Explanatory Report
I.

Introduction

1.
In the 35 years that have elapsed since the
Convention for the Protection of Individuals with
regard to Automated Processing of Personal Data, also
known as Convention 108 (hereafter also referred to
as “the Convention”) was opened for signature, the
Convention has served as the foundation for international data protection law in over 40 European
countries. It has also influenced policy and legislation
far beyond Europe’s shores. With new challenges to
human rights and fundamental freedoms, notably to
the right to private life, arising every day, it appeared
clear that the Convention should be modernised in
order to better address emerging privacy challenges
resulting from the increasing use of new information
and communication technologies (IT), the globalisation of processing operations and the ever greater
flows of personal data, and, at the same time, to
strengthen the Convention’s evaluation and followup mechanism.
2.
A broad consensus on the following aspects of
the modernisation process emerged: the general and
technologically neutral nature of the Convention’s
provisions must be maintained; the Convention’s
coherence and compatibility with other legal frameworks must be preserved; and the Convention’s
open character, which gives it a unique potential as
a universal standard, must be reaffirmed. The text
of the Convention is of a general nature and can be
supplemented with more detailed soft-law sectoral
texts in the form notably of Committee of Ministers’
recommendations elaborated with the participation
of interested stakeholders.
3.
The modernisation work was carried out in the
broader context of various parallel reforms of international data protection instruments and taking due

account of the 1980 (revised in 2013) Guidelines on the
Protection of Privacy and Transborder Flows of Personal
Data of the Organisation for Economic Cooperation
and Development (OECD), the 1990 United Nations
Guidelines for the Regulation of Computerized Personal
Data Files, the European Union’s (EU) framework1
since 1995, the Asia-Pacific Economic Cooperation
Privacy framework (2004) and the 2009 ”International
Standards on the Protection of Privacy with regard to
the processing of Personal Data”.2 With regard to the
EU data protection reform package in particular, the
works ran in parallel and utmost care was taken to
ensure consistency between both legal frameworks.
The EU data protection framework gives substance and
amplifies the principles of Convention 108 and takes
into account accession to Convention 108, notably
with regard to international transfers.3
4.
The Consultative Committee set up by Article
18 of the Convention prepared draft modernisation
proposals which were adopted at its 29th Plenary meeting (27-30 November 2012) and submitted to the
Committee of Ministers. The Committee of Ministers
subsequently entrusted the ad hoc Committee on
data protection (CAHDATA) with the task of finalising
the modernisation proposals. This was completed on
the occasion of the 3rd meeting of the CAHDATA (1-3
December 2014). Further to the finalisation of the EU
data protection framework, another CAHDATA was
established with a view to examine outstanding issues.
1.
2.
3.

General Data Protection Regulation (EU) 2016/679 (“GDPR”)
and Data Protection Directive for Police and Criminal Justice
Authorities (EU) 2016/680 (“Police Directive”).
Welcomed by the 31st International Conference of Data
Protection and Privacy Commissioners, held in Madrid 4-6
November 2009.
See in particular Recital 105 of the GDPR.

Convention 108+ ► Page 15

Select target paragraph3