II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Articles 88-1 and 88-2 of the Criminal Investigation Code regulate telephone tapping.[1] Judicial wiretaps are authorised if it can be shown that: (i) a serious crime or infringement, punishable by two or more years imprisonment, is involved; (ii) there is sufficient evidence to suspect that the subject of the interception order committed or participated in the crime; or received or transmitted information to, from, or concerning the accused; and (iii) ordinary investigative techniques would be inadequate under the circumstances.

Orders are granted for one-month periods and may be extended repeatedly as long as the cumulative period does not exceed one year. Administrative wiretaps may also be authorised for national security reasons by a special tribunal appointed by the head of government. These interceptions are granted for three months at a time and must stop once the requested information is received. In case of emergency, the head of government may authorise such wiretaps without obtaining the CNPD's prior approval, but in such cases, the CNPD will decide whether the wiretap measures may be maintained.

The communications of persons bound by professional secrecy rules cannot be intercepted and any recordings of such must be destroyed immediately. Information gathered during judicial and administrative interceptions, but not subsequently used, must be destroyed. In the case of judicial warrants, persons who were the subject of the warrant will sometimes be informed of the action taken.

This law was highly criticised by human rights activists and the Socialist Workers Party when it was first introduced. The law was challenged on numerous occasions before the European Court of Human Rights. That court, however, ruled that the law violated neither Article 8 (concerning the right to private and family life) nor Article 13 (concerning the right to due process) of the European Convention on Human Rights.[2]

An authorisation from the CNPD is required before using technical means for monitoring people, particularly by video camera or electronic tracing.[3] Even if authorisation for the use of video surveillance has been granted, the entity still must register the database concerning the video surveillance. Personal data gathered that way can only be processed under very specific circumstances set forth by law. This includes surveillance on public premises, in public transportation, in shopping malls, and in the workplace. Workplace monitoring may only be undertaken if the staff representative, joint committee, or the Labour and Mine Inspection Office (Inspection du travail et des mines) and the person being monitored have previously been informed.

A law dated 5 June 2009 grants police forces direct access to a number of state-held databases, such as the databases of the central population register, the tax registers, drivers' licences, social security records, asylum candidates, visas, and passports, etc.[4] Police forces and magistrates may access these databases without the need for a warrant or other prior control. However, each access to them is carefully logged and all logs are kept for three years. The CNPD is in charge of verifying these logs ex post facto and has to indicate any results in a yearly report to the State Ministry.

The Act of 22 July 2008 provides specific rules regarding the access by magistrates and judicial police officers to certain public bodies' personal data processing operations.[5]

National security legislation

No update to report under this section.

Data retention

As a general rule, personal data that allows for the identification of a data subject must not be kept longer than necessary for the purpose for which it was collected or will be processed, unless it is kept solely for historical, statistical or scientific purposes.

In March 2006, the European Union enacted the Directive on Data Retention.[6] The Directive aims at harmonising the rules on retention of traffic data throughout the EU in order to facilitate judicial cooperation in criminal matters. All traffic data generated in publicly available electronic communications, such as telephony or the Internet, would have to be retained by service providers for law enforcement purposes. The data would have to be kept for a minimum period of six months and a maximum period of two years.[7] Member states had until 15 September 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, was available for retention of communications and Luxembourg postponed application of this Directive.[8] The final implementation only came through a law and a Grand-Ducal Decree, both dated 24 July 2010[9] (the "2010 law"), amending the 2005 law. As the 2005 law already had introduced the principle of traffic data retention (for a period of six months), the amendments undertaken were mostly of a technical nature.

The main change of the 2010 law is a clear definition of the crimes that authorise authorities to access traffic data for investigation purposes. Access is possible for any traffic data that may relate to crimes that are punishable with a prison sentence of more than one year. There has been a lot of discussion[10] about this condition of access to the data, as many felt that the condition was too broad. The counter-argument was that many of the primary crimes that relate to money laundering are not necessarily punishable by more than a one-year prison sentence, therefore undermining the main rationale for which data retention was justified in the first place. Furthermore, the original text of the 2005 law allowed access to the retained data for the investigation of any crimes.

Another important point of discussion[11] during the drafting process of the law was whether service providers subject to the data retention obligations were entitled to sub-contract the data retention function to a third party. While initial drafts permitted such sub-contracting, the final law no longer includes this possibility, further to a formal opposition of the State Council and the CNPD. Both feared that sub-contracting might lead to centralised storage of millions of communications at a single sub-contractor and thus pose a significant threat to citizens' privacy.

National databases for law enforcement and security purposes

No update to report under this section.

National and international data disclosure agreements

No update to report under this section.

Cybercrime

No update to report under this section.

