The Pan-European General Principles on Data Protection in the Public Sector
(compiled by Ulrich Stelkens)
III. Precursors of 'Convention 108'
V. The CoE handbook "The administration and you"
VI. Venice Commission, Rule of Law Checklist (CDL-AD(2016)007) of 18 March 2016
On "European data protection law" in general: European Union Agency of Fundamental Rights and Council of Europe (ed.), Handbook on European data protection law (2018 edition)
I. Delineation of the Scope of the Pan-European General Principles on Data Protection in the Public Sector
The pan-European general principles on data protection in the public sector deal with the protection of the indivduals with regard to the processing of their personal data by public authorities.
Following Article 2 (b) of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) as amended by the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223) "data processing" means
"any operation or set of operations performed on personal data, such as the collection, storage, preservation, alteration, retrieval, disclosure, making available, erasure, or destruction of, or the carrying out of logical and/or arithmetical operations on such data."
However, protection of personal data with regard to the disclosure of personal datas to the public, other individuals or private bodies by public authorities, either on request or as the result of an active dissemination policy is an issue to be dealt with in the context with the pan-European general principles of freedom of information and transparency (for these principles click here).
Furthermore,
- the right of the 'data subject' to access to 'one's own data' held by public authorities in data protection law (as provided for in Article 8 lit. b of 'Convention 108') and Article 9 (1) lit. b of 'Convention 108' as it will be amended by Protocol CETS No. 223) is concieved as as an instrument of the 'data subject' to check compliance with the obligations arising from data protection law (click here and click here for these additional safeguards of the 'data subject'). However, this right may also be used by the 'data subject' to gain access to information held about him - and to make use of it in a completely different context. Thus, this right can strengthen the rights to access one's own data or facilitate their practical enforcement. Therefore it could also be considered as an element of transparency (on the pan-European general principles of freedom of information and transparency click here)
- the right to access to information and data of parties of administrative (court) procedures is a specific issue related to individual rights in administrative procedures (cf. Principle II of Resolution (77)31 on the protection of the individual in relation to the acts of administrative authorities (on the pan-European general principles in this regard click here) and the right to be heard in administrative court procedures (cf. Principle No. 4 of Recommendation Rec(2004)20 of the Committee of Ministers to member states on judicial review of administrative acts (on the pan-European general principles in this regard click here).
-
the "right not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration" and its limits (cf. Article 9 (1) (a) and (2) of 'Convention 108' as amended by the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223) is an issue to be dealt with in connection with the pan-European general principles on automated administrative decision-making (click here).
Case Law of the ECtHR on data protection started "only" in 1987 when the ECtHR (in ECtHR, jugdement Leander v. Sweden (9248/81) 26 March 1987) analysed, for the first time, the question of the storage by a public authority of an individual’s personal data:
"48. It is uncontested that the secret police-register contained information relating to Mr. Leander’s private life.
Both the storing and the release of such information, which were coupled with a refusal to allow Mr. Leander an opportunity to refute it, amounted to an interference with his right to respect for private life as guaranteed by Article 8 § 1 (art. 8-1)."
Thus, the fact that Article 8 ECHR protects against the storing and release of personal data by public authorities was neither doubted nor argued by the ECtHR. The European Commission of Human Rights in its report adopted of 17 May 1985 on this case at para. 54 referred to its decision X v. Austria of 4 May 1979 (8170/78) at para. 25. However, in both decisions, also the Commission does not justify this assumption. Therefore the foundation of the pan-European general principles on data protection in the public sector where not laid down by the ECtHR but by other works of the CoE, namely the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and its precursors. The principles laid down in this 'Convention 108' are therefore 'absorbed' to a large degree by the case law of the ECtHR.
ECtHR, Drelon v. France (3153/16) 8 September 2022:
"82. La Cour a résumé les principes applicables à l’examen de la nécessité de la collecte et de la conservation de données à caractère personnel dans l’affaire S. et Marper (arrêt précité, §§ 101-104). Une telle mesure doit être proportionnée au but légitime poursuivi et reposer sur des motifs « pertinents et suffisants ». La législation interne doit, par ailleurs, ménager des « garanties appropriées » pour empêcher toute utilisation de données à̀ caractère personnel qui ne serait pas conforme aux garanties prévues à l’article 8 (ibidem, § 103). À cet égard, la Cour prend en considération les stipulations de la Convention pour la protection des personnes à l’égard du traitement automatisé des données à caractère personnel (« Convention de 1981 ») (Z c. Finlande, 25 février 1997, § 95, Recueil des arrêts et décisions 1997‑I, et S. et Marper, précité, §§ 103 et 107). Pour contrôler si une mesure portant atteinte à la protection des données à caractère personnel est « nécessaire dans une société démocratique », la Cour examine si elle respecte l’une ou l’autre des exigences énumérées par l’article 5 de cette Convention, à savoir, notamment, les exigences de minimisation des données stockées, d’exactitude des données, de limitation de leur utilisation et de limitation de leur durée de conservation. En particulier, le droit interne doit assurer que les données traitées sont pertinentes et non excessives par rapport aux finalités pour lesquelles elles sont enregistrées, et qu’elles sont conservées sous une forme permettant l’identification des personnes concernées pendant une durée n’excédant pas celle nécessaire aux finalités pour lesquelles elles sont enregistrées (ibidem, § 103). Ces considérations valent tout spécialement lorsqu’est en jeu la protection de catégories particulières de données plus sensibles visées à l’article 6 de la Convention de 1981 (ibidem).
[...].
95. Eu égard à la sensibilité des données personnelles litigieuses, qui comportent des indications sur les pratiques et l’orientation sexuelles du requérant (paragraphe 86 ci-dessus), la Cour considère qu’il est particulièrement important qu’elles répondent aux exigences de qualité prévues à l’article 5 de la Convention de 1981. Il importe en particulier qu’elles soient exactes et, le cas échéant, mises à jour, qu’elles soient adéquates, pertinentes et non excessives par rapport aux finalités du traitement, et que leur durée de conservation n’excède pas celle qui est nécessaire. Par ailleurs, la Cour constate que les données litigieuses, qui touchaient à l’intimité du requérant, ont été collectées et conservées sans le consentement explicite du requérant – ce que le Gouvernement défendeur ne conteste pas."
ECtHR (GC), L.B. v. Hungary (36345/16) 9 March 2023:
"103. The Court notes that the right to protection of personal data is guaranteed by the right to respect for private life under Article 8. As it has previously held, the protection of personal data is of fundamental importance to a person’s enjoyment of his or her right to respect for private and family life as guaranteed by Article 8 of the Convention. Article 8 thus provides for the right to a form of informational self-determination, allowing individuals to rely on their right to privacy as regards data which, albeit neutral, are collected, processed and disseminated collectively and in such a form or manner that their Article 8 rights may be engaged (see Satakunnan Markkinapörssi Oy and Satamedia Oy v. Finland [GC], no. 931/13, § 137, 27 June 2017). In determining whether the personal information retained by the authorities involves any private-life aspects, the Court will have due regard to the specific context in which the information at issue has been recorded and retained, the nature of the records, the way in which these records are used and processed and the results that may be obtained (see S. and Marper, cited above, § 67).
[...].
(ii) Data protection principles
123. With regard to the limitations on the States’ margin of appreciation resulting from the above requirement to afford appropriate safeguards, it is equally noteworthy that, when assessing the processing of personal data under Article 8 of the Convention, the Court has frequently had regard to the principles contained in data protection law [...]. These have included:
(α) The principle of purpose limitation (Article 5 (b) of the Data Protection Convention), according to which any processing of personal data must be done for a specific, well-defined purpose and only for additional purposes that are compatible with the original purpose (see, as examples, M.S. v. Sweden, cited above, § 42; Z v. Finland, cited above, § 110; and Biriuk v. Lithuania, no. 23373/03, § 43, 25 November 2008). Thus, in some instances the Court has found that broad entitlement allowing the disclosure and use of personal data for purposes unrelated to the original purpose of their collection constituted a disproportionate interference with the applicant’s right to respect for private life (see Karabeyoğlu v. Turkey, no. 30083/10, § 118, 7 June 2016, and Surikov v. Ukraine, no. 42788/06, § 89, 26 January 2017).
(β) The principle of data minimisation (Article 5 (c) of the Data Protection Convention), according to which personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (see S. and Marper, cited above, § 103), and the excessive and superfluous disclosure of sensitive private details not related to the purported aim of informing the public is not justified (see Khadija Ismayilova v. Azerbaijan, nos. 65286/13 and 57270/14, § 147-49, 10 January 2019).
(γ) The principle of data accuracy (Article 5 (d) of the Data Protection Convention). The Court has emphasised that the inaccurate or false nature of the information contained in public registers can be injurious or potentially damaging to the data subject’s reputation (see Cemalettin Canlı v. Turkey, no. 22427/04, § 35, 18 November 2008; Khelili v. Switzerland, no. 16188/07, § 64, 18 October 2011; and Rotaru v. Romania [GC], no. 28341/95, § 44, ECHR 2000‑V), requiring statutory procedural safeguards for the correction and revision of the information (see Cemalettin Canlı, cited above, §§ 41-42; see also Anchev v. Bulgaria (dec.), nos. 38334/08 and 68242/16, 5 December 2017).
(δ) The principle of storage limitation (Article 5 (e) of the Data Protection Convention), according to which personal data are to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed. The Court has held that the initially lawful processing of accurate data may over time become incompatible with the requirements of Article 8 where those data are no longer necessary in the light of the purposes for which they were collected or published (see, to this effect, M.L. and W.W. v. Germany, nos. 60798/10 and 65599/10, §§ 99 and 106, 28 June 2018, and Sõro v. Estonia, no. 22588/08, § 62, 3 September 2015)."
III. Precursors of 'Convention 108'
1. PACE Recommendation 509(1968) on Human Rights and modern scientific and technological developments
"The Assembly [...]
3. Believing that newly developed techniques such as phone-tapping, eavesdropping, surreptitious observation, the illegitimate use of official statistical and similar surveys to obtain private information, and subliminal advertising and propaganda are a threat to the rights and freedoms of individuals and, in particular, to the right to privacy which is protected by Article 8 of the European Convention on Human Rights;
4. considering that the law in the majority of the member States does not provide adequate protection against such threats to the right of privacy, and that there is in consequence danger of violation of Article 8 of the Convention on Human Rights;
5. Noting that some member States of the Council of Europe are planning to revise their legislation on this subject and that it would be desirable for any such reform to tend towards a greater harmonisation of the law;
6. Considering that it would be useful to make a detailed study of the legal problems arising in connection with the right to privacy and its violation by modern technical devices, with special reference to the European Convention on Human Rights; [....]
8. Recommends that the Committee of Ministers instruct the Committee of Experts on Human Rights:
8.1. to study and report on the question whether, having regard to Article 8 of the Convention on Human Rights, the national legislation in the member States adequately protects the right to privacy against violations which may be committed by the use of modern scientific and technical methods;
8.2. if the answer to this question is in the negative, to make recommendations for the better protection of the right of privacy."
The report recommended in 8.1. of the PACE Recommendation 509(1968) was published in 1973, cf. Report of the Committee of Experts on Human Rights to the Committee of Ministers on the Right to Privacy (DH (73) 17) of 8 May 1973.
2. Resolution (74)29 on the protection of the privacy of individuals vis-à-vis electronic data banks in the public sector
"The Committee of Ministers, [...]
