Convention 108: What and who?

Graphic showing the words: Council of Europe Convention 108

As we have written about elsewhere on this site, Convention 108 was the first enforceable Data Protection transnational legislation globally.  As the Council of Europe (CoE) describes it “This Convention is the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data and which seeks to regulate at the same time the transfrontier flow of personal data.” In that description we can see  the two primary purposes of data protection regulation at the European level.  On the one hand, there is a regime to protect personal data. On the other hand, there is a regime to permit the free flow of data across borders.The original treaty was negotiated in 1980 and opened for signing in 1981.

What drove the adoption of 108?

The rapid evolution of information technology in the 1960s, drove a perception that detailed rules were required to safeguard individual’s personal data. In 1968, the CoE’s Parliamentary Assembly endorsed Recommendation 509 asking the Committee of Ministers to examine if the European Human Rights Convention and/or member States domestic offered adequate protection for personal privacy given this rapid evolution.

The resultant study point out wide deficiencies in respect to personal data protection when “Electronic Data Banks” (Cloud computing and storage?) were involved.  Which explains why the CoE had issued two resolutions previously:

  • Resolution (73) 22 on the protection of the privacy of individuals vis-à-vis electronic data banks in the private sector
  • Resolution (74) 29on the protection of the privacy of individuals vis-àvis electronic data banks in the public sector

These resolutions were written with the cooperation of the OECD in Paris and laid out recognisable principles of data processing, and are a key link in origin of modern EU data protection law.

It is worth noting that the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” issued in 1980 enumerating the following 8 principles which still under pin European Data protection law today.

  1. Collection Limitation Principle
  2. Data Quality Principle
  3. Purpose Specification Principle
  4. Use Limitation Principle
  5. Security Safeguards Principle
  6. Openness Principle
  7. Individual Participation Principle
  8. Accountability Principle

Updates to 108

Convention 108 finalised in 1980 stood the test of time very well, but by 2010 it was time for a revamp and a “Consultative Committee” was established to revise the text. This updated version was opened for signature late in 2018 and is commonly termed “Convention 108+”, “The modernised Convention 108” or more formally Protocol CETS No. 223 .The reason for the updates to 108 are primarily driven by a need to stay aligned with the GDPR issued by the other European Supranational Order, the EU. This introduced a few new ideas like adding biometric and genetic data to the category of sensitive.  These differences are well explained in a CoE document, “The modernised Convention 108: novelties in a nutshell.”

The other great advance with 108+ is the improvement in readability.  Comparing the two opening articles below, it is clear that this was a great advance!

Original: Article 1 – Object and purpose

The purpose of this Convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (“data protection”).

Updated: Article 1 – Object and purpose

“The purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy.”

Ireland and 108

Ireland brought the Convention into domestic law with the Data Protection Act 1988.This first data protection act laid down the key principles governing the protection of personal data, enshrined the rights of access, rectification and erasure in legislation, and imposed a duty of care on data controllers and processors. It also established the office of the Data Protection Commissioner, an independent statutory authority, with responsibility for the enforcement of data protection law.It made provision for the enforcement of data protection, through the conduct of investigations by the Commissioner and by criminalising certain offences relating to the unauthorised disclosure of data. It also provided for the creation of a register for certain types of data controllers.


Today, Convention 108 is open for accession by non-Contracting Parties of the CoE and has 55 signatories 8 of whom are not members of the CoE. Namely Argentina, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia & Uruguay. The updated Convention 108+ has 30 signatories of whom Tunisia & Uruguay are not members of the CoE.

States who have signed either the original Convention 108 or the modernised 108 on The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Shown as a world map with different colours for those countries who are in the 108 compared to 108+ and differentiating between CoE and non CoE member states.
Convention 108 signatory states

Learn more

If you want to learn more about this topic, follow this link

Leave a Reply