Critical infrastructure

No update to report under this section.

Territorial privacy

Video surveillance

An authorisation from the CNPD is required before using video surveillance for monitoring people.[12] Even if authorisation for its use has been granted, the entity still must register the database concerning the video surveillance. Personal data gathered in this way can only be processed under certain very specific circumstances enumerated by law. This includes surveillance on public premises, in public transportation, in shopping centres, and in the workplace.[13] Data controllers must also inform the data subjects about such processing by posting signs or sending circulars or letters by registered mail or electronic means.[14]

Workplace monitoring may only be undertaken if the staff representative, joint committee or the Inspection du travail et des mines and the person being monitored have previously been informed. Notice of surveillance may be communicated through the CNPD's newly created online system.[15] The Fair Labour Standards Act also governs workplace monitoring.[16]

The Grand-Ducal Decree of 1 August 2007 regulates the use of security cameras by police forces in "security areas". Any data recorded can only be retained for a period of two months.[17]

The Administrative Court and subsequently the Administrative Court of Appeals have confirmed that supermarkets are not allowed to have video surveillance of interview rooms in which suspected shoplifters are questioned, as it constitutes a violation of the 2002 laws. Supermarkets are allowed to have surveillance cameras within the actual shopping mall.[18]

The CNPD in 2007 used its powers under the 2002 laws to verify compliance with its refusal to allow video surveillance in certain shops. It discovered that the stores had been compliant.[19]

Location privacy (GPS, mobile phones, location based services, etc.)

In April 2010, Google announced that it had captured and stored data from users connected to WiFi networks when it collected photos for its Street View service. Google said Street View cars had been collecting WiFi data in several countries around the world, including Luxembourg.[20] In September 2010, the CNPD granted Google the permission to pursue its data collection, provided that it adhered to specific criteria, including the blurring out of faces to make it impossible to identify individuals and car number plates.[21]

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

There is nothing to report under this section.

National ID and smart cards

The Act of 30 March 1979 on Numerical Identification of Natural and Legal Persons[22] provides for the introduction of an identity number, consisting of 11 digits (including digits to represent date of birth and sex, nationality, marital status, and spouse's name) for every resident in the country, and a numbering system for companies. The law contains specifications for use of this number: the identification number and other related information can only be used by the public services that are authorised to have access to the index, and is restricted to an internal use. These specifications are loosely drafted, however, and allow the number to be widely circulated. The data protection authority is said to be monitoring the adoption of this number closely.[23]

In April 2005, the government requested an opinion of the Data Protection Commission on a draft law regulating access by judicial and police authorities to personal data processed by the State administration and public authorities. The Commission advised the government to adopt a more restrictive approach and a better implementation of the rights of concerned citizens.[24]

Luxembourg started issuing RFID-enabled passports in August 2006.[25] The chip contains the passport holder's name, date of birth, gender, nationality, place of residence, and biometric data consisting of the owner's photograph and fingerprint.[26] The data is encoded and managed by the Office of the Passports of the Ministry for Foreign Affairs. The data is given an electronic signature, which allows the passport holder to check if any modifications to their data have taken place. In an effort to keep passports up to date, in terms of both technology and changing the basic access code to decrease the risk of deciphering the passport data, passports are valid for five years. The Office of the Passports will remove biometric data from its files one month after the passport is issued.

RFID tags

There is nothing to report under this section.

Bodily privacy

There is nothing to report under this section.

