29/11/20

Convention 108 and the GDPR: Trends and perspectives in Latin America

 https://doi.org/10.1016/j.clsr.2020.105516

Over1,2 the past twenty years, several countries in Latin America have enacted their own data protection laws.3 In many cases, these laws have followed standards that were and still are being developed in the European Union. In spite of that, only a few of those countries -namely, Uruguay, Argentina and Mexico- have acceded to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (hereinafter Convention 108), an international commitment approved by the Council of Europe in 1981 that has recently been modernized (hereinafter Convention 108+).4 Moreover, even fewer countries -only Uruguay and Argentina- have been granted “adequacy decisions”, which are regularly determined by the European Commission and approved by the European Union. The benefits for those who obtained these decisions include, among others, free data flows between the EU and those countries in accordance with the Data Protection Directive 95/46/EC (hereinafter Directive).5

It may not be a coincidence that two of the three countries that have ratified the treaty (Convention 108) have also been considered adequate by the European Union. This is relevant not only in theory but also in practice, because both Argentina and Uruguay are currently undergoing a new adequacy revision process under Regulation (EU) 2016/679 (hereinafter General Data Protection Regulation or GDPR), which may come to an end during 2020.6 In this sense, it might be important to analyse whether Convention 108 and the GDPR are intertwined. What precisely are the links between these two regulations? Could accession to Convention 108 influence an adequacy decision by the European Commission?

In this essay, we will attempt to approach these questions by establishing: (i) the connections between the GDPR and Convention 108; and (ii) how those connections might have an impact on adequacy decisions in light of recent and ongoing experiences in Latin America. Considering that most adequacy decisions under the GDPR -except for Japan7- are pending, some of our findings may be provisional or speculative and should be read as such. Nonetheless, these insights might be a starting point to examine in more detail the relationship between the most important multilateral treaty on data protection so far and the GDPR, which seems to have become not only a global model, but also a standard of standards, a rule of recognition to identify what is -and what may not be- an appropriate data protection law.

The links between Convention 108 and the GDPR

Regulation (EU) 2016/679, better known as the General Data Protection Regulation or GDPR, was issued in April 2016 and was implemented two years later, in May 2018. This regulation superseded the Data Protection Directive 95/46/EC and incorporated new features such as the extraterritorial scope, the privacy impact assessment, the data protection officer, the accountability principle, the right to data portability and the right to object. However, adequacy decisions were maintained in the new regulation as the primary mechanism to enable free data flows between the members of the European Union and foreign countries. It should be remembered that an adequacy decision -both under the old Directive and the GDPR- is determined by the European Commission after establishing, through a consultative process, that a non-European country has laws, practices and institutions that ensure that personal data of European citizens will be duly protected.8

Because it implied such a paradigm shift, the GDPR also established in its Article 97 that adequacy decisions taken so far under the Directive would be reviewed according to the new, stricter regulation. In effect, that Article says that

1. By 25 May 2020 and every four years thereafter, the Commission shall submit a report on the evaluation and review of this Regulation to the European Parliament and to the Council. The reports shall be made public.

2. In the context of the evaluations and reviews referred to in paragraph 1, the Commission shall examine, in particular, the application and functioning of:

Chapter V on the transfer of personal data to third countries or international organisations with particular regard to decisions adopted pursuant to Article 45(3) of this Regulation and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC;

Pursuant to Article 45(2) of the GDPR, when assessing the level of protection of a non-European country the European Commission shall take account of the following elements: (a) rule of law, protection of human rights and specific data protection rules, provided by law and jurisprudence; (b) the existence of an independent data protection authority that ensures the rights of the data subjects and enforces compliance; and (c) international commitments, in particular related to the protection of personal data.9 Regarding this last point, Recital 105 of the GDPR further notes that

Apart from the international commitments the third country or international organisation has entered into, [when assessing the level of protection of a third country] the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account.

As is widely known, Convention 108 is a treaty enacted by the Council of Europe in 1981 and the only comprehensive and binding data protection framework at the international level. It has been amended three times: the first time in 1999, by an Amendment that allowed the European Communities to join the treaty; the second time in 2001, by an Additional Protocol that incorporated new obligations related to the existence of supervisory authorities and transborder data flows; and the third time in May 2018, a few days before the GDPR was implemented, by an Amending Protocol that revised the text in its entirety.10 This new version of the treaty is regarded as a “modernization” and has been labelled “Convention 108+”.

