The CNPD presented its annual report with the key figures for the year 2021 at a press conference in Esch/Belval today.
First decisions by the CNPD on the outcome of investigations
In 2021, the CNPD issued its first decisions following investigations initiated since the entry into force of the GDPR (General Data Protection Regulation). In total, no fewer than 49 cases had been closed. 37 investigations resulted in corrective measures (e.g. issuing warnings or reprimands, ordering that processing be brought into compliance, imposing a temporary or definitive limitation including a ban on processing, etc.), including 25 with fines.
In total, 48 decisions related to national cases, with an overall amount of 319,500 euros in administrative fines, and one decision was taken within the European cooperation and consistency mechanism against Amazon Europe Core Sàrl, with an administrative fine of 746 million euros.
The majority of decisions (25 in total) were taken as part of the thematic campaign on the role of the Data Protection Officer. There were 20 decisions on video surveillance and geolocation. Finally, 4 decisions were on various topics, including one on the unlawful use of the JU-CHA database in the context of a procedure for the recruitment of a state employee in the judicial administration.
Covid-19 and data protection
As in 2020, the pandemic continued to have a significant impact on Luxembourg citizens. The CNPD was asked to provide citizens with answers about their rights in relation to the conditions under which their personal data, particularly data concerning health, may be used. In addition, the CNPD regularly updated its recommendations to help professionals in the pursuit of their activities and established a list of FAQs related to the use of the CovidCheck app. The CNPD, as in 2020, also continued to advise the Government on successive Covid-19 bills.
Key figures of 2021
- 618 written requests for information (compared to 655 in 2020) — The three main categories were the COVID-19 pandemic (contact tracing, body temperature measurement, teleworking, homeschooling, etc.), monitoring at the workplace and the rights of data subjects (right of access, right of erasure, etc.).
- 33 opinions on draft laws or regulations (compared to 24 in 2020) — In addition to those relating to the fight against Covid-19, the opinions focused on video surveillance of public spaces for public safety purposes (VISUPOL), open data and re-use of public sector information, the control of the acquisition and possession of weapons, the European electronic communications code and the Central Database of the Police.
- 512 complaints from individuals who considered that the law had not been respected or that their rights had been violated (compared to 485 in 2020) — Over one quarter (26%) of the complaints were based on non-compliance with the right of access by controllers, 24% were requests for erasure or rectification of data and 14% were related to the lawfulness of the processing.
- 333 data breaches notified to the CNPD (compared to 379 in 2020) — The CNPD receives approximately 29 notifications of data breaches per month. The main cause remains human error in 62% of cases. More than half of the incidents are detected within 5 days of their occurrence.
- 18 on-site investigations (compared to 8 in 2020) — The CNPD carried out on-site investigations mainly on video surveillance.
- 6 investigations as part of an audit on transparency — The CNPD continued its investigations as part of its thematic campaign “transparency in the online services sector”, which was launched in 2020 among 6 companies in this area.
Future prospects
The rapid emergence and development of new technologies such as artificial intelligence, machine learning, smart sensors and blockchain is a major regulatory challenge.
The CNPD, like its European counterparts in the European Data Protection Board (EDPB), monitors new and emerging technologies, as well as their potential impact on fundamental rights and citizens’ daily lives. The EDPB has already developed or is preparing guidance on the use of biometric data, the use of facial recognition, blockchain and other technologies as part of its biannual work programme.
Another major challenge arises from new European initiatives such as the Data Governance Act, the Digital Services Act, the Data Act, the Digital Markets Act or the Artificial Intelligence Act. The challenge is to integrate these new initiatives into existing national legislation while maintaining the same level of protection of personal data.
It will be necessary to ensure a coherent implementation of these texts and a good coordination between the national authorities to be designated by the EU Member States at both European and national level.