Luxembourgish parliament passes law to facilitate regulation’s flexible rollout
GDPR’s journey overcame its final hurdle in Luxembourg yesterday when parliament passed a law designed to put the regulation into action.
Although the General Data Protection Regulation (GDPR) was adopted by the EU in May 2016 and entered into force this spring, Thursday’s move determines what that rollout will look like on a practical level.
“Now that GDPR is a reality, individual countries have to adopt laws that define data protection authorities able to enforce it,” explained Nina Burmeister, Data Regulation Project Manager, Digital Luxembourg. “Concerning our national law, this was the last piece of the GDPR puzzle.”
Notably, the law outlines how the National Data Protection Authority (NDPA) will function and defines a flexible approach to specific data-dependent sectors. In particular, the new Luxembourg law ensures that research, both public and private, can enjoy a proper and favorable framework in the context of GDPR and continue to contribute to the overall benefit of society through valuable big data analytics.
Without certain exemptions, the professionals in these areas would face regulatory burdens too great to bear: “When dealing with a sample of thousands of pieces of ‘pseudonymized’ personal data, for example, researchers cannot be expected to give access to every individual, since it would hinder their ability to complete the research,” Nina Burmeister, Project Manager, Digital Luxembourg, said. “But when we provide flexibility in these key areas, the data controller will have to compensate by providing additional protective measures.”
Through such legislation, Digital Luxembourg implements GDPR in line with its intended purpose – to protect citizens, not to hinder or, worse, cripple businesses.
To support new GDPR functions and an overall ramping up of data-related activity in Europe, the law restructures the NDPA, which has seen its budget and personnel grow significantly since 2014.
It also assigns a government commissioner dedicated to liaising with the data protection authority while helping national and regional government entities operate in a post-GDPR world.
GDPR, pushed through during Luxembourg’s presidency of the EU, brings with it two entirely new rights: the right to be forgotten and the right to data portability.
Perhaps its most noticeable impact involves its approach to enforcement. Before May, businesses and organizations had to present government authorities with data processing requests, which were either granted or denied.
Today, the approach is “risk-based,” meaning the onus is entirely on the business and subcontractor to assess and manage their own GDPR compliance. Failure to do so could result in hefty fines, up to €20 million or four percent of annual turnover.
While the data protection authority is nothing new, its responsibilities continue to evolve with modern needs.
Countries across Europe, including France, Germany, Ireland and Belgium, have adopted similar changes that put bodies into place with the power to enforce GDPR across all industries and levels of government.
Thursday’s vote encompassed two additional pieces of legislation clarifying how GDPR applies to law enforcement and flight passenger records, ensuring that a right to information does not obstruct investigations.
These national legal developments mark a shift from GDPR as a high-level concept to GDPR as a daily practice.