The CNPD presented its annual report with the key figures for the year 2020 at a press conference in Esch/Belval today.
Ensuring the protection of personal data in the COVID-19 era
Since March 2020, the daily lives of citizens from Luxembourg have been disrupted by the coronavirus pandemic. Whether in the private or the professional sphere, the pandemic has had an impact on all aspects of our lives.
Across Europe, governments as well as public and private organisations have taken steps to curb and mitigate the spread of COVID-19. New data processing operations have been implemented to respond to the health emergency, such as contact tracing, body temperature measurement at the entrance of premises or the large scale testing of the population.
The CNPD, together with its European counterparts, has played an important role in ensuring that these measures are implemented in accordance with data protection rules.
Throughout Luxembourg and Europe, there have been vigorous debates on data protection and privacy in the context of the COVID-19 pandemic, reflecting the importance of these issues for civil society, business and policy-making.
The Government, aware of the challenges, repeatedly sought the opinion of the CNPD on the COVID-19 draft laws. On each occasion, the National Commission promptly replied, highlighting the need for safeguards for the protection of citizens’ data.
Not surprisingly, the year 2020 was marked by numerous requests from private and public actors. They questioned both the measures taken to limit the spread of the virus and ensure the safe continuation of activities, as well as the conditions under which personal data, particularly data concerning health, may be used. The CNPD regularly updates its recommendations to guide professionals in the pursuit of their activities and answers citizens’ questions about their rights.
Invalidation of Privacy Shield and Brexit
While international news was dominated by the pandemic, other data protection issues addressed in 2020 were the invalidation of the “Privacy Shield” (transfer of data between the EU and the US) by the Court of Justice of the European Union (“Schrems II” case) and Brexit, which had an impact on international data transfers.
Key figures of 2020
- 655 written requests for information (compared to 708 in 2019) — As in previous years, a large number of requests were related to the exercise of data subjects’ rights, in particular the right of access to personal data and the right to erasure. These requests demonstrate that citizens make greater use of the rights granted by the GDPR and that data protection continues to be a major concern.
- 24 opinions on draft laws or regulations (compared to 16 in 2019) — In addition to those relating to the fight against COVID-19, the opinions focused on combating money laundering and terrorist financing, video surveillance of public spaces for public safety purposes (VISUPOL), the creation of the National Security Authority and the automated control and sanctioning system (red light radars).
- 485 complaints from individuals who considered that the law had not been respected or that their rights had been violated (compared to 625 in 2019) — Among these, the most frequent complaints concerned requests for erasure or rectification of data (26 %). Almost a quarter of the complaints (23 %) were based on non-compliance with the right of access by controllers and 11 % of complaints related to the right of opposition, particularly in the field of marketing.
- 379 data breaches notified to the CNPD (compared to 354 in 2019) — A total of 905 data breaches have been notified to the National Commission since the entry into force of the GDPR. The main cause remains human error in 64 % of cases.
- 8 on-site investigations (compared to 33 in 2019) — The CNPD finalised its campaign on video surveillance and geolocation and launched a campaign to assess the legality of the processing of personal data in the context of the fight against COVID-19, based on a sample of 20 organisations.
- 6 investigations initiated as part of an audit on transparency — Companies from the e-commerce sector were targeted as transparency is very important in this sector, which experienced exceptionally strong growth during the pandemic and the confinement.
Future prospects
2020 was an exceptional year in many respects. As the COVID-19 crisis will continue to be present in our lives throughout this year and, most likely, for longer still, the data protection challenges that our society will face will not diminish.
Whether with citizens, private companies or public bodies, the CNPD will pursue its objective of promoting a data protection culture in Luxembourg while also ensuring compliance with the GDPR. With the resources allocated, the CNPD will be able to use the legal means granted to it by law to strike the right balance between the information society and the protection of privacy.
The Luxembourg supervisory authority will thus continue to implement its work programme 2020-2022 with 2021 seeing the first decisions taken following investigations opened in previous years.