University of New South Wales Faculty of Law Research Series
Last Updated: 1 June 2013
'Modernising' Data Protection Convention 108: A Safe Basis for a Global Privacy Treaty?
Graham Greenleaf, University of New South Wales
This paper is available for download at Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2262296
This paper may be referenced as  UNSWLRS 33.
Proposals for the reform or
‘modernisation’ of Council of Europe Data Protection Convention 108
have now been forwarded
from the Convention’s Consultative Committee for
consideration by the Council of Ministers. In most respects, the proposed
changes greatly strengthen the Convention, and incorporate within it the
provisions currently in its Additional Protocol.
The ‘globalisation’ of Convention 108 (developing it into a global data privacy agreement, open to all countries providing the required level of data protection) is also now underway, and Uruguay has become the first non-European state to become a Party to the Convention. The two processes are symbiotic, with the attraction of globalisation to non-European states (and to the current European member States) depending on the modernisation process establishing a level of data protection that is ‘just right’. It can’t be too hot (setting standards to high) or too cold (setting standards too low so that it requires exports of personal data to other countries offering little data protection). Modernisation must pass the Goldilocks Test.
This paper assesses the changes proposed to the Convention at this stage of the process, It strengthens the obligations of Parties to implement the Convention as a matter of effective practice, not just as a law on paper. It tightens most of the existing data protection principles, and adds new ones which better align the Convention with the EU Directive (and proposed Regulation). Stronger powers for supervisory authorities, and ‘judicial and non-judicial’ sanctions and remedies for violations increase the domestic enforcement requirements. The Convention Committee (as it will now be called) is given explicit new functions including assessing candidates for accession, and periodically reviewing implementation by existing parties, making it more like the EU’s Article 29 Working Party. The procedures for accession by non-European states are clarified. Overall, these proposals seem to be ‘just right’.
However, while the proposals concerning the required standard for data export limitations seem to be a reasonable compromise in some respects, but in other respects as are so ill-defined that they are dangerous for data subjects. The existing standard that (in general) personal data can only be exported if the recipient provides ‘adequate’ protection, adhered to by the Committee as recently as mid-2012, has been abandoned in favour of an undefined requirement of ‘appropriate’ protection. Other aspect of the data export provisions are also ill-defined. For anyone whose main interest is strong data protection standards, such as civil society organisations, these are the key provisions of the Convention. If they are faulty, this cannot be compensated for by otherwise strong provisions, because accession would then mean a commitment to export personal data to places which offer low protection.
The paper situates the risk of abandoning meaningful data export restrictions in the context of the current strategy of the USA to push for ‘interoperability’ of very different data protection standards, even where such standards do not arise from legal instruments of comparable types or embodying comparable standards. Those who support data protection need to help stiffen European resolve to confront the challenges presented by American pressure to prematurely adopt ‘interoperability’, and the ideologies that drive it.