Desiring to contribute to public understanding and confidence with regard to new administrative techniques which public authorities in the member states are using in order to ensure the optimal performance of the tasks entrusted to them;
Recognising that the use of electronic data banks by public authorities has given rise to increasing concern about the protection of the privacy of individuals;
Considering that the adoption of common principles in this field can contribute towards a solution of these problems in the memver states and can help to prevent
the creation of unjustified divergencies between the laws of the member states on this subject ;
Recalling its Resolution (73) 22 on the protection of privacy of individuals vis-à-vis electronic data banks in the private sector;
Bearing in mind Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms,
Recommends the governments of member states:
a. to take all steps which they consider necessary to give effect to the principles set out in the annex to the present resolution;
b. to inform the Secretary General of the Council of Europe in due course of any action taken in this field.
Annex to Resolution 74 (29)
The following principles apply to personal information stored in electronic data banks in the public sector.
For the purposes of this resolution, "personal information" means information relating to individuals (physical persons) and "electronic data bank" means any electronic data processing system which is used to handle such information.
1.
As a general rule the public should be kept regularly informed about the establishment, operation and development of electronic data banks in the public sector.
2.
The information stored should be:
a. obtained by lawful and fair means,
b. accurate and kept up to date,
c. appropriate and relevant to the purpose for which it has been stored.
Every care should be taken to correct inaccurate information and to erase inappropriate, irrelevant or obsolete information.
3.
Especially when electronic data banks process information relating to the intimate private life of individuals or when the processing of information might lead to unfair discrimination,
a. their existence must have been provided for by law, or by special regulation or have been made public in a statement or document, in accordance with the legal system of each member state;
b. such law, regulation, statement or document must clearly state the purpose of storage and use of such information, as well as the conditions under which it may be communicated either within the public administration or to private persons or bodies;
c. that data stored must not be used for purposes other than those which have been defined unless exception is explicitly permitted by law, is granted by a competent authority or the rules for the use of the electronic data bank are amended.
4.
Rules should be laid down to specify the time-limits beyond which certain categories of information may not be kept or used.
However, exceptions from this principle are acceptable if the use of the information for statistical, scientific or historical purposes requires its conservation for an indefinite duration. In that case, precautions should be taken to ensure that the privacy of the individuals concerned will not be prejudiced.
5.
Every individual should have the right to know the information stored about him.
Any exception to this principle or limitation to the exercise of this right should be strictly regulated.
6.
Precautions should be taken against any abuse or misuse of information. For this reason:
a. everyone concerned with the operation of electronic data processing should be bound by rules of conduct aimed at preventing the misuse of data and in particular by a duty to observe secrecy;
b. electronic data banks should be equipped with security systems which bar access to the data held by them to persons not entitled to obtain such information and which provide for the detection of misdirections of information, whether intentional or not.
7.
Access to information that may not be freely communicated to the public should be confined to the persons whose functions entitle them to take cognisance of it in order to carry out their duties.
8.
When information is used for statistical purposes it should be released only in such a way that it is impossible to link information to a particular person."
Explanatory report (drafted by the European Committee on Legal Co-operation (CCJ) – Addendum to the report on the 21st meeting of the CCJ (CM(74)171-add) 29 July 1974):
"Introduction
1. It is hardly necessary to emphasise how important it is that every individual in modern society is guaranteed satisfactory protection with regard to the electronic
processing of data concerning him.
In the early 1960s when computers made their first appearance as administrative aids, the need to protect citizens against possible risks for their privacy did not appear to be urgent. Computers were expensive and their use was limited to a small number of public services.
In recent years, however, the need to provide adequate safeguards for the individual has become more acute as a result of two parallel and interdependent processes : the growing complexity of the social fabric and the headway made by information technology.
2. In all fields of human activity, electronic data processing has been introduced as an efficient and powerful instrument to solve complex problems. In certain fields it has already become virtually indispensable.
The advantages derived from the use of computers in the public sector are very obvious. They can help to rationalise administrative work. In relieving the administration from tedious tasks such as copying, filing, keeping records up to date, issuing certificates, documentation, etc information technology raises administrative productivity.
Information technology improves the capacity of every administration to store, process and utilise data on which its decisions are to be based. It enables, moreover, several administrations, at different levels (central, regional,lecal), to pool their data.
Thus, automation, can raise the quality of public service notwithstanding the constantly growing volume, diversity and complexity of the tasks of the administration.
3. The main applications of information technology by the public administration will vary considerably from one state to another as a result of certain considerations such as the volume of the operations, their cost, administrative traditions, technical infrastructure, etc. Among the most common uses of computer technology by the European states are to be mentioned: statistics, postal accounts, social security, personnel management, financial administration, health services, land registers, criminal records, business firms’ registers, motor vehicle administration and internal revenue.
Information stored in population registers, which are now increasingly being computerised and which deserve special attention because they respond to the needs of all branches and levels of the public administration is a typical example of information used for more than one purpose.
4. The citizens who are seeing the gradual introduction of computers in public administration will form an opinion of its advantages or inconveniences. They will appreciate the speed, clarity and logic with which information is handled in administrative processes affecting them. But at times they may also be anxious about what may appear to them to be an increase in the power of the authorities as a result of computerised administration. First, there are fears that the use of computers will allow several administrations to exchange among themselves various kinds of information on the same persons and that it will be possible in this way for the state to compile and keep up to date a detailed "profile" on individual citizens. In fact, it is by no means a simple matter to build up such profiles; a number of technical difficulties stand in the way. Nevertheless, this potential capacity of modern public administration has awakened in some people a fear that their privacy is losing ground.
Furthermore, the possibility that the same information may be used for more than one purpose a s a result of several parts of the administration being able to obtain access to it has led to doubts about the real purposes for which the information is required and about the confidentiality aly of the information stored.
5. An inherent difficulty hovering over the debate on the protection of privacy vis-à-vis public electronic data banks stems from the delicate problem of the balance of interests. Governments arc confronted on the one hand by advocates of the rights of individuals who are asking for measures to secure the confidential nature of the data held by the state about citizens, and on the other hand by those who demand equal and free access of citizens to information hendled by public authorities.
