Protection of personal data and privacy

The Internet has made the access and exchange of information – including personal data – easier and faster than ever. Individuals are providing their personal data online, knowingly and sometimes unknowingly for many different purposes, such as purchasing goods and services, playing, e-learning or paying taxes.

Social interactions are also increasingly taking place over the net – notably in social media platforms, creating new opportunities, but also risks to privacy. The frontier-less nature of the internet, which enables the free flow of data across countries, also brings new challenges.

Personal Data Protection Convention

In 1981 the Council of Europe adopted the first international treaty to address the right of individuals to the protection of their personal data: Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as “Convention 108”.

The treaty was drafted in a technologically neutral style, which enables its provisions to be fully valid today, regardless of technological developments. In 2018, the treaty was updated by an amending protocol, not yet in force, aimed at ensuring that its data protection principles are still adapted to new tools and new practices.

To this day, “Convention 108” still remains the only legally binding international instrument with a worldwide scope of application, open to any country, and with the potential to become a global standard.

The treaty establishes a number of principles for states to transpose into their domestic legislation to ensure that data is collected and processed fairly and through procedures established by law, for a specific purpose, that it is stored for no longer than is required for this purpose, and that individuals have a right to have access to, rectify or erase their data.

An additional protocol requires each party to establish an independent authority to ensure compliance with data protection principles, and lays down rules on trans-border data flows.

So far, 55 countries have ratified “Convention 108” and many others have used it as a model for new data protection legislation.

In addition, the Council of Europe has adopted a number of recommendations aimed at applying the general principles set out in the convention to the specific requirements of various areas of society:

• protection of health-related data (2019)
• Guidelines to respect, protect and fulfill the rights of the child in the digital environment (2018)
• the roles and responsibilities of internet intermediaries (2018)
• the processing of personal health-related data for insurance purposes, including data resulting from genetic tests (2016)
• protecting and promoting the right to freedom of expression and the right to private life with regard to network neutrality (2016)
• the processing of personal data in the context of employment (2015);
• a Guide to human rights for Internet users (2014);
• protection of human rights with regard to social networking services (2013);
• protection of human rights with regard to search engines (2013);
• profiling (2010);
• on the protection of personal data collected and processed for insurance purposes (2002)
• privacy on the Internet (1999);
• personal data collected and processed for statistical purposes (1997);
• medical and genetic data (1997);
• personal data in the area of telecommunication services, telephone in particular (1995)
• communication to third parties of personal data held by public bodies (1991);
• payments and other related operations (1990);
• data used for employment purposes (1989)
• police files (1987);
• social security (1986);
• direct marketing (1985);
• scientific research and analysis (1983);
• automated medical data banks (1981).

In 2013 the Committee of Ministers adopted a Declaration on Risks to Fundamental Rights stemming from Digital Tracking and other Surveillance Technologies.