Refine, Don't Reset: Convention 108+ Chair on Building Data Protection Infrastructure
For 0PN Lab Blog + Technical Community
At the European Commission's Data Protection Day 2026 conference, the central question was: Reset or Refine?
Beatriz de Anchorena, Chair of the Convention 108 Committee, made the case for refinement—incremental modernization that preserves the human rights foundation while adapting to new realities.
Her argument matters because Convention 108+ is five ratifications away from becoming binding international law. And when it does, the question won't be whether we have the legal framework. It will be whether we have the technical infrastructure to make it work.
That's where 0PN Lab comes in.
Convention 108+ as Constitutional Framework
Beatriz opened with a powerful framing:
"Convention 108+ functions as a 'constitution' of data protection—fundamental principles that crystallize universal consensus. It also serves as a 'compass' for finding solutions to new questions while maintaining those principles."
"The Convention contains almost exclusively fundamental rules, providing much-needed clarity on core versus ancillary requirements."
This matters because it distinguishes core principles from implementation details. The principles are non-negotiable. The implementation is where innovation happens.
Core Principles Convention 108+ Makes Non-Negotiable
Beatriz identified the design requirements for any legitimate data processing system:
- Clear objectives and balance of interests
- Purpose limitation
- Adequacy and relevance
- Data minimization
- Enhanced protection for sensitive data
- Security measures
- Transparency and accountability
These aren't theoretical. They're the design requirements for Digital Public Transparency Infrastructure (DPTI).
The Data Minimization Paradox
Beatriz addressed the criticism that data protection hinders AI development:
"The criticism that data protection hinders development is an old song and it's not true. Companies already comply with complex rules in tax, accounting, social protection, and consumer law."
"Convention 108+ principles are not enemies of AI but often its allies—forcing consideration of data quality and relevance. LLMs trained on smaller, higher-quality datasets may be most effective."
"Bad AI is good for no one: hallucinations, false diagnoses, biased screening tools are unacceptable to everyone long-term."
Data minimization isn't a constraint on AI. It's quality control for training data.
Cross-Border Data Flows Require Technical Infrastructure
Beatriz emphasized that:
"Free flow of data requires similar levels of data protection across countries."
GDPR tools (adequacy decisions, BCRs, SCCs) are pragmatic but produce "mediocre results in a fragmented landscape." Convention 108+ is the best tool to achieve necessary alignment.
But legal alignment alone isn't enough. We need technical infrastructure that makes compliance verifiable, scalable, and interoperable.
From Principles to Practice: What 0PN Lab Launched on January 28
ISO/IEC 27560-1 is the transparency-by-default implementation of Convention 108+ Article 8.2 (pre-collection notice) and Article 11 (Code of Conduct authorization).
Part 1: Universal Notice Receipts (UNR)
- Controller disclosure at /.well-known/notice.txt
- Machine-readable Controller Identification Record (CIR)
- Legal basis agnostic—works for all 6 Convention 108+ Article 5 legal bases
Part 2: Exchange Points
- Cryptographic assurance
- Integration with wallets, verifiers, and AI agents
Part 3: TATA (Digital Trust) Privacy Risk Framework
- 24 transparency contexts: 6 legal bases × 4 assurance levels
- 72 total configurations: 24 contexts × 3 control vectors (Personal Control, Data Protection, Co-Regulation)
- Risk-proportional assurance—self-assertion for low-risk, active state for high-assurance
Part 4: Implementation Guidance
- AI transparency patterns
- Dynamic signalling protocols
- Privacy-enabling architecture patterns
Introduces Mandatory Notice Event Logs: Bilateral Transparency (Digital Privacy Policy)
Beatriz emphasized the importance of transparency and accountability as core principles. Notice Event Logs operationalize this:
Like finance tracks money:
- Bank accounts provide transparent audit trail
- Both parties hold synchronized records
- Verifiable at any point
DPTI tracks data:
- Notice Event Logs provide transparent audit trail
- Both parties hold synchronized Notice Receipts
- Verifiable authorization state
Controller-ID First architecture:
- Controller discloses identity via CIR before data collection
- Individual verifies controller transparency before sharing data
- Two-Factor Notice: Notice layer precedes authentication layer
Multi-Jurisdictional Evidence at Scale
Seven jurisdictions (Convention 108+, GDPR, UK, AU, NZ, CA, Quebec) share common transparency requirements mapped to four Transparency Performance Indicators (TPI-R).
A single TPI-R assessment provides evidence for multi-jurisdictional enforcement.
Example: Chrome TPI-Report enabled 28 collective complaints with one assessment. Sal D'Agostino (IDmachines) demonstrated real-time AI-powered TPI report generation during our January 28 launch event.
This scales regulatory capacity without scaling headcount—preventive enforcement replaces reactive breach response.
Five Ratifications from International Law
Beatriz's keynote emphasized the urgency:
"We are five ratifications away from binding international data protection law."
Greece and Monaco became the 32nd and 33rd ratifications in March 2025. Senegal is targeting June 2026. Five parties are already applying Convention 108+ provisions voluntarily.
When 38 ratifications are reached:
- Article 15: Convention Committee gains authority to monitor implementation
- Article 11: Codes of Conduct gain treaty-authorized regulatory recognition
- Article 14: Cross-border data governance becomes operational
- Multi-lateral enforcement: Evidence collected in one jurisdiction supports enforcement in others
ISO/IEC 27560-1 is positioned to be one of the first Article 11-authorized Codes of Conduct.
Call to Action: Join the Infrastructure Build
Convention 108+ provides the constitutional framework. ISO/IEC 27560-1 provides the technical implementation.
Join 0PN Lab's AuthC Discussion Group
First meeting: February 12, 2026
Authority with Consent & Permission working group
Implement Early: Founding Member Rate
50% discount through March 31, 2026
Tier 1 membership = TATA Level 1 (Self-Assertion):
- Controller deploys notice.txt, notice event log, and CIR
- GitHub access and materials library
- Working group participation
- Sandbox environment early access (Q1 2026)
"In a changing world, binding international commitments provide sustainability, legal certainty, and trust."
— Beatriz de Anchorena, Chair, Convention 108 Committee
Resources:
- Full keynote summary: [Jan 28 Meeting Notes]
- Executive Report: [0PN Lab Launch — International Data Protection Day 2026]
- Blog Recap: [International Data Privacy Day]
- Event Recording: [0PN Labs Jan 28 Audio]