
EPIC --- Privacy and Human Rights Report


EPIC --- Privacy and Human Rights Report 2006


Grand Duchy of Luxembourg

Constitutional Privacy Framework

Article 28 of the Constitution states, "(1) The secrecy of correspondence is inviolable. The law determines the agents responsible for the violation of the secrecy of correspondence entrusted to the postal services. (2) The law determines the guarantee to be afforded to the secrecy of telegrams."[3360]

Data Protection Framework

Luxembourg's Act concerning the Use of Nominal Data in Computer Processing was adopted in 1979.[3361] The law regulates individually identifiable automated personal records in both public and private computer files. All databanks including personal data have to be registered, and data subjects have the right to access their personal data and correct it if inaccurate. The law also requires licensing of systems used for the processing of personal data. The Commission nationale pour la protection des données (CNPD) set up a public online data processing register, which makes it possible to check if an authority, company, association, professional or self-employed worker is likely to hold information about an individual and if it has declared such processing to the CNPD.

The Data Protection Act of 2002[3362] governs the processing and use of personal data. It implements the European Union (EU) Data Protection Directive (1995/46/EC).[3363] The law[3364] went beyond the framework of the EU directive by covering not only natural, but also moral, persons. It contains specific provisions on the processing of medical data by health services,[3365] the processing of personal data for surveillance purposes[3366] and in the workplace.[3367] A 2006 draft law would curtail the requirements, which are not considered essential for the protection of freedom and fundamental rights of citizens.[3368] In addition, the draft law would cover only natural persons. However, in April 2004, the European Commission threatened legal action against Luxembourg and seven other countries for failing to incorporate the EU Directive on Privacy and Electronic Communications (2002/58/EC).[3369]

In May 2005, a new law[3370] implemented the provisions of the EU Directive on Privacy and Electronic Communications. The law states that any service provider must retain traffic and location data for a period of 12 months for the purposes of prevention, investigation, detection and prosecution of criminal offences. Following a recommendation of the CNPD, the government intends to reduce the duration of the mandatory data storage and retention period for ISPs to six months.[3371] It also adopts an "opt-in" system for unsolicited electronic communications; the use of automated calling systems, fax machines or e-mail for the purposes of direct marketing is prohibited without obtaining the subscriber's prior consent, unless the service provider can make use of the specific exceptions mentioned in the EU directive. The law provides for criminal sanctions (imprisonment and fines) for breach of the provisions related to spam and unsolicited communications. A court may ban any illegal processing, together with a penalty payment. The CNPD was consulted during the drafting of the bill.

In March 2006, the European Union enacted the Directive on Data Retention.[3372] The Directive aims at harmonizing the rules on retention of traffic data throughout the EU in order to facilitate judicial cooperation in criminal matters. All traffic data generated in publicly available electronic communications, such as telephony or the Internet, would have to be retained by service providers for law enforcement purposes. The data would have to be kept for a minimum period of six months and a maximum period of two years.[3373] Member States have until September 15, 2007 to transpose the requirements of the Directive into national laws; however, a delay of 18 additional months, until March of 2009, is available for retention of communications. Luxembourg is postponing application of this Directive.[3374]

In December 2004, a Grand Duchy Ruling[3375] established the conditions in which some data controllers may designate a person in charge of data processing and compliance with the data protection law. In doing this, they could avoid having to comply with the notification requirements to the Commission.

Data Protection Authority

The Data Protection Act of 2002 created a new data protection authority, the CNPD.[3376] Created on December 12, 2002,[3377] the CNPD is an independent agency whose task is to control the processing of personal data in Luxembourg and ensure compliance with data protection regulations.[3378]

A Grand-Ducal decree of August 1979 created the CNPD. The Commission is charged with overseeing the law and assisting the Minister of Justice with the management of the National Register of Databanks. If an application for personal data processing is granted, and there is an objection raised, or if the application is refused, or the original authorization is withdrawn for some reason, an appeal can be made to the Disputes Committee of the Council of State. The Minister for Justice maintains a national register of all systems containing personal information. Public sector personal data systems can only be established upon the issuance of a special law or regulation. The Advisory Board reviews such proposed laws or regulations. In 1992, the law was amended to include special protection requirements for police and medical data. In 1993, the law was modified to establish an independent control authority pursuant to the Schengen Agreement.

