As early as 1981, the Council of Europe adopted the first and so far only intergovernmental agreement in the field of data protection, the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” – better known as Convention No. 108 or the European Data Protection Convention. The European Data Protection Convention has since been modernised. The new Convention 108 was also ratified by Switzerland on 7 September 2023. The following article briefly outlines the changes that Convention 108 brings for Switzerland.
The purpose of the original 1981 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (European Data Protection Convention) is to protect the rights and fundamental freedoms with regard to the automatic processing of personal data (“data protection”), in particular the right to “privacy”. It is the only legally binding international instrument for the protection of personal data. With its technology-neutral and principles-based approach, the Convention has – quite successfully – pursued its purpose, but now had to be adapted to the “new realities of the online world”.
Goals of modernisation
The modernisation of the European Data Protection Convention 108 pursued two objectives: Firstly, to overcome challenges arising from the use of new information and communication technologies and, secondly, to strengthen the effective implementation of the Convention.
Convention 108 aims to strengthen the promotion of the right to privacy and is intended as a response to increasing digitalisation. In addition to the original safeguards of the European Data Protection Convention 108, new safeguards such as the principles of transparency, proportionality, accountability and data limitation are recognised as “key elements of the protection mechanism” and integrated into the modernised version.
Innovations “in a nutshell”
The most important changes brought about by Convention 108 are summarised in detail below:
Article 1 clearly emphasises the objective of the Convention, which is to guarantee to any person under the jurisdiction of one of the Contracting Parties (regardless of their nationality or place of residence) the protection of their personal data during processing, thereby contributing to respect for their rights and fundamental freedoms and, in particular, their right to privacy. With this wording, the Convention emphasises the fact that the processing of personal data can have a positive impact on the exercise of other fundamental rights and freedoms, which can thus be facilitated by guaranteeing the right to data protection.
The scope of application of the Convention, which results from Article 3, continues to apply to data processing in the public and private sectors. The scope includes both automated and non-automated processing of personal data that falls within the competence of a Party to the Convention. However, the contracting parties no longer have the option of making declarations aimed at exempting certain types of data processing (e.g. for national security and defence purposes) from the application of the Convention.
Each Contracting Party must take the necessary measures in its domestic law to implement the Convention. In addition, each Party should demonstrate that these measures have actually been taken and are effective, and accept that the Convention Committee may review compliance with these requirements. This evaluation process of the Contracting Parties (“follow-up mechanism“) is necessary to ensure that the level of protection laid down in the Convention is actually granted by the Contracting Parties.
Article 5 clarifies the application of the principle of proportionality to the effect that it should apply to all processing and in particular to the means and methods used for processing. It is further reinforced by the principle of data minimisation. According to the newly introduced provision in Article 5, the legal basis for processing must be specified. The consent of the data subject or another legitimate ground (contract, interest of the data subject, legal obligation of the controller, etc.) is necessary.
In addition, the catalogue of sensitive data has been expanded and now also includes genetic and biometric data as well as data processed on the basis of their information on trade union membership or ethnic origin.
Article 8 then requires that the transparency of the processing must be guaranteed. To this end, controllers must provide a range of information, in particular about their identity and usual place of residence or domicile, the legal basis and purposes of the processing, the data recipients and the categories of personal data processed. They should also provide any additional information necessary for fair and transparent processing.
Article 9 grants data subjects new rights so that they have more control over their data in the digital age: The modernised Convention extends the catalogue of information to be provided to data subjects when they exercise their right of access. In addition, data subjects have the right to know the reasons for data processing, the results of which are applied to them. This new right is particularly important with regard to the profiling of individuals. This is because it is linked to a further innovation, namely the right not to be subject to a decision concerning the data subject that is based solely on automated processing without taking the data subject’s point of view into account. Data subjects have the right to object to the processing of their personal data at any time.
Exceptions and restrictions:
The rights enshrined in the Convention are not absolute and can be restricted if this is required by law and is a necessary measure in a democratic society on the basis of specific and limited grounds. These limited grounds now also include “essential public interest objectives” and a reference to the right to freedom of expression.
It should be noted once again that, unlike the previous provisions of Convention 108, the parties to the modernised Convention will no longer be able to exclude certain types of processing from the scope of the Convention.
More effective enforcement
Building on Article 1 of the Protocol, the modernised Convention adds a provision to the list of powers of the authorities, according to which, in addition to their powers to intervene, conduct investigations, initiate legal proceedings or report breaches of data protection rules, the authorities also have a duty to raise awareness, inform and educate all actors involved (data subjects, controllers, processors, etc.). The authorities can also take decisions and impose sanctions.
The modernised agreement also addresses the issue of cooperation between the supervisory authorities, whereby investigations are to be coordinated and joint measures implemented.
Ratification as an important step towards international cooperation
Convention 108 has now also been ratified in Switzerland in order to incorporate the modernisations described above into Swiss law and, in particular, to strengthen international cooperation. This certainly represents an important step towards improving international cooperation in the area of data protection in the light of increasing digitalisation. However, it is not yet foreseeable that the convention will enter into force, as this will only happen once 36 contracting states have ratified the convention(current status: 28 states).
Sources:
- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981 (European Data Protection Convention 108);
- Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108 ; BBl 2020 599);
- Council of Europe, Modernisation of Convention 108 (last accessed on: 26.09.2023);
- Council of Europe, The modernised Convention 108: novelties in a nutshell (last accessed on: 26.09.2023).
- Newsflash of the FDPIC from 8 September 2023: Switzerland ratifies Convention 108 (last accessed on: 26.09.2023).