The first bill of law complementing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") was issued on 12 September 2017 (the "Bill of Law").

In spite of its direct effect, the GDPR, which will apply to all the EU Member States as of 25 May 2018, gives the Member States a certain flexibility to take additional local provisions. The Bill of Law was issued in this context.

The current Luxembourgish legal framework regarding the protection of personal data, based on the transposition of the European Directive 1995/46/CE of 24 October 1995, mainly relies upon the amended law of 2 August 2002 concerning the protection of individuals with regard to the processing of personal data (the "Law of 2002").

However, the fast evolution, since 1995, of information and communication technologies has given rise to new concerns with regard to the processing of personal data and the protection of privacy in a global environment.

Therefore, with the ever-growing concern of preserving the protection of the EU citizens' personal data, the European Commission initiated in 2012 a reform to adapt European rules to the issues raised by the globalization of communications and the evolution of technologies. This reform, conducted under the Luxembourgish Presidency, led to the adoption of the GDPR and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

Given the direct effect and wide scope of the GDPR, few room was left to EU Member States to supplement it using local legislations.

In this regard, the Bill of Law completes the GDPR by:

  • Adapting the Luxembourgish data protection supervisory authority to the requirements of the GDPR. Such authority remains the Commission Nationale pour la Protection des Données (the "CNPD"), but acquires new powers in order to carry out the missions defined under the GDPR (I), and;
  • Providing specific provisions on aspects for which the GDPR required the adoption of complementary national legislations (II).

I.The creation of a "new" CNPD (Chapter 1 of the Bill of Law):

First, the creation of a "new" CNPD stems from the "accountability" approach adopted by the GDPR. This approach creates an obligation of self-control for data controllers regarding the processing of personal data that they may carry out. It involves a change in the control process operated by national data protection authorities, moving from an ex ante control to an ex post control.

The powers vested in the CNPD, currently in charge of all matters in relation to the protection of personal data unless otherwise provided by law, hence had to be adapted to such approach.

However, the GDPR is not the only reason why the CNPD had to undergo some changes. Indeed, other changes in the European data protection legal framework – notably with regard to the protection of EU citizens' fundamental rights and the reinforcement of the independence of the EU Member States' judicial systems – also called for adaptations to be made1.

In this regard, the Law of 2002 created and provided a specific competence to the independent "Article 17 Supervisory Authority" to carry out the control of personal data processing in the criminal, State security, defense, and public safety areas. However, under the Law of 2002, judicial data remained outside the scope of competence of said Authority and was taken in charge by the CNPD.

The new requirements of independence of the judicial systems brought under EU law led to the adoption, on the same day as the GDPR, of the EU Directive n°2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

Owing to the necessity of implementing such Directive, Luxembourg presented bill of law No. 7168 on 10 August 2017. The main change carried out by this bill of law is the creation of an independent judicial data protection authority, and in parallel to this, the abrogation of the "Article 17 Supervisory Authority", which activity will be absorbed by the new CNPD.

Footnote

1 Cf. article 16§2 of the Treaty on European Union and the Treaty on the Functioning of the European Union and article 8§3 of the Charter of fundamental rights of the European Union

To view the full article please click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.