To mark Data Protection Day (28 January), the Council of Europe (CoE), CPDP Conferences and the European Data Protection Supervisor (EDPS) are co-organising a one-day event focused on exploring the current and future landscape of data protection.
Data Protection Day this year arrives at a pivotal moment, as new EU political mandates begin to shape the policy landscape, with the recent election of the European Parliament and subsequent appointment of a new European Commission. These changes also coincide with the new mandate of Council of Europe’s Secretary General. At the same time, current technological developments in areas such as Artificial Intelligence and neuroscience bring new challenges to the right to the protection of personal data and other fundamental rights. The 2025 edition of CPDP Data Protection Day invites everyone to reflect on and discuss the evolving mandate of data protection, particularly its essential role as safeguard of our democratic society against excessive intrusions in individuals’ privacy by public or private actors and their impact on human rights, the rule of law and democracy.
The conference will be opened – alongside with the representatives of the two other co-organisers – by Matthias Kloth, head of Digital Governance and Sport Division which will be succeeded by a key-note speech delivered by Ms Beatriz de Anchorena (Argentina), as newly elected chair of the Committee of Convention 108. The programme also features a panel by the Council of Europe which will take place at 1200-1300 on data protection and neuroscience. The panel will explore the concepts of mental data, cognitive data, neural data and mental privacy and how to mitigate privacy challenges by the existing legal frameworks and regulatory initiatives or by Europe’s top court, the European Court of Human Rights. The event will be broadcasted here: CPDP - Data Protection Day - 28.01.2025
It is also in this spirit that the chair of the Committee of Convention 108 as well as the independent Data Protection Commissioner of the Council of Europe has issued respectively a statement and the compilation of activities carried out this day in the Parties to Convention 108 has been published.
Speech from Beatriz de Anchorena, chair of the Committee of Convention 108
I will introduce myself: I am Beatriz de Anchorena, Head of the DPA in Argentina, and I recently assumed as Chair of the Committee of Convention 108, so new winds from the south are coming to Convention 108.
I am not a lawyer, I am a political scientist with a master in public policy, so my views will come from that angle, and as I say this, I want to take the opportunity to stress the importance of having multidisciplinary debates and dialogues around data protection.
So to start, before we dive in the future plans of Convention 108, I would like to share with you my perspective as an Argentinian Chair of this international Committee that, for so long, was perceived as European, but it hostes 55 countries that adhere to this Convention, 8 countries that are observers and 21 institutions that are also observers to the convention.
My first step into this committee was in November 2022 (I took office in March of that year in Argentina) and from the beginning I had the full commitment to add value to this global instrument.
In that path, I pushed the approval of Convention 108+ through Congress in Argentina and in June 2023, I personally deposited the instrument of ratification to the authorities of the Council of Europe.
So in that year, Argentina became the 23rd state to ratify Convention 108 +. Now we have 31 ratifications, 31 states and we need 7 more in order to come into force (various are from European Union.)
To briefly recap our history in data protection, Argentina was the first Latin American country to have a Data Protection Law in the year 2000.
Now, we are involved in an incremental modernization of regulations regarding data protection. This process, involves in one hand, a project for a new Personal Data Protection Law with the aim of harmonizing with international standards (extraterritoriality and new legal bases for example). This project was sent to Congress in 2023 after an open, transparent, and participatory process with 11 roundtable discussions and a public consultation with strategic sectors of society.
On the other hand, through ratification of Convention 108+, our country has made considerable changes in its domestic legislation and will continue to do so, for example, enlarge the definition of sensitive data, introduce new data subject rights, introduce accountability requirements and obligations for controllers (notably in case of a data breach). It also has strengthened the DPA’s autonomy.
Also Argentina was the first Latin American country to have an adequacy decision in 2003. And now, since the renewed adequacy decision from the European Commission in January 2024, we are still a safe country for the personal data transfers from the European Union.
In addition we have contractual clauses for data flows since 2016 and in 2023 we adopted the modern Iberoamerican Network contractual clauses. Soon we will adopt the clauses from Convention 108, having a set of instruments to implement data flow with trust.
There is no doubt, therefore, that Convention 108, although it has the ´Brussels effect´ on its trajectory (we cannot deny this), it is also a guiding framework for countries with different realities.
We have this heterogeneity represented in our Bureau of the TPD: we have Germany, Italy, Croatia, Senegal, Uruguay and Argentina.
And if we want to get global, we must continue working to embed more visions that want to add value to this common ground.
This doesn’t mean that all countries will have the same reality or the same vision: of course, there are different regulation paradigms: varieties of data protection regulation.
