On 30 January 2023, the Restena Foundation and the University of Luxembourg co-organised the 6th edition of the Data Privacy Day dedicated to personal data protection. After two years online, due to the COVID-19 pandemic, the event was held for the first time in hybrid mode. No less than 240 participants, a record for the event since its first edition in 2018, gathered around key themes of international data transfers, with a focus on the research context, privacy culture and health data protection, privacy by design, as well as the Data Governance Act and the applicability of the General Data Protection Regulation (GDPR).

Opened by Raoul Winkens, Data Protection Officer at Maastricht University, Data Privacy Day 2023 brought together speakers from the European Commission, the National Commission for Data Protection (Commission nationale pour la protection des données - CNPD), BEE SECURE, the Association for Data Protection in Luxembourg (APDL) and the University of Luxembourg joined this year by the law firm Togouna & Tome Avocats.

Strengthened requirements for transfer and health

The RGPD, which defines the main framework for the processing of personal data in the European Union since May 2018, was discussed from the very first minutes. Like other legislation, the RGPD, by establishing rules to allow the free movement of personal data and protect the rights and freedoms of natural persons, is notably necessary to guide and steer innovation and development.

Research knows no borders. Related activities often require transferring data outside the European Union and the European Economic Area. While complex legal instruments are already applicable, the Court of Justice of the European Union provides new requirements (Schrems II judgment) in the context of the use of Standard Contractual Clauses (SCC) as recommended by the European Data Protection Board (EDPB). The EDPB has published 'Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’. So far it is not possible to sign the CCTs and apply Binding Corporate Rules (BCRs), it should be examined whether the transfer of data can be carried out through the derogations provided for in Article 49 ’Derogations for specific situations’.

In addition to research, the processing of health-related data also deserves special attention. Regarding the specific nature of this category of personal data, a stricter data processing regime applies. Their use raises many concerns, including loyalty and transparency of algorithms, secondary use and loss of control over personal data, and ethical issues. Reducing the privacy risks inherent in the use of digital technologies in the health sector is crucial.

Privacy: a matter to be protected

If privacy is an important concept, respecting it is even more. Every product or service user is entitled to expect that its privacy is respected. So, product designers are encouraged to consider and fully integrate this concept from the very beginning, from a Privacy by Design perspective. To do so, minimising the collection and storage of data and proving the privacy of their data to the persons concerned is essential.

In the future, a TOolkit DAta Protection CompLiance SupporT will be launched in Luxembourg. This tool, developed within the framework of a European project led by a consortium composed of the CNPD and the Luxembourg House of Cybersecurity (LHC), will facilitate the implementation of GDPR obligations for very small, small and medium-sized enterprises in Luxembourg.

A new European Data Governance Act proposed by the European Commission as part of its data strategy will also interact with the GDPR. Applicable from September 2023, the Act will impact data protection experts and data protection officers. They will inevitably have to respect the considerations of this new document.