Accessibility to quality data is often a deciding factor for the success of many data centric projects. But the way data is managed and shared is even more crucial to maintain the privacy of individuals and their trust. Luxembourg is balancing data protection with innovation by prioritising ethical and responsible data use, anonymisation, and collaboration between various institutions.
To ensure that this balance is struck, a draft law on the valorisation of data in an environment of trust sets strict conditions, which need to be met for a secondary use of the data to be authorised. It must be carried out for one of the purposes exhaustively listed in the law. Moreover, personal information will have to be anonymised or pseudonymised prior to its reuse.
Luxembourg’s stable economic and research environment, and its state-of-the-art facilities also make it a very attractive destination for data-centric entities
If those conditions are met, the Government Commissioner’s Office – acting as Data Authority – will grant a permit, which entitles its holder to reuse the data in a secure processing environment provided by the Government IT Centre (CTIE). This will ensure that data can be reused effectively, while also ensuring that no personal data can be exported by the user.
“Altogether, these measures ensure that individuals cannot be re-identified or singled out in the data set and, thus, constitute a strong set of safeguards within the meaning of data protection regulations” points out Max Spielmann, Government Commissioner for Data Protection with the Luxembourg State.
Responsible data processing
The legal landscape for data protection is both comprehensive and evolving. “While the EU General Data Protection Regulation provides overarching rules, data use frameworks are complex and multilayered,” he explains. “On the international level, you have some key treaties and agreements such as the European Convention on Human Rights which set the stage. European regulations and directives tailor those principles to fit the needs of specific sectors. On the national level, you have legislation that vary depending on the context.”
EU provisions on personal data processing by competent authorities have already been implemented into national law by the Act of 1st August 2018. Other specific provisions further regulate data management practices. For example, the regulation on the European Health Data Space, which will govern the re-use of health data for research, policymaking or healthcare, and the Data Governance Act on the secondary use of data.
It simplifies procedures and reduces the administrative burden for citizens, businesses and State administrations, while enhancing data protection.
A noteworthy endeavour in this regard is the “once-only” principle, which is part of a legislative proposal recently presented to Parliament under the impulse of Luxembourg’s Minister for Digitalisation Stéphanie Obertin. “It simplifies procedures and reduces the administrative burden for citizens, businesses and State administrations, while enhancing data protection by limiting unnecessary data collection and storage”, he adds. Additionally, this draft law foresees conditions for the secondary use of data to be lawful. “Altogether these constitute a strong set of safeguards,” affirms Mr Spielmann.
A robust data infrastructure
The Grand Duchy’s data infrastructure extends beyond the legal data frameworks supporting public entities, businesses and researchers. “Luxembourg’s stable economic and research environment, and its state-of-the-art facilities also make it a very attractive destination for data-centric entities,” asserts Mr Spielmann, referencing the number of tier IV data centres in the country.
Altogether, these measures ensure that individuals cannot be re-identified or singled out in the data set.
A comprehensible legal framework, which is interpreted coherently and pragmatically, paired with, both, the availability of quality data and Luxembourg’s advanced data infrastructure is crucial to drive innovation and research across all industries, particularly those dependent on processing and exchanging large volumes of data. “To name a few, financial institutions, especially in the field of fintech, healthcare providers, telecommunication operators, retail manufacturers, and all IoT-based activities can really profit the most from the very good infrastructure that we have in Luxembourg,” he concludes.