Data Protection Convention Undergoes a Rewrite

A 30-year old international treaty covering data protection is undergoing a partial rewrite to reflect new concerns in the age of the Internet.

The long-titled treaty, called the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, is the only legally binding international treaty covering data protection issues. For simplicity, it’s also referred to as the Data Protection Convention or Convention 108.

It was adopted by the Council of Europe, an organization of 47 European countries, in 1981. But with passing decades and the rise of the Internet, some of its notions — that revolved around the physical transfer of data rather than electronic transfer that is commonly done today — are dated, said Jrg Polakiewicz, head of the human rights policy and development department of the Council of Europe.

The Council is using the 30th anniversary as an occasion to “modernize and revise the convention,” Polakiewicz said. “Some countries may not want to sign a treaty that is that old and so influenced by technology.”

This week, parties to the convention took a first look at the amendment proposals. Those proposals cover issues such as the rights of people whose data is stored, notification to authorities and the public of data breaches and the accountability of data processors. Other issues include the right of people to delete their data.

The amendments do not aim to set specific guidelines on how those issues should be dealt with, but set out the “broad principles,” Polakiewicz said. “The merit would be to provide what we hope to be a global framework for discussion of the issues.”

To be a party to the convention, countries must have in place laws that comply with its tenets. Forty-three countries are a party to the treat and three others have signed it. States outside the Council of Europe can be invited to accede.

Polakiewicz said that the Council is working closely with the European Commission, which is expected to publish a revised Data Protection Directive in January. The goal is for both the convention and European Union regulation to be compatible.

The most intense discussions this week concerned how data is transferred across national borders and what protections are in place, Polakiewicz said.

On another issue, participants were in universal agreement that data breaches should be reported. But Polakiewicz said discussions would continue on aspects such as who should be notified and when. “The exact wording will still have to be refined,” he said.

Looking ahead, the Council of Europe will hold a meeting in Brussels on Jan. 27, a day before Data Protection Day. The meeting is intended to gather opinions on the amendments from stakeholders such as private businesses and other interested parties. Confirmed participants include Peter Fleischer, Google’s global privacy counsel and Marc Rotenberg, executive director of the Electronic Privacy Information Center.

The hope is for the amendment process to be complete by the end of next year. Legal advisers, however, are still discussing how the amendments will be approved by countries, Polakiewicz said.

Send news tips and comments to jeremy_kirk@idg.com