The Luxembourgish legislator issued a an act on 28 July 2011 on data protection in the electronic communications sector (the “Act”) which (1) modified the act of 30 May 2005 on privacy protection in the electronic communications sector (the 2005 Law) and (2) implemented Directive 2009/136/ EC modifying directive 2002/58/EC on the processing of personal data and protection of privacy in the telecom sector (the “ePrivacy Directive”). The Act entered into force on 1 September 2011.

First, the scope of the Act has been extended and the Act now also addresses communication services to the public such as RFID chips. In addition, where the former act of 2005 only required prior consent of a person in case he or she is the target of unsolicited calls via automatic call mechanisms, the Act now also requires prior consent of a subject in case SMS or MMS is used. This shows the legislator’s attempt to neutralise the concept “communication” and to extend it to currently unknown forms of communicattion. Violation of this provision may lead to criminal sanctions and/or an injunction to cease the prohibited processing of data with a penalty payment.  

In addition, communication service providers have the legal obligation to contact the Luxembourgish National Data Protection Commission (the “Commission”) if there is a security breach relating to the confidentiality of personal data. Communication service providers are also obliged to inform their customers when they become aware of such a potential risk. The Act defines a violation of personal data as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, disclosure or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of electronic communications services to the public”. According to the ePrivacy Directive and the Commission, this definition aims at “breakdowns”, e.g. when an employee of a telecom service provider losing a CD-ROM or a USB key with client data or if some people have access to personal data that are normally only accessible with a password. If such a breach of security occurs, the service provider must notify the Commission and the customer whose personal data have been affected if the violation is likely to have a negative impact on the customer’s personal data. However, this notification is not legally required if the service provider can guarantee that sufficient protection technologies have been set up and that such technologies have been applied to the data affected by the breach. The Commission may also issue an injunction against the service provider if it is of the opinion that the breach is likely to have negative effects on the personal data of the consumer. Furthermore, the Act provides for an obligation for all Luxembourgish service providers to maintain a register listing all breaches of personal data, elaborating on the context, the effects and the measures that were taken.

The CNPD may also impose fines which are equal to criminal sanctions even though they are not imposed by a judicial authority. (NVH)