CYIL vol. 9 (2018)

EMIL RUFFER CYIL 9 ȍ2018Ȏ the function of an independent supervisory authority within the meaning of Art. 15 of the Convention; at the same time, the Office is also the competent authority in terms of applicable EU legislation on data protection. Relationship to the EU framework The Convention is a legal instrument designed not just for data protection within the jurisdictions by the member States of the Council of Europe, but far beyond. Indeed, it has universal aspirations and from its conception, it has been opened for accession by non- member States, upon invitation from the Committee of Ministers. 31 The international appeal was partly successful and so far the Convention has 51 State Parties – apart from the 47 member States of the Council of Europe also Mauritius, Senegal, Tunisia and Uruguay, with Cabo Verde and Mexico becoming Parties very soon following the deposit of their instruments of ratification. 32 However, any aspiration for setting universal standards would be doomed to fail without taking into account the well-advanced EU framework for the protection of personal data. The current EU legislation consisting of a general regulation (GDPR) 33 and specific directive (for the area of law enforcement) 34 was negotiated and adopted prior to the finalisation of the Protocol, which enabled the Council of Europe to ensure the compatibility and consistency of the two regimes to highest possible extent. 35 The EU data protection legislation follows and amplifies the principles of the revised Convention and on this basis provides for a more detailed framework consisting of the legislation to be applied in a uniform manner in EU 31 Art. 23 of the Convention (in its original wording). The Protocol amends the procedure for invitation by the Committee of Ministers, by extending it also to international organisations and introducing an obligatory opinion by the Convention Committee. (New) Art. 27 of the Convention now stipulates as follows: “ After the entry into force of this Convention, the Committee of Ministers of the Council of Europe may, after consulting the Parties to this Convention and obtaining their unanimous agreement, and in light of the opinion prepared by the Convention Committee in accordance with Article 23.e, invite any State not a member of the Council of Europe or an international organisation to accede to this Convention by a decision taken by the majority provided for in Article 20.d of the Statute of the Council of Europe and by the unanimous vote of the representatives of the Contracting States entitled to sit on the Committee of Ministers. ” 32 Cabo Verde deposited its instrument of ratification on 19 June 2018, Mexico did so on 28 June 2018. For both states the Convention will enter into force on 1 October 2018 in accordance with its (original) Art. 23: “ In respect of any acceding State, the Convention shall enter into force on the first day of the month following the expiration of a period of three months after the date of deposit of the instrument of accession with the Secretary General of the Council of Europe. ” 33 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance), OJ L 119, 4.5.2016, p. 1. The GDPR entered into effect (became applicable) in accordance with its Art. 99(2) on 25 May 2018. 34 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119, 4. 5. 2016, p. 89. The transposition deadline for the Directive (duty for Member States to adopt domestic laws, regulations and administrative provisions necessary to comply with it) expired under its Art. 63(1) on 6 May 2018, with possible derogations with regard to automated processing systems set up before 6 May 2016. 35 A useful overview of the current EU legislative framework is to be found in Handbook on European data protection law (2018 edition) , EU Agency for Fundamental rights and Council of Europe, 2018, pp. 27-36. IV.

150