On 26 July 2018, during its last public session of the legislature, the Luxembourg Parliament adopted the Luxembourg bill implementing and complementing the EU General Data Protection Regulation or GDPR (Regulation No 2016/679) (click here for our comments on the initial version of the bill).
Since the GDPR is a European regulation, its provisions have been directly applicable in Luxembourg since 25 May 2018, the date of applicability of the GDPR. However, the Member States were left a number of options when it came to implementing the GDPR. Luxembourg has made use of some of these options, in particular concerning, on the one hand, the organisation of the Luxembourg data protection authority (CNPD), including its administrative sanctioning powers, and, on the other hand, the introduction of more specific substantive provisions on the processing of health data and on the processing of personal data for journalistic and research purposes and for monitoring in the context of a working relationship. The adopted bill furthermore repeals the Luxembourg Data Protection Act of 2 August 2002, as amended, and thus the various notification and authorisation requirements contained therein.
At the same session, the Luxembourg Parliament also adopted a Luxembourg law transposing the EU Directive 2016/680 on the processing of personal data by competent authorities in criminal matters.
The initial GDPR bill was submitted to the Luxembourg Parliament on 12 September 2017 and has undergone significant changes throughout the legislative process.
The adopted bill applies (1) in terms of material scope to any processing of personal data that is neither covered by the GDPR nor by the Luxembourg law on the processing of personal data in criminal matters and in matters of national security and (2) in terms of personal scope to data controllers and processors established on the Luxembourg territory.
Functioning and enforcement powers of the CNPD
(i) Functioning of the CNPD
The adopted bill designates the current data protection authority, the CNPD, as the competent authority for enforcement of the GDPR, the Luxembourg GDPR Law and the Luxembourg law on the processing of personal data in criminal matters, and confers on it the powers provided for by the GDPR. In addition, the following points are worth mentioning:
- From three to four effective members
This increase in the number of effective members can be attributed to the new procedural powers of the CNPD introduced by the adopted bill, which are necessary to carry out the tasks assigned by the GDPR.
- Internal separation between investigation and decision-making powers
Another new feature is a separation between investigation and decision-making powers within the CNPD, which is very similar to that within the Luxembourg competition authority. When an investigation is started on the CNPD's own initiative or upon a complaint by a data subject, a CNPD commissioner will be designated as the chief investigator. The chief investigator cannot take part in the process leading to a final decision once the investigation is closed. Such a final decision must be taken by a majority of votes, whereby the President of the CNPD has the casting vote and abstentions are inadmissible.
- Accreditation of certification bodies
The CNPD will not only be the data protection authority but also the body responsible for accrediting the agencies competent to approve data protection certification mechanisms within the meaning of Article 42 GDPR.
(ii) Enforcement powers of the CNPD
The GDPR introduces significant administrative fines of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover. These fines can be imposed by the CNPD. In this regard, the adopted bill further clarifies the following points:
- The CNPD will have the power to actively bring legal actions in the interest of enforcing the GDPR.
- The Luxembourg State and the Luxembourg municipalities cannot be subject to administrative fines.
The initial version of the bill also applied administrative fines to the public sector, which is an option provided for in the GDPR. This was however mitigated, so that the CNPD can still impose sanctions on legal persons governed by public law, but not on the Luxembourg State and the municipalities.
- No criminal sanctions can be imposed for data protection violations, only for intentional obstruction of the CNPD.
The Luxembourg Data Protection Act of 2 August 2002 provided for criminal sanctions for violations of substantive data protection provisions. This act is repealed by the adopted bill, which does not provide for criminal sanctions for such violations. The adopted bill only stipulates criminal sanctions for the intentional obstruction of the CNPD in the accomplishment of its statutory tasks.
- Penalty payments to compel compliance with CNPD decisions
The CNPD has the power to impose penalty payments ("astreinte") on data controllers and processors in order to compel them to comply with its decisions (unless the decision already imposes an administrative fine).
- Limitation period of five years

The general limitation period in relation to data protection breaches is five years from the date the breach came to an end. The running of this limitation period is interrupted by any act of the CNPD and suspended for as long as a procedure before the administrative court is pending regarding the decision of the CNPD. Furthermore, any imposed administrative sanctions and penalty payments must be enforced within five years, failing which they lapse.
Specific provisions on the processing of health data and on processing for journalistic and research purposes and for monitoring in a working relationship
The GDPR leaves the Member States some discretion to adopt specific rules in particular sectors. The adopted bill introduces such provisions for three distinct sectors.
- Processing for scientific and historical research and for statistical purposes
The adopted bill implements the requirement laid down in Article 89 GDPR to provide additional safeguards for the processing of personal data for scientific and historical research and for statistical purposes.
The adopted bill contains a list of twelve minimum safeguards that should be adopted by the data controller, taking into account the nature, scope, context, purposes and degree of risk of the processing. This list includes, amongst others, the appointment of a DPO, the carrying out of a DPIA, the implementation of anonymisation and pseudonymisation measures, the adoption of a data management plan and a code of conduct, the use of log files and encryption, and the carrying out of regular audits.
For each research project, the data controller must document and justify any of the measures listed in the adopted bill that it decides not to implement; such justification will likely have to be based on the nature, scope, context, purposes and/or low degree of risk of the processing.
If the data controller implements these measures, the adopted bill provides that it may derogate from the data subjects' rights of access, rectification, restriction and objection insofar as the exercise of such rights is likely to render impossible or seriously impair the achievement of the research or statistical purpose.
