On 12 September 2017, the Luxembourg Government introduced a bill of law (the Bill) to complement the General Data Protection Regulation EU) 2016/679 (the GDPR). The Bill is planned to enter into force simultaneously with the GDPR, on 25 May 2018, and will repeal and replace the currently applicable Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data (the Law of 2 August 2002).
Unlike other European countries, the Luxembourg legislator has not taken the opportunity to add many local specificities, but has taken a very minimalistic approach to complement the GDPR by focusing on implementing those provisions into Luxembourg law, that are mandatory under the GDPR.
This approach will be welcomed by those who will have to comply with the GDPR, as it will make compliance for multi-national businesses simpler.
The Bill comes after a first attempt in November 2016 to pass a law whose aim was to facilitate the transition from the current data protection regime to the new GDPR. However, such a law never became reality, notably due to political discord on repealing the prior authorisation procedure by the Commission Nationale pour la Protection des Données (the CNPD) for certain processing activities of personal data.
The new organic law of the CNPD will include the required accommodations to comply with the GDPR. As a consequence, the CNPD will no longer be doing any prior control of processing activities, but will focus its mission on raising awareness and enforcing the law. For that matter, the authority has been given increased powers to investigate and has now also the power to impose administrative sanctions where necessary. The CNPD will also be vested with specific regulatory powers. Criminal penalties, however, have been vastly reduced and under the proposed law only those that knowingly prevent or impede, in whatever manner, the accomplishment of the missions of the CNPD, shall be punished by imprisonment of eight days to one year or shall be given a fine of 251 to 125.000 euros, or both.
In regard to the specific rules, the Bill extends the existing exception for data processing within the freedom of expression of journalists, artists, and writers, to “academic expression” as well. Otherwise, the exception does not change significantly and the concerned persons remain exempt from the prohibition of processing special categories of data, from the limitation to process public judicial data, from the rules applicable to transfers to third countries, from the obligation to provide certain information to the concerned persons, and from the obligation to give access to data subjects in certain circumstances.
The processing for scientific or historical research purposes or statistical purposes, however, is subject to an entire new set of rules. The Bill provides in that respect that a number of rights of the data subject may be limited if they would prevent or seriously hinder the realisation of the research project. A number of requirements are imposed on the data processing for scientific research purposes to guarantee the privacy of data subjects, such as the use of anonymised or pseudonymised data sets, access restrictions or log files. Those additional measures purport to set a minimum standard of protection and any decision not to apply one of the listed measures must be based on valid reasons.
As for the processing of sensitive data by health services, the existing rules have not substantially been changed, except for the fact that the wording has been adapted to the GDPR and changed from “data pertaining to health and sex life” to “special categories of personal data.
All in all, it seems that the Luxembourg legislator has taken a minimal approach in complementing the GDPR. The procedure for prior authorization and notification has been dropped altogether and criminal penalties have been substantially reduced while at the same time increasing the powers of the CNPD including the possibility to impose administrative fines. Moreover, the specific rules in the Bill provide clarity rather than unnecessarily burdening data protection compliance.