CYIL vol. 9 (2018)

CYIL 9 ȍ2018Ȏ PROTOCOL MODERNISING THE CONVENTION FOR THE PROTECTION OF INDIVIDUALS… state security or defence) are at stake. The Convention also regulates and restricts transborder flows of personal data to states where domestic legislation does not ensure adequate level of protection. The subsequent Additional Protocol (2001) 8 strengthened the protection of personal data and privacy by amending the original Convention in two areas: (i) it required setting up of national supervisory authorities responsible for ensuring compliance with laws or regulations adopted to comply with the Convention; (ii) as for transborder data flows to non-Party states, it required the recipient State or international organisation to guarantee an adequate level of protection. Despite the fact that the Convention was negotiated almost forty years ago and the landscape of data protection has been subject to a complex digital revolution since then, curiously enough the 2001 Additional Protocol has remained the only amendment that entered into force so far. 9 However, this is about to be changed, hopefully, by the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [CETS No. 223], adopted at the 128 th Session of the Committee of Ministers at Elsinore (Denmark) on 18 May 2018 (hereinafter as the “Protocol”). Hence, the modest aim of this article is to describe, rather than analyse, the process that led to the most ambitious modernisation of the Convention so far. We shall look first at the difficult negotiations of the Protocol, and then we shall introduce the main elements of the amendments contained in the Protocol and focus particularly on its relationship to the EU legal framework. Finally, we shall try to elaborate on some modalities of its signature, ratification / accession and entry into force. The modernised Convention framework would surely deserve a more detailed analytical study at a later stage, however, this article is limited more to “why and how we got there?” rather than “have we found there what we’ve been looking for?” Negotiations of the Protocol [CETS No. 223] The modernisation process of the Convention, which resulted in the adoption of the Protocol, was undertaken in several stages: (i) preparations of draft proposals by the Consultative Committee; (ii) discussions of the proposals in the ad hoc Committee on data protection (CAHDATA); (iii) discussions in the Rapporteur Group on Legal Co-operation (GR-J); and (iv) adoption by the Committee of Ministers. Further, at the stage when any draft convention / protocol is finalised, but before it is adopted by the Committee of Ministers, the text is regularly submitted to the Parliamentary Assembly of the Council of Europe (hereinafter as the “PACE”) for a non-binding opinion, 10 which might be nevertheless taken 8 Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows (Strasbourg, 8 November 2011, ETS No. 181). 9 There were amendments approved by the Committee of Ministers of the Council of Europe on 15 June 1999 in Strasbourg, enabling the then European Communities to become a party to the Convention, which, however, never entered into force. According to Art. 21(5) of the Convention, such amendments would have required acceptance by all Parties to the Convention, which did not happen at that time, with only 33 member States of the Council of Europe having expressed their acceptance after the amendments were officially forwarded to all Parties. 10 Procedure under Art. 23.a of the Statute of the Council of Europe (London, 5 May 1949, ETS No. 1, hereinafter as the “Statute”). II.

145