Timely boost for European – and global – data protection
Events over the summer have brought into focus the need to balance the exciting opportunities offered by our rapidly-changing world with good old-fashioned notions of human rights and privacy.
Billions of e-mails, containing all kinds of information, now criss-cross the globe every day. Huge quantities of personal photos, videos and carefree comments are posted online. Handy apps allow us to manage our personal finances, plan our movements and follow whatever interests we have.
And all the time we are potentially being watched. Vast servers located who-knows-where diligently record details of who we are, where we go and what we do.
So how can we even begin to control who gets to see this information, and what is done with it?
Although the scale of data flows has increased, concerns about protecting our personal data – a fundamental aspect of our privacy – are nothing new.
In line with their international human rights commitments, European governments have been working together on data protection for more than three decades. As a result, it is reassuring to remember that significant safeguards are already in place. Furthermore, these are currently being strengthened and updated in the light of modern-day challenges.
The first international treaty on data protection – the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or “Convention 108” for short – was drawn up by the Council of Europe, the continent’s intergovernmental human rights watchdog, back in 1981. Although technology has obviously changed hugely since then, the underlying principles which inspired Convention 108 have not: Privacy is a basic human right, which must be protected by law.
The convention sets out a number of standards which signatory countries are obliged to uphold concerning the way in which both public and private organisations handle data relating to individuals. It also defines the circumstances under which countries can exchange such information.
Over the last 30 years or so, Convention 108 has cemented its position as the world’s foremost international treaty in this area. On 1 September, Russia became the 45th European country to be legally bound by the convention. This represents a significant further boost for the convention in both pan-European and international terms.
As with many of the 200 or so Council of Europe conventions, Convention 108 has a global relevance. It is open to countries around the world – Uruguay became the first non-European state to sign up earlier this year – and has significantly influenced both policy and practice in many other parts of the globe.
The convention also acts as an international counterpart to the European Union’s data protection framework. All 28 member states of the European Union are also members of the Council of Europe and signatories to Convention 108. The convention allows them to exchange information and best practice on data protection issues with countries around the world on a multilateral basis founded on a clear set of legally-binding standards.
Existing EU rules on data protection and the Council of Europe convention are both now in the process of being updated. To ensure coherence between the two legal frameworks, the European Commission has been following the modernisation work at the Council of Europe very closely since the beginning and will take part in the political negotiations on behalf of the 28 EU member countries.
One of the main challenges in the modernisation process will be to strengthen the way in which the Council of Europe ensures that signatory countries are actually putting the convention into practice.
Different Council of Europe conventions have different monitoring mechanisms, the best known of which is the European Court of Human Rights. However, most of the monitoring bodies compile public reports on the extent to which conventions are being implemented, along with recommendations to governments which are then regularly followed up. Introducing such a system for Convention 108 could be an important step in helping to ensure compliance.
Discussions should also cover the checks which are carried out on existing data protection arrangements before countries are allowed to sign up to the convention. Countries offering differing levels of protection can act as a barrier to the free exchange of information, as envisaged by Convention 108, so it is important for the system as a whole that countries can guarantee the required level of protection before joining.
It is true that improvements to international law often lag behind technological change, but when it comes to data protection, a) there are already important safeguards in place, b) these rest on timeless yet flexible principles grounded in human rights and privacy, and c) they are being strengthened to ensure that they continue to be fit for purpose as their global reach continues to expand.
It may sometimes feel like the Big Brother society has arrived, but if governments stick to their principles – and abide by their commitments under international law – then it should be possible to enjoy the opportunities of the 21st century whilst keeping the threats involved under control.