RENEWING DATA PROTECTION CONVENTION 108: THE COE S GDPR LITE INITIATIVES

Similar documents
Conven&on 108 and Conven&on 108+ Instruments of universal voca1on

UNHCR, United Nations High Commissioner for Refugees

PROTOCOL RELATING TO AN AMENDMENT TO THE CONVENTION ON INTERNATIONAL CIVIL AVIATION ARTICLE 45, SIGNED AT MONTREAL ON 14 JUNE parties.

100+ Data Privacy Laws: Their Significance and Origins

Macroeconomics+ World+Distribu3on+of+Income+ XAVIER+SALA=I=MARTIN+(2006)+ ECON+321+

STATUS OF THE CONVENTION ON THE PROHIBITION OF THE DEVELOPMENT, PRODUCTION, STOCKPILING AND USE OF CHEMICAL WEAPONS AND ON THEIR DESTRUCTION

( ) Page: 1/12 STATUS OF NOTIFICATIONS OF NATIONAL LEGISLATION ON CUSTOMS VALUATION AND RESPONSES TO THE CHECKLIST OF ISSUES

PROTOCOL FOR THE PROHIBITION OF THE USE IN WAR OF ASPHYXIATING, POISONOUS OR OTHER GASES, AND OF BACTERIOLOGICAL METHODS OF WARFARE

10. International Convention against Apartheid in Sports

Contracting Parties to the Ramsar Convention

Regional Scores. African countries Press Freedom Ratings 2001

A) List of third countries whose nationals must be in possession of visas when crossing the external borders. 1. States

CUSTOMS AND EXCISE ACT, AMENDMENT OF SCHEDULE NO. 2 (NO. 2/3/5)

Copyright Act - Subsidiary Legislation CHAPTER 311 COPYRIGHT ACT. SUBSIDIARY LEGlSLA non. List o/subsidiary Legislation

UNITED NATIONS. Distr. GENERAL. FCCC/KP/CMP/2009/7 15 June Original: ENGLISH. Note by the secretariat

Antipersonnel Mine Stockpile Destruction (Article 4)

LIST OF CONTRACTING STATES AND OTHER SIGNATORIES OF THE CONVENTION (as of January 11, 2018)

A) List of third countries whose nationals must be in possession of visas when crossing the external borders. 1. States

Country pairings for the second cycle of the Mechanism for the Review of Implementation of the United Nations Convention against Corruption

Proforma Cost for national UN Volunteers for UN Partner Agencies

The CAP yesterday, today and tomorow 2015/2016 SBSEM and European Commission. 13. The Doha Round Tomás García Azcárate

No Blue Cards/CLC Certificates 1969 and 1992 Civil Liability Conventions December 1999

Per Capita Income Guidelines for Operational Purposes

The global diffusion of data privacy laws and their interoperability

TD/B/Inf.222. United Nations Conference on Trade and Development. Membership of UNCTAD and membership of the Trade and Development Board

NOTE BY THE TECHNICAL SECRETARIAT STATUS OF PARTICIPATION IN THE CHEMICAL WEAPONS CONVENTION AS AT 14 MARCH SUMMARY

Mechanism for the Review of Implementation of the United Nations Convention against Corruption: country pairings for the second review cycle

7. International Convention on the Suppression and Punishment of the Crime of Apartheid

Proforma Cost for National UN Volunteers for UN Partner Agencies for National UN. months) Afghanistan 14,030 12,443 4,836

8. b) Optional Protocol to the Convention on the Elimination of All Forms of Discrimination against Women. New York, 6 October 1999

Country pairings for the first cycle of the Mechanism for the Review of Implementation of the United Nations Convention against Corruption

Proposal for a COUNCIL DECISION

Proforma Cost Overview for national UN Volunteers for UN Peace Operations (DPA/DPKO)

APPENDIX 2. to the. Customs Manual on Preferential Origin

2017 BWC Implementation Support Unit staff costs

Country pairings for the first review cycle of the Mechanism for the Review of Implementation of the United Nations Convention against Corruption

Diplomatic Conference to Conclude a Treaty to Facilitate Access to Published Works by Visually Impaired Persons and Persons with Print Disabilities

Countries 1 with risk of yellow fever transmission 2 and countries requiring yellow fever vaccination

