Convention 108: the first big step to protect our data

Today we’re talking about laws and treaties, but don’t fall asleep: what I’m about to tell you is quite interesting. It turns out that, long before the GDPR existed and before we were bombarded with cookie notices, there were already people in Europe worried about what was happening with our personal data.

And that’s how the Convention 108 of the Council of Europe was born, signed in 1981. Yes, in the eighties, when we were still using floppy disks and many of us had no idea what the Internet was. Even so, European governments saw that digitalization and computers could endanger something as basic as privacy.

What did this convention say?

Basically, it established a series of minimum rules for all the countries that signed it. Some of them sound very modern:

  • Personal data had to be collected fairly and lawfully.

  • It could only be used for a clear and legitimate purpose.

  • No more information than necessary could be stored.

  • It had to be kept accurate and up to date.

  • And of course, security was essential: no leaving data lying around without protection.

In addition, the convention already referred to “sensitive” data: health, sexual life, political opinions, religious beliefs… All of this required even more care.

Rights for individuals

The text also included something fundamental: that citizens could access their own data, correct it if it was wrong, or even delete it in some cases. What we now call ARCO rights (access, rectification, cancellation and objection) was already outlined there.

For 1981, this was quite groundbreaking. Let’s remember that many countries still didn’t have specific data protection laws, and this treaty served as a model.

And what about data that travelled?

Another very advanced idea: the convention regulated the cross-border flow of data. Because of course, if your data crossed the border, what happened then? The agreement said it could only be transferred to countries offering an adequate level of protection.

If this sounds like the GDPR and the current discussions about sending data to the U.S., it’s because it all started here.

Why is it still important?

Convention 108 was the first international treaty in this field. Over time, it was modernized (now there is what’s known as Convention 108+), but it remains the foundation of how we understand privacy in Europe and beyond.

In short: thanks to those in the eighties who thought our data needed protection, today we have a much stronger framework to defend our digital privacy.

Conclusion

Convention 108 may sound like old history, but it’s actually the origin of everything. It’s like the grandfather of the GDPR. Without it, we would probably be much more exposed to companies and governments that want to know everything about us.

So yes, sometimes rules anticipate problems before they explode. And in this case, it was a textbook success.