© Eric Ebstein
Luxembourg's National Data Protection Commission (CNPD) faces new responsibilities under the EU's AI Act while continuing to handle hundreds of public queries and data breach notifications, with video surveillance remaining a key concern.
At the end of last year, the CNPD was designated as the national authority in charge of coordinating and implementing the EU's new AI Act. This legislation, already adopted at European level, still needs to be transposed into national law. This development presents new challenges for the CNPD, as highlighted in its latest annual report.
According to commissioner Alain Herrmann, the CNPD will have two key responsibilities: firstly, to oversee services developing AI systems before they reach the market and, secondly, to ensure the protection of personal data once these systems are in use. As Herrmann underlined, artificial intelligence, and the entities running it, inevitably process private data.
To carry out these new tasks, CNPD president Tine Larsen explained that while budgetary resources are not lacking, the commission currently faces restrictions on hiring new staff. Even if the funds are available, government approval is needed, and this will only be possible once a new law is passed. For now, the draft bill for implementing the AI Act is still making its way through the legislative process.
Strong public interest in video surveillance
Beyond artificial intelligence, the CNPD continued its usual activities, including issuing opinions, providing training, and offering guidance. Last year, the commission received nearly 600 requests for advice. A recurring theme is video surveillance.
Commissioner Florent Kling noted that the CNPD cannot comment on individual investigations, but common issues include cameras filming beyond their intended scope or footage being stored for too long, he said.
Many citizens contact the commission for information before filing a complaint, and in some cases, issues can be resolved at that stage, Larsen added. Employers also frequently seek advice before introducing monitoring measures.
In 2024, the CNPD additionally received 442 notifications of data protection breaches, ranging from hacking incidents to cases where information was sent to the wrong recipients.