Footnotes

  • 1. Articles 88-1 - 88-4 of the Criminal Investigation Code (Code d'instruction criminelle), Law of 26 November 1982, modified by the laws of 7 July 1989 and 30 May 2005.
  • 2. Commission nationale de contrôle des interceptions de sécurité (France), 8e Rapport d'activité 1999, at 66-67, available at http://www.ladocumentationfrancaise.fr/catalogue/9782110045867/.
  • 3. Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), supra at Articles 10, 17.
  • 4. Loi du 5 juin 2009 relative à l'accès des autorités judiciaires, de la Police et de l'Inspection générale de la Police à certains traitements de données à caractère personnel mis en oeuvre par des personnes morales de droit public. Mémorial A-135, 16 June 2009.
  • 5. Loi du 22 juillet 2008 relative à l'accès des magistrats et officiers de police judiciaire à certains traitements de données à caractère personnel mis en oeuvre par des personnes morales de droit public et portant modification: du Code d'instruction criminelle, de la loi modifiée du 31 mai 1999 sur la Police et l'Inspection générale de la Police, et de la loi modifiée du 27 juillet 1997 portant réorganisation de l'administration pénitentiaire, available in French at http://www.legilux.public.lu/leg/a/archives/2008/0126/a126.pdf.
  • 6. EU Directive 2006/24/EC (15 March 2006), O. J. L 105, 13 April 2006, at 54-63, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32006L0024:E....
  • 7. Id.
  • 8. Id.
  • 9. Loi du 24 juillet 2010 portant modification des articles 5 et 9 de la loi modifiée du 30 mai 2005 concernant la protection de la vie privée dans le secteur des communications électroniques et de l'article 67-1 du Code d'instruction criminelle and Règlement grand-ducal du 24 juillet 2010 déterminant les catégories de données à caractère personnel générées ou traitées dans le cadre de la fourniture de services de communications électroniques ou de réseaux de communications publics. Mémorial A-122, 29 July 2010, available in French at http://www.legilux.public.lu/leg/a/archives/2010/0122/a122.pdf.
  • 10. Comments to the draft law, Parliament document n° 6113-10, available in French at http://www.chd.lu/wps/PA_1_084AIVIMRA06I432DO10000000/FTSShowAttachment?....
  • 11. Id.
  • 12. Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), supra at Articles 10, 17.
  • 13. Pursuant to the Data Protection Act, data collected through video surveillance may only be processed for supervision purposes: (i) if the data subject has given his consent, or (ii) in surroundings or in any place accessible or inaccessible to the public other than residential premises, particularly indoor car parks, stations, airports and on public transport, provided the place in question due to its nature, position, configuration or frequentation presents a risk that makes the processing necessary for the safety of users and for the prevention of accidents, for the protection of property, if there is a characteristic risk of theft or vandalism, or (iii) in private places where the resident natural or legal person is the controller, or if the processing is necessary to protect the vital interests of the data subject or of another where the data subject is physically or legally incapable of giving his consent.
  • 14. The data collected for supervision purposes may be communicated to third parties only: (i) if the data subject has given his or her consent, except where forbidden by law or if data is communicated to the public authorities; or (ii) to the competent legal authorities to record a criminal offence or take legal action in respect of it and to the legal authorities before which a legal right is being exercised or defended (Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), supra at Article 10).
  • 15. Commission Nationale pour la Protection des Données, "Simplification de certaines demandes d'authorisation," 26 June 2007, available at http://www.cnpd.lu/fr/actualites/activite_nationale/2007/06/22_06_2007/i....
  • 16. Code du Travail, 29 December 2006, available in French at http://www.legilux.public.lu/leg/textescoordonnes/codes/code_travail/Cod....
  • 17. Supra.
  • 18. Supra.
  • 19. Supra.
  • 20. "Google: We Have Collected Information Sent over the WiFi via StreetView", 19 May 2010, EDRi-gram, No. 8.10, 19 May 2010 http://www.edri.org/edrigram/number8.10/street-view-wifi-data-google.
  • 21. "You've Been Googled! Street View Approved for Luxembourg", 352LuxMag, 30 September 2010 http://www.352luxmag.lu/edito-14275-you-ve-been-googled-street-view-appr....
  • 22. Loi du 30 mars 1979 organisant l'identification numérique des personnes physiques et morales, available at http://www.legilux.public.lu/leg/a/archives/1979/0460706/0460706.pdf; Règlement grand-ducal du 7 juin 1979 déterminant les actes, documents et fichiers autorisés à utiliser le numéro d'identité des personnes physiques et morales, available in French at http://www.legilux.public.lu/leg/a/archives/1979/0460706/0460706.pdf?SID.... Règlement grand-ducal modifié du 21 décembre 1987 fixant les modalités d'application de la loi du 30 mars 1979, available in French at http://www.legilux.public.lu/leg/a/archives/1987/1092912/1092912.pdf?SID....
  • 23. The Council of Europe, The introduction and use of personal identification numbers: the data protection issues, 1991, available at http://www.coe.int/t/e/legal_affairs/legal_co%2Doperation/data_protectio....
  • 24. Commission Nationale pour la Protection des Données, Rapport relatif aux années 2004 à 2006, at 1/21.
  • 25. Commission Nationale pour La Protection Des Donnees, "Le passport électronique et biométrique", 6 June 2007 http://www.cnpd.lu/fr/dossiers/passeport_electronique/index.html.
  • 26. Mémorial A n° 134 de 2006, "Passeports biométriques et titres de voyages pour étrangers", Règlement grand-ducal du 31 juillet 2006 portant règlement d'exécution de la loi du 14 avril 1934, concernant les passeports biométriques, les titres de voyage pour étrangers, apatrides et réfugiés et l'établissement d'un droit de chancellerie pour légalisations d'actes, 10 August 2006, available in French at http://www.legilux.public.lu/leg/a/archives/2006/1341008/1341008.pdf.