On Tuesday, May 27, 2014, the National Commission for Data Protection presented its 2013 activity report at a press conference in Esch-Belval.
A record number of 177 complaints or requests for verification from citizens, 26 investigations, 2054 declarations by organizations handling personal data (including 833 subject to prior authorization) and 2077 inquiries: these are the key figures of the CNPD in 2013. The year was marked by particularly intense activity and the rise of complex technology issues, often with an international dimension.
The year started with the celebration of the 10th anniversary of the CNPD in its new offices, with a conference by the President of the European Court of Human Rights, Dean Spielmann.
An increasing demand
The significant increase in complaints (33% compared to 2012) and inquiries (22%) addressed to the CNPD reflects the growing public concern for privacy and personal data protection issues. The numerous meetings with stakeholders in the private and public sectors reflect their need to be assisted in their efforts to achieve compliance. The strong growth in activity of the DPA is reflected in the high number of adopted cases (+63%).
One of the missions of the CNPD is to advise the Luxembourgish government on topics relating to privacy and data protection. 10 formal opinions on laws and regulations were issued in 2013. The main topics were: the organization of the national intelligence service; the status, the designation procedure and the powers of the coordinating doctor ("médecin coordinateur"); the reform of the law concerning the public service; the reform of the execution of sentences and the penitentiary administration; the cross-border exchange of information on road safety related traffic offences; the national cancer register. In addition to these formal opinions, the DPA has been consulted by various ministries and public organizations on the compliance of their practices or projects.
Some major projects
The CNPD faces more and more complex technological issues with cross-border implications. Together with the CNIL (France), the CNPD performed a review of the "Microsoft Services Agreement" and the "Microsoft Online Privacy Statement" at the request of the Article 29 Working Party after the company changed its contractual terms of use. Previous examples, where companies like Google or Facebook modified their terms of use, have shown that these changes can have Europe-wide effects and that they could potentially weaken the protection of personal data and privacy of individuals. This review was conducted in a satisfactory manner and led Microsoft to introduce a number of improvements.
After the revelations in the international press concerning the PRISM program, the Luxembourgish DPA received two requests from European citizens to verify whether Skype and Microsoft Luxembourg had processed their data lawfully and whether the companies had shared their data with the US National Security Agency. It also examined the organization and procedure of processing of personal data carried out by other international companies established in Luxembourg.
In the field of smart metering, the CNPD is assisting Luxmetering with the implementation of their operating processes and procedures as part of a Privacy Impact Assessment (PIA). Luxmetering is an economic interest group ("Groupement d'intérêts économique") composed of 7 Luxembourgish electricity and gas network operators. It is responsible for the implementation of the infrastructure and the national deployment of approximately 350,000 smart meters.
A similar exercise is currently being carried out to evaluate the risks and protective measures provided by the future "eHealth" platform ("eSanté") and the respect of individual rights in the context of the implementation of electronic health records in Luxembourg.
In its opinion on draft law No. 6566, which implements a European Directive concerning the cross-border exchange of information on road safety related traffic offences, the CNPD also drew the attention of the government to the lack of transparency and the need for improvement in data protection legislation in the context of police and international judicial cooperation. The absence of a specific provision transposing the Framework Decision of 27 November 2008 (2008/977/JHA) into Luxembourgish law and the dispersion of the data protection provisions in 20 different legal texts are not likely to promote or facilitate the effective exercise of the rights of those involved.
Stimulating a culture of data protection within organisations
The creation of the first association on privacy and data protection, APDL ("Association pour la protection des données au Luxembourg"), at the end of 2013 reflects a significant step forward in the development of a culture of data protection within companies, private organizations and public agencies.
A key role will be played in the future by executives, compliance officers, specialists in computer systems and communication technologies in companies, as well as by the consultants and lawyers who advise them to ensure compliance with data protection law. Like the data protection officers, these knowledgeable professionals play a vital role in preparing to meet the expectations of the future European legislation.
In anticipation of the new European legal framework
The reform of the EU legislation on data protection has been ongoing since January 2012, and aims to give the legal framework the necessary effectiveness in the age of globalisation, digital communications, Big Data and the Internet of Things. The European Commission has focused its efforts on clarifying individual rights, on promoting the concept of accountability for public and private entities that handle personal data and on strengthening the role of supervisory authorities.
The different actors will have to rely on the CNPD to guide, advise and assist them in this delicate process. For this reason, one of the main tasks of the CNPD will be to further develop this part of its activity. The extension of its investigative capacity and control will also be a priority.