Public anxiety has arisen not because many abuses of information technology have actually been discovered but rather from the possibility of abuse and also from the fact that computers are being used to store certain categories of information about which individuals are traditionally sensitive.
Finally, the public is not sufficiently informed about the new information technology. The reason for this is the novelty of the medium and the fact that the public authorities have not yet adopted a firm policy with regard to it.
In the absence of general rules and of a proper information of the public, the discussion is apt to flare up on the occasion of each new project for the use of information technology. In this connection, it should be kept in mind that the success with which computers can be used in public affairs will depend very much on the decree of confidence the public is willing to give to their use."
In other parts, the Explanatory report highlights the differences and commonalities of data protection in the public and in the private sector:
"V. THE OPERATIVE PART OF THE RESOLUTION
10. With regard to the scope of the present resolution, the question was raised whether it was possible and indeed necessary to adopt a definition on what is understood by "public sector".
It was observed that, in view of lack of uniformity between the notions of "public sector" as they are understood in the laws of the several European states, and in view of the fact that the problem of outlining the scope of the resolution does not seem to have posed any difficulty when the private sector was examined, it seems preferable not to embark on a search for the precise boundaries of the public sector.
On the basis of such considerations and in order not to run the risk of leaving bare a zone of "non-law", it is left to the states concerned by the present resolution to fix the exact perimeters of their public sector.
It should be recalled that in all European states certain tasks are the exclusive province of public authorities.
To those traditional tasks new tasks have later been added with the development from the "policeman state"’ to the "entrepreneur state" or the "welfare state". This development has been different from one stage to another. We may therefore conclude on the one hand that public authorities are fulfilling in certain fields (national defence, maintenance of order, justice, public finance) a special task which has no equivalent in the private sector. On the other hand, in view of the diversity existing between the states where certain functions, are sometimes entrusted to the public sector and sometimes left to the private sector, it is advisable to take as a point of departure the principles already examined in the framework of the private sector. The text of the present resolution therefore has been developed along these two lines of thought."
IV. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108 - "Convention 108") and its Protocols
On the CoE Conventions on data protection in general cf. CoE's Data Protection website "Convention 108 and Protocols".
All CoE Conventions on data protection regulate both, data protection in the public and private sector, in the same articles (seemingly for the reasons explained in para. 10 of the Explanatory report to Resolution (74)29 (cited above)).
1. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108)
The 'Convention 108' is signed and ratified by all 46 Member States of the CoE. Its scope of application covers "to automated personal data files and automatic processing of personal data in the public and private sectors." (Article 3 (1)).
b) Main substantive principles of 'Convention 108'
c) Additional safeguards for the data subject as provided for in Article 8 'Convention 108'
d) Transnational mutual assistance (Chapter IV of 'Convention 108')
a) Object of 'Convention 108'
Summary of the CoE's Treaty office:
"This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.
In addition to providing guarantees in relation to the collection and processing of personal data, it outlaws the processing of "sensitive" data on a person's race, politics, health, religion, sexual life, criminal record, etc., in the absence of proper legal safeguards. The Convention also enshrines the individual's right to know that information is stored on him or her and, if necessary, to have it corrected.
Restriction on the rights laid down in the Convention are only possible when overriding interests (e.g. State security, defence, etc.) are at stake.
The Convention also imposes some restrictions on transborder flows of personal data to States where legal regulation does not provide equivalent protection."
"Introduction
Data Protection
1. The object of this convention is to strengthen data protection, i.e. the legal protection of individuals with regard to automatic processing of personal information relating to them.
There is a need for such legal rules in view of the increasing use made of computers for administrative purposes. Compared with manual files, automated files have a vastly superior storage capability and offer possibilities for a much wider variety of transactions, which they can perform at high speed.
Further growth of automatic data processing in the administrative field is expected in the coming years inter alia as a result of the lowering of data processing costs, the availability of "intelligent" data processing devices and the establishment of new telecommunication facilities for data transmission.
2. "Information power" brings with it a corresponding social responsibility of the data users in the private and public sector. In modern society, many decisions affecting individuals are based on information stored in computerised data files: payroll, social security records, medical files, etc. It is essential that those responsible for these files should make sure that the undeniable advantages they can obtain from automatic data processing do not at the same time lead to a weakening of the position of the persons on whom data are stored. For this reason, they should maintain the good quality of the information in their care, refrain from storing information which is not necessary for the given purpose, guard against unauthorised disclosure or misuse of the information, and protect the data, hardware and software against physical hazards."
New challenges for data protection were discussed at the "14th Colloquy on European Law" in Lisbon (26–28 September 1984) organised by the CoE. Its proceedings are published in CoE (ed.), Beyond 1984: The Law and Information Technology in Tomorrow's Society (1985). In the address of M. O. Wiederkehr (representing the Secretary General of the CoE) the idea of this 'Colloquy' was
"to take advantage of the symbolic year 1984, for critical examination and stocktaking of the upheavals in information technology with a view to assessing, in particular, the changes in society likely to result and the desirability of making new legal rules to this changes."
b) Main substantive principles of 'Convention 108'
"Article 5 – Quality of data
Personal data undergoing automatic processing shall be:
a. obtained and processed fairly and lawfully;
b. stored for specified and legitimate purposes and not used in a way incompatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are stored;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of the data subjects for no longer than is required for the purpose for which those data are stored.
Article 6 – Special categories of data
Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.
Article 7 - Data security
Appropriate security measures shall be taken for the protection of personal data stored in automated data files against accidental or unauthorised destruction or accidental loss as well as against unauthorised access, alteration or dissemination."
Explanatory Report on Article 5 to 7:
"40. The provisions of this article are largely identical to the corresponding principles laid down in Resolutions (73) 22 and (74) 29 and can also be found in very similar terms in the national data protection laws enacted prior to this convention.
