Publication Of The First Draft Bill Complementing The European General Data Protection Regulation

The first draft bill complementing the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR") was issued on 12 September 2017 (the "Draft Bill").

In spite of its direct effect, the GDPR, which will apply to all the EU Member States as of 25 May 2018, gives the Member States a certain flexibility to take additional local provisions. The Draft Bill was issued in this context.

The current Luxembourgish legal framework regarding the protection of personal data, based on the transposition of the European Directive 1995/46/CE of 24 October 1995, mainly relies upon the amended law of 2 August 2002 concerning the protection of individuals with regard to the processing of personal data (the "Law of 2002").

However, the fast evolution, since 1995, of information and communication technologies has given rise to new concerns with regard to the processing of personal data and the protection of privacy in a global environment.

Therefore, with the ever-growing concern of preserving the protection of the EU citizens' personal data, the European Commission initiated in 2012 a reform to adapt European rules to the issues raised by the globalisation of communications and the evolution of technologies. This reform, conducted under the Luxembourgish Presidency, led to the adoption of the GDPR and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.

Given the direct effect and wide scope of the GDPR, few room was left to EU Member States to supplement it using local legislations.

In this regard, the Draft Bill completes the GDPR by:

Adapting the Luxembourgishdataprotection supervisory authority tothe requirements of the GDPR. Such authority remains the Commission Nationale pour la Protection des Données (the "CNPD"), but acquires new powers in order to carry out the missions defined under the GDPR (I), and; Providing specific provisions on aspects for which the GDPR required the adoption of complementary national legislations (II). I The creation of a "new" CNPD (Chapter 1 of the Draft Bill):

First, the creation of a "new" CNPD stems from the "accountability" approach adopted by the GDPR. This approach creates an obligation of self-control for data controllers regarding the processing of personal data that they may carry out. It involves a change in the control process operated by national data protection authorities, moving from an ex ante control to an ex post control.

The powers vested in the CNPD, currently in charge of all matters in relation to the protection of personal data unless otherwise provided by law, hence had to be adapted to such approach.

However, the GDPR is not the only reason why the CNPD had to undergo some changes. Indeed, other changes in the European data protection legal framework - notably with regard to the protection of EU citizens' fundamental rights and the reinforcement of the independence of the EU Member States' judicial systems - also called for adaptations to be made1.

In this...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT