The Luxembourg National Commission for the Protection of Data (CNPD) today presented its 2014 activity report in Esch-Belval, showing strong growth.

The Data Protection Authority received a record number of 207 complaints, 2,192 inquiries and 999 pre-authorisation requests for treatments presenting a particular risk to the privacy of citizens, such as monitoring in the workplace.

At the European level, the year was not only marked by the legislative review of work on data protection for which an agreement is planned for late 2015, but by two judgements of the EU Court of Justice that have a direct impact on the work of the CNPD. This is the judgment of 8 April 2014 on the retention of data and that of 13 May 2014 on the delisting in the search engines.

In the health sector, the CNPD reported that it had actively engaged with the eHealth agency to assess data security and analyse potential ricks to the agency's data exchange platform and the shared care record. This study was conducted in conjunction with the 'smart metering' programme of GIE Luxemetering. The CNPD stated that this was continued into 2015.

Since the draft European regulation on data protection prescribes a preliminary assessment for potentially intrusive treatment systems that may pose privacy risks, these projects require the adoption of a data protection approach through 'Privacy by Design'.

The CNPD reported that its new brochure on monitoring the workplace represented an additional monitoring device. The brochure was published in collaboration with the Chamber of Employees (CSL), as a means of informing the reader on the rights and obligations of both employee and employer.

With its judgment of 8 April 2015, the EU Court of Justice dismissed the directive on data retention, declaring it disproportionate and too intrusive. The CNPD stated its own opinion on the matter, analysing in-depth the conditions of validity to be met by national laws to regulate the obligation of privacy on the one hand and access to data by the authorities of other part.

The CNPD also referenced the notion of 'right to be forgotten' of citizens in search engines. Requests made by citizens in this respect were a direct conseuqence of the court judgement passed on 13 May 2014 against Google. If a request for 'right to be forgotten' is made by a citizen and denied by the search engine, the citizen is able to contact the CNPD or bring the matter directly to court.

The CNPD similarly reported success after an analysis conducted with the French data protection authority CNIL, concerning the contract of Microsoft services affecting European online public services users. Microsoft has reportedly since introduced a number of improvements in this regard. The CNPD has also collaborate with eight other European data protection authorities to moonitr the contractual clauses of Amazon Web Services.

2014 represented a year of change fro the CNPD in terms of management. On 7 November the Governing Council announced the appointment of Tine A. Larsen, Thierry Lallemang and Georges Wantz to the management team. CNPD stated that a principal challenge of the new committee would be modernising the internal procedures due to the requirements of the digital world and the obligationes of future European regulations.

 

Photo by CNPD