Convention 108 (Council of Europe)
Convention 108, formally known as the 'Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,' was adopted by the Council of Europe on January 28, 1981. It is the first legally binding international treaty dedicated to data protection and privacy. The convention was a landmark achievement in establishing fundamental principles for the processing of personal data across national borders.
The Convention establishes key data protection principles that remain foundational to modern privacy law. These include: the requirement that personal data must be obtained and processed fairly and lawfully; data must be stored for specified and legitimate purposes; data must be adequate, relevant, and not excessive in relation to the purposes for which it is stored; data must be accurate and kept up to date; and data must be preserved in a form that permits identification of data subjects for no longer than necessary.
Convention 108 also addresses the processing of special categories of data, including sensitive data such as racial origin, political opinions, health data, religious beliefs, and criminal records, requiring additional safeguards for their processing. It grants individuals rights regarding their personal data, including the right to know about the existence of data files, to access their data, and to seek rectification or erasure.
The Convention was modernized in 2018 through an amending protocol known as Convention 108+, which updated its provisions to address contemporary challenges such as big data, artificial intelligence, and new forms of data processing.
Convention 108+ strengthened accountability requirements, introduced data breach notification obligations, and enhanced the independence of supervisory authorities. Importantly, Convention 108 is open for accession by non-European countries, making it a truly global instrument. It served as a significant precursor and influence on the EU Data Protection Directive (95/46/EC) and subsequently the General Data Protection Regulation (GDPR). January 28, the date of its adoption, is now celebrated annually as Data Protection Day (or Data Privacy Day).
Convention 108 (Council of Europe) – A Comprehensive Guide for CIPP/E Exam Preparation
Introduction
Convention 108, formally known as the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, is one of the most foundational instruments in European data protection law. Adopted by the Council of Europe in 1981, it was the first legally binding international treaty dedicated to data protection and privacy. Understanding Convention 108 is essential for the CIPP/E exam, as it represents the origins of many principles that later shaped the EU Data Protection Directive (95/46/EC) and the General Data Protection Regulation (GDPR).
Why Is Convention 108 Important?
Convention 108 holds a unique and critical place in the landscape of data protection for several reasons:
1. First Legally Binding International Data Protection Treaty: Before Convention 108, data protection rules existed only at the national level in a handful of countries. Convention 108 was the first international instrument that created legally binding obligations on signatory states to protect personal data. This was groundbreaking in 1981 and set the tone for decades of data protection development.
2. Established Core Data Protection Principles: Convention 108 enshrined fundamental data protection principles that remain at the heart of modern data protection law. These include the principles of fair and lawful processing, purpose limitation, data quality, proportionality, and data security. These principles directly influenced the OECD Guidelines, the EU Data Protection Directive, and ultimately the GDPR.
3. Broad Geographic Reach Beyond the EU: Unlike EU instruments such as the GDPR, Convention 108 is open to any country in the world, not just Council of Europe member states. This makes it a truly international framework. Countries outside Europe, such as Uruguay, Mauritius, Senegal, Tunisia, and others, have acceded to the Convention, giving it a global dimension.
4. Bridge Between Human Rights and Data Protection: Convention 108 is rooted in Article 8 of the European Convention on Human Rights (ECHR), which protects the right to respect for private and family life. This connection firmly places data protection within the broader human rights framework and reinforces the idea that data protection is a fundamental right, not merely a regulatory compliance obligation.
5. Foundation for Adequacy Assessments: Adherence to Convention 108 is one of the factors the European Commission considers when assessing whether a third country provides an adequate level of data protection for the purposes of international data transfers under the GDPR.
What Is Convention 108?
Convention 108 was opened for signature on 28 January 1981 in Strasbourg, France. This date is now celebrated annually as Data Protection Day (in Europe) or Data Privacy Day (in the United States and other countries).
The Convention was adopted under the auspices of the Council of Europe, an international organization with 46 member states that is distinct from the European Union. The Council of Europe focuses on upholding human rights, democracy, and the rule of law across Europe and beyond.
Key Features of Convention 108:
- Scope: Convention 108 applies to the automatic processing of personal data in both the public and private sectors. Signatory states may also extend its application to non-automated (manual) data processing and to data relating to legal persons (not just natural persons), although this extension is optional.
- Core Data Protection Principles (Article 5): The Convention establishes that personal data undergoing automatic processing shall be:
(a) Obtained and processed fairly and lawfully;
(b) Stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
(c) Adequate, relevant, and not excessive in relation to the purposes for which they are stored;
(d) Accurate and, where necessary, kept up to date;
(e) Preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
- Special Categories of Data (Article 6): Convention 108 provides that personal data revealing racial origin, political opinions, religious or other beliefs, as well as personal data concerning health, sexual life, or criminal convictions, may not be processed automatically unless domestic law provides appropriate safeguards. This concept of sensitive or special category data was later expanded in the GDPR.
