Personal Data Protection: ratification of the Protocol of Amendment (CETS No. 223) to Convention 108 of the Council of Europe (Bill No. 1053 voted)

Bill no. 1053 approving ratification of the Protocol of Amendment to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108+’) was received by the National Council on 20 December 2021 and voted on 28 December 2024, at the same time as Bill no. 1054 reforming the personal data protection system (replacing Law 1.165 of 23 December 1993 on the protection of personal data as amended).

The Amending Protocol modernises and strengthens the effectiveness of Convention 108 of 28 January 1981 and its Additional Protocol concerning supervisory authorities and transborder data flows.

The reform of personal data protection legislation transposes the new requirements of the Council of Europe's Convention 108+ (whose ratification by Parliament is the subject of Bill 1053 presented here). The Amending Protocol modernised and strengthened the effectiveness of Convention 108 of 28 January 1981 and its Additional Protocol concerning supervisory authorities and transborder data flows.

In addition, the new Monegasque legislation is aligned with the standards of the European Union's ‘data protection package’ consisting of Regulation (EU) 2016/679 ‘RGPD’ / ‘GDPR’, and Directive (EU) 2016/680 ‘Police Justice’ (in order to obtain an adequacy decision from the European Commission and thus facilitate the transfer of personal data from the European Union to Monaco).

* * *

MORE ABOUT CONVENTION 108+

♦ Signature and ratification by Monaco, entry into force of Convention 108+

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 28 January 1981 (ETS No. 108, known as ‘Convention 108’ ) and its Additional Protocol regarding supervisory authorities and transborder data flows (ETS No. 181) have been in force in Monaco since 1 April 2009 (Sovereign Orders no. 2.118 and no. 2.119 of 23 March 2009).

Monaco was one of the first signatories of the Protocol of Amendment (CETS no. 223) to Convention 108 in Strasbourg on 10 October 2018, the date on which it was opened for signature by the States Parties (members and non-members of the Council of Europe). 19 other member States of the Council of Europe (Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Netherlands, Norway, Portugal, Russia, Spain, Sweden, United Kingdom) and Uruguay, a non-member State of the Council of Europe, signed the Protocol of Amendment on the same day as Monaco.

The Monegasque Constitution (C) requires that ratification of the Protocol amending Convention 108 must first be approved by the National Council:

• Article 14, 2nd paragraph, number 2° - international treaties and agreements whose ratification entails the modification of existing legislative provisions;
• and 4° - international treaties and agreements whose implementation has the effect of creating a budgetary charge relating to expenditure whose nature or purpose is not provided for in the budget law). Under Convention 108+ (new Article 11, last paragraph, introduced by Article 14 of the Amending Protocol), processing activities for national security and defence purposes (Articles 9 to 19 of Law 1.430 of 13 July 2016 on various measures relating to the preservation of national security) must be controlled and supervised by an independent Commission, which it is planned will be the subject of a specific line within the State budget to track its expenditure).

By 3 December 2024, the Protocol of Amendment had been ratified by 31 States. 22 States (including Monaco) must ratify the Protocol of Amendment for it to enter into force (Article 37).

♦ Convention 108+ and the European Union's General Data Protection Regulation (GDPR)

The Ad Hoc Committee on Data Protection (CAHDATA) responsible for finalising the modernisation, paid particular attention to ensuring that the amended Convention 108 was consistent with the European Union's General Data Protection Regulation (GDPR) which entered into force on 25 May 2018 and which ‘amplifies the principles of the Convention’ (Explanatory Report on Convention 108 as amended by the CETS Protocol No. 223, 10 October 2018).

Conversely, when assessing whether a non-EU country offers an adequate level of data protection substantially equivalent to that of the EU (if so, transfers of personal data to that non-EU country do not require authorisation), the GDPR takes account of its accession to the Convention (Recital 105 of the GDPR).

♦ New features introduced by the Protocol of Amendment

Preamble:

• Mention of human dignity (people must not be treated as mere objects) and the right to personal autonomy (to control one's own data and its processing).
• Role of the right to protection of personal data in society and reconciliation with other human rights and fundamental freedoms, including freedom of expression.
• The principle of the right of access to official documents.
• Intensification of international cooperation between supervisory authorities.

Object and purpose:

• The processing of personal data may positively enable the exercise of other fundamental rights and freedoms.

Definitions and scope:

• Removal of the concept of ‘file’.
• The ‘controller of the file’ becomes the ‘data controller’.
• Insertion of ‘processor’ and ‘recipient’.
• The processing of data by a natural person in the exercise of personal or domestic activities no longer falls within the scope of the Convention.
• Removal of the possibility of declaring that the Convention does not apply to certain types of processing listed by the State party.

Basic principles:

• Ensuring the effective application of the provisions of the Convention (domestic measures must have entered into force at the time of ratification of the Convention, evaluation by the Convention Committee of their effectiveness).
• Legitimacy of processing (principle of proportionality at each stage of processing, principle of data limitation, processing based on the ‘free, specific, informed and unequivocal’ consent of the data subject or other legitimate grounds provided for by law).
  
• Expansion of the list of sensitive data (genetic and biometric data, data processed for the information it reveals about trade union membership or ethnic origin).
  
• Respect for privacy by design.
• Obligation for data controllers to notify data security breaches, limited to cases where these are likely to seriously affect the fundamental rights and freedoms of the data subjects (‘without undue delay, at the very least to the supervisory authority’).
• Guaranteed transparency of processing by the controller, who is required to provide a range of information unless the processing is expressly provided for by law or unless this is impossible or would involve a disproportionate effort (identity and residence or usual place of business, legal basis and purpose of processing, categories of data processed, recipients, means of exercising rights).
• Granting of new rights to data subjects (extension of the information to be provided when exercising the right of access, right to obtain knowledge of the reasoning underlying the processing - profiling - and not to be subject to a decision based solely on automated processing, right to object to the processing at any time).
• Addition of exceptions and restrictions to rights (‘essential public interest objectives’, processing for national security and defence purposes subject to independent and effective control and supervision).
  

Transborder flows:

• Exception for data flows between Parties to the Convention (real and serious risk that the transfer will lead to circumvention of the provisions of the Convention).
• Clarification of the guarantee of an appropriate level of data protection for transfers to non-Party jurisdictions (‘rules of law’, ‘agreed ad hoc or standardised safeguards, established by legally binding and enforceable instruments’ and properly implemented).

Supervisory authorities:

• Raising public awareness, providing information and informing all stakeholders.
• Decisions on breaches of the provisions of the Convention and power to impose administrative penalties.

Cooperation and mutual assistance:

• Forms (exchange of information, coordination of investigations and interventions, joint actions)
• The supervisory authorities must form a network.

Convention Committee

• Power of assessment before ratification (opinion on the level of protection).
• Supervisory power (effectiveness of measures taken, legal standards governing data transfers).

* * *