Final straight for Luxembourg in implementing the European package on Data Protection
After years of discussion on how to adapt the Directive 95/46/EC to better fit the new challenges of our modern society and its massive technological evolution, the EU Members States finally adopted a European Package on Data Protection on the 27th April 2016.
This package, which is actually broader than just the very famous “GDPR” – contains indeed:
- the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) ;
- the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data for the purposes of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties and on the free movement of such data;
- the Directive 2016/681 on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR).
Though this package was adopted under Luxembourg’s presidency of the European Union, Luxembourg does not have, as yet, fully implemented these measures into its legal arsenal.
As for now, those three European measures are still in the form of three specific and distinct bills, even for the GDPR despite its direct effect. Indeed, the GDPR still gives to the Member States a certain flexibility to take additional local provisions and even requires the adoption of complementary national legislations in some cases.
The draft law was issued in this context.
Although having already on the 24th August 2016 introduced a bill (cf. projet de loi n°7049) aiming to adapt our current legal legislation on Data protection, this bill was never presented before the Parliament for vote and is actually been replaced by a new one (cf. projet de loi n°7184), presented officially on the 12th September 2017.
If this bill was to be adopted, it will end Luxembourg’s current legal framework on Data protection as it mainly relies on the amended Law of 2 August 2002, which is to be abrogated.
This draft law is to be read in conjunction with the GDPR and confines itself in supplementing this European Framework with the national provisions when necessary. In this regards, the draft bill completes the GDPR by:
- recreating the legal framework of our current data protection supervisory authority (given the fact it was created per the Law of 2002 that is due to disappear) and adapting it to the requirements of the GDPR by giving it a new orientation and new powers (I),
- providing specific provisions on aspects for which the GDPR allows/requires the adoption of complementary national legislations (I).
I. The new role CNPD (Commission Nationale de Protection des Données) (chapter 1 of the bill n°7184)
The accountability approach – that creates an obligation of self-control for data controllers and processors – being one of the major changes induced by the GDPR, it is only normal that the revised role of the CNPD follows and adjust to such an approach.
As a result, the control process operated by the CNPD is moving from an ex ante control to an ex post control, the bill suppressing the previous obligation for data controllers and/or processors to notify their data processing to or even to get prior authorization to process (when applicable) from the CNPD.
The bill also extends CNPD’s competence to the processing of personal data in criminal as well as national security matters.
Last but not least, the new bill strengthens the CNPD’s mission and powers in particular by introducing the possibility for the CNPD to impose administrative penalties, finally regaining a power that had initially been granted to them in the draft Law of 2002 but was suppressed in its final version.
II. The specific provisions required by the GDPR (chapter 2 of the bill n°7184)
1. According to article 85 of the GDPR, EU Member States must adopt local legislation to find a balance between the right to the protection of personal data and the rules regulating the right to freedom of expression and information, including processing for journalistic purposes as well as academic, artistic or literary expression purposes.
Therefore, article 56 of the bill introduces several derogations to the prohibitions and restrictions of the GDPR (both with regard to the data itself (article 9 and 10 of the GDPR) and the rights and obligations relating thereto (article 13 and 14, chapter V of the GDPR)).
2. According to article 89 (2) of the GDPR, EU Member States may foresee derogations for certain rights of the data subject when personal date are processed for scientific or historical research or statistical purposes.
Article 57 and 58 of the bill are meant to implement such derogations under Luxembourg Law. Otherwise it is likely that data subject’s rights would seriously impair the achievement of those purposes.
In order to be able to process data for such purposes, one must put in place appropriate safeguards measures which are quite extensively listed in the law (for instance: mandatory DPO, performing an analysis of the impact of the contemplated processing on the protection of personal data, anonymizing and encrypting personal data, implementing log files that establish the purpose, the date and the hour the files were consulted and by who, etc.).
3. Finally, the last specific provision under this bill concerns the processing of special categories of data by “health services”.
Indeed, if article 9 (1) of the GDPR instates a general prohibition to process “special categories of data”, article 9 (2) provides a list of exemptions to this prohibition and article 59 of the bill was taken in order to adapt such exemptions under Luxembourg law.
The primordial criteria on which is based this permission of treatment is necessity.
Thus, processing data such as the ones listed in article 9 (1) of the GDPR can be done when necessary (i) for the purpose of preventive medicine, medical diagnosis and cares and treatments, (i) for medical or scientific research and (iii) for managing health services.
The categories of the admissible controllers, which depend on the reasons of processing, are also identified in article 59 of the bill: medical authorities, public bodies, insurances, companies managing pension funds, etc.
More surprisingly, the bill states that, provided their processing to be lawful, such kind of data can be communicated to third parties.
The bill n°7184 being in its first version one must outline to be complete that it is likely to be amended throughout the legislative process.
But for now, these are the specificities of Luxembourg’s data protection law, the rest of it being the GDPR itself.
Article provided by: Cécile Porcher, Avocat à la Cour (Etude Reding)