Sure, you have heard of varieties of capitalism or varieties of democracies, well now we have varieties of data protection regimes.
I also have the strong conviction that currently, the protection of privacy and personal data is growing in the international agenda and more than ever, if we think about convergence or interoperability, Convention 108 + is very necessary to have a global answer to the challenges that come.
In this context, we must address old and new challenges. If we think about long-standing challenges, we must point out that technological progress and access to new technologies is not homogeneous in all parts of the world. As we know, there are diverse geographical, cultural, and regulatory contexts that result in varying approaches to technology adoption.
In other words, there are digital and educational gaps and consequently unequal access to rights that demand us to focus on vulnerable populations.
If we think about new challenges, these are enormous, but in my point of view, the challenge is the data protection governance in times of strong geopolitical changes.
Some of the questions are: how can we close the gap between developed countries and developing countries? Is data protection a milestone to measure development? If so, it is important that developed countries do not throw out the ladder (as Chang points out). Developing countries must be able to climb the same ladder, to have the same opportunities. How can we achieve a common ground for people to be safe (no matter their nationality) in the digital era?
The answer is in a global instrument, and we have it in our hands: Convention 108+. We do not pretend full homogeneity, but a common floor and the respect for the diverse sovereign countries decisions. As we move towards the challenges of the future, this common ground and convergence floor today, is Convention 108 +.
This is possible because of a long history that began 44 years ago with Convention 108: the first binding treaty to set out the basic principles for ensuring privacy and data protection based on respect for the rule of law, human rights and fundamental freedoms.
As in Argentina, Convention 108+ has been essential in updating the domestic legislation, the same will happen in other places. It is a trigger to modernize many local legislations around the world, being a reference and an inspiration for countries with different levels of privacy regulations.
For that purpose, my role is to chair this truly international open and inclusive group of experts and state representatives in a multilateral setting, to contribute to an appropriate protection of human dignity in the digital age and facilitate free flow of data between like-minded countries.
There is a quite robust work done in the past years, which remains equally ambitious for the rest of the work programme.
Just to mention one remarkable achievement, to which many of you, who I see in the room, have actively contributed, is the adoption of 3 modules of Model Contractual Clauses for the transfer of personal data from Parties to Convention 108 to non-parties. In this way, Standard Contractual Clauses are an increasingly valuable instrument that lead towards the convergence of tools.
Our committee is also taking a leading role on some highly relevant knowledge issues through expert reports on Privacy Enhancing Technologies (PETs). Also has recently launched a new workstream on Large Language Models (LLMs) that are becoming increasingly relevant tools to promote the responsible deployment of AI and safeguard individual rights.
Moreover, the committee has already started developing guidelines on data protection in neuroscience, these are all reasons to be proud of the work done till today.
But International Data Protection Day is also a great opportunity to have a look at our next steps. To follow our common goals we need to plan strategically and prospectively.
And one of our common goals must be continue building a strong, binding, enforceable and global Convention 108+ to end up with the double standard of the big technological companies.
In this sense, strengthening data protection and privacy requires broadening multilateral dialogue and public-private articulation with multiple stakeholders: companies, civil society, academic, international networks and the public sector, so that the discussion results in a beneficial change to achieve institutional agreements.
Furthermore, this means updating our social contract were democracy and data protection goes hand in hand.
Also, in a time of increasing integration of artificial intelligence systems in different social fields, we must continue building new knowledge to address the ethical, regulatory, social and technical challenges of the future and strength capacity building, to face the new challenges of future, such as neurotechnologies.
There is also significant work being done in this field by the Committee to study the impact of neurotechnology on privacy and the protection of personal data under the framework of Convention 108, its potential privacy breaches, and how to mitigate them.
So the following panel (“what is in your mind? Neuroscience and data protection”) is a sample of this work, to broaden knowledge and reflect about the risks and opportunities that emerging technologies can offer to society.
To close up, I will tell you what is on my mind today: to bring Convention 108 + into force. And for that we need the ratification of more European countries. Of course, GDPR has undoubtedly set a model and a benchmark for data protection, but if we want to go global, the instrument is Convention 108 +.
I am convinced that there are more countries willing to make the necessary commitments and efforts to bring their domestic legal frameworks in line with this global and multilateral standard.
I invite you all to join us, engage and follow our work: today, it is more important than ever to redouble our efforts and continue strengthening our impact to make better lives for our people.
I want to thank my predecessors in the chair of Convention 108, Alessandra Pierucci and Elsa Mein (we are all women!) they did a fantastic job! And Peter Kimpian our Committee Secretary that does the hard work!
Thank you very much for your attention and have a nice Data Protection Day!
