By virtue of the Convention, the Parties are required to apply in their domestic legal order the principles introduced by the Council of Europe to ensure guarantees for the fundamental human rights of all individuals with regard to the processing of personal data. This paper refers to Convention 108 as the foundation for European and international data protection laws in a number of European countries. It has influenced policies and legislation far beyond Europe’s borders. However, due to the development of ICT tools that permit establishing new data-driven business models based on data-processing systems, Convention 108 has become subject to modernisation. At the same time, intensive negotiations were conducted in the EU concerning a new data-protection package to reform the data-protection system, and many other countries around the world have introduced provisions related to the processing of personal data. This paper analyses the impact of the standards set out in Convention 108 on the decision-making process and its global dimension.


Introduction -the origin of European privacy and data protection standards
In 2018, the year in which the 70th anniversary of the adoption of the Universal Declaration of Human Rights was celebrated, was also the time of key changes in the European system of personal data protection. As of 25 May 2018, new provisions on the protection of personal data -the General Data Protection Regulation (GDPR)and from 10 October 2018, the modernised Convention 108+ 1 became applicable. Without doubt, we are witnessing a process of updating the European legal dataprotection system, which demonstrates the timelessness of data-protection standards. The European data-protection legal framework significantly influences other legislation outside the EU, for example, in Japan, Mauritius, or Georgia. The 'gold' standard, as the EU regulation is called, has become a reference point for works carried out worldwide on the implementation of legal instruments in the field of data protection. 2 However, according to some experts, implementation of the principles established by Council of Europe standards may cause problems that are difficult to overcome. Professor Graham Greenleaf presents his opinion that 'the task of attracting accessions to Convention 108+ is likely to be more difficult because of the higher standards that acceding countries must meet, but this may be offset by more countries being attracted by the prospect of a global convention' . 3 The Universal Declaration of Human Rights ('the Declaration') 4 considered to be the foundation of human rights, adopted on 10 December 1948, became a source of inspiration for many international treaties and declarations regarding human rights and for numerous regional documents and national laws. The Declaration has a significant impact on issues such as combating injustice, resolving conflicts and problems of societies experiencing repression, or efforts to ensure universal respect for human rights. It is impossible to imagine a modern, rapidly developing world without this legal act that establishes equality, dignity, and the value of every human being. From the point of view of the European standards on the protection of personal data, it is essential that the Declaration is also the foundation for the promotion of and education about the protection of human rights. It confirms that the basic duty of each State is to promote such standards of living that allow citizens to enjoy their dignity and equality in conditions of freedom and liberty.
Looking for the basis of the right to privacy and the protection of personal data, it is chronologically appropriate to refer to the Declaration, which in its Article 12 states that no one should arbitrarily interfere in anyone's private, family, or domestic life, or in a person's correspondence or to offend the person's honour or good name.
The notions of the Declaration were further developed by the Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) adopted on 5 November 1950, in particular regarding the concept of privacy protection. 5 In Article 8 ECHR, the right of respect for private and family life was guaranteed. However, with the massive increase in the use of information and communication technologies (ICT), further development of the guarantees provided by the law was required. The Council of Europe 6 adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ('Convention 108') 7 , which is widely recognised as a basic act of international law. The objective of the Convention is to protect the right to privacy stipulated in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms. Convention 108 defines a series of core principles that have become universally recognised. Its legally binding standards are consistent with non-binding texts adopted by the Organisation for Economic Co-Operation Development ('Guidelines on the Protection of Privacy and Transborder Flows of Personal Data'). 8 As emphasized, Convention 108 'was one of the main sources of inspiration for the development of the EU acquis in the area of data protection' . 9 This is pointed out by J. Borecka, who emphasizes that 'The signatories of this legal act have confirmed their commitment to the freedom of information flow regardless of borders and recognized the need to reconcile fundamental values, such as respect for privacy and freedom of information flow between people' . 10 The right to privacy and to data protection in the EU legal framework Under EU law, the rights to privacy and to data protection are recognised as fundamental rights, enshrined in Articles 7 and 8 of the EU Charter of Fundamental Rights and Article 16 of the Treaty on the Functioning of the EU (TFEU), as regards the right to the protection of personal data. 11 The major legal act within the EU acquis concerning privacy and data protection was adopted by the European Parliament and the Council of the European Union in October 1995. 12 According to Recital 11, one of the objectives of the Data Protection Directive was that 'the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data' . 13 Data-protection standards that were introduced by the Data Protection Directive have had great influence on different legal data-protection systems outside the European Union for two decades. As clearly confirmed by the EU, 'the protection of personal data has been central to EU law for more than 20 years, from the Data With the decision by the European Union in April 2016 that resulted in a reform of the data-protection legal framework through a package of data protection provisions, including the GDPR replacing the 20-year-old Data Protection Directive, the European Commission clearly voiced that protection of privacy is a core element of European citizenship. 18 Currently, global privacy standards are close to those of the European data protection regime (both the EU and Council of Europe). 19 The European Commission seconds the practical impact of these standards, welcoming third countries acceding to the Council of Europe Convention 108 and its additional Protocol. 20

Current picture of the scope of Convention 108
The number of states ratifying Convention 108 is constantly growing: 55 countries so far. 21 Based on a constantly updated source of information available on the  Since 1981, when the Convention was adopted, the world has changed dramatically, especially thanks to the widespread use of the internet, not only by military and economic users, but also widespread commercial use by everyday consumers.