It is certainly not a coincidence that Convention 108+ was born alongside the GDPR. The Explanatory Report11 of Convention 108+ clarifies that “[t]he modernization work was carried out in the broader context of various parallel reforms of international data protection instruments [including the GDPR]” (2018, p. 15). It further notes that

With regard to the EU data protection reform package in particular, the works ran in parallel and utmost care was taken to ensure consistency between both legal frameworks. The EU data protection framework [i.e. GDPR] gives substance and amplifies the principles of Convention 108 and takes into account accession to Convention 108, notably with regard to international transfers (2018, p. 15).

Interestingly, Article 14 of Convention 108+ specifies that being a party to Convention 108+ does not automatically enable free flows of data between non-European countries and the members of the European Union, because “[a] Party may [restrict international transfers of personal data], if bound by harmonised rules of protection shared by States belonging to a regional international organisation”. This restriction on the free flows of data that should otherwise arise between the parties to Convention 108+ seems like a tailor-made exception for the European Union, since, to date, the GDPR is the most important and well-known example of “harmonised rules of protection shared by States belonging to a regional international organisation”. However, the Explanatory Report further clarifies that

a third country's accession to Convention 108 and its implementation will be an important factor when applying the EU's international transfer regime, in particular when assessing whether the third country offers an adequate level of protection (which in turn allows the free flow of personal data) (2018, p. 27).

In effect, even if Convention 108+ does not cover all the innovations that the GDPR brought along, such as the data protection officer, the privacy impact assessment or the principle of accountability of data controllers, it is consistent with most of the GDPR requirements. In this sense and noting the similarities, but also the differences, between the two regulations, Greenleaf (2018) has pointed out that

Because 108+ includes most important GDPR innovations (in less prescriptive form), accession to 108+, coupled with proper enforcement should indicate that most aspects of the GDPR requirements are met. However, 108+ does not include all GDPR innovations, and it is as yet uncertain how EU institutions will interpret the adequacy provisions of the GDPR. It is possible that GDPR ‘adequacy’ will not require any of these elements not found in 108+, but on the other hand some might be required or strongly desirable. ‘Adequate’ did not mean ‘identical’ under the Directive, and will not under the GDPR. It is therefore uncertain, but possible, that compliance with the standards found in 108+ may also in practice approximate what is meant by ‘adequate’ under the GDPR. If so, the 108+ standards (which we can call ‘GDPR Lite’) may become the new global standard by 2023 (p. 3).12

In summary, there are enough links between the modernized Convention 108 and the GDPR to consider that these two instruments are close-knit and that accession to the former should carry important weight in an adequacy assessment under the latter. On the one hand, from the standpoint of non-European countries, Convention 108 could be seen as an efficient mechanism to achieve or at least facilitate a favourable adequacy decision. On the other hand, from the standpoint of the members of the European Union, Convention 108 could be conceived as a means to ensure the globalization of most of the GDPR's rules and, thus, a sufficient level of protection to allow free data flows. Both sides of the coin are certainly connected.

As we will see in the next section, Latin American countries became notably more interested in Convention 108 once the GDPR was launched in May 2018.

The data protection scene in Latin America

The first Latin American country that acceded to the original Convention 108 and its first Additional Protocol was Uruguay in April 2013. Uruguay had requested an invitation to accede in 2011 and the Council of Europe granted such invitation the same year. Mexico followed in June 2018 and Argentina a bit later, in February 2019. Both Mexico and Argentina had requested an invitation to accede in 2017, which is only one year after the GDPR had been issued.13 It is indeed likely that the reform of the European data protection framework motivated the governments of these countries to become parties to the treaty in order to preserve -in the case of Argentina- or obtain -in the case of Mexico- the status of “adequate” under the GDPR.

When Convention 108+ came along, Uruguay and Argentina signed it very quickly: the former in 2018 and the latter in 2019.14 At the time, both countries were undergoing the adequacy revision process that is enshrined in Article 97 of the GDPR, and the signature of the modernized treaty might have been conceived as a strategic move to preserve adequacy and align with the new regulation. This revision process recently came to a formal end, on 25 May 2020, and soon enough we will learn whether the signature of Convention 108+ and the approval of the old Convention 108 have had any weight in the decisions of the European Commission.