The different provisions of this article aim at the fulfilment of two fundamental legal standards.
On the one hand the information should be correct, relevant and not excessive in relation to its purpose. On the other hand its use (gathering, storage, dissemination) should likewise be correct.
41. The reference to "purposes" in litterae b and c indicates that it should not be allowed to store data for undefined purposes. The way in which the legitimate purpose is specified may vary in accordance with national legislation.
42. The requirement appearing under littera e concerning the time-limits for the storage of data in their name-linked form does not mean that data should after some time be irrevocably separated from the name of the person to whom they relate, but only that it should not be possible to link readily the data and the identifiers.
[...]
43. While the risk that data processing is harmful to persons generally depends not on the contents of the data but on the context in which they are used, there are exceptional cases where the processing of certain categories of data is as such likely to lead to encroachments on individual rights and interests. Categories of data which in all member States are considered to be especially sensitive are listed in this article.
[...]
46. [...]the expression "domestic law" may be taken in a wide sense, i.e. not only legislation but also appropriate or specific regulations or administrative directives, as long as the necessary level of protection is secured.
[...].
49. There should be specific security measures for every file, taking into account its degree of vulnerability, the need to restrict access to the information within the organisation, requirements concerning long-term storage, and so forth. The security measures must be appropriate, i.e. adapted to the specific function of the file and the risks involved They should be based on the current state of the art of data security methods and techniques in the field of data processing."
c) Additional safeguards for the data subject as provided for in Article 8 'Convention 108'
"Article 8 – Additional safeguards for the data subject
Any person shall be enabled:
a. to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file;
b. to obtain at reasonable intervals and without excessive delay or expense confirmation of whether personal data relating to him are stored in the automated data file as well as communication to him of such data in an intelligible form;
c. to obtain, as the case may be, rectification or erasure of such data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out in Articles 5 and 6 of this Convention;
d. to have a remedy if a request for confirmation or, as the case may be, communication, rectification or erasure as referred to in paragraphs b and c of this article is not complied with."
Explanatory Report on Article 8:
"50. The provisions set out in this article are designed to enable a data subject to defend his rights vis-à-vis automated data files. Although in domestic legislation the contents of Article 8 clearly correspond to subjective rights, the present text expresses them in the form of safeguards which Contracting States offer to data subjects, in view of the non self-executing character of the convention. These safeguards include four main elements:
– knowledge about the existence of an automated data file;
– knowledge about the contents of the information, if any, stored about data subjects in a file;
– rectification of erroneous or inappropriate information;
– a remedy if any of the previous elements are not respected.
51. In order that these rights can be effective, the convention requires that with regard to every automated record it should be stated clearly who is the controller (littera a). The wording of this littera takes into account the variety of rules of domestic law giving effect to this principle. There are States where the name of the controller of the file is listed in a public index. In other States which have no such publicity rule, the law will provide that the name of the controller of the file must be communicated to a person at his request.
52. ln litterae b and c it has not been specified from whom a data subject may obtain confirmation, communication, rectification, etc. In most States this will be the controller of the file, but in some States this right is exercised through the intermediary of the supervisory authority.
53. The wording of littera b is intended to cover various formulas followed by national legislation: communication at the request of the data subject or at the initiative of the controller of the file; communication free of charge at fixed intervals as well as communication against payment at any other time, etc. The term "expense" means the fee charged to the data subject, not the actual cost of the operation.
54. In the case of rectifications obtained in conformity with the principle set out in littera c, national law or practice provides usually that where appropriate those rectifications should be brought to the recipients of the original information."
CoE (ed.), The administration and you (1st edition 1996/1997), pp. 35 f.
"D – Right to access and rectification
64. Any person has to be enabled :
(i) to establish the existence of an automated personal data file, its main purposes, as well as the identity and habitual residence or principal place of business of the controller of the file ;
(ii) to obtain at reasonable intervals and without excessive delay or expense, confirmation of whether personal data relating to her or him are stored in the automated data file as well as communication to her or him of such data in an intelligible form ;
(iii) to obtain rectification or erasure of personal data if these have been processed contrary to the provisions of domestic law giving effect to the basic principles set out above under A and B ;
(iv) to have a remedy if a request for confirmation or communication, rectification or erasure as referred to in (ii) and (iii) above is not complied with
64.1. Comment re (i): The "controller of the file" is the natural or legal person, public authority, agency or other body who is competent according to the national law to decide what should be the purpose of the data file, which categories of personal data should be stored and which operations should be applied to them.
64.2. Comment re (ii- iv): Restrictions on these rights may be provided by law with respect to files used for statistics or for scientific research purposes when there is obviously no risk of an infringement of the privacy of the persons concerned (see more details in Article 9 of Convention No. 108)."
d) Transnational mutual assistance (Chapter IV of 'Convention 108')
For transnational mutual assistance under Chapter IV of 'Convention 108' click here
2. Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (ETS No. 181)
The additional Protocol is signed and ratified by 36 CoE Member States. Its scope of application is identical to that of "Convention 108".
Summary of the CoE's Treaty office:
"The text will increase the protection of personal data and privacy by improving the original Convention of 1981 (ETS No. 108) in two areas. Firstly, it provides for the setting up of national supervisory authorities responsible for ensuring compliance with laws or regulations adopted in pursuance of the convention, concerning personal data protection and transborder data flows. The second improvement concerns transborder data flows to third countries. Data may only be transferred if the recipient State or international organisation is able to afford an adequate level of protection."
Click here for the pan-European general principles on supervisory authorities in the field of data protection.
3. Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223)
The Protocol has not yet entered into force. For a consolidated text of the 'Convention 108' as it will be amended by the Protocol CETS No. 223 upon its entry into force click here. See furthermore "The modernised Convention 108: novelties in a nutshell"
a) Object of the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 223)
The Protocol will change Article 3 (1) of 'Convention 108' and, thus, enlarge its scope of application:
"Each Party undertakes to apply this Convention to data processing subject to its jurisdiction in the public and private sectors, thereby securing every individual’s right to protection of his or her personal data."
