Convention 108+: the protection of personal data as the cornerstone of the digital age
Digital transformation has radically changed the way people interact, consume services, and exercise their rights.
Making a bank transfer, paying with digital means, hiring a service or buying in an online store, generates personal data that is collected, analyzed and shared on a large scale, through multiple actors and technological platforms.
In this context, Data protection has ceased to be a technical issue or one exclusive to the legal field, and has become a pillar of digital trust..
But without clear rules, the risks of abuse, leaks, algorithmic discrimination, or undue surveillance increase exponentially.
It is in this scenario where the Convention 108+ This takes on special relevance. An international treaty that proposes a structural response to the challenges of the digital age, establishing common principles that seek Protecting people without hindering technological innovation.
Understanding its scope is key to anticipating the direction that data regulation will take in the coming years.
But before beginning the analysis of Convention 108+, it is important to understand the current framework for personal data protection. This is a scenario in which generative artificial intelligence directly impacts data governance.
Data governance & AI: a contemporary challenge
The AI integration It can be complex and generate internal resistance, in addition to requiring high-quality and well-structured data.
Facing this challenge for effective data management And by creating a data-driven culture, it is possible to improve the data infrastructure and form interdisciplinary teams to develop reliable models.
“The biggest challenge is managing the exponential growth of data, ensuring its quality and security, and aligning it with increasingly strict regulations,” says our partner., Pablo Mlynkiewicz, Head of Data Governance at Data Governance Latam, CDO & co-founder of Kosmic Voice and Academic Coordinator of the Data Governance Diploma from the University of CEMA.
The expansion of generative artificial intelligence highlights a new dimension of risks and opportunities in the protection of personal data.
Unlike traditional AI, these systems learn from massive volumes of automated information. This means that the data feeding the models can travel through various stages of processing, sharing, analysis, and reuse, without clear control over its entire lifecycle.
In this context, Governing data is not just about adopting technical security measures, but to establish a strategic framework that articulates transparency, quality, ethics and responsibility in the use of data within and outside of AI systems.
That is why efficient data governance requires:
- Disciplines such as information classification and labeling.
- Internal policies that regulate who can use what data and for what purposes.
- Continuous monitoring mechanisms.
- Integration of privacy and human rights criteria at all stages of the processing chain.
This approach becomes especially relevant when connected with the principles of Convention 108+, which seek to ensure that data protection is not undermined by technological innovations.
In particular, the privacy by design and privacy by default approaches are fundamental to:
- Facing the challenges posed by generative AI.
- Ensure that the initial configuration of any automated platform provides maximum protection for people's information.
Therefore, data governance in the generative era involves establishing clear criteria for informed consent, data minimization, and the ethical use of data in automated processes. It also requires aligning with the principles of transparency, proportionality, and accountability promoted by Convention 108+.
What is Convention 108+?
Convention 108+ is an international treaty on the protection of personal data, promoted by the Council of Europe, which updates and replaces the historic Convention 108 of 1981.
Unlike many national regulations, it is legally binding, which means that States that ratify it assume specific legal obligations.
Its purpose is clear: to guarantee respect for fundamental rights and freedoms, particularly the right to privacy, in the face of automated processing of personal data. This includes both the public and private sectors and covers all stages of the data lifecycle.
The new version of the convention not only modernizes definitions, but also introduces new obligations, expands rights and adapts the regulatory framework to phenomena such as big data, artificial intelligence and international information flows.
Convention 108+ in the international arena
One of the most strategic aspects of Convention 108+ is its global scope. Although it originated within the Council of Europe, The treaty is open to accession by any country in the world., differentiating itself from other regional schemes.
This makes it an international benchmark, especially relevant for countries seeking to integrate into the global digital economy without losing regulatory sovereignty.
Moreover, in a world where data knows no borders, and where having common rules is essential to facilitate trade, cooperation and the protection of rights.
In any case, we must keep in mind that Convention 108+ will fully enter into force when it reaches 38 signatory countries.. At the beginning of 2026, only 4 more members are needed, indicating that its activation is imminent.
This fact reinforces the idea that the agreement is not a future hypothesis, but a near reality.
Argentina and Convention 108+: current status
Argentina occupies a prominent position in this process. In 2022, The National Congress approved Convention 108+, which was promulgated as the Law 27.699, following a legislative process promoted by the Public Information Access Agency.
With this ratification, Argentina not only reaffirmed its membership in the original Convention 108, but also formally committed to its modernized version.
This step has strong symbolic and practical value: This places the country within the group of states that adopt high standards of data protection..
Although the Law 25.326 The protection of personal data remains in force, Convention 108+ introduces a new framework of interpretation that impacts the actions of authorities, public bodies and companies.
Convention 108+: the regulatory framework that is coming
Convention 108+ should be understood as the new international regulatory framework for data protection. Its objective is not to replace national laws, but to establish common minimum principles that all States Parties must respect.
In practice, it works like a roadmap for regulatory modernization. Countries with outdated legislation are encouraged to reform it, while those with more advanced frameworks find international support in the Convention.
