TMT 2020 Comparisons

Last Updated February 21, 2020

Contributed By Wildgen S.A.

Law and Practice


Wildgen S.A. has been at the heart of legal practice in Luxembourg since 1923, serving its clients as an independent full-service business law firm. Today it is known as one of the best law firms in the country, possessing a strong track record and offering sound technical expertise. In 2018, Wildgen opened its first international representative office in London. Wildgen’s practice groups offer a complete range of legal, regulatory and tax services and a wealth of experience on domestic and cross-border transactions. They provide integrated services and work closely together so the firm can act as a one-stop shop. They enjoy a solid reputation in the following practice areas: banking and finance, corporate and M&A, data/IP/TMT, dispute resolution and litigation, employment, insurance and reinsurance, investment funds and tax. Wildgen embraces commercial and ethical principles, such as being transparent and efficient in the work it delivers, and placing an emphasis on excellence, proactivity, responsiveness and diversity.

Laws and Regulations in Relation to the Cloud

In Luxembourg, the cloud is mainly regulated by circulars issued by the Luxembourg Financial Sector Supervisory Commission (Commission de Surveillance du Secteur Financier – CSSF).

CSSF circulars are applicable to all professionals in the financial sector (Professionnels du Secteur Financier – PSF), which are classified into the following three categories: investment firms, specialised PSF and support PSF. In addition to PSF, the circulars on cloud computing apply to payment institutions, electronic money institutions and investment fund managers.

The following are the main CSSF circulars that are relevant to the cloud:

  • Circular n° 17/655, dated 17 May 2017, updating the outsourcing provisions mentioned in Circular CSSF 12/552 on central administration, internal governance and risk management. This circular confirms that the requirements for outsourcing based on a cloud computing infrastructure are only governed by Circular 17/654.
  • Circular n° 17/654, dated 17 May 2017, regarding IT outsourcing relying on a cloud computing infrastructure. This circular defines the legal regime applicable to the cloud computing outsourcing through several criteria mentioned in points 14–17 of the circular, which are as follows:
    1. on-demand self-service;
    2. broad network access;
    3. resource pooling;
    4. rapid elasticity;
    5. measured service;
    6. no access by the cloud computing service provider to data and systems held by the client in the cloud without (i) its prior and express authorisation and (ii) the existence of a monitoring system of such access made available to the client (exceptional); and
    7. no manual interaction by the cloud service provider in the daily management of the cloud computing resources used by the client.
  • Circular 19/714, dated 27 March 2019, updating Circular 17/654 regarding IT outsourcing relying on a cloud computing infrastructure. This circular introduces a distinction between material and non-material activities.

An outsourced function, activity or service in the cloud may be considered material if it meets the following conditions:

  • from a technical point of view, the safety and availability of operations depend on it; and
  • from a business point of view, it is considered critical or important for the company’s core business, and any malfunction may affect financial, regulatory or reputational elements.

Finally, this circular introduces an obligation for PSF to create a register containing all items processed in a cloud environment.

For completeness, Article 567 of the Commercial Code, as amended by the law of 9 July 2013, must be mentioned. The new version of Article 567 expressly covers the right to reclaim non-fungible tangible personal property (biens meubles corporels non fongibles), particularly in the event of the bankruptcy of the cloud computing service provider. In this event, a client using the cloud can retrieve the relevant data and files.

Specific Industries with Greater Regulation

Due to the CSSF circulars mentioned above, the financial sector is subject to specific rules. Moreover, Article 41 of the law of 5 April 1993 has been amended by the law of 27 February 2018 and now facilitates outsourcing, with an extension of the exceptions to banking secrecy. For instance, confidential data may be available to another PSF bound by professional secrecy obligations as follows:

  • according to an outsourcing contract; and
  • if the client has accepted – in accordance with the law or conditions agreed between the parties – the outsourcing of services, the type of information to be transmitted in the framework of the outsourcing and the country of establishment of the service provider.

The Processing of Personal Data in the Context of the Cloud

The processing of personal data in the cloud context is subject to the General Data Protection Regulation 2016/679 of 27 April 2016 (GDPR), and shall be ensured through provisions set out in a Data Processing Agreement (DPA) attached to the cloud computing service contract. The DPA has to be concluded between the client (ie, the data controller that decides on the processing of personal data) and the cloud provider (ie, the data processor that processes personal data under the instructions of the data controller).

Before going into detail on the provisions of the contract, it can be recommended in practice, as a preliminary step and in order to select the right cloud provider, to rely on an outsourcing policy and to carry out a pre-outsourcing risk assessment.

The Luxembourgish data protection authority (Commission Nationale pour la Protection des Données – CNPD) has also issued a guideline titled ‘International transfers of personal data’, pursuant to which, among other elements, the data controller must determine the processing of personal data in compliance with all GDPR provisions, such as the lawfulness of processing and the data minimisation principle. In addition, the country in which the supplier is located is relevant for determining the applicable requirements.

Geographical scope

In its 2012 recommendations, the French data protection authority (Commission Nationale de l’Informatique et des Libertés – CNIL) stated that "the cloud contract [should have] a clear and complete indication of the countries hosting the service provider data centres where the data will be processed." Moreover, point 31 of CSSF circular 19/714, mentioned above, notes that, "in the event that the processing, data and systems are distributed to different data centres around the world, at least one of the centres must be located in the European Union and must be able to take over the distributed processing, data and systems if necessary to operate autonomously the cloud computing services." Consequently, it is recommended to determine the geographical scope as the location of the service provider data centre where the data is processed.

When the service provider data centre is located within the European Economic Area (EEA) (EU, Norway, Liechtenstein and Iceland), personal data can be transferred freely if the GDPR’s provisions are respected; outside the EEA, personal data can only be transferred in accordance with Article 44 et seq. of the GDPR, ie, to countries for which an adequacy decision has been taken by the European Commission. If there is no adequacy decision, appropriate safeguards shall be implemented, such as standard contractual clauses, binding corporate rules (used within a group) and codes of conduct or certification mechanisms.

Obligations of Article 28 of the GDPR

Regardless of the location of the storage, some provisions apply to personal data transfer to the data processor and sub-processor. A written agreement must be concluded before the processing that specifies the following, among other things:

  • the obligations of each party in the case of a personal data breach;
  • depending on the choice of the controller, the erasure or restoration of the data to the controller after the performance of the service; and
  • assistance for the controller in ensuring compliance with its security obligations under Articles 32 to 36 of the GDPR, such as the notification of a personal data breach. In any case, the data controller remains liable for the performance of the data processor’s obligations.

Launching or using blockchain provides many opportunities from a technical point of view; however, many legal challenges remain. The doctrine considers that blockchain consists of "technology for storing and transmitting information that is transparent, secure and operates without a central control body. By extension, a blockchain constitutes a database that contains the history of all the exchanges carried out between its users since its creation."

Transactions between the network’s users are grouped by block, and time and date stamped. Each block is validated by certain users, called miners, and transmitted to the network nodes.

Risk and Liability

For a new technology like blockchain, one of the major legal risks is legal uncertainty. Fortunately, the Luxembourgish government was able to respond quickly to this risk through the creation of a legal framework for technologies including blockchain.

The law of 1 March 2019 amends the law of 1 August 2001 on the circulation of securities. Article 18bis of the law of 1 August 2001, as amended, allows financial market participants to perform transactions using distributed ledger technologies like blockchain.

Luxembourg is also involved in the International Organisation for Standardisation (ISO) committee defining a technical certification of blockchain, through the Luxembourg Institute for Normalisation, Accreditation, Safety and Quality of Products and Services (Institut Luxembourgeois de la Normalisation, de l'Accréditation, de la Sécurité et Qualité des Produits et Services – ILNAS). ILNAS issued a whitepaper about blockchain in June 2018, which promoted a better understanding of the blockchain mechanism technologically, economically and in terms of privacy. It also addressed the application of data subject rights from the legal and technical points of view.

The financial sector is involved in addressing risk and liability. On 14 March 2018, the CSSF warned about cryptocurrencies and that "the absence of regulation means that cryptocurrencies could be used in illegal activities." However, the CSSF underlined that its warnings did not concern the blockchain technology used by cryptocurrencies, which it said "could bring certain advantages in their use in the financial sector and in different innovative projects."

The Luxembourgish government will need to update and adapt the legislation according to the blockchain evolution.

In blockchain technology, a distinction needs to be drawn between the following types:

  • private blockchain, which is characterised by its limited access and the fact that only certain pre-approved participants may join it. For this type of blockchain, the risk of identity theft is reduced;
  • public blockchain, which is characterised by its free access and anonymity. In this kind of anonymous blockchain, it is more difficult to control access and functioning, so the application of anti-money laundering and terrorism financing measures shall be enforced very strictly; and
  • consortium blockchain, which is characterised by being semi-decentralised. It differs from public blockchain in that its access is under permission. Control over a consortium blockchain is not granted to a single entity, but rather to a group of approved individuals.

Another legal risk is presented by smart contracts.

A smart contract is a blockchain-based contract that defines contractual obligations in a programming language. It is automatically executed when the coded contractual obligations laid down between the participants are met. In practice, legal doctrine identifies the risks outlined below.

The first risk is related to the contract negotiation and formation.

The main question is whether the consent of the party to a contract that will be translated into programming code could be considered as informed consent as required by Article 1108 of the Civil Code. The consent requirement on contractual obligations negotiated shall be given before the transformation into programming language. A legal officer shall draft the contractual obligations, and then the draft shall be translated into programming language by a developer. Both have to co-operate in order to avoid any misunderstanding, and an obligation of means should be inserted into the developing contract.

The second risk is the contract drafting on the blockchain.

Once recorded and executed, it is usually difficult or nearly impossible to cancel a transaction, even in the case of non-compliant drafting regarding the applicable legal obligations. As a result, the automatic execution may create an illegal situation or circumstance that is undesired by one party.

During the phase of registration and recording in the blockchain, some bugs can occur. If this happens for substantive elements of the contract, Article 1109 of the Civil Code, related to defect of consent, could apply.

The third risk is the execution of contractual obligations in the blockchain.

In a blockchain, the validation of a block before it is added to the chain is guaranteed by the consensus method. A risk is the withdrawal of a participant’s consent: as everybody must agree on the validation of a block, such a withdrawal could cause a blockage. The consequences of a blockage shall be set out in the smart contract.

Next, it is relevant to note that the blockchain provides the proof of any misconduct by a participant, with identification and date. No specific rule related to non-execution of smart contracts has yet been foreseen. As a result, the standard legal rules relating to non-execution of the contract and enforcement measures will be applied.

Intellectual Property

Copyright

Blockchain may help artists in providing evidence for their copyright.

Based on Article 1 of the law of 18 April 2001 on copyright, related rights and databases, as amended, a literary and artistic work can be protected by copyright if the criterion of originality is met. Source code created by developers can also be protected by copyright if the condition of originality is demonstrated, based on intellectual contribution and considerable personalised effort.

As the blockchain structure stores the time, location and identity of the creator, it can constitute proof of ownership of an original work, idea, concept or process put into the blockchain. This mechanism can constitute an alternative to the i-DEPOT offered by the Benelux Office for Intellectual Property. However, specific attention has to be paid to the ownership of the copyright: since information could be modified before being recorded in the blockchain, it may be impossible to certify or verify whether the holder of the intellectual property right is actually the author or right holder.

Patent

The patentability of the software developed to host blockchain can also be analysed in Luxembourgish laws. The patent is only granted if the conditions provided by Article 4 of the law of 20 July 1992, amending the system of patents for inventions, as amended – pursuant to which "new inventions involving an inventive step and susceptible of industrial application" are patentable – are respected.

Data Privacy

Different legal challenges occur at any moment of the processing of personal data.

The processing itself and the structure of the blockchain shall be implemented following the principle of “privacy by design/by default”.

Parties’ qualification

It is generally admitted that the participants in the blockchain are considered data controllers (defined in 1 Cloud Computing: The Processing of Personal Data in the Context of the Cloud), and are independent controllers or joint controllers if they work together to determine the specific purpose of the processing of personal data carried out in the blockchain. Persons who check and validate the registration of the transactions, called miners, are considered data processors.

Geographical scope

As mentioned under 1 Cloud Computing: The Processing of Personal Data in the Context of the Cloud, the relationship between the data controller and data processor shall be contractually settled in a DPA, with mention of the obligations provided by Article 28 of the GDPR. In its analysis of blockchain solutions, the CNIL notes that participants, whether they are miners or not, can be located in countries outside of the EU; this raises the question of the obligations applicable to transfers outside of the EU. Consequently, the geographical scope can be related to the location of the participants. For a private blockchain, the participants should be easily identifiable. A block validation outside the EEA shall respect the appropriate safeguards as developed in 1 Cloud Computing. If the parties are considered joint controllers, the agreement must respect the provisions of Article 26 of the GDPR. For public blockchain, "the CNIL observes that these safeguards are harder to implement (…), given that the data controller has no real control over the location of miners."

GDPR rights

In its blockchain whitepaper, ILNAS has issued some information concerning data protection rights foreseen by the GDPR.

The immutability characteristic of the blockchain conflicts with some GDPR principles. Indeed, as data cannot be removed retroactively from the blockchain, the following points, among others, can be mentioned:

  • data minimisation can be difficult to combine with the blockchain mechanism;
  • the right to rectification of personal data is partially applicable in practice. The data subject can send a request to rectify data included in the blockchain into the nodes. However, in practice, personal data cannot be changed; and
  • the implementation of the right to be forgotten is strongly questioned.

In practice, for private blockchain, processed data can be deleted. For public blockchain, in order to have the possibility of deleting personal data, the French data protection authority (CNIL) recommends that "personal data should not be stored in the blockchain itself, but only information that makes it possible to prove the existence of the personal data in question (using, for example, a cryptographic commitment or a fingerprint from a key hash function). The removal of the link between the personal data stored outside the blockchain and the information that proves the existence of the personal data in question could be sufficiently similar to an outright deletion of the data."
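As an added illustration of the CNIL approach quoted above (not part of the original text), the following Python sketch keeps the personal data and a per-record secret key off chain and writes only an HMAC-SHA256 fingerprint on chain, so that deleting the off-chain record breaks the link to the immutable entry; the `Ledger` and `OffChainStore` classes and all sample values are constructed stand-ins, and the last function shows why an unkeyed hash of low-entropy personal data would not achieve the same result.

```python
"""Off-chain personal data, on-chain keyed commitment (constructed example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Ledger:
    """Append-only stand-in for the blockchain: only fingerprints are written."""
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (record_id, hex digest)

    def lookup(self, record_id: str) -> Optional[str]:
        for rid, fingerprint in self.entries:
            if rid == record_id:
                return fingerprint
        return None


@dataclass
class OffChainStore:
    """Mutable store under the controller's control: (secret key, personal data)."""
    records: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)


def keyed_fingerprint(key: bytes, data: bytes) -> str:
    """Fingerprint from a keyed hash function (HMAC-SHA256).

    Without the key, the digest cannot be linked back to the data, even when
    the data itself is guessable (an e-mail address, a national ID number)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def unkeyed_fingerprint(data: bytes) -> str:
    """Plain SHA-256 of the data: shown here only to contrast with the keyed form."""
    return hashlib.sha256(data).hexdigest()


def register(ledger: Ledger, store: OffChainStore, record_id: str, data: bytes) -> str:
    """Write the fingerprint on chain and the (key, data) pair off chain."""
    key = secrets.token_bytes(32)               # fresh random secret per record
    fingerprint = keyed_fingerprint(key, data)
    ledger.entries.append((record_id, fingerprint))  # immutable part
    store.records[record_id] = (key, data)       # erasable part
    return fingerprint


def prove_existence(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """Proof of existence: recompute the fingerprint from the off-chain pair
    and compare it, in constant time, with the on-chain entry."""
    pair = store.records.get(record_id)
    on_chain = ledger.lookup(record_id)
    if pair is None or on_chain is None:
        return False
    key, data = pair
    return hmac.compare_digest(keyed_fingerprint(key, data), on_chain)


def erase(store: OffChainStore, record_id: str) -> bool:
    """Erasure request: delete key and data off chain; the ledger is untouched,
    but the remaining on-chain digest no longer refers to anything recoverable."""
    return store.records.pop(record_id, None) is not None


def guess_from_dictionary(fingerprint: str, candidates: List[bytes]) -> Optional[bytes]:
    """Check whether a fingerprint is a plain hash of one of a few likely values.

    Against an unkeyed hash of low-entropy personal data this succeeds, which is
    why such a hash on an immutable ledger still behaves like personal data;
    against the keyed fingerprint it finds nothing."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_fingerprint(candidate), fingerprint):
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    email = b"alice@example.com"                # constructed sample value
    fp = register(ledger, store, "rec-1", email)
    print("proof before erasure:", prove_existence(ledger, store, "rec-1"))
    erase(store, "rec-1")
    print("proof after erasure: ", prove_existence(ledger, store, "rec-1"))
    print("ledger still holds:  ", ledger.lookup("rec-1") == fp)
```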

Security

The identities of the parties involved in a transaction should not be revealed to an unauthorised third party from the information written to the blockchain. Personal and transaction data are not available to unauthorised parties unless one of the counterparties chooses to disclose this information.

Creating huge data repositories on a blockchain increases the risk of security breaches. Blockchain operators will need to take cybersecurity particularly seriously to avoid potential regulatory and liability actions and reputational damage. Provisions foreseen by the Directive on security of network and information systems (NIS) and the GDPR should be followed, particularly regarding the obligation of notification in case of cybersecurity breach and personal data breach.

Criminal offence

Based on Article 509-1 et seq. of the Penal Code and the views of Luxembourgish legal authors, the blockchain contains data processed in an automatic data processing system, so that any attempt to interfere with the operation of the system or to modify a blockchain without authorisation constitutes a computer crime.

Jurisdictional Issues

No major jurisdictional issue has arisen so far. Blockchain can be an interesting means of avoiding some litigation – for instance, in the art market, it is considered a protection against counterfeiting. Indeed, the blockchain records protected transactions, including the history of those transactions. Art experts authenticate artwork, and this decision is recorded with certainty in a unique and tamper-proof manner. This could replace an authenticity certificate.

The smart contract shall include a dispute resolution provision mentioning the applicable law and competent jurisdiction. The legitimacy of a judge could be questioned because of the automatic execution, and the recourse to arbitration could be a relevant solution to settle potential disputes.

Definitions

Before going any further, definitions and interactions of the different terms must be provided. The expression "Big Data" refers to a large set of various data obtained at a fast rate and technologies associated with processing data. Data is processed with the help of technology solutions/concepts like artificial intelligence (AI), comprising subfield technology approaches like machine learning.

Big Data

In practice, technology will often be ahead of the legal framework for data management. As a result, Luxembourg shall rely on the existing rules for the processing of data (ie, the GDPR and the law of 1 August 2018 on the organisation of the CNPD and the general regime on data protection) and shall adapt through strategies and specific regulations.

Luxembourg strategy for AI

At a national level, the government issued its strategic vision for AI on 24 May 2019.

Luxembourg's vision of AI is one of technology that can "easily apply and improve the lives of all citizens" on the one hand, and "consolidate the regional pole of excellence in AI research, at an international level" on the other.

Considering this documentation, the legal challenges that can arise relate to the following topics:

  • the guarantee of fundamental rights of ethics and confidentiality; and
  • data transfer: in several fields, Luxembourg will not have a sufficient mass of data. As a consequence, to ensure that these datasets reach their full economic and social potential, some transfers could be required, particularly to advanced AI research centres in neighbouring countries (ie, France and Germany).

Data privacy

Data minimisation

One of the main technical issues is the large volume of processed data, which overruns processing capacity and storage. As a consequence, data controllers and data processors shall process this large set of various data in compliance with the data minimisation privacy principle.

Privacy by design/by default

According to Article 25 of the GDPR, all products developed with technologies based on Big Data shall be developed according to the principle of privacy by design/by default from the beginning of the project. For instance, if a chatbot (an automated conversation service based on AI) is put in place, the user, who is the data subject, shall (i) give his/her consent, and (ii) be informed about:

  • personal data processing;
  • the personal data retention period, with data deleted after this time period;
  • his/her rights; and
  • the capacity and permission of the legal representative (in the case of a minor).

Assimilation to profiling

One of the objectives of Big Data is to detect and anticipate new opportunities – for instance, based on user experiences – which may amount to profiling and is therefore affected by the GDPR.

Based on Articles 15.1 and 22 of the GDPR, the data subject has the right to obtain information about the existence of automated decision-making processing and the right not to be subject to this kind of processing.

Contractual clauses and liability

Contractual clauses

In the absence of a specific legal regime or case law to date, these questions have to be settled through contractual provisions related to intellectual property and its ownership and transfer.

Liability

For now, in Luxembourgish law, a robot or any process created by AI has no legal personality. As a consequence, in practice, the standard liability foreseen by the Civil Code is applicable.

The aim would be to focus the liability on the person with the ability to minimise the risk of damage, whereby the liability would be proportional to the degree of autonomy of the robot.

In the contractual relationship between the programmer of the AI and the user, liability may arise either because the user has received a product that does not correspond to the qualities he/she could have expected or because the AI has caused him/her damage.

Regarding third parties, the Civil Code provides for liability for the fact of things (Article 1384 al. 1 of the Civil Code). The notion of a thing must here be understood as also covering the object incorporating AI. The producer of the object incorporating the AI is liable here. The difficulty lies in that neither the user nor the producer of the thing can ensure total control of it, since an object with AI is autonomous.

Intellectual property

Copyright granting is conditioned by a creation from a human mind, which the system created with AI will never be able to possess. As a consequence, the status of an original literary and artistic work cannot be granted to something created by AI.

Machine-to-machine Communications, Communications Secrecy, Data Protection, etc

Restrictions affecting a project's scope

The Internet of Things (IoT) has been defined by the Article 29 Working Party (WP29), in its opinion 8/2014, as "an infrastructure in which billions of sensors embedded in common, everyday devices – things as such, or things linked to other objects or individuals – are designed to record, process, store and transfer data and, as they are associated with unique identifiers, interact with other devices or systems using networking capabilities."

The term covers "smart things" – wearable computing objects and clothes, quantified-self objects, home automation (domotics) – that communicate with homes, cars, the work environment and physical activities. Examples include heating systems that are switched on remotely with a smartphone, refrigerators that signal the expiration of food, transport systems that can automatically increase the number of runs based on registered access to turnstiles, and smart watches that alert the wearer’s doctor to any body abnormalities.

The possibility for things to "dialogue" and interact with each other through sensors, without human intervention and through electronic communication networks, presents undoubted advantages for everyday life, but it also involves risks that should not be underestimated.

The IoT triggers various legal issues relating to data protection, security and contractual or non-contractual liability that need to be considered.

Data protection

The interconnection of things and systems – which affects not only smartphones and PCs but also wearable devices and home automation systems – involves the collection, recording and processing of the data of users, who are often unaware that this is being done. Such data not only allows the building of detailed profiles of people based on their behaviour, habits, tastes and even their state of health, but also enables particularly invasive monitoring of users’ privacy to be carried out, and the imposition of potential constraints on their freedom.

From the international survey titled Privacy Sweep 2016, conducted by 26 privacy authorities belonging to the Global Privacy Enforcement Network (GPEN) – of which the CNPD is also a part – it was found that, on more than 300 devices connected to the Internet (such as smart watches and bracelets, electronic meters and thermostats), more than 60% failed the scrutiny of the privacy authorities.

Under today’s legal framework, the collection of data that can directly or indirectly identify an individual – that is, personal data – involves the application of the GDPR and, when a data controller is established in Luxembourg or uses equipment situated in Luxembourg, the law of 1 August 2018 mentioned above.

The controller must carry out a data protection impact assessment according to Article 35 of the GDPR before any new applications are launched in the IoT. This assessment is aimed at identifying and adopting the appropriate measures and mitigating the risks to the rights and freedom of data subjects. In this regard, the principles of "privacy by design" and "privacy by default" have high priority.

Under Article 25 of the GDPR, the controller must adopt technological solutions to guarantee the privacy of users, starting from the design stage of services and products. Furthermore, to avoid any prejudice to the rights and freedoms of data subjects, the controller must implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation, collecting and storing only necessary data, expelling redundant or marginal data, and keeping data for no longer than necessary in relation to the purpose for which it was collected or further processed.

Privacy protective settings of devices and apps require that, by default, personal data is not made accessible without the individual’s intervention, nor to an indefinite number of natural persons. Moreover, personal data not necessary for the services offered through the IoT should not be collected or stored.

Transparency must be ensured through clear information and granular consent of the users, which has to be free, informed and specific.

Finally, according to Articles 13 and 14 of the GDPR, the controller must provide the data subjects with an adequate privacy notice, containing clear information on data processing, the categories of data concerned, the purposes of processing, all the subjects involved in the data flow, the period for which the personal data will be stored and the existence of the right to request access to and rectification of personal data from the controller.

Security

The IoT raises security issues that must be addressed by achieving the right balance between device security and battery efficiency.

Less secure connected devices represent potentially efficient new attack vectors. For example, devices using a wireless communications infrastructure and characterised by limited resources in terms of energy and computing power are vulnerable to physical attacks.

The controller must protect data against unlawful access or any other unlawful forms of processing.

According to Article 32 of the GDPR, the controller must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, perform security assessments of systems and apply principles of composable security. Therefore, it is necessary for the controller to do the following: (i) perform security assessments of systems as a whole, including at the components level; (ii) use certifications for devices; and (iii) align with internationally recognised security standards.

Finally, an adequate data breach notification policy can also cover the negative effects of software and design vulnerabilities.

Contractual and non-contractual liability

The unlawful use of smart devices raises questions relating to contractual or liability issues. Here, the reference should be to the provisions of the Luxembourg Civil Code (Articles 1146 et seq. and Articles 1382 et seq.) and the Luxembourg Law of 21 April 1989 concerning liability due to defective products.

Specific Features of the Local Legal Framework

Please see 1 Cloud Computing regarding the general provisions on cloud contracts.

IT service agreement on financial sector

Specific provisions for service providers are provided by Article 41 of the law of 5 April 1993 on the financial sector, as amended. Some IT providers can be qualified as support PSF and are then under the supervision of the CSSF as regulator, with specific obligations applying to them. IT outsourcing in the financial sector is regulated by Articles 29-3 and 29-4 of the law of 5 April 1993 on the financial sector, as amended. The law distinguishes between primary IT systems operators of the financial sector and secondary IT systems and communication network operators of the financial sector.

Personal data

IT outsourcing may also be regulated as follows by the law of 1 August 2018, as mentioned above:

  • the key issues in IT and telecom outsourcing transactions include security obligations to ensure that suppliers have appropriate security and organisational measures in place to prevent unauthorised access, fraud or theft of data, and procedures to manage possible security and data breaches; and
  • confidentiality obligations may be imposed to ensure that suppliers keep secret the information obtained in connection with the provision of their services. A support PSF may also be subject to professional secrecy.

Contractual provisions

The common legal provisions are applicable to any contractual relationship, particularly provisions of the Civil Code.

Intellectual property

The contract shall provide for the allocation of intellectual property rights, covering both the rights assigned and the use of the work performed.

Rules that are Typically Excluded

Based on the Civil Code, a limitation of liability clause that deprives an essential obligation of the contract of its substance – for instance, the failure to perform a corrective maintenance service for a product under contract – is deemed unwritten.

Core Rules Regarding Data Protection

The core rules regarding data protection are mentioned in the following texts:

  • GDPR (mentioned above);
  • Law of 1 August 2018 (mentioned above);
  • Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters; and
  • Law of 30 May 2005 concerning the specific provisions for protection of the individual on the processing of personal data in the electronic communications sector and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure, as amended.

Distinction Between Companies/Individuals

Personal data within a legal entity

The personal data of a person who is part of a legal entity (eg, members of the board, shareholders, employees) is regulated by the GDPR.

Business data

Business data regarding legal entities does not fall under the scope of the GDPR. Data that is considered confidential could be protected by a non-disclosure agreement.

Trade secrets could also be an effective means of protecting business data. The Luxembourg law of 26 June 2019 on the protection of know-how and undisclosed commercial information (trade secrets) against unlawful obtaining, use and disclosure transposes Directive 2016/943 of 8 June 2016 of the same name. Article 2 of the law defines a trade secret as information meeting all of the following cumulative conditions:

  • it is not generally known or readily accessible to persons normally concerned with this type of information;
  • it has commercial value because it is secret; and
  • it has been kept secret through reasonable steps, under the circumstances, by the person lawfully in control of the information.

General Processing of Data

Non-personal data

On 14 November 2018, a European regulation (2018/1807) on non-personal data was adopted. Based on its Article 3, non-personal data comprises data other than personal data as defined by the GDPR. This regulation lays down the principle that data localisation requirements are prohibited, unless they are justified on grounds of public security. Consequently, by 30 May 2021, Luxembourg will have to repeal any existing data localisation requirements, laid down in a law, regulation or administrative provision, that do not comply with this principle.

Processing of Personal Data

National law does not depart from the GDPR: the principles of transparency, fairness and lawfulness of personal data processing have to be followed. The law of 1 August 2018 foresees specific provisions on the processing of employees’ personal data.

Data Loss Prevention Tools, Web Traffic Monitoring, Extensive Private E-mail Use, etc

The CNPD took an interest in this topic and asserted its view on the balance between employees’ fundamental right to privacy at work and the employer’s right to protect company assets, including business data. The main principle is the right of each employee to a private life in the workplace. With the implementation of the GDPR, the Labour Code has been amended regarding the monitoring of employees. Indeed, the new Article L261-1 of the Labour Code foresees that the monitoring of the use of company computer resources shall be transparent, proportionate and made known to employees.

GDPR documentation requirement

In March 2019, the CNPD published a list of processing activities that require a data protection impact assessment ("DPIA"), including the regular and systematic monitoring of employees' activities.

Two conditions are provided by Articles 35 and 36 of the GDPR, which are as follows:

  • the DPIA shall be done before the processing implementation; and
  • after the DPIA analysis, the CNPD must be consulted by the data controller prior to processing in either of the following cases:
    1. the DPIA results in a high residual risk to the rights and freedoms of individuals; or
    2. no measures have been taken to mitigate the risk.

Company’s documentation

If the use of computer resources for private purposes cannot be forbidden, the tolerance of computer resource use for private purposes shall be determined by the employer. In any event, such use must remain reasonable and not affect the proper functioning of the company, including the integrity of its computer network and the productivity of its employees.

Documentation type

Information regarding the employees’ data processing shall be provided on an individual basis in the employment contract, and collectively in an appendix of the company’s internal rules, IT charter and privacy notice disseminated to the employee and the employee representatives (staff delegation or joint work committee), or the labour inspectorate (Inspection du Travail et des Mines) if no employee representation has been put in place.

It shall be noted that the staff delegation – or the employees if there is no staff delegation – may request a preliminary opinion from the CNPD within 15 days of the prior information notice. In turn, the CNPD has to adopt its opinion within one month of the request. If such a request is filed, processing must be suspended pending the opinion.

Information provided

The employee shall be informed by the employer of the following:

  • the processing of personal data (including purpose, data collected, recipients, storage period of personal data); and
  • the scope of the monitoring system (including overall/detailed control, duration of the monitoring period, and penalties and sanctions for infringements of the provisions).

The principle of proportionality requires any implemented monitoring system to be weighed against the concrete risks that the employer intends to prevent.

The following may be stated as general principles:

  • employees may never be subject to permanent monitoring of the use of their computer tools; and
  • the measures put in place by the employer shall be limited to one-off monitoring and shall follow a gradual intensification of the monitoring ("progressive Kontrollverdichtung"), each step of which must be justified by signs and suspicions previously detected.

In practice, it is recommended for the company’s documentation to mention, at least, the prohibition of the following:

  • visits to certain site categories – for instance, pornographic, racist, terrorist, gambling and social network websites; and
  • the downloading of software that is not used by or configured for the company.

Access to professional and private documents

To mitigate the risks associated with the use of professional computer tools where private use is authorised or at least tolerated, it is usually recommended to implement company rules requiring a mandatory separation between private and professional documents. For instance, Luxembourg case law provides that correspondence, documents and files of the employee that are generated or received on the employee’s business-owned computer tool are professional, unless the employee has included specific clear indications to the contrary (eg, "private" in the subject of the message or in the file name). As a result, all documents not identified as private and stored outside a folder designated as private should automatically be considered professional; the employer’s access to professional documents is unrestricted.

If the employer is dealing with private documentation, it may not have access to the content without the presence of the employee. Unauthorised access to private documents by the employer may be subject to the sanctions specified in the GDPR, and may give rise to the employer being held civilly or even criminally liable.

Technologies Falling Within the Scope of Local Rules

Local rules

Over the past ten years, the telecommunications regime has evolved through the European legislative framework. The Luxembourg law of 27 February 2011 on electronic communications networks and services (Telecom Act), as amended, implements Directive 2009/140/EC on electronic communications networks and services and Directive 2009/136/EC on citizens’ rights.

The Telecom Act has been slightly modified in the following ways:

  • a law dated 7 June 2017 introduced an obligation for the service providers to identify the purchasers of pre-paid services prior to providing the service; and
  • a law dated 27 June 2018 created a centralised database under which all notified entities that provide publicly available electronic communication services and use Luxembourg numbering resources must automatically, by electronic means and through a secure interface, provide the Luxembourg Institute of Regulators (Institut Luxembourgeois de Régulation – ILR) with certain data regarding their clients.

The Telecom Act will also be modified by the transposition of the European Electronic Communication Code, which will have to be done by 21 December 2020.

Technologies related to electronic communications networks (as "transmission systems which permit the conveyance of signals by wire, by radio") and electronic communications services ("service which consists (…) in the transmission of signals over electronic communications networks"), as defined by the law, fall within the scope of local rules. However, "services consisting of the provision of, or exercising editorial responsibility for, content using electronic communications networks and services" are excluded.

Voice-over-IP (VoIP)

The Telecom Act does not specifically mention VoIP services. In principle, providers of VoIP services are exempt from the obligation to file a notification to the ILR.

Radio Frequency Identification tags ("RFID tags")

The Radio Equipment Directive (RED) sets standards for all radio-enabled devices, particularly covering Wi-Fi, Bluetooth and 5G devices. RED is also applicable to certain types of RFID products.

A piece of radio equipment is defined as an "electrical or electronic product, which intentionally emits and/or receives radio waves for the purpose of radio communication (…) which must be completed with an accessory, so as to intentionally emit and/or receive radio waves for the purpose of radio communication and/or radio determination." In particular, radio equipment that is marketed in EU Member States shall bear the CE marking.

According to the guide to RED issued by the EC, RFID tags "are radio equipment within the scope of the RED and the manufacturer is responsible for compliance. Due to the nature or size, CE marking, contact details and other required information may not be affixed on it. The RED is not applicable to passive RFID products, which is defined as RFID products without a battery, for instance, RFID cards, tokens and passports."

Requirements Prior to Bringing a Product/Service to the Market

Notification

Article 8 of the Telecom Act, as amended, establishes a general authorisation regime. A notification must be filed with the ILR "at least 20 days" before the launch of a telecommunications service in Luxembourg, including "a description of the electronic communication networks or services and the launch date of the activities". All notified companies that provide telecommunications services must pay an administrative fee. According to Article 37 of the Telecom Act, as amended, all notified companies have the right to use "public facilities on the public state and municipalities domains" with "access to technical accommodation and equipment". The installation of resources must be carried out under the least damaging conditions for the public areas concerned, while respecting the environment and the aesthetic quality of the premises. If the domain is already used by another notified entity, an agreement on the sharing of the installations shall be submitted.

Security

To guarantee the security of the electronic communications network or service, adequate technical and organisational measures shall be put in place. In case of a security breach or loss of integrity having a significant effect on the operation of networks or services, notification to the ILR is mandatory; the CNPD must also be notified if personal data is involved.

Notified companies providing electronic communications services shall make the technical data and equipment necessary for the fulfilment of their lawful communications monitoring tasks available to the competent authorities in the field, on their own initiative and free of charge.

Sanctions

A company’s non-compliance with the Telecom Act, as amended, with the regulations and specifications adopted for its execution, or with the institute’s regulatory measures is subject to an administrative fine of up to EUR1 million or disciplinary sanctions.

Main Requirements for Providing an Audiovisual Service

The Luxembourg Independent Audiovisual Authority (Autorité Luxembourgeoise Indépendante de l’Audiovisuel – ALIA) is the public establishment in charge of the supervision of audiovisual and sound media services. It exercises its functions in the framework defined by the law of 27 July 1991 on electronic media, as amended.

"Audiovisual media" can be defined as any service that is either a media service or an audiovisual service – ie, radio or television. A media service is defined as a "service that falls under the editorial responsibility of a media and whose main purpose is the provision of audiovisual programmes for the purpose of informing, entertaining or educating the general public or for the purpose of ensuring commercial communication, through communications networks electronic media services."

Requirements are provided for in Article 3 et seq. of the law of 27 July 1991 on electronic media, as amended.

The transmission of a television or radio service, whatever its nationality, qualifies as a broadcasting service and is subject to the following:

  • obtaining prior permission or concession after a public call for proposals with a set of rules and regulations (cahier des charges) for a licence for broadcasting over the air, local radios and radio transmission networks; the call must state "the available frequencies and slots (…), the information to be provided by applicants and the selection criteria of the beneficiaries, the conditions to be met by the beneficiary and the service proposed, the deadline for the submissions"; and
  • for services distributed by cable and broadcast via satellite, an application shall be sent to the “communication and media service with the application form for a service distributed by cable (TV and radio) and all the supporting documents requested in the form”.

This permission is personal and not transferable. A copy is transferred to the Minister of Telecommunications.

The application file for a concession for the provision of a media service from Luxembourg is available on the Luxembourgish administrative guide (guichet.lu). Every licence comes with specifications stating the operating conditions to be respected.

Specifications vary depending on the type of licence obtained; they can contain, among other things, provisions on royalties to be paid to the Public Treasury or on the surveillance of the content by the ALIA.

Requirements for Companies with Online Video Channels

The Audiovisual Media Services Directive 2018/1808 of 14 November 2018 has established new provisions on the Video-Sharing Platform Service (VSPS). A VSPS is a service "devoted to providing programmes, user-generated videos, or both, to the general public, for which the video-sharing platform provider does not have editorial responsibility, in order to inform, entertain or educate (…)." A specific chapter applies to the VSPS. The Directive introduces some obligations, including the obligation to provide "transparent, easy-to-use" and effective procedures for the handling and resolution of complaints between the platform provider and its users related to "hate speech", harmful advertising or the protection of minors. Use of the collected personal data of minors for commercial purposes is prohibited.

This Directive shall be transposed into national law before 19 September 2020.

Legal Requirements Governing the Use of Encryption

Encryption renders data unintelligible to any person who is not authorised to access it: the sender encrypts with an encryption key and the recipient decrypts with the corresponding decryption key. On this topic, a balance shall be struck between security, the protection of confidentiality and the ability to know the content of the data.

GDPR

Encryption is one of the security measures required by Article 32 of the GDPR; its absence may be subject to the sanctions specified in the GDPR.

Luxembourg national legal framework

In the Luxembourgish legal framework, Article 3 of the law of 14 August 2000 on electronic commerce, as amended, foresees the freedom to use cryptographic techniques. Article 4 of the law of 30 May 2005, as amended, provides an obligation on operators and providers of electronic communications services to guarantee the confidentiality of electronic communications.

The law of 28 July 2011 transposes Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 on universal service and users' rights relating to electronic communications networks and services. In practice, it is recommended to have information transfer policies and procedures in place, and to be aware of market possibilities in terms of encryption category (eg, AES-256), secure attachments and data recovery capability.

Penal Code

For now, Luxembourg has no specific regulation concerning judicial authorisation to decrypt data seized in a legal context. Pursuant to Article 66(4) of the Code of Criminal Investigation, the investigating judge may order any person "of whom he considers that he has special knowledge" of the encryption mechanism to make the encrypted data intelligible. The designated person, who will be "required to assist", could be a user of the encryption software, its developer (regardless of whether the developer has discarded the decryption keys) or any other third party specialised in the field.

Pursuant to Article 509-2 of the Penal Code, encrypting a third party’s data, stored on a third-party device, without consent constitutes a computer intrusion offence, essentially fraudulent access to or fraudulent remaining in the system.

Does the Use of Encryption Exempt an Organisation from Certain Rules?

Article 34 of the GDPR, Article 3 of the law of 28 July 2011 related to privacy and Article 30 of the law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal and national security matters foresee that the data controller shall not be required to inform the data subject about a personal data breach if the subject’s personal data was encrypted.

Wildgen S.A.

69, Boulevard de la Pétrusse
L-2320 Luxembourg

+352 40 49 60 1

+352 40 44 09

info@wildgen.lu
www.wildgen.lu