Since our last e-alert on the bill of law n°7024 (the Bill of Law 7024)1, aimed, among others, at amending article 41 of the Luxembourg act of 5 April 1993 on the financial sector, as amended (the Banking Act 1993), which deals with professional secrecy obligations for credit institutions and other professionals of the financial sector, several institutions have again taken position.
Subject to a series of comments, in particular concerning the form of client consent, the Chambre de Commerce overall agrees upon the governmental amendments to the Bill of Law 7024 proposed on 4 April 2017 while, on the contrary, the Chambre des Salariés still objects to the proposed amendments to article 41 of the Banking Act 1993 considering the potential impact on employment in the financial sector but also in the insurance and payment services sectors. Most importantly, although it still has some comments concerning the wording and content of the governmental amendments, the Conseil d’Etat has now lifted its objections to the Bill of Law 7024, particularly in light of the new organisational requirements and the new rules on client consent in the context of outsourcing arrangements introduced by the governmental amendments.
However, it appears that the precise form that the client consent to the transfer of certain of his confidential data should take is still subject to some uncertainty. The governmental amendments do not include any reference to a written consent of the protected person (which tends to imply that it should be possible, under certain conditions, to obtain such a consent by the insertion of a provision to that effect in the general terms and conditions of the professional). However, the Conseil d’Etat (and going in the same direction, the Chambre de Commerce), although not formally imposing a written consent requirement, seem to have a stricter approach as regards the form that such an acceptance should take, based on the provisions of the EU General Data Protection regulation, which will enter into force on 25 May 2018. In any case, those two institutions have recommended that this matter be clarified in the final text. More recently, the Commission Nationale pour la Protection des Données (the Luxembourg data protection authority), while maintaining its initial comments, also insisted on the fact that the form of the client consent should be clarified, notably whether such consent ought to follow the strict requirements for client consent set forth in the EU General Data Protection regulation.
One can expect that the legislative process will most probably come to an end soon. Once the final text of the Bill of Law 7024 is adopted, this matter will require special attention in order for professionals to assess the appropriate course of action to be taken.