This country-specific Q&A provides an overview to technology laws and regulations that may occur in the Luxembourg.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the merger control regime.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes, communications networks and services are regulated in Luxembourg by the Laws on Electronic Communication Networks and Services from 27 February 2011. The laws do not apply to the communications networks and services installed and exploited by the Grand-Duchy of Luxembourg for its own needs. Providers of communications networks and services generally do not require a specific licence or authorization to operate. Instead, they can rely on a 'general authorisation', meaning that only a notification must be filed with the Luxembourg Institute of Regulation (ILR) at least 20 days before the initiation of a telecommunications service. The ILR publishes on its website a list of the notified companies.
The communications services and networks which are in scope for the purposes of being regulated are:
- 'electronic communications networks'- i.e. transmission systems, communication and routing equipment; and
- 'electronic communications services' - i.e. a service offered against compensation, that consists entirely or mainly out of the transmission of signals by electronic communications networks. This does not include the services of providing content through electronic communications networks and services or exercising editorial responsibility for this content. This does also not include information society services that do not entirely or mainly consist of the transmission of signals through electronic communications networks.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
Telecommunication services are regulated by the Luxembourg Institute of Regulation (Institut Luxembourgeois de Régulation - ILR). Even though it is an independent public body with financial and administration autonomy, it is placed under the authority of the Minister in charge of relations with the ILR (currently the Minister of State). The roles and the organisation of ILR are codified in the Law of 30 May 2005 on the organisation of the Luxembourg Institute of Regulation.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
From a telecom regulatory perspective, there are no requirements for a communication provider to be domiciled in the Grand-Duchy of Luxembourg prior to or during the provision of services, and there are no foreign ownership restrictions. That said, there are general restrictions in place where necessary in the interests of national security, which could, theoretically, be used to restrict foreign ownership of certain telecoms operators, although this right is unlikely to be invoked.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
The rules on interconnection are governed by a mixture of communications- and competition-related laws.
Notified companies are free to negotiate, with each other and with undertakings notified in another EC member state, technical and commercial arrangements for access or interconnection, with:
- 'access' meaning: making available to another company, under well-defined conditions, resources and/or services for the provision of electronic communications services
- 'interconnection' meaning: the connection of public communications networks in order to allow users of a company to communicate with users of the same or another company, or to access the services provided by another company.
Operators have the obligation, when other notified companies request this, to negotiate a reciprocal interconnection to provide publicly available electronic communications services, in order to guarantee the provision of services and their interoperability in the EC. In this regard, the ILR may obligate notified companies to assure the interconnection of their networks and to make their systems interoperable.
Furthermore, if the ILR designates a provider with significant market power on the access and interconnection market, the ILR may impose transparency obligations, obligations of non-discrimination, accounting separation requirements, and cost recovery and price control obligations. The ILR may also obligate such an operator to publish a reference offer which guarantees that companies do not pay for resources that are not required for the requested service.
Where an operator has significant market power over the access or interconnection market, it must apply equivalent conditions to any notified company providing equivalent services. In this regard, it must also provide services and information under the same conditions and with the same quality as it provides for its own services or for those of its subsidiaries or partners.
An operator with significant market power may also be obligated by the ILR to make its wholesale and internal transfer prices transparent.
Moreover, general European competition law applies in respect of anti-competitive agreements and the abuse of dominant positions.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Law on Electronic Communication Networks and Services provides a number of specific obligations relating to consumers, including the following:
- The requirement to include certain minimum terms in consumer contracts
- Requirements on the transparency of the price and tariffs, the charges due on the termination of the contract and the standard terms and conditions
- Requirements to make certain information available to customers, such as a description of the services offered, the quality of the services and standard tariffs
In addition to specific telecom regulations, provisions of general consumer law also apply, such as rules concerning unfair contract terms.
What legal protections are offered in relation to the creators of computer software?
Creators of computer software are entitled to copyright protection according to the amended Law of 18 April 2001 on Copyrights, Neighbouring Rights and Databases (the "Copyright Act"). Copyright protection of computer software does not extend to ideas, procedures, methods of operations or mathematical concepts. The copyright protection therefore extends to the expressive elements of computer software, i.e. the source code or object code. Copyright gives the owner of the software the exclusive right to reproduce, translate, adapt and distribute the computer software. No registration is required. All works that are eligible for copyright protection, including computer programs, are protected for 70 years commencing January 1st following the death of the author.
Do you recognise specific intellectual property rights in respect of data/databases?
As a general principle, there are no intellectual property rights in data itself, although databases may be protected by copyright. Databases are defined under Luxembourg law as "collections or compilations of works or other independent elements, arranged in a structured way that required a substantial investment".
The Copyright Act provides for copyright protection to the authors of original databases whose structure, by choice or arrangement of the elements they contain, constitute a creation specific to their author, whether accessible by electronic or by other means, with the exception of phonograms and audio-visual works. The copyright protection of databases does not extend to their content nor to the computer programs used for their creation, operation or consultation. The protection lasts during the lifetime of the author and for 70 years commencing January 1st following his or her death.
The Copyright Act provides that a database, the content of which has been the object of a substantial change attesting from a qualitatively or quantitatively substantial investment, may also be protected by sui generis right, and any substantial modification to the content of a database may lead to a new term of protection granted to the database resulting from this investment. The law provides that the sui generis protection expires after 15 years upon the 1st January of the year in which it was completed, or of the year following the date when the database has been made available for the first time.
What key protections exist for personal data?
Since 25 May 2018, the General Data Protection Regulation (GDPR) (EU) 2016/679 has been in effect in Luxembourg. A complementing law in Luxembourg has been voted on 26 July 2018 to adapt the national legal framework to the GDPR provisions (the "Local DPA").
Under Article 5 of the GDPR, personal data must be processed lawfully, fairly and in a transparent manner. It must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The personal data must be adequate, relevant and limited to what is necessary in relation to the purpose of processing as well as accurate and, where applicable, kept up to date. Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the data are processed. Furthermore, it must be processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures. The controller is responsible for and must be able to demonstrate compliance with the above principles.
A controller must only process personal data in the basis of one or more of the legal grounds set out in Article 6 of the GDPR, which includes the data subject´s consent to the processing for one or more specific purpose, when it is necessary for entering or performing a contract with the data subject, when it is necessary for the performance of a task carried out in the public interest or on the exercise of official authority vested in the controller or in a third party to whom the data is disclosed, when processing is necessary in order to protect the vital interests fo the data subject or of another natural person, when it is necessary for the purposes of legitimate interests pursued by the controller og by a third party, except when those interests are overridden by the interests or the fundamental rights and freedoms of the data subject which require protection of personal data.
Although many of the former EU Directive's core principles remain the same under GDPR, the GDPR does impose some new and additional requirements. The following examples are not exhaustive.
There is increased territorial scope of GDPR as it applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the EU regardless of whether the processing takes place in the EU or not (Art. 3(1)). Additionally, the GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU where the activities relate to either the i) offering of goods or services to data subjects in the EU, irrespective of whether a payment of the data subject is required or ii) the monitoring of the behaviour of data subjects as far as their behaviour takes place within the EU. Other major changes are that the conditions for consent have been strengthened, and it must be easy for data subjects to withdraw consent.
The rights of the data subjects are substantially expanded under the GDPR. Part of that is the right for data subjects to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall, if requested, provide a copy of the personal data, free of charge. Data Erasure entitles data subjects to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties stop processing of the data. The conditions for erasure are stipulated in Art. 17 of the GDPR and include, inter alia, that the data is no longer relevant to the original purpose for processing, or data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects´ rights to "the public interest in the availability of the data" when considering such requests. GDPR also has provisions on data portability, which entails the right for data subjects to receive the personal data concerning them, which they have previously provided in a "structured, commonly used and machine readable format" and have the right to transmit that data to another controller.
