I. Legal framework
Constitutional privacy and data protection framework
The Constitution of the Grand Duchy of Luxembourg guarantees a general right to privacy as well as the secrecy of correspondence. Article 11 of the Constitution provides that the State guarantees the protection of one's private life, except if the law provides otherwise. Article 28 states, "(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams."1
Privacy and data protection laws and regulations
The processing and use of personal data in Luxembourg is regulated by the Data Protection Act of 2002 and secondary legislation. Specific matters that affect privacy are governed by sectoral regulations.
Luxembourg's first act concerning the use of nominal data in computer processing was adopted in 1979.2 The law regulated individually identifiable automated personal records in both public and private computer files. All databanks including personal data had to be registered, and data subjects had the right to access their personal data and correct it if inaccurate. The law also required licensing of systems used for the processing of personal data. The law was widely ignored, as it was not in line with modern technology, and compliance was very low.3
It has been replaced by the Act of 2 August 2002 relating to the protection of persons with respect to the processing of personal data (Loi relative à la protection des personnes à l'égard du traitement des données à caractère personnel), as amended by the Laws of 31 July 2006, 22 December 2006, and 27 July 2007 (the "Data Protection Act").4 The Data Protection Act has implemented5 EU Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data.6 The Act entered into force on 1 December 2002.
The Data Protection Act of 2002 governs the processing and use of personal data. The law7 went beyond the framework of the EU Directive by covering not only natural persons but also legal persons (personnes morales). It contains specific provisions on the processing of medical data by health services,8 the processing of personal data for surveillance purposes,9 and the processing of personal data in the workplace.10
An amendment to the Data Protection Act was passed in July 2007 and took effect on 1 September 2007. It modified some of the Act's provisions in order to simplify them. The amendment also extended several exceptions relating to certain situations and professions, and modified certain terms and definitions, such as the concepts of consent, personal data, and surveillance.11
The Data Protection Act applies to "data controllers" ("a natural or legal person, public authority, agency, or any other body which solely or jointly with others determines the purposes and methods of processing personal data") and "data processors" ("any natural or legal person, public authority, administrative body or other entity that processes personal data on behalf of the controller" excluding any of the data controller's employees).12
In December 2004, a Grand-Ducal Decree13 established the conditions under which some data controllers have the option of designating a data protection officer (DPO): an independent person in charge of data processing and compliance with the data protection law. By doing so, they could avoid having to comply with the notification requirements to the Data Protection Commission (Commission nationale pour la protection des données, or CNPD). The CNPD is notified of the appointment of the DPO, who should refer to it any problems that he may encounter in the performance of his duties.
The Data Protection Act follows the framework of EU Directive 95/46/EC,14 including its provisions related to security requirements.15 To assist data controllers in determining the required levels of security, the CNPD has issued standard measures for the security of personal data processing.16
Luxembourg has a sectoral law and a regulation on privacy relating to telecommunications.17 In April 2004, however, the European Commission threatened legal action against the country and seven other countries for failing to implement on time the EU Directive on Privacy and Electronic Communications (2002/58/EC).18 In May 2005, a new law19 (the "2005 law") eventually implemented the provisions of the EU Directive.20
The 2005 law states that any service provider must retain traffic and location data for a period of 12 months for the purposes of prevention, investigation, detection, and prosecution of criminal offences. The 2005 law adopted an "opt-in" system for unsolicited electronic communications and the use of automated calling systems. It also prohibited the use of fax machines or email for the purposes of direct marketing without obtaining the subscriber's prior consent, unless the service provider can make use of the specific exceptions mentioned in the EU Directive. Furthermore, the law provides for criminal sanctions (imprisonment and fines) for breach of the provisions related to spam and unsolicited communications, and a court may ban any illegal processing, together with a penalty payment. Following a recommendation of the CNPD, a new law, introduced on 27 July 2007, reduced the retention period for traffic data from 12 months to six months.21 The 27 July 2007 law clarified some of the provisions of the 2005 law in order to provide a more accurate interpretation of the provisions of Directive 2002/58/EC. The CNPD was consulted during the drafting of the bill.
Data protection authority
The Data Protection Act of 2002 created a new data protection authority, the Commission nationale pour la protection des données (CNPD).22 Created on 12 December 2002,23 the CNPD is an independent agency whose task is to regulate the processing of personal data in Luxembourg and ensure compliance with data protection regulations.24 The Data Protection Act has provided for a public data processing register online, which makes it possible to check whether an authority, company, association, professional, or self-employed worker is likely to hold information about an individual and whether it has declared such processing to the CNPD.
The CNPD has three permanent members and three substitute members, and is assisted by a team of IT and legal specialists.