Wiretapping and Other Government Surveillance

Articles 88-1 and 88-2 of the Criminal Code regulate telephone tapping.[3379] Judicial wiretaps are authorized if it can be shown: that a serious crime or infringement, punishable by two or more years imprisonment, is involved; that there is sufficient evidence to suspect that the subject of the interception order committed or participated in the crime; or received or transmitted information to, from, or concerning the accused; and that ordinary investigative techniques would be inadequate under the circumstances. Orders are granted for one-month periods and may be extended repeatedly as long as the cumulative period does not exceed one year. Administrative wiretaps may also be authorized for national security reasons by a special tribunal appointed by the head of government. These interceptions are granted for three months at a time and must stop once the requested information is received. The communications of persons bound by professional secrecy rules cannot be intercepted and any recordings of such must be destroyed immediately. Information gathered during judicial and administrative interceptions, but not subsequently used, must be destroyed. In the case of judicial warrants, persons who were the subject of the warrant will sometimes be informed of the action taken. This law was highly criticized by human rights activists and the Socialist Workers Party when it was first introduced. In fact the law was challenged on numerous occasions before the European Court of Human Rights. That court, however, ruled that the law violated neither Article 8 (concerning the right to private and family life) nor Article 13 (concerning the right to due process) of the European Convention on Human Rights.[3380]

An authorization from the CNPD is required before using technical means for monitoring people, particularly by video camera or electronic tracing.[3381] Even if authorization for the use of video surveillance has been granted, the entity still must register the database concerning the video surveillance. Personal data gathered in this way can only be processed under certain very specific circumstances enumerated by law. This includes surveillance on public premises, in public transportation, in shopping centers and in the workplace. Workplace monitoring may only be undertaken if the staff representative, joint committee or the Inspection du travail et des mines and the person being monitored have previously been informed. Notice of surveillance may be communicated through the CNPD’s newly created online system.[3382] The Fair Labor Standards Act also governs workplace monitoring.[3383]

Statutory Rules Related to Privacy

A law on electronic commerce that implements three European Union directives (Directive 1999/93 on Electronic Signatures, Directive 2000/31/EC on Electronic Commerce, and Directive 1997/7 on Distance-Selling) was adopted in August 2000.[3384] This law contains provisions on the privacy rules certification authorities have to comply with, spamming, and the liability of online service providers. A Grand-Ducal regulation on electronic signatures, electronic payments and the creation of the Electronic Commerce Committee was adopted on June 1, 2001. On July 5, 2004, the legislator amended the Law on Electronic Commerce to establish the "opt-in" regime for unsolicited commercial communications and add various provisions on consumer protection.[3385] A law enacted on May 30, 2005[3386] transposes part of the EU "telecommunications regulatory package" by establishing new rights for consumers and telecommunications users, and corresponding obligations for network and publicly available electronic communications service providers.

The Numerical Identification of Natural and Legal Persons Act of 1979[3387] provides for the introduction of an identity number, consisting of 11 digits (including digits to represent date of birth and sex, nationality, marital status and spouse's name) for every resident in the country, and a numbering system for companies. The law contains specifications for use of this number: the identification number and other related information can only be used by the public services that are authorized to have access to the index, and is restricted to an internal use. These specifications are loosely drafted, however, and allow the number to be widely circulated. The data protection authority is said to be monitoring the adoption of this number closely.[3388]

There are also sectoral laws on privacy relating to telecommunications[3389] and banking secrecy. Luxembourg's status as a financial haven ensures that unwarranted surveillance of individuals is forbidden. This may change as Luxembourg comes under increasing pressure to amend its financial confidentiality laws to permit greater access to personal financial records by European and American investigators.

In December 2001, the Commission of Surveillance of the Financial Sector (Commission de Surveillance du Secteur Financier) released practical and technical guidelines to financial services companies that intend to promote the protection of customers' privacy and the confidentiality of their financial information when launching new online financial services.[3390]

Recent Developments

Luxembourg started issuing RFID-enabled passports in August 2006.[3391] The chip will contain the passport holder’s name, date of birth, gender, nationality, place of residence and biometric data consisting of the owner’s photograph.[3392] A later inclusion of a fingerprint is also planned. The data is encoded and managed by the Office of the Passports of the Ministry for Foreign Affairs. The data is given an electronic signature, which allows the passport holder to check if any modifications to their data have taken place. In an effort to keep passports up to date, both in terms of technology and changing the basic access code to decrease the risk of deciphering the passport data, passports are valid for five years. The Office of the Passports will remove biometric data from its files one month after the passport is issued.