Moreover, appointing a Data Protection Officer (DPO) is mandatory under certain circumstances under the GDPR. The DPO shall be involved, properly and in a timely manner in all issues related to the protection of personal data, and data subjects may contact the DPO regarding processing of their personal data and to exercise their rights under the GDPR. Breach notification, within a specific and narrow timeframe, has become mandatory in all member states where a data breach is likely to "result in a risk for the rights and freedoms of individuals." Organizations (either controllers or processors) in breach of the GDPR, can be fined up to 4% of annual global turnover or €20 million (whichever is greater), for the most serious infringements.
Numerous GDPR provisions allow EU member states to enact national legislation specifying, restricting, or expanding the scope of the GDPR's requirements. The Local DPA provides for three specific provisions that complement the GDPR in the matters that were left to the discretion of the member states.
1. Processing of personal data for the purposes of journalism, university research, art or literature:
- Processing of such data is not subject to prohibition provisions set out in Article 9 of the GDPR.
- Processing of such data is not subject to limitations applicable to processing of personal data relating to criminal convictions and offences provided that (Article 10 of the GDPR):
- such processing concerns data made publicly available by the data subject; or
- if the concerned data are connected to the public life of the data subject; or
- if the data is closely connected to the event in which the data subject has willingly become involved.
- Processing of such data is not subject to obligations imposed on the data controller in case of a transfer of personal data to third countries or international organisations
- Processing of such data is not subject to the obligation of the data controller to provide particular information to the data subject where personal data is collected from the data subject, (Article 13 of the GDPR).
- Processing of such data is not subject to the obligation of the data controller to provide information to the data subject where personal data has not been obtained from the data subject (Article 14 of the GDPR).
- Processing of such data is not subject to the obligation to provide the data subject with the right of access to his/her personal data. Such right may only be exercised with the assistance of the National Data Protection Commission (CNPD) and with the President of the Press Council present or his representative.
2. Processing of personal data for the purposes of statistics or scientific or historical research.
The rights of the data subject specified under Articles 15, 16, 18 and 21 of the GDPR may be limited provided that such limitations are proportional to the aim pursued and take into consideration the nature of the data and of the processing. Such limitation may only be applied where the data controller has taken additional appropriate safeguard measures for the rights and freedom of the data subject, such as, in particular:
- Appointment of a DPO.
- Making an analysis of the impact of the contemplated processing on the protection of personal data.
- Anonymising the data processed, etc.
3. Processing of sensitive data.
The Local DPA provides that the processing of sensitive data, including health data, may be carried out by the relevant medical bodies and healthcare professionals in the framework of their activities, as well as by research bodies (with appropriate safeguards), social security organisms, insurance companies, pension funds, the Medical and Surgical Mutual Fund and other approved organisms.
In addition to the above, the Law of 30 May 2005 regarding the protection of privacy in the electronic communications sector, that implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), lays down some specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector.
Furthermore, specific provisions of the Luxembourg Labour Code (L.261-1 and L.261-2) regulate the processing operations for workplace supervision purposes.
Are there restrictions on the transfer of personal data overseas?
Yes. Like the Data Protection Directive, the GDPR restricts transfers of personal data outside the European Economic Area (EEA) in order to ensure that the same level of protection offered by the GDPR, which has direct effect in Luxembourg, is not undermined. Personal data can only be transferred outside the EEA to third countries or international organizations, provided they are in compliance with the conditions for transfer, as further stipulated in Articles 44-50 of the GDPR.
The Commission can make findings of adequacy in relation to a third country, according to Art. 45(1) of the GDPR. Cross border data transfers to such “adequate” countries are generally permitted and do not require prior approval from a supervisory authority.
