In January human rights defenders worldwide marked the 40th anniversary of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – known as “Convention 108”. This convention remains the only legally binding multilateral instrument on the protection of privacy and personal data. It is open for accession to any country in the world. It already brings together 55 states on four continents. Another 20 countries participate in its work. It provided the pillars for the EU’s work in this field, including the 2018 General Data Protection Regulation (GDPR).
When Convention 108 was opened for signature on 28 January 1981 Microsoft and Apple were just a few years-old start-ups. The other three of the big five IT companies were founded decades later: Amazon in 1994, Google in1998 and Facebook in 2004. Together they are inescapably shaping our lives, and we are inevitably feeding them with our personal data. That’s why the Council of Europe’s motto for this year’s Data Protection Day was “Safeguarding the right to data protection in the digital environment”. We need to build upon the ground-breaking treaty that the Council of Europe member states signed 40 years ago.
For forty years, with Convention 108 the Council of Europe has been trail-blazing the way for numerous international, regional and national privacy and data protection laws, facilitating data flows across national and regional frontiers and supporting respect for human rights and fundamental freedoms, including human integrity and dignity.
Today, our democratic societies, given their exponential digitalisation as well as the intensification and globalisation of data processing and data flows, need to modernise the system affording protection to individuals regarding the processing of personal data.
This requires international co-operation between data protection authorities, even – or rather in particular – in times of emergency. In 2018, a protocol to Convention 108 was concluded and opened for signature. The modernised Convention should in our view as well as in the view of specialists from all over the world become the international and widely shared standard of reference with a global remit on privacy and data protection in the digital age.
Such a common standard will help facilitating transborder flows of personal data while guaranteeing an appropriate level of protection and supporting better regulatory co-operation at the international level. It is important to secure a shared legal space fit for the digital age, to preserve the relevance of personal data protection for the decades to come. The time is now for states to ratify this protocol so that the modernised Convention could enter into force as soon as possible. To date, only eleven countries have done so, including Serbia.
Since 1981 we have seen rapid technological innovation. During the last years the most popular new data inventions, the smartphone and social media, although creating huge advantages and opportunities for users in access to information, leisure and business, have also induced numerous abuses of our democratic values and human rights. Their side-effects, such as the creation of powerful monopolies information disorders and surveillance capitalism as documented by abundant research became apparent. The emergence of Artificial Intelligence accelerated the exposure of our democracies to greater risks.
A recent study commissioned by the Council of Europe analysed potential negative impacts on human beings and society: discrimination, the advent of a surveillance society, the weakening of human agency, information distortion, electoral interference, digital exclusion and potentially harmful attention economy, are just some of the concrete concerns that people raise.
In light of this, on 28 January 2021, the Consultative Committee of Convention 108 issued a set of guidelines calling for the strict regulation of facial recognition technologies in order to address the risks they pose to human rights, especially the rights to privacy and to the protection of personal data.
At the same time, there is reason for technological optimism. The adoption of digital technologies during the pandemic raised hopes of a new era of social, economic and environmental progress. Effective use of medical data shall help us to confront the next public health challenge.
There is a realistic possibility of a new era of innovation that could lift living standards and help supporting the aim of the UN Sustainable Development Goals, if governments create a resilient regulatory framework that helps new technologies to support the realisation of fundamental rights and freedoms of the many, and not of the few. This is in the core of the discussion on a future legal framework for AI at the Council of Europe´s Ad hoc Committee on AI (CAHAI).
To raise awareness about these formidable challenges, the Council of Europe has created the Stefano Rodotà Award. Gabriel Kasper won the award 2021 for his work on “People analytics in private-law employment relationships – Proposals for a more effective enforcement of data protection law”. The subject could not be more topical and timely as Europe is planning its recovery from the pandemic which has turned our lives upside down. Protecting people’s rights and freedoms through data protection deserves to be central to these efforts.