In April 2005, the government of Luxembourg requested a CNPD opinion on a draft law regulating access by judicial and police authorities to personal data processed by the State administration and by public authorities. The CNPD advised the government to adopt a more restrictive approach and better implementation of the rights of concerned citizens.[3393]

Open Government

On June 8, 2004, Luxembourg adopted new legislation on the press, repealing the Acts from 1869 and 1979.[3394] Journalists have an obligation to ensure their work does not infringe any individual’s presumption of innocence or the entitlement to personal privacy, honor or reputation.[3395] In addition, a person who has been cited either by name or implicitly, or who has been accused wrongfully, has the right to the inclusion, free of charge, of a reply or of information correcting the false information originally given. However, there is no general freedom of information law in Luxembourg. The new legislation on the press only states that freedom of expression includes the right to receive and seek information.[3396] Under the 1960 Decree on State Archives, the archives are open to the public, but citizens must make a written request explaining why they want access and ministers have broad discretion to deny requests.[3397]

International Obligations

Luxembourg is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[3398] It signed the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 181).[3399] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[3400] In January 2003, Luxembourg signed the CoE Convention on Cybercrime, but has not ratified it.[3401] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

In December 2006, Luxembourg approved the Treaty of Prüm, signed by Austria, Spain, the Netherlands, Germany, Belgium and France, enhancing cross-border police cooperation to combat terrorism, cross-border crime, and illegal immigration.[3402] This includes an online exchange of DNA profiles, fingerprints and vehicle register data.

[3360] Constitution of the Grand Duchy of Luxembourg.

[3361] Act on the Use of Nominal Data in Computer Processing, March 31, 1979; see Charles E.H. Franklin, Business Guide to Privacy and Data Protection Legislation 306 (1996).

[3362] Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), Mémorial, A-91, August 13, 2002, at 1836-1854, available at <> (in French).
[3363] Luxembourg should have amended this law by October 1, 1998. In January 2000, the European Commission initiated a case before the European Court of Justice against Luxembourg and other countries for failure to implement the directive on time; see European Commission, Data Protection: Commission Takes Five Member States to Court, January 11, 2000, available at <>. A new bill was eventually drafted and submitted to Parliament in October 2000, and enacted in August 2002.
[3364] For more information on the law, see the exhaustive analysis made by Steve Jacoby & Catherine Dauger de Caulaincourt, AGEFI Luxembourg, December 2002 and February 2003; see also Dossier de presse quant à la presentation de la Commission nationale pour la protection des données <> (in French).
[3365] Data Protection Act of 2002, supra at Article 7.
[3366] Id. at Article 10.
[3367] Id. at Article 11; on the particular issue of the processing of personal data by employers in the workplace, see Guy Castagnero, L'actualité du droit du travail: la protection des données personnelles des travailleurs, AGEFI Luxembourg, April 2003, available at <>.
[3368] Draft Law No. 5554 of March 16, 2006.
[3369] Associated Press, "EU Issues Order on Internet Privacy," Toronto Star, April 2, 2004, at E05.

[3370] Law "Privacy in Electronic Communications" of May 30, 2005 (Loi du 30 mai 2005 (1) relative aux dispositions spécifiques de protection de la personne à l'égard du traitement des données à caractère personnel dans le secteur des communications électroniques et (2) portant modification des articles 88-2 et 88-4 du Code d'instruction criminelle), Mémorial, A-073, June 7, 2005, at 1168-1173, available at <>.
[3371] Commission nationale pour la protection des données, “Rapport relative aux Années 2004 à 2006,” at 1/21, available at <> (in French).

[3372] EU Directive 2006/24/EC (March 15, 2006) available at <>.
[3373] Id.
[3374] Id.

[3375] Règlement grand-ducal relatif à la désignation des chargés de la protection des données. Mémorial A-200, December 20, 2004.

[3376] Commission Nationale pour la Protection des Données homepage <>.
[3377] See Le Gouvernement du Grand-Duché de Luxembourg, Actualité gouvernementale: Présentation de la Commission Nationale pour la Protection des Données, available at <>.
[3378] See Article 32, Data Protection Act, for the details of its competences.

[3379] Articles 88-1 - 88-4 of the Criminal Code, Law of 26 November 1982, modified by the law of July 7, 1989.
[3380] Commission nationale de contrôle des interceptions de sécurité, (France) 8e Rapport d'activité 1999, at 66-67.

[3381] Loi du 2 août 2002 relative à la protection des personnes à l'égard du traitement des données à caractère personnel (Data Protection Act of 2002), supra at Articles 10, 17.
[3382] Commission Nationale pour la Protection des Données, “Simplification de certaines demandes d’authorisation,” June 26, 2007 <>.
[3383] Code du Travail, December 29, 2006, available at <> (in French).

