Back The European Parliament recommends EU Member States to apply Convention 108+ for the processing of personal data by intelligence and security services

The European Parliament recommends EU Member States to apply Convention 108+ for the processing of personal data by intelligence and security services

On 15 June, the European Parliament adopted, in Brussels, a Recommendation regarding Pegasus spyware. This important work followed an in-depth investigation carried out on alleged contraventions and maladministration in the application of Union law in relation to the use of Pegasus and equivalent surveillance spyware. It also echoes the Council of Europe report on Pegasus spyware. The EP calls on the European Commission and the MS to implement those recommendations as, as of now, “Not one victim of spyware abuse has been awarded justice. Not one government has really been held accountable”.

This Recommendation makes several references to Convention 108, and the modernised Convention known as “Convention108+” stressing that the Convention 108 applies to processing of personal data for state (national) security purposes, including defence, and that all EU Member States are parties to Convention 108. In this respect, the European Parliament notably:

  • urges all EU Member States to ratify Convention 108+, without delay, as it lays down standards and obligations for the protection of individuals concerning the processing of personal data, including for national security purposes;
  • points out that Convention 108+ is a binding European framework dealing with the processing of data by intelligence and security services;
  • emphasises that exceptions and restrictions to a limited number of provisions of the convention are only permitted when they are in accordance with the requirements referred to in Article 11 of the convention, meaning that when implementing Convention 108+, each specific exception and restriction must be provided for by law, must respect the essence of the fundamental rights and freedoms, and must justify that it ‘constitutes a necessary and proportionate measure in a democratic society’ for one of the legitimate grounds listed in Article 11 and that such exceptions and restrictions must not interfere with the “independent and effective review and supervision under the domestic legislation of the respective Party”;
  • considers that effective review and supervision implies binding powers where the impact on fundamental rights is the greatest, particularly in the accessing, analysis and storage phases of processing personal data;
  • considers that the lack of binding powers of oversight bodies within the domain of national security is incompatible with the criterion laid down in Convention 108+ as this “constitutes a necessary and proportionate measure in a democratic society”;
  • points out that Convention 108+ allows for a very limited number of exceptions with regard to its Article 15 but it does not allow such exceptions, notably regarding paragraph 2 [awareness-raising duties], paragraph 3 [consultation on legislative and administrative measures], paragraph 4 [requests and complaints by individuals], paragraph 5 [independence and impartiality], paragraph 6 [necessary resources for the effective performance of tasks], paragraph 7 [periodic reporting], paragraph 8 [confidentiality], paragraph 9 [possibility of appeal] and paragraph 10 [no power regarding bodies when acting in their judicial capacity].

And the European Parliament also calls for “the EU to sign up to Convention 108+.”

As a reminder, Convention 108 gathers 55 State Parties and some 40 observers from all over the world. Convention 108 remains the only international and multilateral legally binding instrument on the protection of privacy and personal data. It is a principles-based approach, transposable and easy to adapt scheme, open to the ratification of countries all over the world, creating the conditions necessary for a digital society based on trust and respect for human dignity and the human rights for all. The modernised Convention, Convention 108+, sets the commonly acceptable level of protection that an individual would seek to have in an ever-expanding digital era, in order to safeguard an intimate private sphere and to fully enjoy the right to informational self-determination. Convention 108+ can be seen as a unique opportunity to re-instating the human being in the position of subject, and not a mere object of algorithmic deduction, control or surveillance while giving the necessary reassurance for data controllers in the public and private sectors to process personal data on a daily basis.

Convention 108+ has currently 26 ratifications, and needs 12 more to enter into force, which is expected sometime in 2024.

Brussels 23 June 2023
  • Diminuer la taille du texte
  • Augmenter la taille du texte
  • Imprimer la page