- Data Security (Article 7): Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorized destruction, accidental loss, unauthorized access, alteration, or dissemination.
- Rights of the Data Subject (Article 8): Any person shall be enabled to:
(a) Establish the existence of an automated personal data file, its main purposes, and the identity of the controller;
(b) Obtain confirmation of whether personal data relating to them is stored and have that data communicated in an intelligible form;
(c) Obtain rectification or erasure of data that has been processed contrary to the provisions of the Convention;
(d) Have a remedy if a request for confirmation, communication, rectification, or erasure is not complied with.
- Restrictions and Exceptions (Article 9): The rights and principles in the Convention may be restricted only where such a restriction is provided for by law and constitutes a necessary measure in a democratic society in the interests of state security, public safety, the monetary interests of the state, the suppression of criminal offences, or the protection of the data subject or the rights and freedoms of others. This mirrors the structure of limitations found in the ECHR.
- Transborder Data Flows (Article 12): Convention 108 addresses international data transfers. A Party shall not, for the sole purpose of the protection of privacy, prohibit or subject to special authorization transborder flows of personal data going to the territory of another Party. However, derogations are possible when the other Party does not provide equivalent protection or when the transfer is made to circumvent domestic data protection law.
- Mutual Assistance and Consultative Committee: The Convention establishes a framework for cooperation between signatory states and creates a Consultative Committee (known as the T-PD Committee) to oversee the Convention's implementation and propose amendments.
Convention 108+ (The Modernized Convention)
Recognizing that technology and the data protection landscape had evolved dramatically since 1981, the Council of Europe adopted a modernized version of Convention 108 in 2018, known as Convention 108+ (formally the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 223).
Key updates in Convention 108+ include:
- Expanded Scope: The modernized Convention applies to all data processing activities (not limited to automatic processing) and covers both public and private sectors.
- New Principles: Convention 108+ introduces the principles of proportionality, accountability, data protection by design, and data minimization — aligning it more closely with the GDPR.
- Strengthened Rights: Additional rights for data subjects are included, such as the right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects the individual.
- Enhanced Transparency: Controllers must provide more detailed information to data subjects about data processing.
- Data Breach Notification: Convention 108+ introduces obligations related to notifying competent supervisory authorities of data breaches that may seriously interfere with the rights of data subjects.
- Stronger Safeguards for Transborder Data Flows: Updated provisions require adequate levels of protection for international data transfers.
- Independent Supervisory Authorities: Convention 108+ requires each Party to establish one or more independent supervisory authorities responsible for ensuring compliance with data protection rules.
Convention 108+ is designed to remain technology-neutral and to be compatible with other data protection frameworks, including the GDPR, while maintaining its global, inclusive character.
How Does Convention 108 Work?
Convention 108 operates as an international treaty under public international law. Here is how it functions in practice:
1. Signature and Ratification: Countries sign and ratify the Convention, thereby committing to incorporate its principles into their domestic law. All 46 Council of Europe member states have ratified Convention 108, and non-member states may also accede to it by invitation.
2. Domestic Implementation: Each signatory state must enact national legislation that gives effect to the principles laid out in the Convention. The Convention sets minimum standards; states are free to provide a higher level of protection.
3. The Consultative Committee (T-PD): This committee, composed of representatives from all Parties, monitors the application of the Convention, makes recommendations, and proposes amendments. It also plays a role in evaluating whether non-member states seeking accession have adequate data protection frameworks.
4. No Direct Enforcement Mechanism: Unlike the GDPR, Convention 108 does not have a direct enforcement mechanism with fines or penalties at the international level. Enforcement depends on national authorities and the domestic legal framework of each signatory state. However, Convention 108+ strengthens this by requiring independent supervisory authorities.
5. Interaction with Other Instruments: Convention 108 works alongside other legal instruments, including the ECHR, the EU Charter of Fundamental Rights, the GDPR, and national data protection laws. It serves as a common baseline that facilitates international cooperation and the free flow of personal data among signatory states.
Convention 108 vs. the GDPR: Key Differences
While Convention 108 and the GDPR share many principles, there are important distinctions:
- Nature of the Instrument: Convention 108 is an international treaty of the Council of Europe; the GDPR is an EU regulation with direct effect in all EU/EEA member states.
- Geographic Scope: Convention 108 is open to countries worldwide; the GDPR applies primarily within the EU/EEA (though it has extraterritorial reach).
- Level of Detail: The GDPR is far more detailed and prescriptive than Convention 108, with specific provisions on data protection officers, data protection impact assessments, records of processing activities, and detailed enforcement mechanisms including substantial fines.