NOTE BY THE TECHNICAL SECRETARIAT STATUS OF PARTICIPATION IN THE CHEMICAL WEAPONS CONVENTION AS AT 25 MAY SUMMARY

Status of National Reports received for the United Nations Conference on Housing and Sustainable Urban Development (Habitat III)

A Partial Solution. To the Fundamental Problem of Causal Inference

Mechanism for the Review of Implementation of the United Nations Convention against Corruption: country pairings for the second review cycle

IMO MANDATORY REPORTS UNDER MARPOL. Analysis and evaluation of deficiency reports and mandatory reports under MARPOL for Note by the Secretariat

15. a) Optional Protocol to the Convention on the Rights of Persons with Disabilities. New York, 13 December 2006

Country pairings for the second review cycle of the Mechanism for the Review of Implementation of the United Nations Convention against Corruption

FREEDOM OF THE PRESS 2008

CONVENTION ON INTERNATIONAL INTERESTS IN MOBILE EQUIPMENT SIGNED AT CAPE TOWN ON 16 NOVEMBER 2001

Japan s s Strategy for Regional Trade Agreements

NOTE BY THE TECHNICAL SECRETARIAT STATUS OF PARTICIPATION IN THE CHEMICAL WEAPONS CONVENTION AS AT 17 OCTOBER 2015

NOTE BY THE TECHNICAL SECRETARIAT STATUS OF PARTICIPATION IN THE CHEMICAL WEAPONS CONVENTION AS AT 16 JUNE 2018

Rule of Law Index 2019 Insights

Voluntary Scale of Contributions

ANNEXES. to the. Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

INTERNATIONAL AIR SERVICES TRANSIT AGREEMENT SIGNED AT CHICAGO ON 7 DECEMBER 1944

Overview of the status of UNCITRAL Conventions and Model Laws x = ratification, accession or enactment s = signature only

GENTING DREAM IMMIGRATION & VISA REQUIREMENTS FOR THAILAND, MYANMAR & INDONESIA

GLOBAL PRESS FREEDOM RANKINGS

Sensitive to the wide disparities in size, population, and levels of development among the States, Countries and Territories of the Caribbean;

Bank Guidance. Thresholds for procurement. approaches and methods by country. Bank Access to Information Policy Designation Public

2018 Social Progress Index

NAP Global Network. Where We Work. April 2018

Global Environment Facility

World Heritage UNITED NATIONS EDUCATIONAL, SCIENTIFIC AND CULTURAL ORGANIZATION

Illustration of Proposed Quota and Voting Shares--By Member 1/ (In percent)

Country pairings for the first review cycle of the Mechanism for the Review of Implementation of the United Nations Convention against Corruption

Final Declaration and Measures to Promote the Entry into Force of the Comprehensive Nuclear-Test-Ban Treaty*

Committee for Development Policy Seventh Session March 2005 PURCHASING POWER PARITY (PPP) Note by the Secretariat

Proposed Indicative Scale of Contributions for 2016 and 2017

Convention on the Physical Protection of Nuclear Material

Governing Body Geneva, November 2006 LILS FOR INFORMATION. Ratification and promotion of fundamental ILO Conventions

**Certificate of Free Sale Request Form** B

Berne Convention for the Protection of Literary and Artistic Works

REGIONAL INTEGRATION IN THE AMERICAS: THE IMPACT OF THE GLOBAL ECONOMIC CRISIS

Entry into force: The Protocol entered into force on 6 August Status:

Nagoya, 29 October 2010

Bulletin /01 - Non-Acceptance of 1992 CLC Certificates Port Klang - Malaysia

Bahrain, Ecuador, Indonesia, Japan, Peru, Philippines, Republic of Korea, Serbia and Thailand.