Summary of the CoE's Treaty office:
"The aim of the Protocol of amendment is to modernise and improve the Convention (ETS No. 108), taking into account the new challenges to the protection of individuals with regard to the processing of personal data which have emerged since the Convention was adopted in 1980.
The modernisation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, the only existing legally binding international treaty with global relevance in this field, addresses the challenges to privacy resulting from the use of new information and communication technologies, and strengthens the convention’s mechanism to ensure its effective implementation.
The Protocol provides a robust and flexible multilateral legal framework to facilitate the flow of data across borders while providing effective safeguards when personal data are being used. It constitutes a bridge between different regions of the world and different normative frameworks, including the new European Union´s legislation that will become fully applicable on 25 May 2018 and which refers to Convention 108 in the context of transborder data flows.
Some of the innovations contained in the Protocol are the following:
-
-
Stronger requirements regarding the proportionality and data minimisation principles, and lawfulness of the processing;
-
Extension of the types of sensitive data, which will now include genetic and biometric data, trade union membership and ethnic origin;
-
Obligation to declare data breaches;
-
Greater transparency of data processing;
-
New rights for the persons in an algorithmic decision making context, which are particularly relevant in connection with the development of artificial intelligence;
-
Stronger accountability of data controllers;
-
Requirement that the "privacy by design" principle is applied;
-
Application of the data protection principles to all processing activities, including for national security reasons, with possible exceptions and restrictions subject to the conditions set by the Convention, and in any case with independent and effective review and supervision;
-
Clear regime of transborder data flows;
-
Reinforced powers and independence of the data protection authorities and enhancing legal basis for international cooperation."
-
b) Main substantive principles of 'Convention 108' as it will be amended by the Protocol CETS No. 223
"Article 5 – Legitimacy of data processing and quality of data
(1) Data processing shall be proportionate in relation to the legitimate purpose pursued and reflect at all stages of the processing a fair balance between all interests concerned, whether public or private, and the rights and freedoms at stake.
(2) Each Party shall provide that data processing can be carried out on the basis of the free, specific, informed and unambiguous consent of the data subject or of some other legitimate basis laid down by law.
(3) Personal data undergoing processing shall be processed lawfully.
(4) Personal data undergoing processing shall be:
a. processed fairly and in a transparent manner;
b. collected for explicit, specified and legitimate purposes and not processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is, subject to appropriate safeguards, compatible with those purposes;
c. adequate, relevant and not excessive in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date;
e. preserved in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which those data are processed.
Article 6 – Special categories of data
(1) The processing of:
– genetic data;
– personal data relating to offences, criminal proceedings and convictions, and related security measures;
– biometric data uniquely identifying a person;
– personal data for the information they reveal relating to racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life,
shall only be allowed where appropriate safeguards are enshrined in law, complementing those of this Convention.
(2) Such safeguards shall guard against the risks that the processing of sensitive data may present for the interests, rights and fundamental freedoms of the data subject, notably a risk of discrimination.
Article 7 - Data security
(1) Each Party shall provide that the controller, and where applicable the processor, takes appropriate security measures against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.
2 Each Party shall provide that the controller notifies, without delay, at least the competent supervisory authority within the meaning of Article 15 of this Convention, of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects."
See, furthermore the Explanatory memorandum on the new Article 5 - 7 (para. 40 ff.).
c) Additional safeguards for the data subject as provided for in Article 9 of 'Convention 108' as it will be amended by the Protocol CETS No. 223
"Article 9 – Rights of the data subject
(1) Every individual shall have a right:
a. not to be subject to a decision significantly affecting him or her based solely on an automated processing of data without having his or her views taken into consideration;
b. to obtain, on request, at reasonable intervals and without excessive delay or expense, confirmation of the processing of personal data relating to him or her, the communication in an intelligible form of the data processed, all available information on their origin, on the preservation period as well as any other information that the controller is required to provide in order to ensure the transparency of processing in accordance with Article 8, paragraph 1;
c. to obtain, on request, knowledge of the reasoning underlying data processing where the results of such processing are applied to him or her;
d. to object at any time, on grounds relating to his or her situation, to the processing of personal data concerning him or her unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms;
e. to obtain, on request, free of charge and without excessive delay, rectification or erasure, as the case may be, of such data if these are being, or have been, processed contrary to the provisions of this Convention;
f. to have a remedy under Article 12 where his or her rights under this Convention have been violated;
g. to benefit, whatever his or her nationality or residence, from the assistance of a supervisory authority within the meaning of Article 15, in exercising his or her rights under this Convention.
(2) Paragraph 1.a shall not apply if the decision is authorised by a law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests."
For Article 9 (1) a and (2) of 'Convention 108' as it will be amended by the Protocol CETS No. 223 click here. Cf., furthermore, the Explanatory memorandum on the new Article 9:
71. This article lists the rights that every individual should be able to exercise concerning the processing of personal data relating to him or her. Each Party shall ensure, within its legal order, that all those rights are available for every data subject together with the necessary legal and practical, adequate and effective means to exercise them.
72. [...].
76. Littera b. Data subjects should be entitled to know about the processing of their personal data. The right of access should, in principle, be free of charge. However, the wording of littera b. is intended to allow the controller in certain specific conditions to charge a reasonable fee where the requests are excessive and to cover various approaches that could be adopted by a Party for appropriate cases. Such a fee should be exceptional and in any case reasonable, and not prevent or dissuade data subjects from exercising their rights. The controller or processor could also refuse to respond to manifestly unfounded or excessive requests, in particular because of their repetitive character. The controller should in all cases justify such a refusal. To ensure a fair exercise of the right of access, the communication "in an intelligible form" applies to the content as well as to the form of a standardised digital communication.
