European authorities have called for member states to strengthen the protection of personal data in the context of digital surveillance carried by intelligence services.

In a joint statement issued today, the chair of the Council of Europe’s data protection committee, Alessandra Pierucci, and its data protection commissioner, Jean-Philippe Walter, sought to promote a new international legal instrument providing more effective safeguards.

"Countries must agree at international level on the extent to which the surveillance performed by intelligence services can be authorised, under which conditions and according to which safeguards, including independent and effective oversight," the statement stressed.

It suggested that the development of a new legal standard could be based on the numerous criteria already developed by the courts, including the European Court of Human Rights and the US Supreme Court.

Referring to the European Court of Justice’s recent judgment on Schrems II, concluding that the EU-USA Privacy Shield agreement does not provide an adequate level of protection to personal data transferred across the Atlantic, because of insufficient human rights safeguards arising in the context of the access to data by US government surveillance programmes, the statement warned of its implications beyond EU-US data transfers - adding that it provides an opportunity to strengthen the universal data protection framework.

The statement noted the role that the Council of Europe’s modernised data protection treaty - not yet in force - could play in providing a robust legally binding agreement for the protection of privacy and personal data globally.

While the convention already provides an international legal framework for the protection of personal data - and specifically addresses the need for an independent and effective review and supervision of restrictions to data protection justified by national security or defence - it does not fully and explicitly address some of the challenges posed at international level by the mass surveillance capacities, which the Council of Europe said requires the drafting of a new specific international legal standard.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, also known as Convention 108, is the only legally binding instrument on the protection of privacy and data protection open to any country in the world. Adopted in 1981, the treaty was updated in 2018 by an amending protocol ensuring that its data protection principles are still adapted to today’s tools and practices.

So far, 55 countries have ratified Convention 108 and many others have used it as a model for new data protection legislation throughout the world.

Share Story: