The UK government has ratified the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, commonly known as Convention 108, which is aimed at strengthening the principles and rules for the protection of personal data at international level.
Along with the UK, nineteen other European countries, namely Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Russia, Spain, and Sweden, have also signed the convention, together with six non-European countries including Uruguay.
“The modernised convention will allow states to share a robust set of principles and rules to protect personal data, and will provide a unique forum for co-operation in this field at the global level. States parties to “Convention 108” should sign and ratify the protocol so it can enter into force as soon as possible,” said Thorbjørn Jagland, Secretary General of the Council of Europe.
According to the Council, Convention 108 will allow the transfer of personal data across borders with appropriate safeguards and its terms are compatible with data security legislation of signatory countries, including the European Union’s General Data Protection Regulation.
Convention 108, which was first introduced in 1981 and has now been modified, will enforce the processing of data as per the legal standards of each country, obligate member states to disclose data breaches, ensure greater transparency of data processing and strong accountability of data controllers, include genetic and biometric data, trade union membership and ethnic origin within the definition of sensitive data, and require institutions to apply “privacy by design”.
At the same time, the convention will ensure that data protection principles apply to all processing activities, including those carried out for national security reasons, and that all such activities are subject to independent and effective review and supervision. Data protection authorities of each member state will also be given reinforced powers and independence.
Welcoming the ratification of Convention 108 by the UK government, the Information Commissioner’s Office (ICO) said that the convention will better address the privacy challenges arising from the increasing use of information and communication technologies, the globalisation of processing operations and ever greater cross-border flows of personal data.
“When it enters into force (after ratification by at least 5 member states), the modernised Convention will enhance protections for individuals’ personal data – including genetic and biometric data – strengthen transparency and accountability and add a requirement for notification of security breaches. It will also strengthen evaluation of law and practice in individual member states to ensure that its provisions are being implemented effectively.
“For supervisory authorities such as the ICO, the modernised Convention will reinforce their role and the importance of having robust powers. In addition to their powers to intervene, investigate, engage in legal proceedings or raise violations of data protection provisions with judicial authorities, supervisory authorities will also have a clear duty to raise awareness, provide information and educate all involved in processing personal data as well as the ability to take decisions and impose sanctions.
“The modernised Convention will also strengthen international co-operation and mutual assistance between supervisory authorities, with a requirement to co-ordinate investigations, conduct joint actions and to share information. This will be facilitated by a new network of supervisory authorities from Convention member states,” the data privacy watchdog added.