A Practical Guide To Patent Cooperation Treaty (PCT)

Implementing legislation: Some elements

KYOTO PROTOCOL STATUS OF RATIFICATION

Trade Facilitation Agreement (TFA) Q&A

ASSOCIATION OF AFRICAN UNIVERSITIES BYELAWS

COUNTRIES/AREAS BY REGION WHOSE NATIVES ARE ELIGIBLE FOR DV-2019

The Henley & Partners - Kochenov GENERAL RANKING

CENTRAL AMERICA AND THE CARIBBEAN

It has been recognized at IMO that it is only at the interregional level that concerted efforts can be made:

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

UNITED NATIONS FINANCIAL PRESENTATION. UN Cash Position. 18 May 2007 (brought forward) Alicia Barcena Under Secretary-General for Management

TABLE OF COUNTRIES WHOSE CITIZENS, HOLDERS OF ORDINARY PASSPORTS, REQUIRE/DO NOT REQUIRE VISAS TO ENTER BULGARIA

Millennium Profiles Demographic & Social Energy Environment Industry National Accounts Trade. Social indicators. Introduction Statistics

Return of convicted offenders

Development Cooperation

Global Access Numbers. Global Access Numbers

Embassies and Travel Documents Overview

List of eligible countries/areas for the Diversity Visa 2018 Lottery

OVERVIEW OF THE NAGOYA PROTOCOL ON ACCESS TO GENETIC RESOURCES AND THE FAIR AND EQUITABLE SHARING OF BENEFITS ARISING FROM THEIR UTILIZATION

58 Kuwait 83. Macao (SAR China) Maldives. 59 Nauru Jamaica Botswana Bolivia 77. Qatar. 63 Bahrain 75. Namibia.

Global Prevalence of Adult Overweight & Obesity by Region

Joining the WTO. Membership of the WTO (as of 31 December 2013)

CONVENTION ON THE MARKING OF PLASTIC EXPLOSIVES FOR THE PURPOSE OF DETECTION DONE AT MONTREAL ON 1 MARCH 1991

Transcription:

University of New South Wales Law Research Series RENEWING DATA PROTECTION CONVENTION 108: THE COE S GDPR LITE INITIATIVES GRAHAM GREENLEAF (2016) 142 Privacy Laws & Business International Report, 14-17 August [2017] UNSWLRS 3 UNSW Law UNSW Sydney NSW 2052 Australia E: unswlrs@unsw.edu.au W: http://www.law.unsw.edu.au/research/faculty-publications AustLII: http://www.austlii.edu.au/au/journals/unswlrs/ SSRN: http://www.ssrn.com/link/unsw-leg.html

Renewing data protection Convention 108: The CoE s GDPR Lite initiatives Graham Greenleaf AM, Professor of Law & Information Systems, UNSW Australia * (2016) 142 Privacy Laws & Business International Report, 14-17, August 2016. In June 2016 the Council of Europe held two significant back- to- back conferences to further develop data protection Convention 108: the CAHDATA Conference (15-16 June) of state Parties to finalise the Modernisation of the Convention; and the Globalisation Conference (17 June) to encourage the expansion of the Convention s membership outside Europe. This article explains their significance, and how both initiatives inter- connect with the EU s finalisation of its General Data Protection Regulation (GDPR). Modernisation post-gdpr Council of Europe Convention 108 was open for signature in 1981. Its Additional Protocol of 2001 responded to the EU Directive of 1995 by a number of provisions (including requirements for a DPA, and for data export limitations based on adequacy ). The process to reform and update the Convention began in 2010, involved recommendations by the Convention s Consultative Committee (T- PD), 1 and the establishment of a Committee of State Parties (CAHDATA) with a mandate to finalise the terms of a modernised Convention which would then be open to ratification by State Parties. The near- final revisions 2 were agreed in 2014, subject to various reservations by the European Union and the Russian Federation. The final CAHDATA meeting was delayed until the EU s GDPR was finalised, with its mandate 3 being solely to finalise the clauses on which reservations had been expressed. Finalised despite the nyet- sayers The CAHDATA meeting on 15-16 June finalised the text of the modernised Convention (technically, the draft amending Protocol) to be submitted to the Committee of Ministers to consider adoption. The Report 4 on the conclusions of the meeting sets out the numerous technical amendments agreed to concerning the clauses which were still under consideration, as well as the EU s lifting of its reservations on other clauses (post- GDPR). Although none of the matters agreed constitute fundamental changes, many are non- trivial, such as: only purely personal activities are exempt; racial or ethnic origin is included in protected * Valuable comments have been received from Maria Michaelidou and Marie Georges. Responsibility for all content remains with the author. The Council of Europe funded the author s participation in the Conferences. 1 T- PD Modernisation of Convention 108 (T- PD(2012)4Rev3_en). Documents cited can be most easily found by searching for the Council of Europe document identifiers given in these footnotes. 2 They are most clearly seen in a consolidated draft of the proposed modernized Convention, with reservations noted (CAHDATA (2016)01). 3 CAHDATA Terms of Reference (CAHDATA(2016)ToR). 4 Ad Hoc Committee On Data Protection (CAHDATA) Abridged Report Strasbourg 15-16 June 2016 (CAHDATA(2016)RAPAbr)