With the introduction of the principles laid down in the Convention, in the past several decades an effective system of rights and obligations regarding the processing of personal data based on the Strasbourg model has been established in more than 50 countries in and outside Europe.
Convention 108 is called 'the backbone of personal data protection legislation' worldwide and, as constantly repeated by the Council of Europe, it contains provisions of a 'technologically neutral style, which enables [them] to be fully valid today, regardless of technological developments' . 23 The fact that the states really take Convention 108 as a model when creating their own internal regulations can be seen within the framework of the legislative process conducted by those countries in Europe that do not belong to the European Union and by non-European countries, in which Convention 108 is treated as both a model and a standard. Analysis of the data protection legislation done by the experts show that various provisions are being adapted to the standards set out in the provisions of the Convention. For example, the opinion on the Draft laws of Georgia relating to Surveillance Activities of Law Enforcement Authorities and National Security Agencies prepared by acknowledged experts for the Directorate General Human Rights and Rule of Law Data Protection Unit refers to the comparison of the requirements set out in the Convention 108 with regard to Georgian national regulations. 24 Due to the fact that Convention 108 was ratified by Georgia in May 2012, the Georgian government should ensure that the data protection provisions adopted in Georgia shall be in line with the Convention.
It should be underlined that the fact of the accession to Convention 108 is one of the main aspects that should be taken into account by the European Commission when assessing the level of protection in accordance with the GDPR procedure. The authors of the report prepared for the European Commission assessing the level of protection of personal data under Japanese law stated that 'the "core" of data protection "content" principles and "procedural/enforcement" requirements, which could be seen as a minimum requirement for protection to be adequate, are derived from the EU Charter of Fundamental Rights and the GDPR. In addition, consideration has been given to other international agreements on data protection, such as the Council of Europe Convention 108' . 25 Given the fact that Japan was granted observer status to the Convention 108, it becomes even more significant that in the course of the adequacy procedure under the GDPR, reference to the Convention also appears as one of the elements taken into account when assessing the adequacy of the level of protection. 26

Modernised Convention 108+
On 18 May 2018, the Committee of Ministers of the Council of Europe adopted an amending protocol to modernise Convention 108 27 and aimed at responding to 'challenges to privacy resulting from the use of new information and communication technologies, and to strengthen the Convention's mechanism to ensure 25 Study: An assessment of the level of protection of personal data provided under Japanese Law.
Final Report Implementing the Framework Contract JUST/2014/DATA/FW/0038 concerning research services in relation to issues pertaining to the protection of personal data. its effective implementation' . 28 Since its opening for signature on 10 October 2019, Convention 108+ signatories number more and more States. The worldwide general consensus that people must exercise online the same rights as they exercise offline is undoubtedly a condition of the modern digital world. However, when it comes to the protection of privacy and personal data, there is no global consensus on how to provide control to private individuals over their personal data. As a response to that need, Convention 108 can establish the minimum, adequate, and satisfactory level of privacy and data protection worldwide.
The EU data protection system is based on Regulation 2016/679 of the European Parliament and of the Council, and provisions for the effective protection of personal data laid down by Directive (EU) 2016/680 of the European Parliament and of the Council. The global hegemony of the GDPR and Convention 108 can, however, be challenged by the existing data-driven business models that are compliant with the laws of countries from all over the world. 29 A clear consensus has emerged that the general and technologically neutral nature of the Convention's provisions should be maintained, that the coherence and compatibility with other relevant legal frameworks such as that of the European Union should be preserved, and that the Convention's open character, which gives it unique potential as a universal standard, should be reaffirmed.
Similar updates of data-protection legal frameworks were also undertaken within the same period by the OECD and the EU, and synchronisation with Union reform measures enabled maintaining consistency between both frameworks.
