Skip to main content

Italy signs the Protocol amending the Convention 108

The Convention 108, concluded in Strasbourg on 28 January 1981 within the framework of the Council of Europe, represents the first legal instrument adopted at European level on the protection of personal data, and is also the only international treaty on this matter to be legally binding.
The adoption of the Convention was the result of the awareness, by the Council of Europe Member States, that art. 8 of the ECHR (“right to respect for private and family life”) could not, on its own, provide adequate protection for individual rights in the context of the processing of personal data. In this perspective, Convention 108 represents one of the main stages in the emancipation process of personal data protection from the right to respect for private life; this process has been concluded with the adoption of EU Regulation 2016/679 (GDPR) and, before that, with the adoption of the Charter of Fundamental Rights of the European Union in 2001, which treats privacy and data protection as two separate rights.
In recent years, the Convention has undergone two evolutionary processes. On the one hand, a process of internationalization, opening up to the signing and ratification of states which are not Council of Europe members; in this sense, the Convention contributes to the convergence of national legislations towards the European model (the so-called “Brussels Effect”), given that the ratification of the Convention is an element in favour of the finding of adequacy by the European Commission, pursuant to art. 45 GDPR.
On the other hand, the Convention has undertaken a process of modernization by means of the adoption of a protocol amending to the original text (which has become largely obsolete). This amendment brings the Convention closer to the obligations established by the GDPR, thus further strengthening the process of convergence of national laws towards the European model.
On 5 March Italy, already a signatory to the original text of the Convention, has signed the protocol amending the Convention.
Find out more in the new article by ICT Legal Consulting and ICT Cyber Consulting.

Read this article by ICT Legal Consulting, an international law firm with offices in Milan, Bologna, Rome and Amsterdam and presence in nineteen other countries specialized in the fields of ICT, Privacy, Data Protection/Security and Intellectual Property Law.


On March 2019 Italy signed the Protocol amending the Convention for the Protection of Individuals with regard to Automated Processing of Personal Data.

As reported by the Italian Data Protection Authority (Garante per la protezione dei dati personali) “the adoption of the Protocol marks the conclusion of the modernization process of Convention 108, currently the only binding international instrument on data protection”.


Convention 108 (hereinafter “the Convention”), signed in Strasbourg on 28th January 1981, is the first and the most important conventional instrument on data protection until today. The Guidelines on data protection of OECD (updated in 2013, here the link of the original text and the updated one) has anticipated the Convention 108 and has been an important guideline, but without being legally binding .

Convention 108 has been ratified by 54 Countries all over the world (here you can find the complete list of countries) and has been revised once in order to allow the European Union (hereinafter “EU”) to join. The EU ratified the Convention in 1999.

Italy signed Convention 108 on 2 of February in 1983 and it came into force on July 1997 (here the source Council of Europe website).

It is worth noting that Convention 108 is open both to European States and non-member states of the Council of Europe, thus enabling the creation of a common legal framework on data protection. Countries such as Mexico, Uruguay and Tunisia have signed the Convention 108.

On January 2011, the Advisory Committee, established pursuant to Art. 18 of the Convention, started the revision of the Convention, considering it a necessity to better face the challenges deriving from the use of the new information and communication technologies.  The final version of the amending Protocol was approved on 18th May 2018 by the Committee of Ministers of the Council of Europe. The modernised version of the Convention 108 has been called “Convention 108+”.

At the time of the publication of this article, the amending Protocol has been signed by 26 States.

Main aspects

Convention 108+ maintains the original spirit and the objective pursued by the original Convention 108 and reinforces its principles in a more affirmative tone. The reinforcement is evident from Article 1, which now defines the protection of individuals’ personal data as an integral part of fundamental human rights by mentioning that “the purpose of this Convention is to protect every individual, whatever his or her nationality or residence, with regard to the processing of their personal data, thereby contributing to respect for his or her human rights and fundamental freedoms, and in particular the right to privacy”.

The main innovations of the Convention 108+ concern, among others, the need for specific legal basis of the processing provided for by law, starting from the consent of the data subject (Art. 5. 2), the extension of the special categories of personal data to genetic data, biometric data and personal data that may reveal information relating to ethnic origin, or trade-union membership, (Art. 6.1), the implementation of the obligation of data breach notifications (Art. 7. 2), the introduction of transparency on the information provided to data subjects (Art. 8), the creation of further data subject rights (Art. 9), the implementation of the evaluation (Art. 10.2) comparable to Data Protection Impact Assessment, as per Art. 35 of the GDPR, and the transfer of personal data to countries that are non-signatory parties of Convention 108+.

It is important to underline that the common purpose and the fact that all the principles of the Convention 108+ are reproduced, extended and detailed by the Regulation EU 2016/ 679 (“GDPR”) proves that there is a common direction shared by a lot of EU and non-EU countries, towards a more consistent and uniform legislation on data protection.

For example, with reference to the transfer of personal data to non-signatory parties of Convention 108+, according to Art. 14, the transfer is considered legal only if the recipient country guarantees an adequate level  of protection to the standards established by Convention 108+.  It is difficult not to notice that the GDPR establishes a similar principle in Art. 45, providing adequate decisions in order to evaluate if the protection level offered by a country is adequate (as already provided by the Art. 25, c.6 of the Directive 95/46/CE).

Furthermore, Recital 105 of the GDPR indicates the joining to the Convention 108 as a fundamental element of the evaluation of third countries with reference to adequacy decisions under Art. 45 of the GDPR, which allow the transfer to third countries that receive such decision (the last country that received this kind of decision is Japan, even if it is not a signatory party of the Convention 108).

Practical implications

On the one hand, given the nature of Convention 108+, it does not have immediate practical consequences on the daily operation of companies. Furthermore, the provisions of Convention 108+ are mainly contained in the GDPR, and comply with the accountability principle as well as with other principles contained therein may be deemed also as being in compliance with the Convention 108+.

On the other hand, considering the medium and long-term effects of Convention 108+, it would be advantageous if this modernised version of Convention 108 received a similarly a broad consensus as the previous version. It is reasonable to assume that the greater the number of States signing and ratifying Convention 108+, also including countries that are not included in the territorial scope of the GDPR, the nearer the objective of a standardised protection of personal data of individuals as a fundamental right will be.

Moreover, from a practical point of view, as seen above the accession to Convention 108+ facilitates the obtaining of an adequacy decision by non-EEA countries, thus allowing the transfer of personal data to that country and fostering their trade. If the data protection legislation was uniform in many countries, it is without a doubt that all the data-driven economy but also the entire world economy would benefit greatly.

Continue reading here.

In collaboration with

ICT Legal Consulting is an international law firm with offices in Milan, Bologna, Rome and Amsterdam and presence in nineteen other countries specialized in the fields of ICT, Privacy, Data Protection/Security and Intellectual Property Law.

ICT Legal Consulting

Author ICT Legal Consulting

ICT Legal Consulting is an international law firm founded in 2011 with offices in Milan, Bologna, Rome and Amsterdam, and presence in nineteen other countries (Australia, Austria, Belgium, Brazil, China, France, Germany, Greece, Hungary, Mexico, Poland, Portugal, Romania, Russia, Slovakia, Spain, Turkey, United Kingdom and USA). The firm was established by Paolo Balboni and Luca Bolognini, who have successfully assembled a network of trusted, highly-skilled lawyers specialized in the fields of Information and Communication Technology, Privacy, Data Protection/Security and Intellectual Property Law.

More posts by ICT Legal Consulting