According to Art. 46 of the GDPR, transfers of personal data can be made in the absence of adequacy decisions where the controller or processor receiving the personal data have provided adequate safeguards, i.e. provided that enforceable data subject rights and legal remedies are available. The list of appropriate safeguards includes, amongst others, binding corporate rules, a legally binding and enforceable instrument between public authorities or standard contractual clauses adopted by or approved by the Commission.
What is the maximum fine that can be applied for breach of data protection laws?
Under the General Data Protection Regulation (GDPR) (EU) 2016/679, fines can go up to EUR 20 million or, in case of an undertaking, 4% of the worldwide turnover of the preceding year. These fines apply amongst others to infringement of the data protection principles for processing, data subjects' rights and international transfer restrictions.
A limited number of breaches are subject to fines which can go up to EUR 10 million or, in case of an undertaking, 2% of the worldwide turnover of the preceding year. This lower tier of fines apply amongst others when failing to notify a personal data breach or failing to put an adequate contract in place with a processor.
Are there any restrictions applicable to cloud-based services?
There are no specific 'Cloud laws' in Luxembourg, and that applies to many European countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies.
The May 2017 Circular 17/654 of the Luxembourg supervisory authority of the financial sector (CSSF – Commission de Surveillance du Secteur Financier) deals with the use of cloud services by financial institutions. It addresses the obligations which have to be met when financial institutions use or rely on a cloud computing infrastructure. An entity needs to obtain prior approval by the CSSF to be able to lawfully outsource any material IT infrastructure. However, if the IT infrastructure is outsourced to a Luxembourg based Professional of the Financial Sector (PFS), a prior notification to the CSSF is sufficient.
Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.
Are there specific requirements for the validity of an electronic signature?
Luxembourg law does not require an agreement to be in written form or to be signed. However, to prove a valid contract, a signature can be useful.
The EU Regulation 910/2014 (“Electronic Identification Regulation”, also called the eIDAS Regulation), which has direct effect in Luxembourg, sets out the validity requirements for electronic signatures. Under this regulation, a ‘qualified electronic signature’ has the same effect as a handwritten signature as long as it was created by a qualified electronic signature device and based on a qualified certificate for electronic signatures.
The validity requirements for a qualified electronic signature include the following: the signature must be uniquely linked to the signatory, the qualified electronic signature creation device must have appropriate technical and procedural measures to ensure that the confidentiality of the signature is assured, and the qualified certificate for electronic signatures must clearly indicate the name or pseudonym of the signatory.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfers of assets or third-party contracts would occur automatically.
However, there will frequently be detailed contract provisions negotiated between the parties to the outsourcing arrangement to facilitate this. In the case of other signatories to third-party contracts, their consent to the proposed transfer of their contracts to the new outsource service provider will ordinary be required.
If there are individuals who are wholly or substantially engaged in the services/functions which are being outsourced, however (and whether they be employed by the customer entity or its other service providers), then their contracts of employment may transfer automatically to the outsource service provider by virtue of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). In such event, all of their rights and obligations (including claims arising from employment related mistreatment by their previous employer) will transfer to the outsource service provider.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Ordinarily, there will be strict liability for the producer of defective products for consumers, cf. the EU Product Liability Directive 85/374/EEC as implemented into Luxembourg law with the law of 21 April 1989 related to civil liability for defective products. Where such defects have resulted from computer assisted design or creation or other software assisted processes, it will generally be the person who programmed the software who will be held liable. Again, this can be problematic - as in theory it isn´t necessarily the same person that feeds the AI the data or "trains" it and that originally programs it.
When the software starts to make decisions "on its own" based on machine learning, this liability concept becomes less clear. However, for the time being at least, it would seem most likely that the licensor/programmer of the AI product would be liable pursuant to the strict liability regime under Luxembourg law as referred to above. In the business (i.e. non-consumer) context, contractual provisions will usually specify where liability will sit in any event.
What key laws exist in terms of obligations as to the maintenance of cyber security?