[3384] Loi du 14 août 2000 relative au commerce électronique modifiant le code civil, le nouveau code de procédure civile, le code de commerce, le code pénal et transposant la Directive 99/93 relative à un cadre communautaire pour les signatures électroniques, la Directive relative à certains aspects juridiques des services de la société de l'information, certaines dispositions de la Directive 97/7 concernant la vente à distance des biens et des services autres que les services financiers, Mémorial, September 8, 2000, at 2176, available at <>.
[3385] Law of July 5, 2004 modifying the Law of August 14, 2000 on Electronic Commerce (Loi du 5 juillet 2004, modifiant la loi du 14 août 2000 relative au commerce électronique), Mémorial, A-125, July 16, 2004, at 1848, available at <> (in French); see, for more details, Sandrine Munoz, "Le Luxembourg modifie sa loi relative au commerce électronique – Analyse," available at <>.
[3386] Law on Networks and Electronic Communications Services (Loi du 30 mai 2005 sur les réseaux et les services de communications électroniques), Mémorial, A-073, June 7, 2005, at 1144-1159, available at <>.

[3387] Loi du 30 mars 1979 organisant l'identification numérique des personnes physiques et morales, available at <>; Règlement grand-ducal du 7 juin 1979 déterminant les actes, documents et fichiers autorisés à utiliser le numéro d'identité des personnes physiques et morales, available at <>. Règlement grand-ducal modifié du 21 décembre 1987 fixant les modalités d'application de la loi du 30 mars 1979, available at <>.
[3388] The Council of Europe, The introduction and use of personal identification numbers: the data protection issues, 1991, available at <>.

[3389] Law of March 21, 1997 on Telecommunications (Loi du 21 mars 1997 sur les télécommunications), available at <>; Grand Duchy Ruling of December 22, 1997 (Règlement grand-ducal du 22 décembre 1997, modifié 18 avril 2001, fixant les conditions du cahier des charges pour l'établissement et l'exploitation de réseaux fixes de telecommunications), available at <>.

[3390] Commission de Surveillance du Secteur Financier, Services financiers par Internet (Résultats du recensement Internet au 31 décembre 2000 et recommendations portant sur les aspects prudentiels), December 2001, available at <>.

[3391] Commission Nationale Pour La Protection Des Donnees, “Le passport électronique et biométrique,” June 6, 2007,<>.
[3392] Mémorial A n° 134 de 2006, “Passeports biométriques et titres de voyages pour estrangers,” Règlement grand-ducal du 31 juillet 2006 portant règlement d'exécution de la loi du 14 avril 1934, concernant les passeports biométriques, les titres de voyage pour étrangers, apatrides et réfugiés et l'établissement d'un droit de chancellerie pour légalisations d'actes, August 10, 2006, available in French at <>.

[3393] Commission nationale pour la protection des données, “Rapport relative aux Années 2004 à 2006,” at 1/21, supra at 2/6.

[3394] Loi du 8 juin 2004 sur la liberté d’expression dans les medias, available at <> (in French).
[3395] Id. at Art. 10-20.
[3396] Id. at Art. 6.
[3397] Arrété grand-ducal fixant l'organisation et les conditions de fonctionnement des Archives de l'Etat.

[3398] Signed January 28, 1981; ratified February 10, 1988; entered into force June 1, 1988.
[3399] Signed February 24, 2004; ratified January 23, 2007; entered into force May 1, 2007.
[3400] Signed November 11, 1950; ratified September 3, 1953; entered into force September 3, 1953.
[3401] Signed January 28, 2003.

[3402] Loi du 22 décembre 2006, “approbation du Traité entre le Royaume de Belgique, la République fédérale d’Allemagne, le Royaume d’Espagne, la République française, le Grand-Duché de Luxembourg, le Royaume des Pays-Bas et la République d’Autriche relatif à l’approfondissement de la cooperation transfrontalière, notamment en vue de lutter contre le terrorisme, la criminalité transfrontalière et la migration illégale, ainsi que de la Déclaration commune, signés à Prüm le 27 mai 2005, 2. modification de la loi du 21 décembre 2004 portant approbation du Traité entre le Royaume de Belgique, le Royaume des Pays-Bas et le Grand-Duché de Luxembourg en matière d’intervention policière transfrontalière, signé à Luxembourg, le 8 juin 2004, 3. modification de la loi du 25 août 2006 relative aux empreintes génétiques en matière pénale, et 4. modification de la loi modifiée du 7 mars 1980 sur l’organisation judiciaire,” available at <> (in French).
