On October 10, twenty-one European States signed a Council of Europe treaty aimed at strengthening the principles and rules for the protection of personal data at international level. The treaty was signed during a ceremony in Strasbourg by Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Russia, Spain, Sweden, the United Kingdom and the Uruguay, one of the six non-European states that have so far joined it.
The treaty, an Amending Protocol, updates the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as “Convention 108”, which also constitutes the only existing international treaty addressing the right of individuals to the protection of their personal data.
Among the innovations of the Amending Protocol there are:
- Stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing;
- Extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin;
- Obligation to declare data breaches;
- Greater transparency of data processing;
- New rights for the persons in an algorithmic decision making context, which are particularly relevant in connection with the development of artificial intelligence;
- Stronger accountability of data controllers;
- Requirement that the “privacy by design” principle is applied;
- Application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions subject to the conditions set by the Convention, and in any case with independent and effective review and supervision;
- Clear regime of transborder data flows;
- Reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation.