Authors: Ketevan Kukava, Nata Akhaladze
The Convention 108[1] for the protection of individuals with regard to automatic processing of personal data is the first and only legally binding international instrument concerning data protection.
The Parliament of Georgia ratified this Convention in 2005, which took effect on April 1, 2006. It was an important event in terms of approximation with the European data protection standard. As a result, Convention 108 became part of Georgian legislation.
In the face of growing challenges to the right to privacy, modernization of Convention 108 became necessary. The modernization process focused on two main issues: The Convention had to properly respond to the challenges of the digital age, and a mechanism for its effective enforcement had to be put in place.
The process of modernization of the Convention was carried out in parallel with other reforms to international data protection instruments, including the reform of EU data protection rules. The modernization preserved the convention's general and flexible character and reinforced its potential as a universal instrument on data protection law. [2]
It should be noted that Georgia was also actively involved in the modernization process of Convention 108. The State Inspector's Service (the successor to the Office of the Personal Data Protection Inspector) regularly participated in consultations and workshops related to the modernization process, prepared opinions and comments.
A modernization process of the Convention was completed with the adoption of amending Protocol CETS No. 223. The protocol (based on which the Convention is referred to as the "Convention 108+") was opened for signature on October 10, 2018. As of today, the document has a total of 32 signatures, and 11 states have ratified it. Georgia is among the eight member states of the Council of Europe that have not yet signed or ratified the protocol.[3]
Ratification of the modernised Convention is of great importance to Georgia, as it sets a higher standard of data protection, which will facilitate the implementation of internationally recognized principles and best practices at the national level.
The Convention 108+ envisages the following important innovations:[4]
- It reinforces the principle of proportionality and emphasizes the need to strike a fair balance between relevant interests at all stages of data processing. Also, the processing of personal data should be adequate, relevant, and not excessive in relation to the purpose for which the data is processed (the principle of data minimisation).
- It expands the concept of special categories of data and includes the genetic and biometric data uniquely identifying a person, also trade-union membership, and ethnic origin.
- Provides an obligation (of the controllers) to notify at least the competent supervisory authority of those data breaches which may seriously interfere with the rights and fundamental freedoms of data subjects, for instance, cause financial, reputational, physical harm, etc. [5]
- Ensures greater transparency of data processing, which means that controllers have to provide the data subject required set of information: their identity and habitual residence or establishment; the legal basis and the purposes of the processing; the recipients of data and the categories of personal data processed; the means of exercising the rights.
- Envisages the increased guarantees for the protection of the data subject's rights, in particular: The right not to be subject to a decision which affects the data subject which is based solely on automated processing, without the data subject having her/his views taken into consideration; the right to obtain, on request, information relating processing his/her personal data in an intelligible form; the right to object at any time to the processing of personal data concerning him or her.[6]
- Considers inadmissible a complete exception to data processing for national security and defense purposes. Exceptions are allowed for a limited number of provisions on condition that such exceptions are provided for by law, that they respect the essence of the fundamental rights and freedoms, and are necessary in a democratic society.[7] Despite the exceptions, the requirement that processing activities for national security and defense purposes be subject to an independent and effective review and supervision in terms of personal data protection is clearly laid down.[8]
- Establishes a clear legal regime of transborder flows of data, which aims to facilitate the free flow of information and ensure appropriate protection of personal data in this process. In particular, data flows between parties cannot be prohibited or subject to special authorization, except when there is a real and serious risk that such transfer would lead to circumventing the provisions of the Convention.
- Broadens the role of the Convention’s Committee,[9] which will monitor that the Parties implement the provisions of the updated treaty effectively. It no longer is limited to a "consultative" role but also has the power to monitor that the parties implement the provisions of the updated treaty effectively.
- The Convention provides a forum for the co-operation of the supervisory authorities, which will facilitate their fruitful activities by exchanging relevant and useful information and conducting joint actions.[10]
It is important to note that the State Inspector’s Service actively supports the acceleration of the signing process of the 108+ Convention, the entry into force of which will significantly contribute to the approximation of national data protection legislation to international standards.[11]
The legal framework governing the protection of personal data in Georgia should comply with the approaches and principles recognized throughout Europe. Ratification of the modernized Convention is important from a practical point of view as well. It should also be noted that the 2014-2020 National Human Rights Strategy aimed to guarantee the right to privacy and the protection of personal data, in accordance with international standards.[12]
By signing the Convention 108+, Georgia will undertake an international commitment to ensure a higher standard of data protection, greater accountability of the controller, and effective oversight of data protection, which, given modern technological advances, is essential in terms of building solid guarantees of human rights protection in the country. Particular emphasis should be placed on the obligation to ensure effective and independent oversight of data processing for national security and defense purposes, which will be an important step forward in terms of increasing the accountability of the security sector. Besides, the signing of the Convention will ensure the free flow of data with European countries, as well as facilitate cooperation and mutual assistance of supervisory bodies.
On the occasion of the 40th anniversary of Convention 108, the Committee of Ministers of the Council of Europe adopted a declaration emphasizing the importance of the modernized Convention in the age of digital technology and calling on all member states to ratify the new Protocol.[13]
Thus, in light of the current technological challenges, given the important innovations discussed above, Georgia should sign Convention 108+ promptly to ensure the protection of personal data at the national level in accordance with European standards.
The article is prepared within the scope of the project "Promoting Personal Data Protection in Georgia.“
The Project is funded by the Embassy of the Netherlands in Georgia. The views expressed in this article may not necessarily reflect the views of the Embassy of the Netherlands.
_____
[1] Available at: https://bit.ly/3wYFnsQ
[2] Handbook on European data protection law, p. 26.
[3] See, full list of signatory countries, available at:https://bit.ly/3ugQlHQ
[4] The modernised Convention 108: novelties in a nutshell, available at: https://bit.ly/3m71Pe6
[5]Explanatory Report of the Convention for the protection of individuals with regard to the processing of personal data, par. 64, available at: https://bit.ly/3dkJ4kC
[6] Unless the controller demonstrates legitimate grounds for the processing which override his or her interests or rights and fundamental freedoms.
[7]Convention 108+, art. 11.
[8]The modernised Convention 108: novelties in a nutshell,available at: https://bit.ly/3m71Pe6
[9]The committee is composed of the representatives of the member states and assesses whether the level of personal data protection complies with the provisions of the convention, is responsible for interpreting the Convention, and provides support for its implementation.
[10] The modernised Convention 108: novelties in a nutshell, available at: https://bit.ly/3m71Pe6
[11] 2020 Annual Report of the State Inspector’s Service of Georgia, p. 226, available at: https://bit.ly/3cPLszw
[12] Available at: https://bit.ly/3gz32uc
[13]Declaration by the Committee of Ministers on the 40th anniversary of Convention 108 – Safeguarding the right to data protection in the digital environment, 20 January 2021, available at: https://bit.ly/32e0ngP