The main tasks of the Data Protection Commission include:
- the control and verification of the legitimacy and lawfulness of data controllers' collection and use of personal data;
- to ensure implementation of the provisions of the Data Protection Act and its executive regulations;
- to ensure the respect of the freedom and fundamental rights of individuals, and to inform them about their rights; to receive and verify complaints from the public;
- to keep a register of processing operations;
- to render opinions on legislation relating to the processing of personal data;
- to approve codes of conduct submitted by professional associations which represent the controllers;
- to promote the dissemination of information relating to data subjects' rights and controllers' obligations, particularly as regards the transfer of data to third countries;
- to engage in legal proceedings and notify legal authorities of any offences of which it is aware;
- to cooperate with other data protection authorities set up in other member states of the European Union, notably by exchanging information; and
- to represent Luxembourg at the meetings of the Article 29 Working Party on Data Protection.
The CNPD also has extensive control powers and may request access to the personal data processed by data controllers. It may also carry out in situ verifications at a data controller's premises. It also investigates complaints and usually attempts to mediate between the parties involved. If no amicable settlement is reached, the CNPD provides an opinion on the merits of the complaint with recommendations to the data controller. If the latter refuses to comply, or whenever any dispute occurs that relates to the application of the Data Protection Act and its implementing measures, the CNPD may forward the case to the criminal prosecution authorities or submit it directly to the Criminal Section of the Court of First Instance.
The CNPD can, either at its own initiative or upon request, initiate an investigation to verify whether the processing of personal data is in accordance with the law. In the course of such investigation, the data controller is obliged to provide all necessary information and cooperation. Furthermore, the CNPD is obliged, in principle, to notify criminal prosecution authorities of any criminal offence of which it becomes aware.
Violation of the Data Protection Act is criminally sanctioned with fines of between €251 and €125,000, or imprisonment, or both, which can only be imposed by a court. Affected parties may also claim damages for infringement. Moreover, the CNPD may order (i) the seizure of the personal data systems to which the offence relates, such as manual filing systems, magnetic discs, or tapes, except for the computers or any other equipment; (ii) the erasure and destruction of personal data; or (iii) a prohibition on processing personal data, directly or through an agent, for a period of up to two years. In addition, a court may order (i) the temporary closure of the business of the data controller or processor if its sole activity is to process data, for a period of up to two years; and (ii) the discontinuance of processing that is contrary to the provisions of the Data Protection Act and the temporary suspension of the activity of the controller or processor, for a period of up to two years.
The Data Protection Act of 2002 also created a specific regulatory authority for any data processing carried out by police forces, customs, the military, and the intelligence agency. The authority is composed of the state prosecutor and two members of the CNPD, and has the authority to access and verify, including by in situ controls, any personal data contained in the databases of the above public entities. Whenever an individual requests access to the personal data held in those databases, he has to address it to that regulatory authority, as there is no direct access right to those public entities.
The CNPD pursued an information and awareness-raising campaign, partaking in Data Protection Day in 2007 and 2008, as well as promoting awareness through its website and interviews with Luxembourg's media.25
Major privacy and data protection case law
The first conviction under the 2002 laws occurred in October 2007. A journalist divulged a list of persons who were members of the freemasons in France. The CNPD filed a complaint with the public prosecutor alleging a breach of the 2002 laws. The District Court found that an infringement had occurred as it constituted a communication of special categories of data to third parties without any legitimate condition warranting such a disclosure.
The Court of Appeals ruled in July 2007 that evidence obtained in violation of the Data Protection Act would be inadmissible. The Supreme Court however rescinded this decision, ruling that the judge has the right to determine the admissibility of such unlawfully obtained evidence.
In February 2008, the Court of Appeals ruled that the production of proof obtained illicitly, without the CNPD's prior authorisation, and proceedings that were not in accordance with the governing provisions relating to criminal prosecution and judicial investigation, amounted to a violation of the right to a fair trial.
- 1. Constitution of the Grand Duchy of Luxembourg, available in French at http://www.legilux.public.lu/leg/textescoordonnes/recueils/constitution_....
- 2. Act on the Use of Nominal Data in Computer Processing, 31 March 1979; see Charles E.H. Franklin, Business Guide to Privacy and Data Protection Legislation 306 (1996).
- 3. Comments to the draft Data Protection Act of 2002, Parliament document n° 4735-00, available in French at http://www.chd.lu/wps/PA_1_084AIVIMRA06I432DO10000000/FTSShowAttachment?....
- 4. Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), Mémorial, A-91, 13 August 2002, at 1836-1854, available in French at http://www.legilux.public.lu/leg/a/archives/2002/0911308/0911308.pdf#page=2. Available in English at http://www.cnpd.public.lu/fr/legislation/droit-lux/doc_loi02082002_en.pdf.
