Convention 108+ and New Regulations Introduced by This Convention
1. Introduction
“Protocol Amending the Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data”, better known as the Convention 108+, introduces new regulations to “Convention No. 108” (Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, hereinafter referred to as “the Convention”), which is the first internationally binding Convention regulating the collection, processing and cross-border transfer of personal data. These new regulations mainly address the privacy problems arising from the increasing use of information and communication technologies, the globalization of personal data processing activities and the increasing personal data flows. Convention 108+ is not a new Convention itself; rather, it is a protocol amending Convention No. 108.
2. Historical Process
Convention No. 108, which is the first internationally binding Convention on the collection, processing, and cross-border transfer of personal data, was opened for signature by states on 28/01/1981 and entered into force on 01/10/1985.
It should be noted right away that Convention 108+ is not the first protocol amending the Convention. Convention No. 108 was first amended on 15/06/1999 by the Committee of Ministers of the Council of Europe. With this amendment, along with the states, the European Community was allowed to become a party to Convention No. 108.
Afterwards, an additional protocol amended Convention No. 108 on 08/11/2001 on two main issues. The first of these issues is the establishment of a national control mechanism responsible for ensuring compliance with laws and regulations on the protection of personal data and cross-border transfers enacted in accordance with the Convention. This additional protocol obliges states to establish one or more competent authorities responsible for ensuring compliance with the second and third sections of Convention No. 108 (Section Two: Basic principles of data protection; Section Three: Cross-border data flow) and compliance with the measures of their own domestic laws which ensure the entry into force of the principles laid down in the said protocol. The second main issue that has been introduced is that data transfer to a country that is not party to the Convention can only be made if adequate protection is provided for the intended data transfer.
Finally, on 10/10/2018, the Convention 108+ was opened for signature. The date on which this convention will enter into force has been determined as the date on which all the states that are party to the Convention no. 108 ratified the protocol, or on 10/10/2023 if 38 states have signed the protocol. It should also be noted that with the Convention 108+, it has been made possible for international organizations and the European Union to become a party to the convention.
3. What’s New with the Convention 108+
Since the Convention 108+ introduces new regulations on many issues, the important introductions will be reviewed under sub-headings.
a) Definitions
First of all, with the Convention 108+, the definitions article of the Convention was amended. The concept of "file" in the previous definition has been removed from the definitions. For example, while the definition of "controller of the file" was used in the previous version of the Convention, only the definition of "controller" was used in the Convention 108+. There was no fundamental change in the meanings of these two concepts, only the concept of "file" was removed from the definitions. In addition, the concepts of "recipient" and "processor" were introduced into the Convention as new concepts in the Convention 108+.
b) Scope
While it was possible for the parties to declare their exemption from the Convention in certain situations under the scope article of the Convention, this is no longer possible with the Convention 108+. The only case exempted from the Convention by the Convention 108+ is data processing that takes place solely during personal or household activities.
c) Legal Basis for Processing Personal Data
With the Convention 108+, the processing of personal data "upon the explicit consent of the data subject or upon another legal basis" is regulated, which is not clearly stated in the Convention. In other words, while the processing of personal data upon the explicit consent of the data subject is not clearly regulated in the Convention, it is regulated in the Convention 108+ that consent of data subject will form the legal basis for data processing if there is no other legal basis.
d) Special Categorized Personal Data
With the Convention 108+, the concept of “Sensitive Data”, which is not used in the Convention, has been introduced to the Convention and the scope of the data whose processing is subject to specific strict conditions has been expanded. The most important change made at this point is the introduction of "biometric and genetic data" into the Convention. Apart from these, the processing of trade union information and ethnic origins of individuals is also included in the scope of this type of personal data.
e) Amendments on Data Security
With the Convention 108+, data controllers are obliged to take all necessary measures, including administrative and technical measures, even if the data processing activity takes place elsewhere, that is to say, even if it is carried out by data processors. According to the Convention 108+, in order to take these measures, data controllers are required to assess the impact of data processing on the rights of the data subject and to minimize the risk of violations in data processing.
One of the most important new regulations introduced by the Convention 108+ is the obligation of data controllers to report a breach when one occurs. Although the Convention obliges the parties to ensure that data controllers take the necessary measures for data security, the issue of notification of data breaches was not regulated therein. With the Convention 108+, the parties are obliged to ensure that data controllers report the breach.
f) Transparency of Data Processing
The issue of ensuring the transparency of data processing activity has gained even more importance with the Convention 108+. With Convention 108+, the right to learn;
•On what legal reason their personal data is processed,
•Which category of data is processed,
•Parties to whom their personal data is transferred,
•Means of exercising these rights
has been introduced. The Convention 108+ also introduces an exception to this right. There is no obligation to provide this information to the data subject where the data subject already has the information above, or, in cases where the personal data is not obtained from the data subject, where the processing of personal data is expressly regulated in the law or where fulfilling this right is impossible or requires excessive effort.
g) Rights of the Data Subject
With the Convention 108+, the rights of data subjects have been expanded in line with the conditions of the day. These rights are;
•Not to be subject to a decision that significantly affects him/her based solely on the automatic processing of his/her data, without taking into account the opinions of the data subjects,
•Learning which personal data about him/her is processed and the retention periods of the processed personal data and other relevant information,
•Objecting to the processing of personal data in cases that violate fundamental rights and freedoms, unless a legitimate justification is given by the data controller,
•In cases where the Convention is violated, to have the legal remedies listed in the Convention and to benefit from the help of the supervisory authority regardless of nationality or residence.
h) Exceptions
It is regulated in the Convention 108+ that certain provisions (transparency of data processing, notification of data breach, some provisions regarding data subject's rights) may be limited in cases prescribed by law and if they constitute a necessary measure in a democratic society on the basis of specific and limited grounds. In addition, if these provisions protect the fundamental rights and freedoms of the data subject or any other person, they may also be limited, especially in the situation of “freedom of speech”.
i) Cross-Border Data Transfer
With regard to cross-border data flow in the Convention 108+, it is aimed to facilitate the free flow of information regardless of borders, while ensuring the appropriate protection of individuals in relation to the processing of personal data. With this regime envisaged in the Convention 108+, it is aimed to ensure that data processed within the jurisdiction of a party to the Convention are always protected within the framework of appropriate data protection principles.
As the parties to the Convention adopt the common data protection provisions specified in the Convention and offer an appropriate level of protection, cross-border data transfer flows between the parties cannot be prohibited or subject to special authorization, except in cases where there is a serious risk that the Convention provisions will be circumvented.
In cases where data is to be transferred to a state that is not a party to the Convention, it is obligatory to guarantee an appropriate level of protection in the receiving state or organization.
j) Supervisory Authorities
The Convention 108+ obliges parties to establish a supervisory authority to enforce the Convention. These authorities are endowed with various rights, and indeed obligations, such as investigation, intervention, enforcement of violations and participation in proceedings. In addition, these authorities need to create social awareness about their duties, the rights of the data subjects and the obligations of data controllers.
The Convention 108+ regulates that these supervisors should cooperate with each other. The exchange of personal data between supervisors can only be made in cases where such data is necessary for cooperation or where the data subject has given free and informed consent on a particular issue.
Finally, it is regulated that the supervisory authorities of the parties will form a network to ensure their cooperation and fulfil their duties specified in the Convention.
k) Convention Committee
While an "advisory committee" was foreseen in the Convention No. 108, it was decided that a Convention Committee would be established with the Convention 108+. Accordingly, the Committee is no longer limited to an "advisory" role but is also equipped with many powers such as evaluation. This Committee will play an important role in the interpretation of the Convention by promoting the exchange of information between the parties and improving data protection standards.
One of the most important duties of the Committee is to provide an opinion on the level of data protection provided by a state or international organization before that state or international organization becomes a party to the convention, and to evaluate the appropriateness of the domestic law of the relevant party and determine the effectiveness of the measures taken. In addition, this Committee may evaluate whether the legal norms governing data transfers provide an appropriate and sufficient level of data protection.
The Convention 108+ imposes an additional obligation on the parties in this regard. In addition to taking the necessary measures in their domestic laws for the implementation of the basic principles of the Convention, they shall allow the Convention Committee to evaluate the adequacy of these measures and contribute actively to this evaluation process.