- Enforcement: The GDPR provides robust enforcement through national supervisory authorities with the power to impose administrative fines up to EUR 20 million or 4% of global turnover. Convention 108 relies on domestic implementation and does not prescribe specific penalties at the international level.
- Legal Bases for Processing: The GDPR specifies six legal bases for lawful processing (Article 6). Convention 108 takes a more principles-based approach without enumerating specific legal bases in the same way.
Key Facts to Remember for the CIPP/E Exam
- Convention 108 was adopted in 1981 and opened for signature on 28 January 1981.
- It was created by the Council of Europe (not the European Union).
- It is the first legally binding international treaty on data protection.
- 28 January is celebrated as Data Protection Day / Data Privacy Day.
- Convention 108 is open to non-Council of Europe member states.
- It covers the automatic processing of personal data (Convention 108+ extends this to all processing).
- It establishes principles of fair and lawful processing, purpose limitation, data quality, data security, and individual rights.
- Article 6 addresses special categories of data.
- Article 8 provides individual rights (access, rectification, erasure, and remedy).
- Article 12 addresses transborder data flows.
- Convention 108+ was adopted in 2018 to modernize the original Convention.
- Convention 108+ introduces accountability, data protection by design, breach notification, and independent supervisory authorities.
- Convention 108 is linked to Article 8 ECHR (right to respect for private life).
Exam Tips: Answering Questions on Convention 108 (Council of Europe)
1. Do Not Confuse the Council of Europe with the European Union: This is one of the most common mistakes. The Council of Europe is a separate international organization from the EU. Convention 108 is a Council of Europe instrument, not an EU instrument. The GDPR is an EU instrument. If a question asks about the origins of Convention 108, always reference the Council of Europe.
2. Remember the Date — 1981: The year 1981 is frequently tested. Convention 108 predates both the EU Data Protection Directive (1995) and the GDPR (2016/2018). If a question asks about the chronological development of data protection law, Convention 108 comes before EU legislation.
3. Know the Distinction Between Convention 108 and Convention 108+: If the exam asks about modernization or updates, the answer is Convention 108+ (2018). Be clear about what Convention 108+ added: accountability, data protection by design, breach notification, stronger individual rights including rights related to automated decision-making, and the requirement for independent supervisory authorities.
4. Focus on Principles, Not Detailed Rules: Convention 108 is a principles-based instrument. When answering exam questions, emphasize the high-level principles (fair and lawful processing, purpose limitation, data quality, security, individual rights) rather than the detailed procedural requirements found in the GDPR.
5. Understand the Global Dimension: A distinctive feature of Convention 108 is that it is open to non-European countries. This is a key differentiator from EU-specific instruments. If a question involves international data protection cooperation or the global reach of data protection standards, Convention 108 is likely relevant.
6. Link to Human Rights: Convention 108 is rooted in the ECHR, specifically Article 8. If an exam question asks about the human rights basis for data protection or the connection between privacy and data protection, reference Convention 108 and its link to the ECHR.
7. Transborder Data Flows: Remember Article 12 and its approach: Parties should not restrict data flows to other Parties solely on data protection grounds, provided equivalent protection exists. This is conceptually similar to the GDPR's adequacy framework but operates differently.
8. Use Process of Elimination: If a multiple-choice question presents options that include both Council of Europe and EU instruments, carefully consider whether the question is asking about binding international treaties (Convention 108), EU regulations (GDPR), or EU directives (Data Protection Directive 95/46/EC). The wording of the question usually contains clues.
9. Data Protection Day: If a question asks about 28 January, it relates to the opening for signature of Convention 108. This is a quick recall fact that appears periodically in exams.
10. Adequacy Considerations: Remember that ratification of Convention 108 is a factor considered by the European Commission when evaluating the adequacy of a third country's data protection framework. This connects Convention 108 to GDPR Chapter V on international transfers.
11. Practice Contextual Reasoning: Some exam questions may present a scenario and ask you to identify which legal instrument applies. If the scenario involves a non-EU Council of Europe member state, or asks about the earliest international data protection standards, Convention 108 is your answer.
12. Read Questions Carefully for Keywords: Look for keywords like international treaty, Council of Europe, 1981, first binding, automatic processing, and Convention. These are strong indicators that the question is about Convention 108.
Conclusion
Convention 108 is a cornerstone of international data protection law. Its principles laid the groundwork for the modern data protection framework in Europe and beyond. For the CIPP/E exam, a solid understanding of Convention 108's origins, core principles, its relationship with the ECHR and the GDPR, and the updates introduced by Convention 108+ will equip you to confidently answer questions on this topic. Always remember to distinguish between the Council of Europe and the European Union, focus on the principles-based nature of the Convention, and appreciate its unique global reach.