Both Uruguay and Argentina have also made regulatory efforts to modernize their general data protection frameworks in order to match the new international standards set by the GDPR. In 2019, through Law No. 19.670, Uruguay introduced the following modifications to its general data protection law: (i) it establishes an obligation to designate a DPO whenever the main business of the controller involves the processing of data on a large scale, or the processing of sensitive data; (ii) the scope of application of the data protection law has been extended to controllers who are outside of Uruguay whenever their processing activities are related to the offering of goods or services to individuals in Uruguay; (iii) the notification of data breaches to the data subject as well as to the data protection authority is now mandatory; (iv) the accountability principle has been expressly acknowledged in the law.15

In Argentina, perhaps the most important legislative change was the creation of its new national data protection authority, the Access to Public Information Agency (“AAIP”), which enjoys a substantially higher degree of independence than its predecessor. Other important efforts to modernize its legal framework include (i) the Draft Bill sent to Congress by Argentina's Executive Branch in September 2018, which contained a comprehensive reform to the current general data protection law, and (ii) AAIP's Resolution No. 4/2019, which sets forth a definition of biometric data and also recognizes the possibility for data subjects to request information on the logic applied in decisions based on automated data processing.16 It is worth noting that, despite the fact that in March 2020 the Draft Bill lost its status as such, it proposed a series of changes that were certainly influenced by the GDPR, among other modern data protection legislation around the world.

It should also be noted that Brazil recently passed a new data protection law (the “LGPD”) that took inspiration from the GDPR, and joined the Consultative Committee of Convention 108 as an observer in October 2018.17 Brazil's LGPD, in force as of February 2020, reproduces most of the GDPR's rules and structure very closely: the extraterritorial scope of application of the law, the requirement of a legal basis to process personal data and to allow international transfers, the penalties system, the obligation to designate a data protection officer, and the duty to notify data breaches, among others.18 This may anticipate Brazil's wish both to accede to the treaty and to be declared adequate by the European Commission in the near future.

In August 2019, Colombia also initiated “discussions about the possibilities of joining the Committee of Convention 108 as observers, as a first step into Convention 108+”.19 Additionally, in 2018, during a recent meeting of data protection authorities belonging to the Organisation of American States, the President of Costa Rica “stated that [the country] had a strong commitment with the [data protection] issue and announced his willingness to have Costa Rica adopt Convention 108 of the Council of Europe in the near future”.20

In 2018, Chile's Constitution was amended in order to include data protection as a fundamental right, whose exercise will be regulated by law.21 Another development that clearly shows the direction Chile is taking in data protection matters is the fact that in July 2019, its Ministers of Finance and of Justice and Human Rights issued a joint press statement with Commissioner Věra Jourová on data protection cooperation, where they agreed to “work towards global solutions to digital challenges and further facilitate mutual data flows, including the possibility of exploring the use of all available instruments, such as adequacy”, and where Commissioner Jourová welcomed the decision of Chile to join Convention 108 as an observer.22

It is important to highlight that both Europe and Latin America -as whole regions- seem to be engaged in mutual efforts to get closer to each other with respect to data protection. As a matter of fact, the Consultative Committee of Convention 108 is a member of the Ibero-American Data Protection Network,23 an international data protection platform that has brought together many Latin American countries with Spain and Portugal since 2003. This Network has made important contributions to spreading the European view of data protection. In its agenda for the period of 2015–2018, the Network sought explicitly to promote the European data privacy rules in Ibero-American countries, noting “the benefits that such adoption would bring to Spanish companies that desire to transfer an increasing volume of personal data with such countries.”24

Additionally, in June 2017, after the GDPR had been issued, the Network published the Standards for Data Protection for the Ibero-American States, aligning itself with the new European rules and explicitly taking inspiration not only from the GDPR, but also from Convention 108.25 Since participation in multilateral or regional systems related to the protection of personal data is a relevant factor in adequacy decisions, the Standards for Data Protection for the Ibero-American States could be regarded as an additional move by the Latin American region to move closer to the GDPR, but also as a move by the European Union -represented in the Network by the Consultative Committee of Convention 108, Spain and Portugal- to globalize its own data protection standards.

Conclusion

This brief description of the links between Convention 108 and the GDPR and their impact on the Latin American scene allows us to affirm that both instruments have had a great deal of influence in the region and that this influence might increase in the near future, since adequacy standards have changed with the emergence of the GDPR and Convention 108+ and these two regulations are closely related to each other.


1

I thank Mauro Meloni and Juan Agustin Otero who assisted me in writing this article. They did part of the research and drafted some parts of the article under my supervision. Meloni and Otero obtained their Law degree from Universidad de San Andrés School of Law, Argentina. They are currently Legal Advisors at the Access to Public Information Agency, the Data Protection Authority in Argentina.