The modernised Convention 108 acquires a global dimension given the fact that there are now 126 countries that have data privacy laws, and more than 30 additional countries that have official bills at some stage of the legislative process. 30 The modernisation of Convention 108 is aimed at better addressing the challenges resulting from the use of ICT tools, but it also has another purpose, which is to strengthen the implementation of Convention 108, as mentioned by some authors. 31 These objectives are directly expressed in the text of the explanatory memorandum: 'in the 35 years that have elapsed since the Convention (…) was opened for signature, the Convention has served as the foundation for international data-protection law in a number of European countries. It has also influenced policy and legislation far beyond Europe's borders. With new challenges to human rights and fundamental freedoms, notably to the right to private life, arising every day, it appeared clear that the Convention should be modernised to better address emerging privacy challenges resulting from the increasing use of new information and communication technologies (ICT), the globalisation of processing operations and the ever greater flows of personal data, and, at the same time, to strengthen the Convention's evaluation and follow-up mechanism' . 32 To achieve the above-mentioned goals, the existing basic data-protection principles laid down in the Convention as well as the open character of the Convention have been maintained, while some new key elements were introduced to ensure greater effectiveness of the provisions. In a nutshell, the main novelties can be summed up with the statement that 'the principles of transparency, proportionality, accountability, data minimisation, privacy by design, etc. are now acknowledged as key elements of the protection mechanism and have been integrated in the modernised instrument' . 33 The Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data has already been signed by more than 30 countries and the number is constantly growing, according to information available from the Chart of signatures and ratifications of Treaty 223. 34

Conclusions -Convention 108 as a universal standard
Joseph A. Cannataci, UN Special Rapporteur on the right to privacy, underlined in his annual report the recommendation to all United Nations Member States 31 U. Góral to adhere to Convention 108+ 35 'as an interim minimum response to agreeing to detailed privacy rules harmonised at the global level' . 36 The Special Rapporteur's report that summarises his activities, underlined that in the context of intelligence oversight, the immediate deployment by UN Member States of the standards and safeguards outlined in Convention 108+ is recognised as 'appropriate for the protection of the fundamental right to privacy' . 37 Such a recommendation, by bringing the Council of Europe's work to the attention of a global audience, is a contribution to increasing the impact of European privacy standards worldwide. Additionally, accession to Convention 108+ is important because it contains safeguards largely similar to those contained within the EU data protection legislation (GDPR and the Police Directive). As stressed by the European Commission, Convention 108 has contributed to the promotion of EU data-protection standards around the world, as it is often used as 'a source of inspiration' by countries which are adopting or considering modernisation of their privacy laws. 38 From the perspective of the countries which are not members of the European Union it is also important that accession to Convention 108 is one of the stages towards initiation of the adequacy procedure in accordance with the GDPR. From the EU perspective, strengthening cooperation between the EU and third countries in the context of data protection and data flow issues is obviously crucial. The European Commission stressed the importance of the protection of personal data as a fundamental right and a central factor of consumer trust in the data economy, which also facilitates data flows outside the EU. The need to ensure a high level of privacy and data security is the core element of the negotiations between EU and third-country governments. In this respect, the European Commission is strongly advocating the development of adequacy instruments that are foreseen in EU law (GDPR), paying special attention to the fact of accession to the Council of Europe's Convention 108.
Recent reforms of respective privacy legislation have further increased the convergence between the EU and global data-protection systems, which rests 35 IJR Center, The Special Rapporteur on the right to privacy, https://ijrcenter.org/un-special-procedures/special-rapporteur-on-the-right-to-privacy/ (accessed 20.02.2020 notably on a core set of data-protection principles, enforceable individual rights and oversight by independent authorities. Convention 108 is called the 'mother' of the GDPR, a view which remains valid, and the growing number of countries acceding to the Convention shows that in an era of the development of sophisticated data-processing methods, information and communication technologies and international data flows, there is a growing need for data-protection guarantees at a global level. The Committee of Ministers of the Council of Europe 'stressed the importance of a speedy accession to the Protocol by the maximum number of the current States Parties to Convention 108 in order to facilitate the formation of an all-encompassing legal regime of data protection under the modernised Convention, as well as to ensure the fullest possible representation of States within the Convention Committee' . 39 At the beginning of 2020, the European Commission announced its new Digital Strategy and declared it would present a new piece of legislation -the Digital Services Act -and a European Democracy Action Plan. The Commission furthermore proposed a review of the eIDAS regulation, and stated that it would strengthen cybersecurity by developing a Joint Cyber Unit. 40 One of the documents is the 'White paper on Artificial Intelligence -a European approach to excellence and trust' 41 , which also refers to research done by the Council of Europe 'Study on the human rights of dimensions of automated data processing techniques (in particular algorithms) and possible regulatory implications' . 42 As data-protection legislation is a very dynamic process, new developments in the field of the data processing regulatory framework can be expected, and thus it is crucial that both regimesthe European Union and Council of Europe acquis -are developing in parallel in terms of personal data-protection standards. It is also desirable to promote European achievements worldwide, since 27 EU Member States and 55 parties to Treaty 108, which fall under the jurisdictions of the GDPR and Convention 108 regimes, are still not enough in terms of data-protection guarantees for citizens expecting trust and confidence in that regard. 43 According to statistics recorded by Professor Greenleaf, 'in 2017-18, the number of countries that have enacted data privacy laws has risen from 120 to 132, a 10 % increase. These 132 jurisdictions have data privacy laws covering both the private sector and public sector in most cases, and which meet at least minimum formal standards based on international agreements. At least 28 other countries have official bills for such laws in various stages of progress, including nine that have introduced or replaced bills in 2017-18. Many others, in the wake of the GDPR and "modernisation" of Convention 108, are updating or replacing existing laws' . 44