Remarks at the Venice Privacy Symposium 2023: Opening panel on Convention 108+ Opportunity and Paradigm Shift

April 17, 2023
Venice, Italy

Address by Philippe Dufresne
Privacy Commissioner of Canada

(Check against delivery)

---

It is a pleasure to be here today with all of you in beautiful Venice.

This is my first time at the Privacy Symposium, and I am honoured to be sitting alongside such distinguished co-panellists, including Dr. Nataša Pirc Musar, President of Slovenia; Professor Pasquale Stanzione, President of Garante; Mr. Bjørn Berge, Deputy Secretary-General of the Council of Europe; Beatriz de Anchorena, Director of the Agency of Access to Public Information in Argentina; Tiziana Lippiello from the Università Ca' Foscari Venezia; and Dr. Sébastien Ziegler, President of the International Internet of Things Forum and European Centre for Certification and Privacy.

I have been highly anticipating this Symposium, and am thrilled to have the opportunity to connect and exchange with exceptional privacy leaders from around the globe on these important issues.

As Canada’s federal Privacy Commissioner, my Office has the privilege of chairing the Global Privacy Assembly Working Group on Data Protection and Other Rights and Freedoms.

My remarks today on the Convention stem from the discussions and work of this group, which includes over two dozen data protection authorities from all over the world.

The crux of our work centres on the recognition that privacy and data protection are fundamental rights, and that respecting privacy rights is essential to our dignity and to the enjoyment of other fundamental freedoms.

I am pleased to be here today to contribute to the discussion about the potential and benefits of international instruments like Convention 108+.

I note that I am speaking to you as Canada’s data protection authority but that I do not represent the Canadian government which has the exclusive jurisdiction to negotiate and enter into international treaties.

From my perspective, and as a member of the Global Privacy Assembly, the ongoing interest that international data protection authorities have in the potential of the modernized Convention is three-fold.

First, there is the educational potential of the Convention, as both a reference point and regulatory benchmark. The expertise and support that has coalesced around the Convention, at the Council of Europe, via the Consultative Committee (or T-PD), through its meetings, plenaries, guidance, and papers is both deep and expansive.

For example, the T-PD work on inter-jurisdictional data protection represents a decades-long, continuous body of knowledge and research, which is no small accomplishment. Since 1981, the Convention and cross border transfer of personal data have been at the core of their deliberations, and the global data protection community has benefited greatly from these proceedings.

Secondly, there is the normative potential of a modernized Convention, as a landmark and waypoint. There are hundreds of national and territorial privacy laws in force around the world, and they are constantly subject to regulatory overhauls and legal reforms. Yet, at the same time, given data flows, there is a desire to harmonize approaches to data oversight and safeguards, and to strengthen regulatory alignment for privacy rights and compliance coherence.

What the Convention offers is shared language, to bridge these differences. It can be adopted in countries with all manner of market orientations, populations, legal histories, and cultural norms. Indeed, since 2018, states well beyond the European Union (EU) have followed with interest and even become signatories themselves.

There has been, and continues to be, a lot of discussion and debate about whether it is better to take a rights-based approach or a non-rights-based approach to privacy. Different countries take different approaches, with privacy being treated as an individual right, a consumer right, or a constitutional right depending on where you live.

In my view, you can treat and recognize privacy and data protection as fundamental rights regardless of how you approach them. We do not protect privacy simply because it is an individual right, or a consumer right, or a constitutional right – we protect privacy because it underpins so many other fundamental rights, like democratic rights (for example, Cambridge Analytica), and the right to be free from discrimination (for example, Clearview AI).

What matters is that privacy and data protection are treated as a priority and recognized as being fundamental, and the universality of that understanding is very clear when you look at the number of international legal instruments that explicitly codify privacy or data protection as a fundamental right and the number of signatories to each (for example, the Universal Declaration on Human Rights, the European Convention on Human Rights, and the International Covenant on Civil and Political Rights).

Thirdly, there is the advocacy potential, which we see in the text itself. For example, the express linkages made in the preamble and first articles highlighting the connection between data protection, the right to privacy, and other fundamental rights.

Even today, in many jurisdictions and regulatory environments, awareness of these linkages can be uneven – particularly with respect to how the right to privacy underpins other important rights and freedoms, as well as how fundamental these rights are, as recognized in international law, multilateral instruments, and in many domestic jurisdictions by privacy laws or the courts.

From the point of view of both the Global Privacy Assembly’s Working Group on Data Protection and Other Rights and Freedoms, but also as Canada’s Privacy Commissioner, I view those interdependencies as vital. Personal information is a core part of who we are as individuals, and respecting privacy rights is essential to our dignity and to the enjoyment of other fundamental freedoms.

The Convention presents a clear, concrete and fully materialized framework for the recognition and redress of global data protection issues. To me, that is a historic success, a very significant promise, and a crucial premise upon which we can and should build as well.

Thank you.