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 2 sensitive data; grounds for objection to processing must relate to a person s particular situation. Exceptions in national laws must respect the essence of the fundamental rights and freedoms, but specific references to the European Convention on Human Rights (ECHR), or the jurisprudence of the ECtHR have been avoided, since the parties to the Convention are no longer limited to European States. No consolidated version of the final proposed modernised Convention is yet available. CAHDATA is to finalise the explanatory report on the Convention by written procedure, and the Secretariat has requested written submissions on the draft. Much time was absorbed by Russia s unsuccessful repeated attempts to move a category of State secrets (otherwise undefined) completely outside the Convention, and in similarly repetitious filibusters which appeared to be aimed at objecting to every EU position. The CAHDATA report noted Russia s special position on State secrets in relation to various articles, and its objections to a group of States obtaining a privileged position in relation to data exports. Russia also declared its objection to the EU exercising a block vote for all EU member states in the Convention Committee in future (Mod. CoE Art. 20(3), assuming the Committee of Ministers agrees), as it already does in effect by EU coordination of its member states votes. This gives it a majority that globalisation may erase. The privileged position referred to an EU- originated provision by which a group of Parties in a regional international organisation (such as the EU) can set a higher standard for data exports (in the EU s case, adequate protection) than is otherwise required by the modernised Convention (an appropriate level of protection). This is probably the major change in terms (but not in practice) between the old and new Conventions: what previously appeared to be the only maximum allowed standard in the old Convention has now become another minimum required standard in the new one, but only where it is a standard adopted by a group of parties (which makes some sense in relation to data exports). In force with the GDPR? The GDPR will come into force from 25 May 2018. If we assume (for example) that the modified Convention 108 is approved by the Committee of Ministers and open for signature on 1 January 2017 (which may be optimistic) then the final article of the amending Protocol will provide that, unless all existing Parties ratify it before 1 January 2019, it will come into force on that date (with a possible delay of up to a further three months if any party has notified objections by that date). So it may be realistic to assume that the modernised Convention will come into effect within a year of the GDPR coming into effect. Modernised 108 compared with the GDPR The relationship between the requirements of the modernised Convention 108 (abbreviated as Mod CoE ) and those of the GDPR fall into three categories. First, the modernised 108 includes three principles which were already included in the EU Directive (and are included in the GDPR), but were not included in the existing Convention 108 (or its 2001 Additional Protocol). They are:

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 3 Additional restrictions on some sensitive processing systems, such as notifications to a DPA (Mod CoE Art. 8bis(2)); Limits on automated decision- making, including the right to know processing logic (Mod CoE Art. 8(a), (c)); The right to object to processing on legitimate grounds (Mod CoE 8(d)). Second, there are nine new requirements (or clarifications) included in the GDPR which are also included in the modernised Convention108. They are: Rights apply to all data subjects, irrespective of nationality/residence (Mod CoE Art. 3(1bis)); Proportionality required in all aspects of processing (Mod CoE Art. 5(1)); Stronger consent requirements ( unambiguous ) (Mod CoE Art. 5(2)); Mandatory Data Protection Impact Assessments (DPIAs) for high risk processing (Mod CoE Art. 8bis(2)); Data protection by design and by default (Mod CoE Art. 8bis(2), (3)); Direct liability for processors as well as controllers (Mod CoE Art. 7, 8bis); Data breach notification to DPA required for serious breaches (Mod CoE Art. 7.2); DPAs to make decisions and issue administrative sanctions including fines (Mod CoE Art. 12bis2(c)); Demonstrable accountability required of data controllers (Mod CoE Art. 8bis(1)). Third, there are a further nine new requirements (or clarifications) included in the GDPR which are not explicitly required by the modernised Convention108, though some can be considered to be implied. They are: requirement to cooperate in resolving complaints with international elements, with any other DPA; obligations to apply extra- territorially, if goods or services offered, or behaviour monitored locally; local representation required of such foreign controllers or processors; right to portability of data- subject- - generated content; right to erasure (right to be forgotten ); mandatory Data Protection Officers (DPOs) for sensitive processing; data breach notification to data subjects (if high risk); class actions before DPAs or courts by public interest privacy groups; and maximum administrative fines based on global annual turnover. The modernised Convention will therefore have considerably stronger requirements than the existing Convention, but these will still be far more general and modest than the GDPR s requirements. Accession and adequacy At present, only moderate privacy standards are required for accession to the existing Convention 108. In my opinion, these standards can be described as