- Processing of sensitive data
Article 9(1) GDPR prohibits in principle the processing of so-called sensitive data (data relating to racial or ethnic origin, genetic data, health data, etc.) unless the controller can rely on the explicit consent of the data subject or on one of the other exhaustively listed legal bases set out in Article 9(2) GDPR. Several of these legal bases, however, require that the data controller can rely on a specific provision of EU or Member State law, so that they leave room for further national reinforcement and clarification and, where required, for additional safeguards for the protection of the rights and freedoms of the data subject. Article 9(4) GDPR enables the Member States to impose further conditions in relation to the processing of genetic data, biometric data or health data.
Contrary to the initial version of the bill, the adopted bill makes only very limited use of this option for national legislation. The adopted bill allows for the processing of sensitive data, such as health data, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, to the extent that the minimum safeguards mentioned under the previous heading are implemented by the data controller. Furthermore, the adopted bill clarifies, in relation to genetic data, that the processing of such data by a data controller for the purpose of exercising its rights in the areas of employment law and insurance is prohibited.
It is unfortunate that Luxembourg completely moved away from the initial bill which, in line with the former Luxembourg Data Protection Act of 2 August 2002, clarified under which conditions insurance companies can process sensitive data, and health data in particular, without having to obtain the prior consent of the data subjects. In this respect it is interesting to note that the Council of State ("Conseil d'Etat") considers in the parliamentary works that, for compulsory insurance contracts such as car insurance, the processing can be justified for reasons of public interest (Article 9(2)(g) GDPR), whereas for all other insurance contracts the processing must be necessary for the performance of the insurance contract and the data subject must give his or her prior explicit consent.
- Processing and freedom of expression
Luxembourg decided to avail itself of the option provided for in Article 85 GDPR and to include in the adopted bill derogations from several key provisions of the GDPR where the processing of personal data takes place for journalistic purposes or in the context of freedom of academic, literary or artistic expression, provided such derogations are necessary to reconcile these purposes with the privacy rights of the persons concerned.
These derogations include derogations from the restrictions on (i) the processing of sensitive data, (ii) the transfer of data to non-EU/EEA countries, and (iii) the right of the data subject to be informed of the processing of his or her data. The right of access cannot extend to the source of the information and must be exercised via the CNPD and the Press Council ("Conseil de Presse").
Specific provisions on processing for monitoring purposes in a working relationship context
The adopted bill, by amending Article L.261-1 of the Luxembourg Labour Code, allows the employer to put in place employee monitoring if one of the legal bases under Article 6 of the GDPR can be relied upon (e.g. legitimate interest, except where overridden by the interests or fundamental rights and freedoms of the employee; consent is mostly problematic in an employment context).
Furthermore, without prejudice to the duty to inform the data subjects (Article 13 of the GDPR), the employer must in advance inform the staff representative bodies or, in the absence thereof, the Luxembourg Labour Inspectorate ("Inspection du Travail et des Mines"). Such information must consist of a detailed description of the purposes of the processing, the modalities of the monitoring system and the storage period of the personal data or the criteria used to determine it, and must contain a formal declaration by the employer that it will not use the personal data for any purpose other than those explicitly mentioned. The staff delegation or, in the absence thereof, the employees concerned may, within 15 days after receipt of such prior information, ask the CNPD for a prior opinion on the compliance of the monitoring project. Such opinion must be delivered within one month of the request and has suspensive effect.
To the extent that the monitoring takes place for the purposes of (1) the health and safety of the employees, (2) the control of the production or the performance of the employee, provided such measure is the only means of determining the exact salary, or (3) the organisation of flexible working time, the employer will have to submit it beforehand to its staff delegation or, where one still exists, its joint committee via the co-decision process provided for in the Luxembourg Labour Code.
Lastly, the employees concerned can also lodge a complaint with the CNPD; such a complaint cannot give rise to a dismissal.
On a procedural level, the adopted bill reinforces the paradigm shift brought about by the GDPR, i.e., a shift from ex ante and rather formal control (via notifications and authorisations) to robust ex post control and sanctioning based on the processing activities and procedures effectively pursued and/or put in place.
The separation between the investigation and decision-making powers within the CNPD clearly indicates that audits and investigations will increase and be seriously pursued. With this increase in audits and investigations, it can be expected that the CNPD will put in place new procedures in order to reconcile the exercise of its powers with the rights of defence of the organisations concerned.
As far as the substantive provisions of the adopted bill are concerned, they are rather restrictive. Especially in the area of the processing of health data, the Luxembourg government missed the opportunity to offer some flexibility to important sectors. Some flexibility towards insurance companies in particular, meaning a legal basis other than the explicit consent of the insured person for the processing of sensitive data, would have meant a significant competitive advantage for Luxembourg in the current Brexit era.
Although an intent to offer flexibility shows through more clearly in the area of personal data processing for research and statistical purposes, where the data controller is allowed to deviate from certain rights of the data subjects, such flexibility is weighed down by the impressive list of twelve minimum safeguards to be complied with in order to benefit from such deviation. In practice, it may even be more difficult to conduct a research project now than was the case under the former legislation. Furthermore, researchers and research organisations will face, to a great extent, legal uncertainty as, unlike in some other Member States, there is no body to provide prior validation of the grounds for not implementing one or more measures on the list of minimum safeguards.