77. Littera c. Data subjects should be entitled to know the reasoning underlying the processing of data, including the consequences of such a reasoning, which led to any resulting conclusions, in particular in cases involving the use of algorithms for automated-decision making including profiling. For instance in the case of credit scoring, they should be entitled to know the logic underpinning the processing of their data and resulting in a "yes" or "no" decision, and not simply information on the decision itself. Having an understanding of these elements contributes to the effective exercise of other essential safeguards such as the right to object and the right to complain to a competent authority.
78. Littera d. As regards the right to object, the controller may have a legitimate ground for data processing, which overrides the interests or rights and freedoms of the data subject. For example, the establishment, exercise or defence of legal claims or reasons of public safety could be considered as overriding legitimate grounds justifying the continuation of the processing. This will have to be demonstrated on a case-by-case basis and failure to demonstrate such compelling legitimate grounds while pursuing the processing could be considered as unlawful. The right to object operates in a distinct and separate manner from the right to obtain rectification or erasure (littera e.).
79. Objection to data processing for marketing purposes should lead to unconditional erasing or removing of the personal data covered by the objection.
80. The right to object may be limited by virtue of a law, for example, for the purpose of the investigation or prosecution of criminal offences. In this case, the data subject can, as the case may be, challenge the lawfulness of the processing on which it is based. When data processing is based on valid consent given by the data subject, the right to withdraw consent can be exercised instead of the right to object. A data subject may withdraw his or her consent and subsequently have to assume the consequences possibly deriving from other legal texts such as the obligation to compensate the controller. Likewise where data processing is based on a contract, the data subject can take the necessary steps to revoke the contract.
81. Littera e. The rectification or erasure, if justified, must be free of charge. In the case of rectifications and erasures obtained in conformity with the principle set out in littera e., those rectifications and erasures should, where possible, be brought to the attention of the recipients of the original information, unless this proves to be impossible or involves disproportionate efforts.
82. Littera g. aims at ensuring effective protection of data subjects by providing them the right to an assistance of a supervisory authority in exercising the rights provided by the Convention. When the data subject resides in the territory of another Party, he or she can submit the request through the intermediary of the authority designated by that Party. The request for assistance should contain sufficient information to permit identification of the data processing in question. This right can be limited according to Article 11 or adapted in order to safeguard the interests of a pending judicial procedure."
d) Transnational cooperation and mutual assistance (Chapter V of 'Convention 108' as it will be amended by the Protocol CETS No. 223)
For transnational mutual assistance and cooperation under Chapter V of 'Convention 108' as it will be amended by the Protocol CETS No. 223 click here
V. The CoE handbook "The administration and you"
CoE (ed.), The administration and you (1st edition 1996/1997), pp. 32 ff.:
"III – Protection of personal data
60. Administrative authorities have a certain number of obligations as regards the collection, the processing and the storage of personal data concerning private persons. These obligations are designed to strike a fair balance between everybody’s basic "freedom to receive and impart information and ideas without interference by public authority and regardless of frontiers" (freedom of expression as enshrined in Article 10 of the European Convention on Human Rights) on the one hand, and the "right to respect for his [or her] private and family life, [...] home and [...] correspondence" (right to privacy, Article 8 of the Convention) on the other hand. Seventeen Council of Europe member states, by ratifying the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No.108), have undertaken to enact legislation which renders obligatory, for both the administrative authorities and private operators, the respect of the principles set out in the paragraphs hereafter ; most of the other Council of Europe member states also respect all or most of these principles.
60.1. Comment: "Personal data" means any information relating to an identified or identifiable individual. In many countries the private person’s voice and image are considered personal data and enjoy protection of the law. "Automatic processing" includes the following operations if carried out in whole or in part by automated means : storage of data, carrying out of logical and/or arithmetic operations on those data, as well as their alteration, erasure, retrieval or dissemination.
60.2. Comment : The administrative authorities seen as a whole (which may include police, statistics, social security and public health services, tax and customs authorities, schools, land registers, administrations providing public utilities such as water, gas or electricity or public transport, telecommunications, etc.) have an important "knowledge" about individuals. They have access to many kinds of data, most of which are obtained upon request by the administrative authorities, but some of which may have been given spontaneously to them (on the occasion of a complaint made to the police, for example). Given the privileged position of the administrative authorities, it is of the utmost importance that they be bound to handle their powers in compliance with the principles set out below. It is normal practice for such compliance to be monitored by an independent authority (see below section E – "Sanctions and remedies").
60.3. Comment: Since the conclusion of the above-mentioned Convention No.108, the issue of data protection has grown in importance. Public and other services (bank, credit, social security, social assistance, medical care, insurance, etc.) operate more and more with automated data files. It was felt that for many of these sectors the general principles contained in Convention No. 108 had to be refined. This is being done by means of Council of Europe Recommendations. The following recommendations have been adopted as of yet by the Committee of Ministers : No. R (81) 1 on regulations for automated medical data banks (23 January 1981) ; No. R (83) 10 on the protection of personal data used for scientific research and statistics (23 September 1983) ; No. R (85) 20 on the protection of personal data used for the purposes of direct marketing (25 October 1985) ; No. (86) 1 on the protection of personal data used for social security purposes (23 January 1986), No. R (87) 15 regulating the use of personal data in the police sector (17 September 1987) ; No. R (89) 2 on the protection of personal data used for employment purposes (18 January 1989) ; No. R (90) 19 on the protection of personal data used for payment and other related operations (13 September 1990) ; No. R (91) 10 on the communication to third parties of personal data held by public bodies (9 September 1991) ; and No. R (95) 4 on the protection of personal data in the area of telecommunication services, with particular reference to telephone services (7 February 1995). Other recommendations are under preparation in the fields of statistical data, medical data including genetic data and insurances. Moreover, a Council of Europe expert group was established to consider the problems of data protection raised by new technologies, such as the Internet."