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 4 approximately what is required for EU adequacy, not full equivalence with the Directive. Such standards are what countries outside Europe have been enacting bottom up. This standard can be thought of as at least half way between the 1980s OECD standards and those of the Directive. 5 When both the GDPR and the modernised Convention 108 are in effect, the new Convention 108 accession standards will be higher, but will still be less demanding than those of the GDPR: not too hot, not too cold, a moderate global standard. Of course, we will not be sure how either CoE accession requirements, or EU adequacy requirements, will be interpreted until both new instruments are in operation. Accession to Convention 108 provides strong assistance for an EU adequacy finding, and will continue to do so. This is made explicit in GDPR recital 105 which says that in assessing the adequacy of a third country s data protection, the EU will in particular taken into account accession to Convention 108. At both Strasbourg Conferences, EU representatives stressed that all aspiring EU member states have been required to accede to Convention 108; that they were very satisfied that the standards of the modernised Convention 108 would be consistent with the GDPR although not a carbon copy ; and that Convention 108 accession was a key element in our assessment of adequacy and a bridge between the two. Council of Europe Secretary- General Jagland observed that accession to Convention 108 had the strong support of the EU. Globalisation gets more traction The globalisation of Council of Europe data protection Convention 108 beyond its European national origins has been underway since the start of this decade, when the first non- European accession (by Uruguay) was assessed and approved. It is a large step across the globe from Uruguay to Mauritius, so the global nature of this process was demonstrated by the completion of the second non- European accession with Mauritius formal deposit of its instrument of accession in a ceremony at the Conference. Four other non- European countries are now at various stages of the accession process. 6 The globalisation Conference on 17 June is the first time since 1981 that the Council of Europe has held a separate meeting on the question of globalisation. A very full programme of speakers discussed the issues from many perspectives. 7 Participants from 16 countries outside the Council of Europe 8 demonstrated there is increasing interest in accession by non- European countries, from both governments and NGOs. Many international organisations in such areas as policing, financial surveillance, humanitarian assistance and security, must 5 Greenleaf 'The Influence of European Data Privacy Standards Outside Europe (citation below); see also G Greenleaf Asian Data Privacy Laws: Trade and Human Rights Perspectives (OUP, 2014), Chapter 17. 6 Cape Verde, Morocco, Senegal, Tunisia. 7 Programme Convention 108: from a European reality to a global treaty, 17 June 2016 <http://www.coe.int/en/web/human- rights- rule- of- law/international- conference- convention- 108> 8 Australia, Belarus, Benin, Burkina Faso, Cape Verde, Ghana, the Holy See, Indonesia, Japan, Mauritius, Mexico, Morocco, Senegal, Tunisia, the USA and Uruguay.

