In studying for my CIPP/E Certification, I had to learn about a myriad of treaties and directives that existed in Europe prior to the GDPR. One of those was Convention 108, the first legally binding international instrument in the area of data protection. Convention 108 was first opened for signature on January 28, 1981, and was adopted because of the Council of Europe’s view that if data processors were going to hold information in computerized form, and allow automated decisions about people to be made based on that computerized information, that the data processors had an obligation to safeguard that information. It was meant to “extent the safeguards for everyone’s rights and fundamental freedoms . . taking into account the increase transfer across frontiers of personal data undergoing automatic processing.” The Convention was also opened to countries outside Europe. The United States never signed it.
In 2018, perhaps for want of something to do after GDPR was finalized, or perhaps because GDPR provided such robust additions to the language and the obligations around data processing, the Council of Europe decided to update Convention 108, now calling it Convention 108+. Again, it is open to signature by countries outside the EU, and acceding to the Convention can be a strong step towards being deemed an “adequate” country for data transfer by the European Data Protection Board. The language mostly tracks with the GDPR. But let’s take a look at the differences in Article 5, which in the 1981 Convention is titled “Quality of Data” and in the 2018 Convention is titled “Legitimacy of Data Processing and Quality of Data.
|1981 Convention 108||2018 Convention 108+|
|Article 5 – Quality of data
Personal data undergoing automatic processing shall be:
a ) obtained and processed fairly and lawfully;
b) stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are stored;
d) accurate and, where necessary, kept up to date;
e) preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
|Article 5 – Legitimacy of data processing and quality of data
1. Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake. (emphasis mine)
2. Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.
3. Personal data undergoing processing shall be processed lawfully.
4. Personal data undergoing processing shall be:
a. processed fairly and in a transparent manner;
b. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of data subjects for no longer than is necessary for the purposes for which those data are processed.
Paragraphs 1-4 are new. Paragraph 5 in 2018 is essentially a re-print of the entirety of what Article 5 was in 1981
But the second half of paragraph 1 in 2018 is not just new, but out of place, and on an entirely different trajectory from the first half of the paragraph. I do not suggest that the “interests of all parties” does not have a place in the decisions made about data processing. But I am suggesting that the body of law that exists in the EU, including and especially the GDPR, never until Convention 108+ in 2018 and after the the phrase “reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.” Privacy professionals have been trained since the earliest conversations about GPDR in 2016 to tell their clients and departments that data should processed in a manner “proportionate to the legitimate interest pursued,” not to try to strike a “fair balance” between the processor and the data subject. This language does two things. It adds new vocabulary into the data protection discussion that we need like a hole in the head right now. Also, it suggests an expansion of rights of the data processor that is not borne out in the remaining language of the Convention. And this Convention is not just an esoteric document. Countries that accede to this put this language in their own data protection laws, in part so that data can be transferred smoothly between the EU and the US. Uruguay has signed on so far, but on the last convention at least half a dozen South American countries were signatories to the Convention. So will we now be facing more regulations that require a balancing test that is antithetical to how we are counseling clients with respect to other territories?
Why? Where did that phrase come from?
I don’t know that I would have found the problem if the Future of Privacy Forum1 hadn’t distributed posters of their most recent infographic at the recent IAPP Global Privacy Summit, entitled “Personal Data and the Organization: Stewardship and Strategy,” with that one particular paragraph of Article 5 on it under the heading “Responsible Use of Data,” without any other context.
For people bringing this poster back to their companies and their CEOs to talk about data processing, what’s going to be done with this “fair balancing” idea? Businesses by their nature take the path of least resistance (see, e.g., all the discussions around the “legitimate interest” data processing ground and how far that can be taken). And if they aren’t aware that this is incongruous language that isn’t supported by anything else in the source document, basing a company policy on the fair balancing of the processor’s interests with the subject’s interests probably sounds perfectly reasonable.
If anyone can tell me how this new expansive language ended up in Convention 108+, I’m all ears. I put the question to the FPF panel at the Summit, but I didn’t get an answer. I was told that it came from Convention 108. I think we should be very thoughtful about what we import from EC Conventions into infographic posters meant to guide the data protection policies of companies everywhere.
Data protection law is confusing and complex enough. Don’t add “fair balancing” tests to a regime that has never been about that, without any explanation. It’s not fair.