The key laws imposing obligations on companies to maintain cybersecurity include the law of 18 July 2014 on Cybercrime, which is incorporated into the national substantive and procedural criminal law, and relates to the specific needs of fighting against cybercrime.
The General Data Protection Regulation (GDPR) (EU) 2016/679 contains a general obligation to implement appropriate technical and organisational measures to protect personal data and to ensure a level of security appropriate to the risk, including, where appropriate:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
A personal data breach must be notified to the relevant supervisory authority within 72 hours. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, then the controller must also communicate the personal data breach to the data subject.
Moreover, the amended law of 30 May 2005 regarding the protection of privacy in the electronic communications sector, which implements Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), regulates the protection of personal data in the field of telecommunications and electronic communications in Luxembourg and takes into account recent and foreseeable developments in the field of electronic communications services and technologies.
Furthermore, Luxembourg has transposed the Directive on Security of Network and Information Systems ("NIS Directive"), into national law, modifying the law of 23 July 2016 creating the Haut-Commissariat à la Protection Nationale, as well as the modified law of 20 April 2009 creating the Centre de Technologies de l'Information de l'Etat. The aim of the Directive is to provide legal measures to increase the level of cybersecurity throughout the EU. Luxembourg must identify a list of Operators of Essential Services with an establishment on their territory for each subsector. Such operators must comply with requirements like taking technical and organizational measures to manage risks posed to the security of networks and information systems in addition to notifying any incident that has “significant” or “substantial” impact to the National Competent Authority or to the Computer Security Incident Response Team, in due course.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The articles 509-1 to 509-7 of the Luxembourg criminal code (code pénal) covers criminality relating to hacking/DDOS attacks. It creates various offences relating to cybercrime, including:
- fraudulently accessing a processing system or an automated system for data transmission, or deleting or modifying data in these systems, or modifying the functioning of these systems;
- intentionally and in violation of other's rights undermining and distorting the functioning of a processing system or an automated system for data transmission;
- unlawful intercepting of data during a non-public transmission ;
- producing, selling, obtaining, detaining, importing, distributing or providing a computer device to commit one of these cybercrimes or an electronic key which permits to access, in violation of other's rights, a processing system or an automated system for data transmission.
What technology development will create the most legal change in your jurisdiction?
The most legal change will probably relate to advancements in Artificial Intelligence (AI). AI has disrupted so many fields and most people rely heavily on it every day. The legal provisions surrounding it are either very limited or non-existent which can create colourful legal debates. For instance, issues related to ownership of IP´s that are created by an AI system is an on-going debate that needs to be addressed. Lack of liability provisions will also trigger need for a legal reform.
In addition to AI, cybercrime poses a great challenge and still remains, to some extent, out of reach for legislators, as its scale has become global. With the fourth industrial revolution fast approaching, there is growing risk of cyber-attacks and at the same time more difficulty to prevent them.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
It is difficult to pinpoint an exact legal provision as the greatest impediment to economic development or commerce within Luxembourg. In general Luxembourg is a very open economy and the government heavily invests in the development of digital services, aiming to create a favourable legal environment.
What companies sometimes view as frustrating is the tendency of the Luxembourg legislator to implement EU legislation without any gold plating, meaning that certain elements of the law remain vague and subject to multiple interpretations, which may lead to uncertainty in some areas until additional guidance is issued.
Do you believe your legal system specifically encourages or hinders digital services?
On a general note, the Luxembourg legal system greatly encourages the provision and use of digital services. The Grand Duchy boasts many information highways linking the country to the key European hubs for the digital economy, and has one of the best pools of data centres in Europe. Luxembourg has implemented number of laws governing and encouraging the use of digital services and technology.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
At the moment, as Luxembourg, along with most European countries, lacks legislation specifically dealing with artificial intelligence issues - there is lack of legal certainty. For example, more clarity would be needed under Luxembourg law, and other EU countries, in connection with issues related to liability in case of damages caused by an AI solution and ownership of intellectual property rights in connection with works created by AI systems.