Modernisation of CoE Convention 108: EDRi's comments

By EDRi · June 6, 2012

Last week, EDRi submitted its comments on the proposal for the
Modernisation of Council of Europe (CoE) Convention 108 for the
Protection of Individuals with Regard to Automatic Processing of
Personal Data.

EDRi reiterated its support for the overall objectives of the
Modernisation process, and expressed its satisfaction that most of its
earlier comments have been taken into account in subsequent versions
of the proposal. While EDRi generally welcomed this latest draft, some
provisions still need revision.

For example, EDRi considers that the paragraph which allows any Party to
the Convention to apply it to legal persons should be deleted. The
reasoning is, first, that this is beyond the scope of the Convention,
which deals with the protection of “individuals”. Secondly, this
provision contradicts the very notion of “personal” data protection.
Furthermore, the paragraph raises major concerns with respect to
freedom of information and the right of access to documents (where the
legal person concerned is a public entity) and with respect to the
principles of transparency and accountability that are necessary in a
democratic society (where the legal person concerned is a private entity).

Also, EDRi welcomes the inclusion of data breach notification
provisions, but sees them as currently too weak to actually avoid possible
breaches of the fundamental rights and freedoms of the data subject or
his/her interests. In order to overcome this problem without imposing too
cumbersome and unnecessary obligations on the controller (especially
when the controller is an SME), EDRi suggests considering a two-level
system of data breach notification obligations, so that (i) the
Supervisory Authority is notified in any case of data breach and
(ii) the data subject is also notified when the data breach presents
serious risks for him/her or when the Supervisory Authority so decides.

EDRi Comments on Modernisation of Convention 108
https://edri.org/files/EDRI-CommentsOnConvention108-30052012.pdf

Council of Europe – Modernisation of Convention No. 108
http://www.coe.int/t/dghl/standardsetting/dataprotection/modernisation_fr.asp

(Thanks to Meryem Marzouki – EDRi-member IRIS, France)