The chair of the Council of Europe’s data protection “Convention 108” committee and the Council of Europe’s Data Protection Commissioner have both called for the adoption of international legal standards for data protection following the Shrems II judgement.
Alessandra Pierucci and Jean-Philippe Walter have urged states to join “Convention 108+”. This refers to The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, a data privacy and protection convention open to all countries. So far, 55 countries have ratified “Convention 108” and many have used it as a model for their own data protection legislation.
“Convention 108+” was opened for signature in 1981 and has been recently modernised to reflect changes in data privacy and surveillance that have come with digitisation.
It focuses on two key objectives: facilitating data flows while human rights and fundamental freedoms. The adoption of “Convention 108+” by United Nation member states has already been recommended by the United Nations’ Special Rapporteur on the right to privacy.
The two organisations believe that the adoption of international standards is important to better protecting individuals from digital surveillance carried by intelligence services, highlighting that it is “up to policy makers and governments around the world to seize the potential of that Convention”.
In a joint statement, the “Convention 108” committee and the Council of Europe’s Data Protection Commissioner said:
“Countries must agree at international level on the extent to which the surveillance performed by intelligence services can be authorised, under which conditions and according to which safeguards, including independent and effective oversight”.
It emphasises that this is particularly relevant in the context of the current health crisis, which has “notably accelerated” digitisation.
This follows the “Schrems II” judgement in July in which the European Court of Justice decided that the EU-USA “Privacy Shield” is now invalid.
Prior to this, the privacy shield enabled companies to transfer data between the EU and the US after committing to higher privacy standards. However, the judgement ruled that individuals’ data was not being adequately protected from government surveillance under the agreement.
This has left many companies having to re-think their data transfer practices. However, the statement said that the judgement had provided “another opportunity to strengthen the universal data protection framework and to address the need for a global legal instrument on intelligence services”.
In order to “find consensus on this critical issue at global level”, the Council of Europe’s data protection “Convention 108” committee and the Council of Europe’s Data Protection Commissioner said:
“This is a key moment for countries around the world to set a path for the next 70 years of protection of human rights. Recognising the vital importance of data protection and the significance of transborder data transfers in today’s digital environment, they should accede to Convention 108+ and should also seize the unique potential offered by the Council of Europe, and the chance that is given to address the question of the operation of intelligence services, under the aegis of a globally respected human rights organisation.”