Para. 61 ff. of the handbook deals with principles on "collection, use and quality of data" (para. 61 ff.), "sensitiive data" (para. 62), "data security" (para. 63 f.), "right to access and rectification" (para. 64 ff.) and "sanctions and remedies" (para. 65 ff.).
CoE (ed.), The administration and you (2nd edition 2018), pp. 22 f.:
"Principle 7 - Privacy and the protection of personal data
When processing personal data held in digital or any other format, public authorities shall take all necessary measures to guarantee the privacy of individuals and their right to the protection of personal data.
[...]
Commentary
Processing (including collecting) personal data by public authorities is of particular importance in the context of their relations with the public. Public authorities must respect the private life of individuals and their right to the protection of personal data.
Public authorities must ensure that people are allowed access to personal data held by them so individuals can check how their personal data is processed, its accuracy and, where appropriate, are given the opportunity to exercise other rights such as the rights to rectify or erase.
Access, rectification and erasure of personal data are rights recognised since 1981 in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108, hereafter "Convention 108"). Convention 108 aimed to enable individuals:
- to establish the existence of data processing, its main purposes, as well as the identity and habitual residence or principal place of business of the controller;
- to obtain at reasonable intervals and without excessive delay or expense, confirmation of whether personal data is stored and its communication in an intelligible form;
- to obtain rectification or erasure of personal data if it has been processed contrary to the provisions of domestic law giving effect to the basic principles of the Convention; and
- to have a legal remedy.
[...].
It is important that public authorities process personal data lawfully and fairly. To this end, they must take all necessary precautions. The data must be processed only for explicit, specified and legitimate purposes. These purposes for which it is processed must be adequate, relevant and not excessive. The data must be accurate and, where necessary, kept up-to-date. It must be preserved in a form that only allows the individual to be identified for as long as necessary for the purposes for which those data are processed. [...].
Certain types of personal data, called "sensitive data", may not be processed unless domestic law provides appropriate safeguards complementing those of Convention 108. These include notably the processing of:
-
- genetic data;
- personal data relating to offences, criminal proceedings and convictions, and related security measures;
- biometric data uniquely identifying a person;
- personal data revealing racial or ethnic origin, political opinions, trade-union membership, religious or other beliefs, health or sexual life.
Appropriate security measures have to be taken by public authorities for the protection of personal data held by them against risks such as accidental or unauthorised access to, destruction, loss, use, modification or disclosure of personal data.
A series of recommendations of the Committee of Ministers of the Council of Europe specify how the general principles of Convention 108 should be applied in the different areas of public authorities’ responsibilities, namely:
-
- employment data (Recommendation CM/Rec(2015)5);
- profiling (Recommendation CM/Rec(2010)13);6
- statistics (Recommendation No. R (97) 18);
- medical data (Recommendation No. R (97) 5);
- telecommunications (Recommendation No. R (95) 4);
- communicating data to third parties (Recommendation No. R (91) 10);
- police data (Recommendation No. R (87) 15);7
- social security data (Recommendation No. R (86) 1)."
Footnote 6: "See also the Guidelines on the protection of individuals with regard to the processing of personal data in a world of Big Data, adopted by the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, in January 2017."
Footnote 7: "See also the Practical guide on the use of personal data in the police sector, adopted by the Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, in February 2018.
VI. Venice Commission, Rule of Law Checklist (CDL-AD(2016)007) of 18 March 2016
"F. Examples of particular challenges to the Rule of Law
[...].
2. Collection of data and surveillance
a. Collection and processing of personal data
How is personal data protection ensured?
i. Are personal data undergoing automatic processing sufficiently protected with regard to their collection, storing and processing by the State as well
as by private actors? What are the safeguards to secure that personal data are:
- processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes ("purpose limitation")?
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation")?
- accurate and, where necessary, kept up to date ("accuracy")?
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed ("storage limitation");
- processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage ("integrity and confidentiality")?146
ii. Is the data subject provided at least with information on:
- the existence of an automated personal data file, its main purposes;
- the identity and the contact details of the controller and of the data protection officer;
- the purposes of the processing for which the personal data are intended;
- the period for which the personal data will be stored;
- the existence of the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data;
- the right to lodge a complaint to the supervisory authority and the contact details of the supervisory authority; the recipients or categories of recipients of the personal data;
- where the personal data are not collected from the data subject, from which source the personal data originate;
- any further information necessary to guarantee fair processing in respectof the data subject.147
iii. Does a specific independent authority ensure compliance with the legal conditions under domestic law giving effect to the international principles and requirements with regard to the protection of individuals and of personal data?148
iv. Are effective remedies provided for alleged violations of individual rights by collection of data?149117. The increasing use of information technology has made the collection of data possible to an extent which was unthinkable in the past. This has led to the development of national and international legal protection of individuals with regard to automatic processing of personal information relating to them. The most important requirements of such protection are enumerated above. These are also applicable mutatis mutandis to data processing for security purposes.
Footnote 146: An early document (of 1981) is Article 5 of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS 108) ; see also Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Articles 6, 7; in the meantime in the EU a "Proposal for a Regulation of the
European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" has been agreed on (Interinstitutional File 2012/0011 (COD) of Dec 15, 2015). Principles of data protection are enshrined in Art. 5. See also a "Proposal for a Directive of the European Parliament and the Council on the protection of individuals with regard to the processing of
personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data" (Interinstitutional file: 2012/0010 (COD) of 16 December 2015. In 2013 the OECD adopted "The OECD Privacy Framework", with "principles" in Part 2.
Footnote 147: See the Proposal for a Regulation quoted in the previous footnote, Article 14; Directive 95/46/EC, Articles 10-11; CETS 108, Article 8
Footnote 148: CDL-AD(2007)014, § 83.
Footnote 149: Cf. Articles 8 and 13 ECHR.