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 5 develop procedures for data transfers and ensure that their members adhere to them. If a member is a party to Convention 108 this gives reassurance that international data protection standards are being met. The participation in the Conference of INTERPOL, Eurojust, the International Commission on Civil Status, Europol and the International Committee of the Red Cross are examples of this. Convention 108 s advantages for businesses in developing countries have also recently been espoused by UNCTAD. 9 At the Conference, the DPAs of Morocco and Tunisia explained two bilateral cooperation agreements on data transfers they had entered with Belgium. A French international expert explained the nature and content of cooperation between the CoE and countries such as Ukraine and Turkey. European DPAs are committed to assist less developed DPAs where desired and to collaborate on assistance projects. Globalisation s prospects The expansion of Convention 108 beyond Europe is now of greater importance, and makes more sense, because of the the global intensification of ICT, reflected in the expansion in recent decades of the number of countries with data privacy laws, and particularly of countries outside Europe. By June 2016, 111 countries had enacted data privacy laws, the most recent being Turkey and Sao Tome & Principe. Since 2015, the majority of these laws (57/111) are from outside Europe, and only a quarter of the laws are now from countries of the European Union. Europe s percentage share of data privacy laws will continue to shrink it cannot expand without a redefinition of Europe. 10 By 2011 the data privacy Acts outside Europe included on average about 7/10 of the higher European standards. 11 Within this average there is considerable variation. By 2016, with 57 laws now from outside Europe, about half are stronger 2nd generation revised laws, often from revisions since 2010. My unsystematic observation is that they are closer on average to the higher European standards than they were five years ago. 12 Most of the laws outside Europe include data export restrictions, often similar to the adequacy requirements of European laws, but with many significantly different forms of limitation which cannot be simply described as variations of adequacy. As a result, the issue of data export limitation is no longer a question of to where will Europe allow personal data to be exported. The plethora of 9 UNCTAD Data Protection Regulations and International Data Flows: Implications for Trade and Development, April 2016, <http://unctad.org/en/pages/publicationwebflyer.aspx?publicationid=1468> 10 Greenleaf, G 'Global data privacy laws 2015: 109 countries, with European laws now in a minority' (2015) 133 Privacy Laws & Business International Report, 14-17 <http://ssrn.com/abstract=2603529> 11 By higher is meant those data privacy principles which differentiate the Directive (and Convention 108 plus Additional Protocol) from the 1980 OECD Guidelines: see Greenleaf, G 'The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108' (2012) International Data Privacy Law, Vol. 2, Issue 2 <http://ssrn.com/abstract=1960299> 12 A systematic study is needed to assess whether this observation is correct on the eve of the GDPR, to follow up my 2011 study, 'The Influence of European Data Privacy Standards Outside Europe.

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 6 export limitations outside Europe potentially have just as much impact on imports into Europe. The past 45 years of steady global expansion of data privacy laws is likely to continue. At least 24 more countries have official Bills for new data privacy Acts. 13 Some additional countries which do not have comprehensive data privacy laws do have e- commerce and/or consumer privacy laws of broad scope, including China and Indonesia. Nor do these proposed laws seem to involve a diminution in standards. Convention 108 has realistic prospects of globalisation, as it already has 49 parties (soon to be 53), nearly 50% of all countries with data privacy laws.. 14 This is an impressive start for any treaty. Council of Europe Conventions can become successful global conventions, as the Cybercrime Convention has shown, with 8 non- European ratifications among its 48 parties. 15 Convention 108 is likely to soon exceed it on both measures, despite having far fewer financial resources to support its globalisation than the funding made available in relation to the cybercrime treaty. Despite the expansion of laws outside Europe, it would be unrealistic to suggest that another 56 accessions to Convention 108 are either possible or desirable. Many of these laws fall outside the requirements of Convention 108, including for reasons of insufficient scope, democratic deficits, constitutional questions, lack of a data protection authority, and other matters not easily remedied. The number of potential Convention 108 candidates for accession has yet to be assessed, but the potential for greater globalisation is clear. Attractions of accession Why should countries outside Europe consider acceding to what has been, until recently, a treaty with only States from the Council of Europe as parties? At least thirteen distinct benefits can be identified: (i) realistic prospects; (ii) no realistic alternative; (iii) voluntary obligations; (iv) international best practice recognition; (v) reciprocal data exports; (vi) moderate standards; (vii) minimum standards; (viii) a whitelist substitute; (ix) adequacy assistance; (x) development assistance; (xi) business benefits with exports and imports; (xii) individual benefits from minimum protections; and (xiii) assistance to international organisations. My explanation of these benefits is available elsewhere. 16 Another can be added: the opportunity to participate in regular 13 The 24 countries known to have official Bills are Antigua & Barbuda; Barbados; Bermuda; Brazil; Cayman Islands; Chad; Dominica; Ecuador; Ethiopia; Falkland Islands; Grenada; Honduras; Indonesia; Jamaica; Kenya; Mauritania; Niger; Nigeria; Qatar; Saint Kitts and Nevis; Swaziland; Tanzania; Thailand (private sector); and Uganda. 14 The Brexit result, a week later, does not have a direct impact on the Convention because it is a Council of Europe treaty, and Britain s status as a Party will not be affected directly by its withdrawal from the EU. 15 Council of Europe Convention on Cybercrime (ETS 185); parties include Australia, Canada, Dominican Republic, Japan, Mauritius, Panama, Sri Lanka, and the United States. South Africa has signed but not ratified. <http://www.coe.int/en/web/conventions/full- list/- /conventions/treaty/185/signatures?p_auth=x0ew8rdc> 16 G Greenleaf Balancing globalisation s benefits and commitments: Accession to data protection Convention 108 by countries outside Europe Invited presentation to the Council of Europe

