Privacy & Information Security Law Blog

On October 10-12, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108 and Additional Protocol. Convention 108 (together with the Protocol), which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection. Amendment of the Convention is also closely linked to the current review of the EU data protection framework.

On June 28-30, 2011, the Council of Europe’s Bureau of the Consultative Committee of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (known as the “T-PD-Bureau”) met in Strasbourg, France, to discuss, among other things, amending the Council of Europe’s Convention 108.  Convention 108, which underlies the European Union’s legal framework for data protection, is the only legally-binding international convention that addresses data protection.  Amendment of the Convention is thus closely linked to the current review of the EU data protection framework, and many of the same actors are involved in both exercises.

As reported yesterday, on June 16 and 17, 2011, the Hungarian Presidency of the Council of the European Union hosted a high-level international data protection conference in Budapest.  The following are some highlights from the second day’s events:

• During the “New principles in the field” panel, Professor Paul De Hert of the Vrije Universiteit Brussel gave an explanation of the case I v. Finland, which was decided by the European Court of Human Rights on July 17, 2008, and which both he and European Data Protection Supervisor Peter Hustinx agreed was a key document for the concept of accountability in European data protection law.  Endre Szabó of the Hungarian Ministry of Public Administration and Justice noted that the principle of accountability had not yet been fully accepted by all members of the European Council.

On June 16, 2011, the Hungarian Presidency of the Council of the European Union hosted the first day of a high-level international data protection conference in Budapest.  The conference was attended by approximately 150 people, most of whom are representatives of EU governments, data protection authorities (“DPAs”), the European Commission, and other governmental groups such as the Council of Europe.

The Committee of Experts on New Media (the “Expert Committee”) of the Council of Europe (“CoE”) has issued draft recommendations and guidelines regarding the protection of human rights by search engines and social networking providers. The draft recommendations and guidelines observe that the way in which search engines and social networking providers operate impacts various human rights, especially the rights to freedom of expression and information and the right to privacy and data protection. Current drafts of both sets of recommendations and guidelines are open for public consultation and comments until March 18, 2011.

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (generally referred to as “Convention 108”), enacted in 1981, is the only legally-binding international treaty dealing with privacy and data protection.  The Convention is also of fundamental importance in providing the underlying legal framework for instruments such as the EU Data Protection Directive 95/46.  So far, 42 countries have become parties to Convention 108.

As the European Commission reviews the EU Directive, the Council of Europe also is preparing to review Convention 108.  The review will be conducted by the Council of Europe’s Consultative Committee on data protection (referred to as T-PD) in a process that will likely take several years.  The T-PD, which meets at the Council of Europe’s headquarters in Strasbourg, is primarily composed of representatives of national governments and data protection authorities, with the International Chamber of Commerce being the only private-sector entity with formal observer status.  The group has commissioned a legal study from an outside consultant to analyze Convention 108 and provide any recommended revisions by the end of 2010, and the T-PD will begin discussions at its upcoming meeting in November.