The Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data of 1981 (The CoE Convention)

The CoE’s Convention 108 (Legally Binding Treaty, 1981)

First legally binding international treaty drafted by the Council of Europe (CoE) and opened for signature in 1981.
Contains foundational data protection principles that are still relevant and present in the GDPR.
Requires member states to adopt domestic laws that give effect to the principles in Convention 108.
Reaffirms the CoE’s prior commitments in Resolutions 73/22 and 74/29 on protecting privacy while promoting transborder data flow.

Structure of Convention 108:

Objectives (Chapter I):
- To secure individual right to privacy with respect to data processing in Member States’ territories.
Basic Principles (Chapter II):
- State parties must adopt domestic laws to give effect to data protection principles in the Convention.
- Core data processing principles
  - lawfulness and fairness,
  - purpose limitation,
  - data minimization,
  - accuracy,
  - storage limitation,
  - safeguards for special categories data
  - integrity and confidentiality
- Exceptions carved for state security, public safety, criminal investigations.
Transborder data flow (Chapter III):
- No additional privacy related barriers or special provisions by Parties on transborder flow of personal data
- Some national derogations permitted
Mutual Assistance (Chapter IV):
- Parties to designate a supervisory authority to implement Convention in their territory
- Supervisory authorities of other member state parties to provide mutual assistance including assistance to data subjects resident abroad

In 2001, Additional Protocol to Convention 108 added further requirements for Supervisory Authorities in Member States.

Origins and Historical Context of Data Protection Law