By Diego Naranjo

Almost one year after the General Data Protection Regulation (GDPR) entered into force in the European Union (EU), the question often arises about what could other countries around the world do to protect their citizens’ personal data. Although there are countries that have data protection laws in place, many still do not, or have laws that are only partially adequate.

The need for a global data protection

Given the existing (and increasing) data flows, having different degrees of data protection in different regions is a threat to those countries and regions that are advanced in their legislations (such as EU, Uruguay, Argentina, and Japan). Harmonisation is also key to ensuring that enforcement is equally strong everywhere, and companies have no possibility to engage in “forum shopping”.

Currently, the global standard for data protection could be the updated Convention 108 (“Convention 108+”). This Convention, even though it was developed by the Council of Europe, can be signed and ratified by any country around the world. The modernised Convention 108 brings a number of improvements to the previous text:

  • Any individual is covered by its protection, independently of their nationality, as long as they are within the jurisdiction of one of the parties who have ratified the Convention.
  • Definitions are updated, and the scope of application includes both automated and non-automated processing of personal data.
  • The catalogue of sensitive data has been extended to include genetic and biometric data as well as trade-union membership or ethnic origin.
  • There are now requirements to notify without undue delay any security breaches.
  • Data subjects are granted new rights, namely the right not to be subject to a decision which affects the data subject which is based solely on an automated processing.

How to get there

While working to improve data protection at national or regional levels, an additional effort should be made to be sure that signing and ratifying Convention 108+ is part of any agenda. On 9 April 2019, the European Council adopted a decision that authorises EU Member States to ratify Convention 108+. This should be done without undue delay. At the same time, the possibilities the Convention 108+ offers for a global data protection campaign will be discussed with activists from around the world during the RightsCon 2019 conference.

Modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data – Consolidated text
http://search.coe.int/cm/Pages/result_details.aspx?ObjectId=09000016807c65bf

The modernised Convention 108: novelties in a nutshell
http://rm.coe.int/modernised-conv-overview-of-the-novelties/16808accf8

Explanatory Report to the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
https://rm.coe.int/cets-223-explanatory-report-to-the-protocol-amending-the-convention-fo/16808ac91a

(Contribution by Diego Naranjo, EDRi)