Luxembourg anticipates the GDPR - Abolition of authorisation for several critical data processing activities and for SCC bas…

On 31 August 2016 a law proposal was submitted to the Luxembourg Parliament in order to abolish several authorisation regimes that are currently foreseen in the 2002 Luxembourg Data Protection Act ("Loi luxembourgeoise du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel").

Cutting red tape in anticipation of the GDPR

This law proposal, once adopted, will anticipate the as from 25 May 2018 applicable Regulation (EU) n° 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"). Indeed, one of the key objectives of the GDPR consists of cutting red tape by, amongst others, abolishing the several authorisation regimes that EU Member States are allowed to adopt under the current Data Protection Directive 95/46/EC for critical data processing activities and for data transfers to countries outside the EU/EEA without adequate protection (to the extent that such transfers do not benefit from a derogation).

Which authorisation regimes are concerned?  

Mid-September, the Luxembourg Data Protection Authority ("CNPD") published its annual report for the year 2015. The figures published speak for themselves. The number of authorisation requests does not cease to increase, yet the CNPD’s staff number has not been increased proportionally (2 persons to handle 969 authorisation requests in 2015). Given the resulting workload for the CNPD, the competent minister decided to submit a law proposal in order to abolish the following authorisation regimes:  

  • The authorisation regime for interconnection. 'Interconnection' is not defined in the current version of the 2002 Data Protection Act, but it is clear that it includes what was understood under 'interconnection' within the meaning of the initial version of the same act, i.e., the correlation of data that are processed for a given purpose with data processed for another purpose and/or by another controller. Even when the law proposal intends to abolish the authorisation requirement, interconnection of personal data remains subject to some specific rules of the 2002 Data Protection Act.
  • The authorisation regime for surveillance in general and in the workplace. 'Surveillance' is  defined as "any activity which, carried out using technical instruments, consists of observing, collecting or recording in a non-occasional manner the personal data of one or more persons, concerning behaviour, movements, communications or the use of electronic computerised instruments". Even though the GDPR exceptionally allows EU Member States to adopt stricter data protection rules in the context of an employment relationship and thus enables Luxembourg to uphold the authorisation regime for surveillance in the workplace, the authorisation requirement for this type of processing is likely to disappear in the near future. Nonetheless, the 2002 Data Protection Act will still contain restrictions for surveillance in general and the Luxembourg Labour Code for surveillance in the workplace in particular (specific information requirement vis-à-vis staff delegation and individual employees, etc.). 
  • The authorisation regime for credit and solvency related personal data processing carried out by controllers which are not financial or insurance service providers. The abolition of this authorisation regime will be welcomed by those undertakings that acquire distressed consumer debt from foreign banks via Luxembourg special purpose vehicles and which are likely to be subject to the said authorisation regime in the current state of things.
  • Finally, save in some exceptional circumstances foreseen by the Luxembourg 2002 Data Protection Act (e.g. data subject consent, transfer necessary for the performance of a contract, etc.), the transfer of data to non-EU/EEA countries without an adequate level of data protection is prohibited unless adequate safeguards (such as the use of the so-called standard contractual clauses ("SCC") issued by the European Commission) are provided and the CNPD has authorised the transfer. The law proposal, if adopted, will not subject transfers to non-EU/EEA countries to an authorisation anymore if they are based on SCCs.

The processing activities concerned are not subject to authorisation but will prior to 25 May 2018 still need to be notified

The initiative to cut red tape by abolishing some authorisation regimes, whose effectiveness was regularly called into doubt, must be welcomed and is fully in line with one of the principal GDPR objectives. 

However, it is very likely that most of these types of data processing will nevertheless remain subject to a prior notification to the CNPD, so that the undertakings concerned will still have to deal with paperwork. On a positive note, this notification requirement will in any event disappear on 25 May 2018, the date of application of the GDPR.