Article 28 of the Constitution states, "(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams."[1801]
Luxembourg's Act concerning the Use of Nominal Data in Computer Processing was adopted in 1979.[1802] The law regulates individually identifiable automated personal records in both public and private computer files. All databanks including personal data have to be authorized, and data subjects have the right to correct their personal data and correct them if inaccurate. The law also requires licensing of systems used for the processing of personal data.[1803]
The Data Protection Act of 2002[1804] governs the processing and use of personal data. It implements the European Union (EU) Data Protection Directive (95/46/EC).[1805] The new law[1806] goes even beyond the framework of the Directive by covering not only natural, but also moral, persons; it contains specific provisions on the processing of medical data by health services,[1807] the processing of personal data for surveillance purposes[1808] and in the workplace[1809]... As yet, no measure has been introduced to implement the EU Directive on Privacy and Electronic Communications.
The Data Protection Act of 2002 created a new data protection authority (the Commission nationale pour la protection des données[1810], or CNPD). The CNPD, created on December 12, 2002,[1811] is an independent agency whose task will be to control the processing of personal data in Luxembourg and ensure the compliance with data protection regulations.[1812]
A Grand-Ducal decree of August 1979 created the Commission à la protection des données nominatives (the Commission). The Commission is charged with overseeing the law and assisting the Minister of Justice with the management of the National Register of Databanks. If an application for personal data processing is granted, and there is an objection raised, or if the application is refused, or the original authorization is withdrawn for some reason, an appeal can be made to the Disputes Committee of the Council of State. The Minister for Justice maintains a national register of all systems containing personal information. Public sector personal data systems can only be established upon the issuance of a special law or regulation. The Advisory Board reviews such proposed laws or regulations. In 1992, the law was amended to include special protection requirements for police and medical data. In 1993, the law was modified to establish an independent control authority pursuant to the Schengen Agreement.
Articles 88-1 and 88-2 of the Criminal Code regulate telephone tapping.[1813] Judicial wiretaps are authorized if it can be shown: that a serious crime or infringement, punishable by two or more years imprisonment, is involved; that there is sufficient evidence to suspect that the subject of the interception order committed or participated in the crime; or received or transmitted information to, from, or concerning the accused; and that ordinary investigative techniques would be inadequate under the circumstances. Orders are granted for one-month periods and may be extended repeatedly as long as the cumulative period does not exceed one year. Administrative wiretaps may also be authorized for national security reasons by a special tribunal appointed by the head of government. These interceptions are granted for three months at a time and must stop once the requested information is received. The communications of persons bound by professional secrecy rules cannot be intercepted and any recordings of such must be destroyed immediately. Information, gathered during judicial and administrative interceptions, but not subsequently used, must be destroyed. In the case of judicial warrants, persons who formed the subject of the warrant will sometimes be informed of the action taken. This law was highly criticized by human rights activists and the Socialist Workers Party when it was first introduced. In fact the law was challenged on numerous occasions before the European Court of Human Rights. That Court, however, ruled that the law violated neither Article 8 (concerning the right to private and family life) nor Article 13 (concerning the right to due process) of the European Convention on Human Rights.[1814]
A Law on Electronic Commerce that implements three European Union Directives (Directive 99/93 on Electronic Signatures, Directive 2000/31/EC on Electronic Commerce, and Directive 97/7 on Distance-Selling) was adopted on August 2000.[1815] This law contains provisions on the privacy rules certification authorities have to comply with, spamming, and the liability of online service providers. A Grand-Ducal regulation on electronic signatures, electronic payments and the setting up of the Electronic Commerce Committee was adopted on June 1, 2001.
The Numerical Identification of Natural and Legal Persons Act of 1979[1816] provides for the introduction of an identity number, consisting of eleven digits (including digits to represent date of birth and sex, nationality, marital status and spouse's name) for every person resident in the country, and a numbering system for companies. The law contains specifications for use of this number: the identification number and other related information can only be used by the public services that are authorized to have access to the index, and is restricted to an internal use. These specifications are loosely drafted, however, and leave it open for the number to be widely circulated. The data protection authority is said to be monitoring the adoption of this number closely.[1817]
There are also sectoral laws on privacy relating to telecommunications,[1818] and banking secrecy. Luxembourg's status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.
In December 2001, the Commission de Surveillance du Secteur Financier (Commission of Surveillance of the Financial Sector) released practical and technical guidelines intended to financial services companies - that, i.e., promote the protection of customers' privacy and the confidentiality of their financial information when launching new online financial services.[1819]
There is no general freedom of information law in Luxembourg. Under the 1960 Decree on State Archives, the archives are to be open to the public, but citizens must make a written request explaining why they want access and ministers have broad discretion to deny requests.[1820] The government announced in August 1999 that it was planning to develop a new press bill including a right to access records.[1821]
Luxembourg is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1822] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1823] In January 2003, Luxembourg signed the CoE Convention on Cybercrime.[1824] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.