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 7 Convention meetings (as Observer or Party) where data protection principles and implementations are debated by experts from over 50 countries, and sectoral and other guidelines developed. The significance of these potential benefits, or potential disadvantages, will vary between countries. For each country, they require a balanced assessment of the interests of that country and its government, of businesses operating within it, and of its citizens and residents. There is no need to suggest that every potentially eligible country should accede to Convention 108: only that they should give serious consideration to the potential advantages and implications of so doing. Need to increase transparency of accessions When a country accedes to Convention 108, it makes serious commitments. It must implement a law with the global- standard principles and enforcement mechanisms required by Convention 108. It should permit data exports to other Parties to the Convention (under the conditions described above), and may do so to third- party countries where the Convention standards for data exports are met (in short, an adequacy standard). It should not permit data exports outside those requirements. These commitments by acceding countries are only justifiable if the Convention bodies ensure that new accessions meet and enforce these standards, and that all parties ensure continuing enforcement. Because the national commitments are significant, the enforcement of the treaty must be equally so. The Convention bodies (Consultative Committee (T- PD), and Committee of Ministers, with the assistance of the Secretariat) have significant responsibilities to acceding countries (and all Parties) and their citizens and residents. It makes practical sense that they should do what is within their powers to ensure that Parties are only required to export their citizens data to other countries which have sufficiently high standards of data protection, and take an international standard approach to the enforcement of those protections. Unfortunately, the current Convention 108 does not explicitly recognise these responsibilities, and the current practice of the Convention bodies does not make it transparent enough that they are being carried out. The Opinions of the Consultative Committee (T- PD) make it appear that only the law on the books is assessed during the accession process, but not the key measures for its effective implementation (DPA resources, publication of enforcement activities etc). Such matters may well be routinely assessed during accession, but there is no public documentation of this. The Convention bodies all need to agree that this should be made transparent: on my reading there is nothing in the Convention, or in CoE treaty practice to prevent this, if the Committee of Ministers request it. Provided that full- scale evaluations were not requested, a routine requirement of a few basic checks of a DPA s effectiveness would not require a significant increase in the Secretariat s resources. Because accessions will occur for some years to come under the existing Convention 108, 17 it is important that this transparency Convention 108 Globalisation Conference, 17 June 2016, Strasbourg, France <http://ssrn.com/abstract=2801054> 17 Until the modernised Convention is completed and comes into force,

Renewing data protection Convention 108: The CoE s GDPR lite initiatives 8 should now be improved. Removing this transparency gap would increase the confidence of other countries (and their citizens and businesses) in the benefits of accession to Convention 108. Fortunately, these obligations are quite clear in the text of the modernised Convention 108, which explicitly allows the Convention Committee to assess both the strength of enforcement at accession, and continuing compliance with Convention obligations (Mod CoE Arts. 4(1) and 19(e), (f)). T- PD practice would also indicate that such evaluations will then be made public. Practice under the current Convention can and should, in my view, adjust to fit the first of these future requirements. Conclusion: GDPR lite but increasingly global Data protection Convention 108 is of increasing importance in a world in which the majority of data privacy laws already come from countries outside Europe, and in which the EU s GDPR will create the impetus for a third generation of data privacy standards to develop. The less demanding standards of the modernised Convention, coupled with advantages accession to it will give countries also seeking an EU adequacy assessment, make it a potential indicator of which elements of the GDPR will in reality become parts of a global standard. The globalisation of Convention 108 has implications for every country with existing or planned data privacy laws. It is good policy for each country to be well- informed and consider carefully the potential benefits of accession, and its relationship to the standards of the GDPR. Warning: GDPR Lite may be addictive.

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback