On the 27th of March France ratified the Modernised Convention for the Protection of Individuals with regard to the Automated Processing of Personal Data, also known as Convention 108+, making it the 22nd country to do so, of the total 38 required for this to enter into force.
Initially enforced in January 1981, Convention 108 was the first ever legally binding international legislation for the states that ratified it, that aimed to protect the personal data of individuals in the context of collection and processing as well as ensure proper cross-border data transfers.
With the changes brought to it, Convention 108 becomes Convention 108+, a more expanded version that both reaffirms and strengthens the principles of its predecessor and which adds new safeguards that take into account new challenges that have arisen in light of both changes made to what constitutes personal data and technological developments, such as AI.
Some key changes, included also in the European Council’s Overview of the Novelties, include:
- Cross-border data flows are facilitated, as it creates a bridge between different regulatory frameworks.
- Sensitive data now includes genetic and biometric data.
- Individuals have new rights as concerns algorithm-based decisions, namely they “entitled to obtain knowledge of the reasoning underlying the data processing, the results of which are applied to her/him” and “not to be subject to a decision which affects the data subject which is based solely on an automated processing, without the data subject having her/his views taken into consideration.”
- Supervisory authorities have their powers extended to include “a duty to raise awareness, provide information and educate all players involved” and to take decisions and impose sanctions. In addition to this, Article 17 establishes the need for these “to co-ordinate their investigations, to conduct joint actions and to provide to each other information and documentation on their law and administrative practices relating to data protection.”
- Data breach notifications are introduced as a requirement, unless exceptions outlined in Article 7 apply.
- The Convention Committee’s role in interpreting the Convention is reaffirmed and strengthened as it no longer holds a mere consultative role, but rather it will now be able to assess and monitor the effectiveness of data protection provided by either a state or an international organization before it would accede to the Convention. In addition to this, it would also be able to assess whether data transfers are governed by norms that guarantee an appropriate level of protection of the data.
It is expected that Convention 108+ will come into force sometime this year in October, if a total of 38 countries ratify it.