On 12 September 2017, a highly awaited bill implementing and complementing the EU General Data Protection Regulation or GDPR (Regulation No 2016/679) was submitted to the Luxembourg Parliament.
Since the GDPR is a European regulation, its provisions will be directly applicable in Luxembourg as from 25 May 2018. However, the Member States have a number of options when it comes to implementing the GDPR. Luxembourg has made use of some of these options, in particular concerning, on the one hand, the organisation of the Luxembourg data protection authority (CNPD) and the decriminalisation of data protection law and, on the other hand, the introduction of more specific material provisions for personal data processing for journalistic, research and healthcare purposes.
Furthermore, the bill will abolish the Act of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data, as amended, and thus the various notification and authorisation requirements contained therein.
Directive (EU) 2016/680 on the processing of personal data by competent authorities in criminal matters will be transposed into national law by means of a separate bill which was submitted to the Luxembourg Parliament on 10 August 2017.
Functioning of the CNPD
The bill designates the current data protection authority, the CNPD, as the competent authority for enforcement of the GDPR and confers on it the powers provided for by the GDPR. In addition, the following points are worth mentioning.
• From three to four effective members
This increase in the number of effective members can be attributed to the new procedural powers of the CNPD introduced by the bill, which are necessary to carry out the tasks assigned by the GDPR.
• Focus on investigation and enforcement
The bill specifies that all CNPD members, taken together, must have, in addition to solid legal, ICT and privacy experience, a proven track record in the field of prevention, investigation, detection and prosecution of criminal offences.
The CNPD will also have the power to actively bring legal actions in the interest of enforcing the GDPR.
• Internal separation between investigation and decision-making powers
Another new feature is a separation between investigation and decision-making powers within the CNPD, which is very similar to that within the Luxembourg competition authority. When an investigation is started, a CNPD commissioner will be designated as the chief investigator. The chief investigator cannot take part in the process leading to a final decision once the investigation is closed.
• Accreditation of certification bodies
The CNPD will not only be the data protection authority but also the body responsible for accrediting the agencies competent to approve data protection certification mechanisms within the meaning of Article 42 GDPR.
The GDPR introduces significant administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover. These fines can be imposed by the CNPD. In this regard, the bill further clarifies the following points.
• Public authorities can be subject to administrative fines
The Luxembourg government has decided to apply administrative fines to the public sector, which was an option provided for in the GDPR.
• No criminal sanctions can be imposed for data protection violations, only for intentional obstruction of the CNPD
The Act of 2 August 2002 provides for criminal sanctions for violations of substantive data protection provisions. This act will be abolished once the bill is adopted, and the bill itself does not provide for criminal sanctions for such violations. The bill only stipulates criminal sanctions for the intentional obstruction of the CNPD in the accomplishment of its statutory tasks.
• Penalties to compel compliance with CNPD decisions
The CNPD has the power to impose penalty payments ("astreinte") on data controllers and processors in order to oblige them to comply with its decisions (unless the decision already imposes an administrative fine).
• Specific proceedings to suspend the unlawful processing of personal data
The bill introduces specific proceedings before the president of the Luxembourg District Court, who can order the suspension of personal data processing activities that are not compliant with (i) the GDPR, (ii) the law implementing Directive (EU) 2016/680, or (iii) the bill, once adopted. These proceedings are conducted as summary proceedings, but the suspension order is a decision on the merits.
Specific provisions for journalistic, research and healthcare related data processing
The GDPR leaves the Member States some discretion to adopt specific rules in particular sectors. The bill introduces such provisions for three distinct sectors, although other provisions may be added later on.
• Processing for scientific and historical research and for statistical purposes
The bill implements the requirement laid down in Article 89 GDPR to provide additional safeguards for the processing of personal data for scientific and historical research and for statistical purposes.
The bill contains a list of minimum safeguards that should be adopted taking into account the nature, scope, context, purposes and degree of risk of the processing. This list includes, amongst others, the appointment of a DPO, the realisation of a DPIA, the implementation of anonymisation and pseudonymisation measures, the adoption of a data management plan and a code of conduct, the use of logging files and encryption, the carrying out of a regular audit, and the respect for ethical standards.
The data controller must, for each research project, document if and how it has implemented these measures and provide a justification for the measures listed in the bill that it decides not to implement. It is likely that a justification for the non-implementation of a listed measure must be based on the nature, scope, context, purposes and/or low degree of risk of the processing.
If the data controller implements these measures, the bill provides that the data subjects' rights of access, rectification, restriction and to object can be made subject to necessary limitations insofar as the exercise of such rights is likely to render impossible or to seriously impair the achievement of the research or statistical purpose.
In principle there should be similar additional safeguards for the processing of personal data for archiving purposes in the public interest, but Luxembourg has yet to provide for such safeguards or derogations from data subjects' rights in the bill.
• Processing of sensitive data in the context of health-related services
Article 9(1) GDPR prohibits in principle the processing of so-called sensitive data (data related to race or ethnic origin, genetic data, health data, etc.) unless the controller can rely on the explicit consent of the data subject or on one of the other exhaustively listed legal bases set out in Article 9(2) GDPR.
The bill reinforces and further clarifies the legal bases for the processing of special categories of personal data (health data in particular) set out in Article 9(2)(h) (health or social care services and systems) and (j) (research and statistics). Reliance on these legal bases means the data controller need not seek the data subject's consent.
First, the bill allows various professional categories to process sensitive data where necessary for the "management of health services". These categories must be subject to a duty of professional secrecy as foreseen in Article 9(3) GDPR and thus include, in addition to healthcare professionals, social security organisations, companies managing pension funds and insurance companies, as already provided in the Act of 2 August 2002.
Second, sensitive data may be processed by both medical organisations and research institutions and researchers in the context of legally approved biomedical research projects to the extent the processing is necessary for medical or scientific research and provided they satisfy the additional safeguards for research.
Finally, to the extent there is a legitimate basis for the processing of sensitive data, further processing for research purposes is allowed in accordance with conditions to be laid down in a separate grand ducal regulation.
• Processing and freedom of expression
Luxembourg decided to avail itself of the option provided for in Article 85 GDPR and to include in the bill derogations from several key provisions of the GDPR if the processing of personal data takes place for journalistic purposes or in the context of freedom of academic, literary or artistic expression and provided such derogations are necessary to reconcile these purposes with the privacy rights of the persons concerned.
These derogations include a derogation from the restrictions on (i) the processing of sensitive data, (ii) the transfer of data to non-EU/EEA countries, and (iii) the right of the data subject to be informed of the processing of his or her data. The right of access cannot concern the source of information and must be exercised via the CNPD and the Press Council ("Conseil de Presse").
On a procedural level, the bill reinforces the paradigm shift brought about by the GDPR, i.e., a shift from ex ante and rather formal control (via notifications and authorisations) to robust ex post control and sanctioning based on the processing activities and procedures effectively pursued and/or put in place.
The separation between the investigation and decision-making powers within the CNPD clearly shows that audits and investigations will increase and be seriously pursued.
As far as the substantive provisions of the bill are concerned, there is a genuine intent to provide for greater flexibility in certain areas, such as research and health services.
However, given the impressive list of minimum safeguards to be complied with by the research community, it may be more difficult to conduct a research project than is now the case under the current legislation. Furthermore, researchers and research organisations will face, to a great extent, legal uncertainty as there is no body to provide prior validation for grounds for not implementing one or more measures on the list of minimum safeguards.
Finally, the legal basis for the processing of sensitive data in the context of the "management of health services" is quite vague and should be further clarified in the legislative process.