III. Privacy topics
Internet and consumer privacy
A law on electronic commerce that implements three European Union directives (Directive 1999/93 on Electronic Signatures, Directive 2000/31/EC on Electronic Commerce, and Directive 1997/7 on Distance-Selling) was adopted in August 2000.1This law contains provisions on the privacy rules certification authorities have to comply with, spamming, and the liability of online service providers. A Grand-Ducal regulation on electronic signatures, electronic payments and the creation of the Electronic Commerce Committee was adopted on 1 June 2001.
On 5 July 2004, the legislator amended the Law on Electronic Commerce to establish the "opt-in" regime for unsolicited commercial communications and add various provisions on consumer protection.2The same opt-in regime is set forth in Article 11 of the Act of 30 May 2005 on Networks and Electronic Communications Services.3The Act transposes part of the EU "telecommunications regulatory package" by establishing new rights for consumers and telecommunications users, and corresponding obligations for network and publicly available electronic communications service providers.
This Act also lays down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, and amends Articles 88-2 and 88-4 of the Code of Criminal Procedure. As a general rule, sending unsolicited commercial communications to prospects or clients is only allowed with the latter's prior and unambiguous consent. No prior consent is required, however, if the recipient's electronic contact details (such as email address or mobile phone number) were obtained by the sender in the context of the sale of products or services. The sender may then use these electronic contact details for sending direct marketing communications provided that the message relates to the sender's own similar products or services. In addition, at the moment of obtaining the electronic contact details, the recipient should be offered the opportunity to object (opt-out) to the use of his electronic contact details in a free-of-charge and easy manner. If the recipient does not make use of the initial possibility to opt-out at the time of sale, the recipient should in each subsequent transmitted communication be offered the option to register an objection under the same conditions.
There is nothing to report under this section.
Online behavioural marketing and search engine privacy
Online social networks and virtual communities
In an online notice published on 31 July 2007,5the CNPD adhered to the principles relating to online social networks as set forth in the WP29's Opinion 5/2009 on online social networking6of 12 June 2005.7
Online youth safety
In July 2007, the CNPD adhered to the principles relating to online social networks as they were set forth by the WP29 in a 2005 opinion on online social networking.
(See more details under the "Online social networks and virtual communities" section.)
An authorisation from the CNPD is required before using technical means for monitoring people in the workplace, particularly by video camera or electronic tracing.8Personal data gathered in this way can only be processed under certain very specific circumstances enumerated by law. Workplace monitoring may only be undertaken if the staff representative, joint committee, or the Inspection du travail et des mines and the person being monitored have previously been informed. Notice of surveillance may be communicated through the CNPD's newly created online system.9The Labour Act also governs workplace monitoring.10When the employer intends to use video surveillance in the workplace, he cannot rely on his employees' consent, e.g., obtained through their employment contract, as a sufficient legal basis.
Health and genetic privacy
The Data Protection Act contains specific provisions on the processing of health-related data by health services and genetic data.
Without prejudice to the rules relating to the processing of genetic data, the Data Protection Act allows the processing of health-related data in the following situations:11
- Medical authorities may process personal data on health and sex life that are necessary for the purpose of preventative medicine, medical diagnosis or the provision of care or treatment;
- Medical authorities may also process personal data on health and sex life that are necessary for the purpose of healthcare or scientific research, as well as research bodies or the natural or legal persons whose research project has been approved under the legislation applicable to biomedical research. If the controller is a legal entity, it must appoint a delegated controller, who will be subject to professional secrecy;
- Medical authorities may process personal data on health and sex life where necessary for the management of healthcare services, and also, provided that, as data controllers, they are subject to professional secrecy, social security bodies, and authorities that manage that type of data in performance of their legal and regulatory tasks, insurance companies, pension fund management companies, the Caisse Médico-Chirurgicale Mutualiste and those natural or legal persons authorised to do so for socio-medical or therapeutic reasons.12
The processing may be sub-contracted, but subject to certain conditions imposed by the Data Protection Act.
The Data Protection Act defines genetic data as any data concerning the hereditary characteristics of an individual or group of related individuals.
Genetic data falls into the category of sensitive data, the processing of which is generally prohibited. This type of data may, however, be processed if one of the following conditions is met:
1) its processing is required to verify the existence of a genetic link for the purpose of legal proof, for compensation of the data subject, or the prevention or punishment of a specific criminal offence in the cases covered by the Data Protection Act;
2) its processing is required to protect the vital interests of the data subject;
3) its processing is necessary in the public interest for historical, statistical or scientific reasons;
4) if the data subject has given his consent and if the processing is carried out only in the area of healthcare or scientific research, subject to the inalienability of the human body, and except where the law provides that the prohibition cannot be lifted by the data subject's consent;
5) if the processing of genetic data is necessary for the purpose of preventive medicine, medical diagnosis or the provision of care or treatment. (In this case, the processing of this data may only be carried out by medical authorities); or
6) in cases where the law allows the processing of genetic data with the data subject's consent, but for which, for practical reasons, it either proves to be impossible to obtain, or if obtaining such consent would require a disproportionate effort in relation to the objective sought â€“ without prejudice to the data subject's right of opposition. In either case, it is not necessary to get the data subject's prior consent, but it is subject to conditions to be laid down in a Luxembourg regulation.
There are also sectoral laws on privacy relating to banking secrecy. Luxembourg's status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.
In December 2001, the Commission of Surveillance of the Financial Sector (Commission de Surveillance du Secteur Financier) released practical and technical guidelines to financial services companies that intend to promote the protection of customers' privacy and the confidentiality of their financial information when launching new online financial services.13
- 1. Loi du 14 août 2000 relative au commerce électronique modifiant le code civil, le nouveau code de procédure civile, le code de commerce, le code pénal et transposant la Directive 99/93 relative à un cadre communautaire pour les signatures électroniques, la Directive relative à certains aspects juridiques des services de la société de l'information, certaines dispositions de la Directive 97/7 concernant la vente à distance des biens et des services autres que les services financiers, Mémorial, 8 September 2000, at 2176, available in French at http://www.eco.public.lu/documentation/legislation/lois/2000/08/14_comme....
- 2. Law of 5 July 2004 modifying the Law of August 14, 2000 on Electronic Commerce (Loi du 5 juillet 2004, modifiant la loi du 14 août 2000 relative au commerce électronique), Mémorial, A-125, 16 July 2004, at 1848, available in French at http://www.legilux.public.lu/leg/a/archives/2004/1251607/2004A18481.html; see, for more details, Sandrine Munoz, "Le Luxembourg modifie sa loi relative au commerce électronique â€“ Analyse," available in French at http://www.droit-technologie.org/1_2.asp?actu_id=1047.
- 3. Law on Networks and Electronic Communications Services (Loi du 30 mai 2005 sur les réseaux et les services de communications électroniques), Mémorial, A-073, 7 June 2005, at 1144-1159, available in French at http://www.legilux.public.lu/leg/a/archives/2005/0730706/0730706.pdf.
- 4. Available in English at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp171_en.pdf.
- 5. Available in French at http://www.cnpd.public.lu/fr/actualites/international/2009/07/facebook/i....
- 6. Available in English at http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp163_en.pdf.
- 7. According to the WP29, providers of online social networking services are subject to the following obligations: (a) they should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data; (b) they should offer privacy-friendly default settings; (c) they should provide information and adequate warning to users about privacy risks when they upload data onto the social network; (d) users should be advised by social networking service providers that pictures or information about other individuals should only be uploaded with the individual's consent; (e) at a minimum, the homepage of the social network should contain a link to a complaint facility, covering data protection issues, for both members and non-members; (f) marketing activity must comply with the rules laid down in the Data Protection and ePrivacy Directives; (g) providers of online social networking services must set maximum periods to retain data on inactive users. Abandoned accounts must be deleted; and (h) with regard to minors, providers should take appropriate action to limit the risks.
- 8. Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), supra at Articles 10, 17.
- 9. Commission Nationale pour la Protection des Données, "Simplification de certaines demandes d'authorisation", 26 June 2007, available in French at http://www.cnpd.lu/fr/actualites/activite_nationale/2007/06/22_06_2007/i....
- 10. Code du Travail (Labour Code), 29 December 2006, available in French at http://www.legilux.public.lu/leg/textescoordonnes/codes/code_travail/Cod.... Article L.261-1 sets forth the conditions for video surveillance in the workplace: video surveillance by the employer, acting as data controller, is only allowed if it is necessary: (i) for employees' security and health; (ii) to protect the company's assets; (iii) to monitor the production process (provided such monitoring only relates to the machinery); (iv) to monitor the number of hours performed by employees, provided such video monitoring is the only measure allowing to determine the exact remuneration; (v) in the context of the organisation of work with flexible working schedules, in accordance with the provisions of the Labour Code. In cases (i), (iv) and (v), the employer must have obtained the prior approval of the Labour Council. The employer should also provide prior information about the installation of surveillance videos to the same Labour Council, or in absence thereof, the employees' representatives, or in absence thereof, to the Labour and Mining Inspection.
- 11. Article 7, Data protection Act.
- 12. Pursuant to the Act of September 8, 1998 governing relations between the State and the bodies working in the areas of social security, family, and therapeutic matters where their activity falls within the areas to be listed in a Luxembourg regulation.
- 13. Commission de Surveillance du Secteur Financier, Services financiers par Internet (Résultats du recensement Internet au 31 décembre 2000 et recommendations portant sur les aspects prudentiels), December 2001, available in French at http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=....