- 5. Luxembourg should have amended this law by 1 October 1998. In January 2000, the European Commission initiated a case before the European Court of Justice against Luxembourg and other countries for failure to implement the directive on time. A new bill was eventually drafted and submitted to Parliament in October 2000, and enacted in August 2002.
- 6. OJ L 281, 23 November 1995, at 31–50.
- 7. For more information on the law, see the exhaustive analysis made by Steve Jacoby & Catherine Dauger de Caulaincourt, AGEFI Luxembourg, December 2002 and February 2003; see also Dossier de presse quant à la présentation de la Commission nationale pour la protection des données http://www.gouvernement.lu/salle_presse/actualite/2002/12/12biltgen/doss... (in French).
- 8. Data Protection Act of 2002, supra at Article 7.
- 9. Id. at Article 10.
- 10. Id. at Article 11; on the particular issue of the processing of personal data by employers in the workplace, see Guy Castagnero, L'actualité du droit du travail: la protection des données personnelles des travailleurs, AGEFI Luxembourg, April 2003, available at http://www.agefi.lu/mensuel/Article.asp?NumArticle=5364.
- 11. Eleventh Annual Report of the Article 29 Working Party on Data Protection, at 70, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/11th_annua....
- 12. For instance, in cases where a company has outsourced a particular function to a third party, such as payroll, this third party is likely to qualify as a data processor.
- 13. Règlement grand-ducal relatif à la désignation des chargés de la protection des données. Mémorial A-200, 20 December 2004.
- 14. The Data Protection Act applies to data controllers in respect of any processing of personal data if either: the data controller has a permanent establishment in Luxembourg and the personal data are processed in the context of that establishment; or the data controller is established neither in Luxembourg nor in any other EU member state, but uses equipment in Luxembourg for processing the data otherwise than just in transit. In such case, it must nominate a representative in Luxembourg. The Data Protection Act applies to the automated processing of personal data (whether fully or partially automated) and to the non-automated processing of personal data entered in a file or intended to be entered in a file. A "file" is defined as "any structured set of personal data that are accessible according to specific criteria, whether centralized or dispersed on a functional or geographical basis." An unstructured manual file in which the data is not interrelated and that is not accessible in a systematic way is therefore not covered by the Act.
- 15. Data controllers need to ensure that appropriate technical and organisational security measures are taken to protect personal data against accidental or unauthorised destruction, loss, or disclosure, as well as against alteration, access, and any other unlawful processing. These measures should ensure an appropriate level of security, taking into account the state of the art in this field and the cost of implementing such measures on the one hand, and the nature of the data to be protected and the potential risks on the other hand.
- 16. Commission nationale pour la protection des données, "Mesures de sécurité à mettre en oeuvre", available in French at http://www.cnpd.public.lu/fr/dossiers-thematiques/nouvelles-tech-communi....
- 17. Law of 21 March 1997 on Telecommunications (Loi du 21 mars 1997 sur les télécommunications), available at http://www.ilr.etat.lu/tele/legal/loi-t.htm; Grand-Ducal Regulation of 22 December 1997 (Règlement grand-ducal du 22 décembre 1997, modifié le 18 avril 2001, fixant les conditions du cahier des charges pour l'établissement et l'exploitation de réseaux fixes de télécommunications), available at http://www.legilux.public.lu/leg/a/archives/2001/0540305/0540305.pdf#page=2.
- 18. Associated Press, "EU Issues Order on Internet Privacy," Toronto Star, 2 April 2004, at E05.
- 19. Law of 30 May 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, and amending Articles 88-2 and 88-4 of the Code of Criminal Procedure (Loi du 30 mai 2005 (1) relative aux dispositions spécifiques de protection de la personne à l'égard du traitement des données à caractère personnel dans le secteur des communications électroniques et (2) portant modification des articles 88-2 et 88-4 du Code d'instruction criminelle), Mémorial, A-073, 7 June 2005, at 1168-1173, available in French at http://www.legilux.public.lu/leg/a/archives/2005/0730706/0730706.pdf#page=2.
- 20. OJ L 201, 31 July 2002, at 37-47.
- 21. Supra.
- 22. Commission Nationale pour la Protection des Données, homepage http://www.cnpd.lu/.
- 23. See Le Gouvernement du Grand-Duché de Luxembourg, Actualité gouvernementale: Présentation de la Commission Nationale pour la Protection des Données, available at http://www.gouvernement.lu/salle_presse/actualite/2002/12/12biltgen/inde....
- 24. See Article 32, Data Protection Act, for the details of its competences.
- 25. Supra.