2

Eduardo Bertoni (PhD, Buenos Aires University; MIPP, George Washington University) became the first Director of the Access to Public Information Agency (AAIP), a Secretary-level position, after passing an open and transparent selection process that included a public hearing. Previously, he was the Director of the former National Data Protection Authority. He is the founder and was the first director of the Center for Studies on Freedom of Expression and Access to Information (CELE) at Palermo University School of Law, Argentina. He was the Executive Director of the Due Process of Law Foundation (DPLF) in Washington, D.C. (2005–2009) and the Special Rapporteur for Freedom of Expression of the Inter-American Commission of Human Rights at the Organization of American States (2002–2005). Bertoni currently teaches at Buenos Aires University School of Law and New York University School of Law (Global Clinical Professor). He has published several opinion pieces on democracy, human rights, freedom of expression, and data protection in leading newspapers in the Americas and has written several publications on judicial reform, international criminal law, and human rights & the Internet.

3

See for example Law N° 25.326 (Argentina); Law N° 18.331 (Uruguay); Law N° 13.709/18 (Brazil); Federal Data Protection Law 05-07-2010 (Mexico); Law N° 1581/2012 (Colombia); Law N° 29.733 (Peru).

4

See the chart of signatures and ratifications of Convention 108 in: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=O1ZGs4lK.

5

See the European Commission list of adequate countries regarding data protection in: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en#documents.

6

See Article 97 of the GDPR.

7

See the European Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, available in: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32019D0419&from=EN.

8

See Article 25(6) of the Directive and Article 45 of the GDPR.

9

This is a simplified paraphrase of the complete text of Article 45(2) of the GDPR.

10

See the list of amendments in: https://www.coe.int/es/web/data-protection/legal-instruments.

11

See the Explanatory Report in: https://rm.coe.int/16808ac91a.

12

Graham Greenleaf, ‘Modernised’ Data Protection Convention 108 and the GDPR (2018) 154 Privacy Laws & Business International Report 22-3 (2018). UNSW Law Research Paper No. 19-3

13

See the chart of signatures and ratifications of Convention 108 in: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/108/signatures?p_auth=O1ZGs4lK. Also see opinions by the European Council on the requests for accession by Argentina, Uruguay and Mexico in: https://www.coe.int/es/web/data-protection/convention108/parties.

14

See the chart of signatures and ratifications of Convention 108+ in: https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/223/signatures

15

See the modifications to Uruguay's data protection law introduced by Law No. 19.670 in: https://www.gub.uy/unidad-reguladora-control-datos-personales/comunicacion/publicaciones/cambios-recientes-legislacion-sobre-proteccion-de-datos-personales-en

16

See the complete text of Resolution AAIP No. 4/2019 in: https://www.boletinoficial.gob.ar/detalleAviso/primera/200224/20190116

17

See list of observers of Convention 108 in: https://rm.coe.int/list-of-observers-nov-2018-en/1680938538. Also see the Council of Europe news about Brazil joining the Consultative Committee as an observer: https://www.coe.int/en/web/data-protection/-/brazil-and-the-data-protection-commission-of-gabon-to-join-the-committee-of-convention-108-as-observers-.

18

See comparison of the GDPR and the LGPD in: https://iapp.org/news/a/gdpr-matchup-brazils-general-data-protection-law/

19

See the Council of Europe news about the discussions held with Colombia's authorities: https://www.coe.int/en/web/data-protection/-/colombia-a-first-step-towards-convention-108-

20

See the Informative Newsletter of the Organisation of American States regarding the Annual Meeting of Data Protection Authorities in 2018: https://www.oas.org/es/sla/ddi/boletines_informativos_DDI_proteccion_datos_personales_Encuentro_Anual_Costa_Rica_2018_Diciembre-2018.html.

21

See more about Chile's Constitutional amendment in: https://iapp.org/news/a/personal-data-protection-is-a-constitutional-right-in-chile/

22

See Joint press statement by Commissioner Věra Jourová and Felipe Larraín Bascuñán, Minister of Finance, and Hernán Larraín Fernández, Minister of Justice and Human Rights of Chile on cooperation on data protection: https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_19_4029

23

See list of members of the Ibero-American Data Protection Network in: https://www.redipd.org/es/la-red/entidades-acreditadas

24

Anu Bradford, The Brussels Effect, 153 Nw. U.L. Rev. 1 (2012).

25

See the Standards for Data Protection for the Ibero-American States in: https://www.redipd.org/sites/default/files/inline-files/Estandares_Esp_Con_logo_RIPD.pdf