For organizations operating in digital environments, this treaty marks a clear trend: data protection will become increasingly demanding, cross-cutting, and strategic.
Adapting early not only Reduces legal risks, but it strengthens the trust of users and business partners.
Direct impact in Argentina: requirements similar to the GDPR
One of the most relevant aspects of Convention 108+ is its strong alignment with the General Data Protection Regulation of the European Union (GDPR). Although it does not exactly replicate it, it shares core principles, approaches, and obligations.
This has a direct impact on Argentina, where organizations should begin to operate under standards similar to those in Europe.
A scenario that is especially relevant for companies that:
- They process large volumes of personal data
- They operate in international markets
- They provide digital or technology-based services
The message is clear: compliance can no longer be limited to the strictly local level.
Historical principles that remain valid
The original Convention 108 established principles that remain the backbone of the data protection system. 108+ reaffirms and strengthens them.
These include legality, specific purpose, data minimization, and time limitation of storage.
These principles seek to prevent abusive practices, such as the mass collection of personal information without a clear purpose or the indefinite retention of personal information.
Its continued relevance demonstrates that, although technology evolves, certain values — such as respect for privacy and proportionality — remain essential.
Key changes in Convention 108+: what makes it different
The real difference of Convention 108+ is not just in updating definitions, but in changing the logic with which organizations must approach the protection of personal data.
The agreement moves beyond a reactive approach, based on meeting minimum requirements or correcting problems once they have occurred, and It proposes a preventive, proactive, and responsibility-based model.
In this new scheme, data protection becomes integrated into the heart of technological and business decisions.
Concepts such as privacy by design, privacy by default, security incident reporting and the principle of accountability reflect this paradigm shift.
It is no longer just about complying with the rule, but about managing personal data in a conscious, transparent and demonstrable manner, in accordance with the risks and complexity of the digital economy.
Let's analyze each of the concepts mentioned:
– Privacy by design and privacy by default
The privacy-by-design approach implies a profound cultural shift: data protection must be integrated from the outset into the design of products, services, and processes. It's not about "fixing" later, but about preventing risks from the very beginning.
Privacy by default complements this idea, establishing that the initial system configuration should be as protective as possible. This reduces unnecessary data exposure and empowers users.
– Security incident notification
Convention 108+ introduces the obligation to report security incidents, recognizing that data breaches are a growing reality.
The key is no longer just to avoid incidents, but to manage them transparently and responsibly.
This requirement strengthens public trust and compels organizations to improve their detection, response, and communication capabilities in the face of security events.
– Accountability: demonstrable responsibility
How does he explain it? Facundo Malaureille Peltzer, co-founder and Privacy Manager of Data Governance Latam, This is a key principle that has been used since the entry into force of General Data Protection Regulation in Europe (GDPR).
It consists of a legal and ethical obligation that falls on organizations that process personal data, and that aims to assume responsibility for the protection of such data and compliance with applicable regulations and standards.
Today, one organization distinguishes itself from another, regardless of an office, a brand, or the rich coffee it may serve in a meeting room, by the ethical treatment of your personal data.
In other words, regardless of whether there is a law that requires the processing of personal data, it requires that each organization have internal policies that protect it.
The principle of accountability redefines regulatory compliance. It is not enough to simply declare that privacy is protected: organizations must demonstrate this with actions.
This involves documenting decisions, assessing risks, implementing internal policies, and training teams. In this way, data protection becomes a core component of organizational governance.
New rights and data categories
Convention 108+ significantly expands the traditional concept of sensitive data, explicitly incorporating categories such as genetic and biometric data, whose use has grown rapidly following the development of automated identification, authentication, and analysis technologies. This type of information, due to its unique and permanent nature, poses significant risks in the event of misuse, leaks, or unauthorized reuse.
In parallel, Directive 108+ strengthens the requirements related to the anonymization, pseudonymization, and destruction of personal data, establishing that the retention of information must be strictly limited to what is necessary for the purpose that justified its collection. This aims to prevent the indefinite accumulation of data and promote responsible management throughout its entire lifecycle, aligned with the principles of minimization, proportionality, and accountability.
International transfers and cooperation between States
In an interconnected world, data constantly crosses borders. Convention 108+ establishes clear rules for international transfers, seeking to guarantee an equivalent level of protection in destination countries.
It also strengthens cooperation between supervisory authorities, facilitating mutual assistance and the protection of individuals' rights, even when data processing involves multiple jurisdictions.
Convention 108+ as the basis of digital trust
Convention 108+ is not just a legal norm: it is a declaration of principles on how the digital economy should be developed while respecting human rights.
In relation to Argentina, it represents a strategic opportunity to consolidate its international integration and modernize its regulatory approach.
Regarding organizations, it is a clear sign of where data protection compliance is headed.
In the digital age, Trust is a key asset and Convention 108+ is presented as one of the fundamental pillars for building it sustainably and in the long term.
Schedule a meeting with our team of data governance specialists.
