Strengthening the Protection of Cross-Border Internet Personal Data Council of Europe

27 September 2011 - A Workshop on Security in Nairobi, Kenya


This year the Council of Europe celebrates the 30th anniversary of its Data Protection Convention (Convention 108), which has served as the backbone of international law in over 40 European countries and has influenced policy and legislation far beyond Europe’s shores. Open for signature by non-European countries, Convention 108 is one of the possible responses to the need for global standards in the field of data protection which will address unexplored challenges and potential new risks for the protection of human rights and fundamental freedoms.

With the increased use of the internet, new data protection challenges arise which have to be addressed, notably in the framework of the modernisation of Convention 108.

The workshop will discuss how to complement Convention 108’s protection scheme in order to better satisfy the legitimate expectations of individuals and concerned professionals. Key questions addressed will include the need for new principles such as the ones relating to proportionality, to data minimisation and to privacy by design. Should the notion of “transborder data flows” be reviewed in light of the instantaneous nature of internet cross-border data flows? What about agreeing on international minimum rules to ensure cross-border privacy?


A brief substantive summary and the main events that were raised:
The workshop on "strengthening the protection of cross-border internet personal data" aimed at enabling global and multistakeholder exchanges on privacy issues currently addressed at regional level in the context of the modernisation of Convention 108 of the Council of Europe.

The internet and 'instant-ubiquitous' data have made the need for worldwide discussions on privacy issues more pressing, and discussions indicated that, despite their cultural and legal differences, countries around the globe agree on the need to ensure better privacy protection.

It was noted that several protection frameworks co-exist, whether normative or self-regulatory, and ways to fully reconcile them and guarantee protection as well as legal certainty for businesses were explored. A clear definition of the applicable law appeared to be one of the pieces of the puzzle, as did a set of commonly agreed principles.

Principles such as accountability, privacy by design, data minimisation and anonymity were clearly considered as means to further secure effective protection. International technical standardisation such as ISO certification was also proposed as a supplementary protective tool, which would enable standardisation of the protection at global level. Minimisation and proportionality principles were also underlined as key protections, considering that the use of consent as a legitimate basis for data processing is not always protective. Finally, it is worth noting that diverging views were expressed on the issue of the ownership of data and the relevance of this criterion in light of the changing nature of data disseminated by individuals and processed.


Conclusions and further comments:
The workshop provided an excellent multi-stakeholder platform with a global dimension to address the identified questions - which have been recurrently addressed in each of the privacy events of IGF 2011. The outcome of the discussions will be fed into the Council of Europe's work on the modernisation of its Convention 108.