Contributed By Wildgen S.A.
Laws and Regulations in Relation to the Cloud
In Luxembourg, the cloud is mainly regulated by circulars issued by the Luxembourg Financial Sector Supervisory Commission (Commission de Surveillance du Secteur Financier – CSSF).
CSSF circulars are applicable to all professionals in the financial sector (Professionnels du Secteur Financier – PSF), which are classified into the three following categories: investment firms, specialised PSF and support PSF. In addition to PSF, circulars related to cloud computing apply to payment institutions, electronic money institutions and investment fund managers.
The following are the main CSSF circulars that are relevant to the cloud:
An outsourced function, activity or service in the cloud may be considered material if it meets the following conditions:
Finally, this circular introduces an obligation for the PSF to keep a register of all items processed in a cloud environment.
For completeness, Article 567 of the Commercial Code, amended by the law of 9 July 2013, must be mentioned. The new version of Article 567 expressly covers the right of reclaiming non-fungible tangible personal property (biens meubles corporels non fongibles), particularly in the event of bankruptcy of the cloud computing service provider. In this event, a client using the cloud can retrieve the relevant data and files.
Specific Industries with Greater Regulation
Due to the CSSF circulars mentioned above, the financial sector is subject to specific rules. Moreover, Article 41 of the law of 5 April 1993 has been amended by the law of 27 February 2018 and now facilitates outsourcing, with an extension of the exceptions to banking secrecy. For instance, confidential data may be available to another PSF bound by professional secrecy obligations as follows:
The Processing of Personal Data in the Context of the Cloud
The processing of personal data in the cloud context is subject to the General Data Protection Regulation 2016/679 of 27 April 2016 (GDPR), and is governed by the provisions of a Data Processing Agreement (DPA) attached to the cloud computing service contract. The DPA has to be concluded between the client (ie, the data controller, which determines the purposes and means of the processing of personal data) and the cloud provider (ie, the data processor, which processes personal data on the instructions of the data controller).
Before going into the detail of the contractual provisions, it is recommended in practice, as a preliminary step and in order to select the right cloud provider, to rely on an outsourcing policy and to document a pre-outsourcing risk assessment.
The Luxembourgish data protection authority (Commission Nationale pour la Protection des Données – CNPD) has also issued a guideline titled ‘International transfers of personal data’, pursuant to which, among other elements, the data controller must ensure that the processing of personal data respects all the GDPR provisions, such as the lawfulness of processing and the data minimisation principle. In addition, the country in which the supplier is located is relevant for determining the applicable requirements.
In its 2012 recommendations, the French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) stated that "the cloud contract [should have] a clear and complete indication of the countries hosting the service provider data centres where the data will be processed." Moreover, point 31 of CSSF circular 19/714, mentioned above, notes that, "in the event that the processing, data and systems are distributed to different data centres around the world, at least one of the centres must be located in the European Union and must be able to take over the distributed processing, data and systems if necessary to operate autonomously the cloud computing services." Consequently, it is recommended to define the geographical scope of the processing by reference to the location of the service provider's data centres where the data is processed.
When the service provider's data centre is located within the European Economic Area (EEA) (the EU, Norway, Liechtenstein and Iceland), personal data can be transferred freely provided that the GDPR's provisions are respected. Outside the EEA, personal data can only be transferred in accordance with Articles 44 et seq. of the GDPR: either to countries for which an adequacy decision has been adopted by the European Commission or, in the absence of such a decision, subject to appropriate safeguards such as standard contractual clauses, binding corporate rules (used within a group), codes of conduct or certification mechanisms.
Obligations of Article 28 of the GDPR
Regardless of the location of the storage, certain provisions apply to the transfer of personal data to the data processor and any sub-processor. A written agreement must be concluded before the processing starts, specifying the following, among other things:
Launching or using a blockchain provides many opportunities from a technical point of view; however, many legal challenges remain. Legal scholarship describes blockchain as a "technology for storing and transmitting information that is transparent, secure and operates without a central control body. By extension, a blockchain constitutes a database that contains the history of all the exchanges carried out between its users since its creation."
Transactions between the network's users are grouped into blocks that are time-stamped. Each block is validated by certain users, called miners, and transmitted to the network nodes.
Risk and Liability
For a new technology like blockchain, one of the major legal risks is legal uncertainty. Fortunately, the Luxembourgish government was able to respond quickly to this risk through the creation of a legal framework for technologies including blockchain.
The law of 1 March 2019 amends the law of 1 August 2001 on the circulation of securities. Article 18bis of the law of 1 August 2001, as amended, allows financial market participants to carry out securities transactions using distributed ledger technologies such as blockchain.
Luxembourg is also involved in the International Organisation for Standardisation (ISO) committee working on the technical certification of blockchain, through the Luxembourg Institute for Normalisation, Accreditation, Safety and Quality of Products and Services (Institut Luxembourgeois de la Normalisation, de l'Accréditation, de la Sécurité et Qualité des Produits et Services – ILNAS). ILNAS issued a whitepaper about blockchain in June 2018, which promotes a better understanding of the blockchain mechanism from a technological, economic and privacy point of view. It also discusses the application of data subject rights from the legal and technical points of view.
The financial sector is involved in addressing risk and liability. On 14 March 2018, the CSSF warned about cryptocurrencies and that "the absence of regulation means that cryptocurrencies could be used in illegal activities." However, the CSSF underlined that its warnings did not concern the blockchain technology used by cryptocurrencies, which it said "could bring certain advantages in their use in the financial sector and in different innovative projects."
The Luxembourgish government will need to update and adapt the legislation according to the blockchain evolution.
In the blockchain technology, a difference needs to be established between the following components:
Another legal risk is presented by smart contracts.
A smart contract is a blockchain-based contract that expresses contractual obligations in a programming language. It executes automatically when the coded conditions agreed between the participants are met. In practice, the risks identified by legal scholarship and outlined below follow from this.
The first risk is related to the contract negotiation and formation.
The main question is whether the consent of a party to a contract that will be translated into programming code can be considered informed consent as required by Article 1108 of the Civil Code. Consent to the negotiated contractual obligations shall be given before their transformation into programming language. A lawyer shall draft the contractual obligations, and a developer shall then translate the draft into programming language. Both have to co-operate in order to avoid any misunderstanding, and an obligation of means should be inserted into the development contract.
The second risk is the contract drafting on the blockchain.
Once recorded and executed, a transaction is usually difficult or nearly impossible to cancel, even where the drafting does not comply with the applicable legal obligations. As a result, automatic execution may create an illegal situation, or a circumstance that is undesired by one party.
Bugs can occur during the phase of registration and recording on the blockchain. If they affect substantive elements of the contract, Article 1109 of the Civil Code, relating to defects of consent, could apply.
The third risk is the execution of contractual obligations in the blockchain.
In a blockchain, the addition of a block to the chain is governed by the consensus mechanism. One risk is the withdrawal of a participant's consent: where the consensus rules require every participant to agree on the validation of a block (as may be the case in a private blockchain), such a withdrawal can block the chain. The consequences of such a blockage shall be addressed in the smart contract.
Next, it is relevant to note that the blockchain provides proof of any misconduct by a participant, with identification and date. No specific rule on the non-execution of smart contracts has yet been adopted. As a result, the standard legal rules on non-performance of contracts and enforcement measures will apply.
Blockchain may help artists in providing evidence for their copyright.
Based on Article 1 of the law of 18 April 2001 on copyright, related rights and databases, as amended, a literary and artistic work can be protected by copyright if the criterion of originality of the work is met. The source code written by developers can also be protected by copyright if originality is demonstrated, on the basis of intellectual collaboration and considerable personalised effort.
As the blockchain records a time stamp and the identity of the person who submitted an entry, it can constitute proof of ownership of an original work, idea, concept or process registered on the blockchain. This mechanism can constitute an alternative to the i-Depot granted by the Benelux Office for Intellectual Property. However, specific attention has to be paid to the ownership of the copyright: the blockchain certifies only what was registered, by whom and when, so any alteration of the information before it was recorded cannot be detected afterwards, and it cannot certify that the registrant is actually the author or right holder.
The patentability of the software developed to host blockchain can also be analysed in Luxembourgish laws. The patent is only granted if the conditions provided by Article 4 of the law of 20 July 1992, amending the system of patents for inventions, as amended – pursuant to which "new inventions involving an inventive step and susceptible of industrial application" are patentable – are respected.
Different legal challenges arise at every stage of the processing of personal data.
The processing itself and the structure of the blockchain shall be implemented following the principle of “privacy by design/by default”.
It is generally accepted that the participants in the blockchain are considered data controllers (defined in 1 Cloud Computing: The Processing of Personal Data in the Context of the Cloud), either as independent controllers or as joint controllers if they jointly determine the specific purpose of the processing of personal data carried out on the blockchain. Persons who check and validate the registration of transactions, called miners, are considered data processors.
As mentioned under 1 Cloud Computing: The Processing of Personal Data in the Context of the Cloud, the relationship between the data controller and the data processor shall be contractually settled in a DPA, setting out the obligations provided by Article 28 of the GDPR. In its analysis of blockchain solutions, the CNIL notes that participants, whether miners or not, can be located in countries outside the EU; this raises the question of the obligations applicable to transfers outside the EU. Consequently, the geographical scope is linked to the location of the participants. In a private blockchain, the participants should be easy to identify, and block validation outside the EEA shall comply with the appropriate safeguards described in 1 Cloud Computing. If the parties are considered joint controllers, their arrangement must comply with Article 26 of the GDPR. For a public blockchain, "the CNIL observes that these safeguards are harder to implement (…), given that the data controller has no real control over the location of miners."
In its blockchain whitepaper, ILNAS has issued some information concerning data protection rights foreseen by the GDPR.
The immutability of the blockchain conflicts with some GDPR principles. Indeed, as data cannot be removed retroactively from the blockchain, the following points, among others, can be mentioned:
In practice, for private blockchain, processed data can be deleted. For public blockchain, in order to have the possibility of deleting personal data, the French data protection authority (CNIL) recommends that "personal data should not be stored in the blockchain itself, but only information that makes it possible to prove the existence of the personal data in question (using, for example, a cryptographic commitment or a fingerprint from a key hash function). The removal of the link between the personal data stored outside the blockchain and the information that proves the existence of the personal data in question could be sufficiently similar to an outright deletion of the data."
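The CNIL recommendation quoted above, as an added example that is not part of this guide and is not code published by the CNIL or any other authority: the personal data and a random per-record key stay in an off-chain store under the controller's control, only a keyed fingerprint (HMAC-SHA-256) is written to the ledger, and erasure means deleting the off-chain record and key. The `Ledger`, `OffChainStore` and `SAMPLE_RECORD` below are constructed for illustration. The example also shows why the fingerprint should be keyed rather than a plain hash: an unkeyed hash of a guessable value (an e-mail address, an IBAN) can be linked back to the person by enumerating guesses, which defeats the purpose of keeping the data off-chain.

```python
# Added example (not from the original guide): personal data kept off-chain,
# only a keyed fingerprint on the immutable ledger, erasure by unlinking.
# Ledger, OffChainStore and SAMPLE_RECORD are constructed for illustration.
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample record containing personal data; it is never written on-chain.
SAMPLE_RECORD = b"customer=alice@example.com;iban=LU000000000000000000"


class Ledger:
    """Append-only list standing in for the blockchain: entries cannot be removed."""

    def __init__(self) -> None:
        self._entries: list[bytes] = []

    def append(self, fingerprint: bytes) -> None:
        self._entries.append(fingerprint)

    def contains(self, fingerprint: bytes) -> bool:
        return fingerprint in self._entries


class OffChainStore:
    """Controller-operated store holding each record together with its own HMAC key."""

    def __init__(self) -> None:
        self._rows: dict[bytes, tuple[bytes, bytes]] = {}

    def put(self, fingerprint: bytes, key: bytes, record: bytes) -> None:
        self._rows[fingerprint] = (key, record)

    def get(self, fingerprint: bytes) -> tuple[bytes, bytes] | None:
        return self._rows.get(fingerprint)

    def erase(self, fingerprint: bytes) -> None:
        """Erasure request: drop record and key; the on-chain fingerprint becomes an orphan."""
        self._rows.pop(fingerprint, None)


def fingerprint_of(key: bytes, record: bytes) -> bytes:
    """Keyed fingerprint (HMAC-SHA-256): without the key it cannot be matched against guesses."""
    return hmac.new(key, record, hashlib.sha256).digest()


def register(record: bytes, ledger: Ledger, store: OffChainStore) -> bytes:
    """Commit a record: fresh random key, fingerprint on-chain, key and record off-chain."""
    key = secrets.token_bytes(32)
    fp = fingerprint_of(key, record)
    ledger.append(fp)
    store.put(fp, key, record)
    return fp


def prove_existence(fp: bytes, ledger: Ledger, store: OffChainStore) -> bool:
    """True only while the chain holds fp and the off-chain key and record recompute to it."""
    row = store.get(fp)
    if row is None or not ledger.contains(fp):
        return False
    key, record = row
    return hmac.compare_digest(fingerprint_of(key, record), fp)


def link_by_guessing(on_chain_value: bytes, guesses: list[bytes]) -> bytes | None:
    """Attacker model: compare an on-chain value with the plain SHA-256 of each guess."""
    for guess in guesses:
        if hmac.compare_digest(hashlib.sha256(guess).digest(), on_chain_value):
            return guess
    return None


def demo() -> dict[str, bool]:
    ledger, store = Ledger(), OffChainStore()
    fp = register(SAMPLE_RECORD, ledger, store)
    provable_before = prove_existence(fp, ledger, store)
    store.erase(fp)  # the data subject exercises the right to erasure
    provable_after = prove_existence(fp, ledger, store)
    # Constructed guess list an attacker might hold; the real record is among the guesses.
    guesses = [b"customer=bob@example.com;iban=LU000000000000000001", SAMPLE_RECORD]
    unkeyed_hit = link_by_guessing(hashlib.sha256(SAMPLE_RECORD).digest(), guesses)
    keyed_hit = link_by_guessing(fp, guesses)
    return {
        "still_on_chain": ledger.contains(fp),  # the chain is never rewritten
        "provable_before": provable_before,
        "provable_after": provable_after,  # link broken by erasure
        "unkeyed_hash_linked": unkeyed_hit == SAMPLE_RECORD,  # plain hash is guessable
        "keyed_fingerprint_linked": keyed_hit is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is the per-record key: a single key shared across records would make a later erasure incomplete, because the key would have to survive for the other records, and anyone who obtained it could still test guesses against the orphaned fingerprint. A fresh 32-byte key per record means deleting that one row removes everything needed to link the on-chain value to a person.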
The identities of the parties to a transaction should not be revealed to unauthorised third parties by the information written to the blockchain. Personal and transaction data should be accessible only to authorised parties, unless one of the counterparties chooses to disclose this information.
Creating huge data repositories on a blockchain increases the risk of security breaches. Blockchain operators will need to take cybersecurity particularly seriously to avoid potential regulatory and liability actions and reputational damage. Provisions foreseen by the Directive on security of network and information systems (NIS) and the GDPR should be followed, particularly regarding the obligation of notification in case of cybersecurity breach and personal data breach.
Based on Articles 509-1 et seq. of the Penal Code and Luxembourgish legal scholarship, the data held in a blockchain is data processed in an automated data processing system, so that any attempt to interfere with the operation of the system or to modify a blockchain without authorisation constitutes a computer crime.
No major jurisdictional issue has arisen so far. Blockchain can be an interesting means of avoiding some litigation; for instance, in the art market, it is considered a protection against counterfeiting. Indeed, a blockchain records transactions, including their full history, in a tamper-evident manner. When art experts authenticate an artwork, their decision can be recorded with certainty in a unique and tamper-proof manner. This could replace an authenticity certificate.
The smart contract shall include a dispute resolution provision stating the applicable law and the competent jurisdiction. The legitimacy of a judge could be questioned because of the automatic execution, and recourse to arbitration could be a relevant solution for settling potential disputes.
Before going any further, the different terms and their interactions must be defined. The expression "Big Data" refers to large sets of varied data generated at a high rate, together with the technologies associated with processing such data. The data is processed with the help of technological solutions and concepts such as artificial intelligence (AI), which comprises subfields such as machine learning.
In practice, technology will often be ahead of the legal framework for data management. As a result, Luxembourg shall rely on the existing rules for the processing of data (ie, the GDPR and the law of 1 August 2018 on the organisation of the CNPD and the general data protection regime) and shall adapt through strategies and specific regulations.
Luxembourg strategy for AI
At a national level, the government issued its strategic vision for AI on 24 May 2019.
Luxembourg's vision of AI is one of technology that can "easily apply and improve the lives of all citizens" on the one hand, and "consolidate the regional pole of excellence in AI research, at an international level" on the other.
Considering this documentation, the legal challenges that can arise relate to the following topics:
One of the main technical issues is the large volume of data processed, which overruns processing and storage capacity. As a consequence, data controllers and data processors shall process these large and varied data sets in compliance with the data minimisation principle.
Privacy by design/by default
According to Article 25 of the GDPR, all products developed with technologies based on Big Data shall be developed according to the principle of privacy by design/by default from the beginning of the project. For instance, if a chatbot (an automated conversation service based on AI) is put in place, the user, who is the data subject, shall (i) give his/her consent, and (ii) be informed about:
Assimilation to profiling
One of the objectives of Big Data is to detect and anticipate new opportunities, for instance on the basis of user behaviour; such analysis may amount to profiling within the meaning of the GDPR.
Based on Articles 15.1 and 22 of the GDPR, the data subject has the right to obtain information about the existence of automated decision-making, including profiling, and the right not to be subject to a decision based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her.
Contractual clauses and liability
In the absence of a specific legal regime or case law to date, the question of intellectual property, its ownership and its transfer has to be solved through contractual provisions.
For now, in Luxembourgish law, a robot or any process created by AI has no legal personality. As a consequence, in practice, the standard liability foreseen by the Civil Code is applicable.
The aim would be to focus the liability on the person with the ability to minimise the risk of damage, whereby the liability would be proportional to the degree of autonomy of the robot.
In the contractual relationship between the programmer of the AI and the user, liability may arise either because the user has received a product that does not correspond to the qualities he/she could have expected or because the AI has caused him/her damage.
Regarding third parties, the Civil Code provides for liability for things in one's custody (responsabilité du fait des choses, Article 1384 al. 1 of the Civil Code). The notion of a thing must here be understood as also covering an object incorporating AI, and the producer of the object incorporating the AI may be liable on this basis. The difficulty lies in the fact that neither the user nor the producer of the thing can ensure total control over it, since an object with AI is autonomous.
The grant of copyright is conditional on a creation of the human mind, which a system created with AI will never possess. As a consequence, the status of an original literary and artistic work cannot be granted to something created by AI.
Machine-to-machine Communications, Communications Secrecy, Data Protection, etc
Restrictions affecting a project's scope
The Internet of Things (IoT) has been defined by the Article 29 Working Party (WP29), in its opinion 8/2014, as "an infrastructure in which billions of sensors embedded in common, everyday devices – things as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities."
The term covers "smart things" – wearable computing objects and clothes, quantified-self objects, home automation (domotics) – that communicate with homes, cars, the work environment and physical activities. Examples include heating systems that are switched on remotely with a smartphone, refrigerators that signal the expiration of food, transport systems that can automatically increase the number of runs based on registered access to turnstiles, and smart watches that alert the wearer’s doctor to any body abnormalities.
The possibility for things to "dialogue" and interact with each other through sensors, without human intervention and through electronic communication networks, presents undoubted advantages for everyday life, but it also involves risks that should not be underestimated.
The IoT triggers various legal issues relating to data protection, security and contractual or non-contractual liability that need to be considered.
The interconnection of things and systems – which affects not only smartphones and PCs but also wearable devices and home automation systems – involves the collection, recording and processing of the data of users, who are often unaware that this is being done. Such data not only allows the building of detailed profiles of people based on their behaviour, habits, tastes and even their state of health, but also enables particularly invasive monitoring of users’ privacy to be carried out, and the imposition of potential constraints on their freedom.
From the international survey titled Privacy Sweep 2016, conducted by 26 privacy authorities belonging to the Global Privacy Enforcement Network (GPEN) – of which the CNPD is also a part – it was found that, on more than 300 devices connected to the Internet (such as smart watches and bracelets, electronic meters and thermostats), more than 60% failed the scrutiny of the privacy authorities.
Under today’s legal framework, the collection of data that can directly or indirectly identify an individual – that is, personal data – involves the application of the GDPR and, when a data controller is established in Luxembourg or uses equipment situated in Luxembourg, the law of 1 August 2018 mentioned above.
The controller must carry out a data protection impact assessment according to Article 35 of the GDPR before any new applications are launched in the IoT. This assessment is aimed at identifying and adopting the appropriate measures and mitigating the risks to the rights and freedom of data subjects. In this regard, the principles of "privacy by design" and "privacy by default" have high priority.
Under Article 25 of the GDPR, the controller must adopt technological solutions to guarantee the privacy of users, starting from the design stage of services and products. Furthermore, to avoid any prejudice to the rights and freedoms of data subjects, the controller must implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation, collecting and storing only necessary data, expelling redundant or marginal data, and keeping data for no longer than necessary in relation to the purpose for which it was collected or further processed.
Privacy protective settings of devices and apps require that, by default, personal data is not made accessible without the individual’s intervention, nor to an indefinite number of natural persons. Moreover, personal data not necessary for the services offered through the IoT should not be collected or stored.
Transparency must be ensured through clear information and granular consent of the users, which has to be free, informed and specific.
Finally, according to Articles 13 and 14 of the GDPR, the controller must provide the data subjects with an adequate privacy notice, containing clear information on data processing, the categories of data concerned, the purposes of processing, all the subjects involved in the data flow, the period for which the personal data will be stored and the existence of the right to request access to and rectification of personal data from the controller.
The IoT raises security issues that must be addressed by achieving the right balance between device security and battery efficiency.
Less secure connected devices represent potentially efficient new attack vectors. For example, devices that use a wireless communications infrastructure and have limited energy and computing resources are vulnerable to physical attacks.
The controller must protect data against unlawful access or any other unlawful forms of processing.
According to Article 32 of the GDPR, the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In practice, this requires the controller to: (i) perform security assessments of systems as a whole, including at component level, applying principles of composable security; (ii) use certifications for devices; and (iii) align with internationally recognised security standards.
Finally, an adequate data breach notification policy should also cover the negative effects of software and design vulnerabilities.
Contractual and non-contractual liability
The unlawful use of smart devices raises questions relating to contractual or liability issues. Here, the reference should be to the provisions of the Luxembourg Civil Code (Articles 1146 et seq. and Articles 1382 et seq.) and the Luxembourg Law of 21 April 1989 concerning liability due to defective products.
Specific Features of the Local Legal Framework
Please see 1 Cloud Computing regarding the general provisions on cloud contracts.
IT service agreement on financial sector
Specific provisions for service providers are laid down in Article 41 of the law of 5 April 1993 on the financial sector, as amended. Some IT providers can qualify as support PSF and are supervised by the CSSF, with specific obligations applying to them. IT outsourcing in the financial sector is regulated by Articles 29-3 and 29-4 of the law of 5 April 1993 on the financial sector, as amended. The law distinguishes between operators of primary IT systems of the financial sector and operators of secondary IT systems and communication networks of the financial sector.
IT outsourcing may also be regulated as follows by the law of 1 August 2018, as mentioned above:
The common legal provisions are applicable to any contractual relationship, particularly provisions of the Civil Code.
The allocation of intellectual property rights shall be provided for in the contract as assigned rights and use of work performed.
Rules that are Typically Excluded
Based on the Civil Code, a limitation-of-liability clause that deprives an essential obligation of the contract of its substance (for instance, by excluding liability for failure to perform a corrective maintenance service for a product under contract) is deemed unwritten.
Core Rules Regarding Data Protection
The core rules regarding data protection are mentioned in the following texts:
Distinction Between Companies/Individuals
Personal data within a legal entity
The personal data of a person who is part of a legal entity (eg, members of the board, shareholders, employees) is regulated by the GDPR.
Business data regarding legal entities does not fall under the scope of the GDPR. Data that is considered confidential could be protected by a non-disclosure agreement.
Trade secrets can also be an effective means of protecting business data. The Luxembourg law of 26 June 2019 on the protection of know-how and undisclosed commercial information (trade secrets) against unlawful obtaining, use and disclosure transposes Directive (EU) 2016/943 of 8 June 2016 of the same name. Article 2 of the law defines a trade secret by reference to the following cumulative conditions:
General Processing of Data
On 14 November 2018, Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data was adopted. Based on its Article 3, non-personal data means data other than personal data as defined by the GDPR. The regulation lays down the principle that data localisation requirements are prohibited unless justified on grounds of public security. Consequently, by 30 May 2021, Luxembourg will have to repeal any existing data localisation requirement, laid down in a law, regulation or administrative provision, that does not comply with this principle.
Processing of Personal Data
National law does not depart from the GDPR principles of transparency, fairness and lawfulness of personal data processing, which have to be followed. The law of 1 August 2018 lays down specific provisions on the processing of employees' personal data.
Data Loss Prevention Tools, Web Traffic Monitoring, Extensive Private E-mail Use, etc
The CNPD took an interest in this topic and expressed its view on the balance between the employees' fundamental right to privacy at work and the employer's right to protect company assets, including business data. The main principle is the right of each employee to a private life in the workplace. With the implementation of the GDPR, the Labour Code has been amended with regard to the monitoring of employees. Indeed, the new Article L.261-1 of the Labour Code provides that the monitoring of the use of company computer resources shall be transparent and proportionate and shall be made known to employees.
GDPR documentation requirement
In March 2019, the CNPD published a list of processing activities that require a data protection impact assessment ("DPIA"), including the regular and systematic monitoring of employees' activities.
Two conditions are provided by Articles 35 and 36 of the GDPR, which are as follows:
Where the use of computer resources for private purposes cannot be forbidden, the degree of tolerance of private use shall be determined by the employer. In any event, such use must remain reasonable and must not affect the proper functioning of the company, including the integrity of its computer network and the productivity of its employees.
Information regarding the employees’ data processing shall be provided on an individual basis in the employment contract, and collectively in an appendix of the company’s internal rules, IT charter and privacy notice disseminated to the employee and the employee representatives (staff delegation or joint work committee), or the labour inspectorate (Inspection du Travail et des Mines) if no employee representation has been put in place.
It shall be noted that the staff delegation – or the employees if there is no staff delegation – may request a preliminary opinion from the CNPD within 15 days of the prior information notice. In turn, the CNPD has to adopt its opinion within one month of the request. If such a request is filed, processing must be suspended pending the opinion.
The employee shall be informed by the employer of the following:
The principle of proportionality requires any implemented monitoring system to be weighted according to the concrete risks that the employer intends to prevent.
The following may be stated as general principles:
In practice, it is recommended for the company’s documentation to mention, at least, the prohibition of the following:
Access to professional and private documents
To mitigate the risks associated with the use of professional computer tools where private use is authorised or at least tolerated, it is usually recommended to implement rules in the company requiring a mandatory separation between private and professional documents. For instance, Luxembourg case law provides that correspondence, documents and files generated or received by the employee on the business-owned computer tool are professional, unless the employee has clearly marked them otherwise (eg, "private" in the subject of the message or in the file name). As a result, all documents not identified as private, or stored outside the folder reserved for private documents, should automatically be considered professional, and the employer's access to professional documents is unrestricted.
If the employer is dealing with private documents, it may not access their content without the presence of the employee. Unauthorised access to private documents by the employer may be subject to the sanctions specified in the GDPR and may give rise to civil or even criminal liability of the employer.
Technologies Falling Within the Scope of Local Rules
Over the past ten years, the telecommunications regime has evolved within the European legislative framework. The Luxembourg law of 27 February 2011 on electronic communications networks and services (Telecom Act), as amended, implements Directive 2009/140/EC on electronic communications networks and services and Directive 2009/136/EC on citizens’ rights.
The Telecom Act has been slightly modified in the following ways:
The Telecom Act will also be modified by the transposition of the European Electronic Communication Code, which will have to be done by 21 December 2020.
Technologies related to electronic communications networks (as "transmission systems which permit the conveyance of signals by wire, by radio") and electronic communications services ("service which consists (…) in the transmission of signals over electronic communications networks"), as defined by the law, fall within the scope of local rules. However, "services consisting of the provision of, or exercising editorial responsibility for, content using electronic communications networks and services" are excluded.
The Telecom Act does not specifically mention VoIP services. In principle, providers of VoIP services are exempt from the obligation to file a notification to the ILR.
Radio Frequency Identification tags ("RFID tags")
The Radio Equipment Directive (RED) sets standards for all radio-enabled devices, particularly covering Wi-Fi, Bluetooth and 5G devices. RED is also applicable to certain types of RFID products.
A piece of radio equipment is defined as an "electrical or electronic product, which intentionally emits and/or receives radio waves for the purpose of radio communication (…) which must be completed with an accessory, so as to intentionally emit and/or receive radio waves for the purpose of radio communication and/or radio determination." For instance, radio equipment that is marketed in EU Member States must bear the CE marking.
According to the guide to RED issued by the EC, RFID tags "are radio equipment within the scope of the RED and the manufacturer is responsible for compliance. Due to the nature or size, CE marking, contact details and other required information may not be affixed on it. The RED is not applicable to passive RFID products, which is defined as RFID products without a battery, for instance, RFID cards, tokens and passports."
Requirements Prior to Bringing a Product/Service to the Market
Article 8 of the Telecom Act, as amended, establishes a general authorisation regime. A notification must be filed with the ILR "at least 20 days" before the launch of a telecommunications service in Luxembourg, including "a description of the electronic communication networks or services and the launch date of the activities". All notified companies that provide telecommunications services must pay an administrative fee. According to Article 37 of the Telecom Act, as amended, all notified companies have the right to use "public facilities on the public state and municipalities domains" with "access to technical accommodation and equipment". The installation of resources must be carried out in the least damaging conditions for the public areas concerned, while respecting the environment and the aesthetic quality of the premises. If the domain is already used by another notified entity, an agreement on the sharing of the installations must be submitted.
To guarantee the security of the electronic communications network or service, adequate technical and organisational measures must be put in place. In the case of a security breach or loss of integrity that has a significant effect on the operation of networks or services, notification to the ILR is mandatory; the CNPD must also be notified if the incident involves personal data.
Notified companies providing electronic communications services shall make the technical data and equipment necessary for the fulfilment of their lawful communications monitoring tasks available to the competent authorities in the field, on their own initiative and free of charge.
Non-compliance by a company with the Telecom Act, as amended, with the regulations and specifications adopted in its execution, or with the ILR’s regulatory measures is subject to an administrative fine of up to EUR 1 million or disciplinary sanctions.
Main Requirements for Providing an Audiovisual Service
The Luxembourg Independent Audiovisual Authority (Autorité Luxembourgeoise Indépendante de l’Audiovisuel – ALIA) is the public establishment in charge of the supervision of audiovisual and sound media services. It exercises its functions in the framework defined by the law of 27 July 1991 on electronic media, as amended.
"Audiovisual media" can be defined as any service that is either a media service or an audiovisual service – ie, radio or television. A media service is defined as a "service that falls under the editorial responsibility of a media and whose main purpose is the provision of audiovisual programmes for the purpose of informing, entertaining or educating the general public or for the purpose of ensuring commercial communication, through communications networks electronic media services."
The requirements are set out in Article 3 et seq. of the law of 27 July 1991 on electronic media, as amended.
Transmission of a television or radio service of any nationality is qualified as a broadcast service based on the following:
This permission is personal and not transferable. A copy is transferred to the Minister of Telecommunications.
The form used to request a concession for the provision of a media service from Luxembourg is available on the Luxembourgish administrative guide (guichet.lu). Every licence comes with specifications stating the operating conditions to be respected.
Specifications vary depending on the type of licence obtained; they may contain, among other things, provisions on royalties to be paid to the Public Treasury or on the surveillance of content by the ALIA.
Requirements for Companies with Online Video Channels
The Audiovisual Media Services Directive 2018/1808 of 14 November 2018 has established new provisions on the Video-Sharing Platform Service (VSPS). A VSPS is a service "devoted to providing programmes, user-generated videos, or both, to the general public, for which the video-sharing platform provider does not have editorial responsibility, in order to inform, entertain or educate (…)." A specific chapter of the Directive applies to the VSPS. The Directive introduces several obligations, including the obligation to provide "transparent, easy-to-use" and effective procedures for the handling and resolution of complaints between the platform provider and its users relating to "hate speech", harmful advertising or the protection of minors. Use of the personal data collected from minors for commercial purposes is prohibited.
This Directive shall be transposed into national law before 19 September 2020.
Legal Requirements Governing the Use of Encryption
Encryption renders data unintelligible to any person who is not authorised to access it: the sender encrypts with an encryption key and the recipient decrypts with the corresponding decryption key. On this topic, a balance must be struck between security, the protection of confidentiality and the ability to know the content of the data.
Encryption is one of the security measures required by Article 32 of the GDPR; its absence may be subject to the sanctions specified in the GDPR.
Luxembourg national legal framework
In the Luxembourgish legal framework, Article 3 of the law of 14 August 2000 on electronic commerce, as amended, foresees the freedom to use cryptographic techniques. Article 4 of the law of 30 May 2005, as amended, provides an obligation on operators and providers of electronic communications services to guarantee the confidentiality of electronic communications.
The law of 28 July 2011 transposes Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 on universal service and users' rights relating to electronic communications networks and services. In practice, it is recommended to have information transfer policies and procedures in place, and to be aware of what the market offers in terms of encryption category (eg, AES-256), secure attachments and data recovery capability.
For now, Luxembourg has no specific regulation concerning judicial authority authorisation to decrypt seized data obtained in a legal context. Pursuant to Article 66(4) of the Code of Criminal Investigation, the investigating judge would be able to order any person "of whom he considers that he has special knowledge" related to the encryption mechanism to allow the encrypted data to be understood. The designated person, who will be "required to assist", could be a user of the encryption software, its developer (regardless of whether the developer has thrown away the decryption keys) or any other third party specialised in the field.
Pursuant to Article 509-2 of the Penal Code, the fact of encrypting data of a third party, recorded on a third-party device, without consent constitutes a cybercrime intrusion, basically involving fraudulent access to or maintenance of the system.
Does the Use of Encryption Exempt an Organisation from Certain Rules?
Article 34 of the GDPR, Article 3 of the law of 28 July 2011 related to privacy and Article 30 of the law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters foresee that the data controller shall not be required to inform the data subject about a personal data breach if the subject’s personal data was encrypted.