Technology law continues to evolve rapidly in the EU, and Luxembourg is no exception. A number of pending legal and regulatory proposals were recently adopted and entered into force (e.g. amendments to the CSSF rules on outsourcing, the implementation of the NIS and Trade Secrets Directives, etc.). Furthermore, new trends are gaining in importance (e.g. artificial intelligence, blockchain technology, etc.) and clear answers are needed on how they should be dealt with from a legal perspective. Another focus area is GDPR enforcement, with further guidance being provided by the European Data Protection Board (EDPB) and national supervisory authorities. Last, but not least, Brexit looms on the horizon. This article provides a brief overview of the most relevant new developments in technology law of which you should be aware this fall.
1. GDPR compliance: Luxembourg-specific rules, the UBO register, enhanced enforcement, US data flows, EDPB guidance and Brexit
Luxembourg-specific provisions. The General Data Protection Regulation (2016/679) or GDPR entered into force in the EU on 25 May 2018. As the GDPR is an EU regulation, its provisions are directly applicable in Luxembourg, although there is some leeway for the adoption of specific national rules. The Luxembourg Act of 1 August 2018 on the organization of the National Data Protection Commission (Commission Nationale pour la Protection des données or "CNPD") entered into force on 20 August 2018 and notably introduced specific provisions on personal data processing for employment, journalistic, research and healthcare purposes.
At present, the data subject's consent is required in the insurance sector to process health-related data, but an expected legislative proposal could change this. The new law also amended Article L. 261-1 of the Luxembourg Labour Code, which lays down the requirements for workplace monitoring, including an obligation to inform both employees and employee representatives, bearing in mind that the general obligations arising from the GDPR (e.g. the keeping of internal records, a prior impact assessment for high-risk processing) still apply. In our practice, we see that some employers are still struggling to comply with these obligations.
Luxembourg DPIA list. The Luxembourg list of critical data processing activities which require a data protection impact assessment was published in early 2019 and includes processing activities such as the combination, correlation or comparison of data collected for different purposes when this activity has a legal effect or significant impact on the data subject, the regular and systematic monitoring of employee activities that has a legal effect or similar significant impact on the data subject, systematic geolocalisation, etc.
Legitimate interest. Don't forget to balance the interests at stake. Over the past year, we've reviewed many GDPR compliance programs and see that a legitimate interest of the data controller or a third party remains a popular basis for the processing of personal data. However, many companies neglect to balance the interests at stake to assess whether the legitimate interest invoked actually outweighs the privacy rights of the data subjects.
UBO register. Further to the adoption of the Act of 13 January 2019, the UBO register became a reality in Luxembourg. Since 1 September 2019, the public can access certain information such as the identity of a UBO and the nature and extent of the beneficial interest held, without having to establish a legitimate interest. This free access to private data raises a number of questions in terms of data protection. The proportionality of this measure is in particular highly debatable. Furthermore, companies required to submit personal data about their UBOs should use the introduction of the UBO register as an occasion to review the GDPR compliance of their processing of UBO personal data and their UBO information notice.
Further guidance. The umbrella group for EU data protection authorities and successor to the Article 29 Working Party, the European Data Protection Board (EDPB), has issued further guidance on important topics such as the relationship between the ePrivacy Directive and the GDPR. In the spring of this year, the UK data protection authority, the Information Commissioner's Office (ICO), also published guidance on cookies and similar technologies, recalling the GDPR's strict consent requirements and noting that cookie walls generally cannot be used to bar access to a website. Likewise, the French data protection authority, the CNIL, has issued guidelines clarifying that the continued use of a website does not in principle constitute valid consent to cookies, noting that website operators have a transition period of 6 months to obtain consent. It goes without saying that the forthcoming EU ePrivacy Regulation, which has yet to be adopted, will impact this discussion.
Effective GDPR enforcement. Over the past year, approximately 150,000 GDPR-related complaints were filed in the EU, resulting in numerous enforcement actions and decisions. In Luxembourg, the CNPD has selected around 30 organizations for investigation and is in the process of assessing their compliance with the obligation to appoint a DPO. Furthermore, the CNPD has conducted several on-site inspections, in particular in order to assess video surveillance practices. Supervisory authorities in other EU Member States have already handed down decisions related to GDPR compliance, including the imposition by ICO of significant fines (more than €100 million) on British Airways and Marriott for significant data breaches. In France, the CNIL fined Google more than €50 million for failure to obtain consent and lack of transparency in its targeted advertising practices.
Brexit. On 14 November 2018, the draft Withdrawal Agreement on the UK's exit from the EU, along with a draft Political Declaration on the future of the UK-EU relationship, was published. The Withdrawal Agreement provides that, at the end of the transition period (December 2020), the UK must continue to apply the EU data protection rules until the EU has established, by way of a formal adequacy decision, that the UK's personal data protection regime provides safeguards which are «essentially equivalent» to those in the EU. The Withdrawal Agreement has been rejected by the UK Parliament, meaning a hard Brexit is possible, in which case the above-mentioned formal adequacy decision will have to be adopted as soon as possible after the effective exit date in order to ensure protection for personal data flows between the EU/EEA and the UK.
2. Outsourcing in the Luxembourg financial sector: new EBA Guidelines
On 25 February 2019, the European Banking Authority (EBA) released revised Guidelines on Outsourcing Arrangements («the new Guidelines»). The new Guidelines revise and replace both the current guidelines on outsourcing arrangements which date back to 2006 and the 2017 EBA guidelines on the use of cloud service providers by financial institutions. The new Guidelines have a broader scope of application and apply to credit institutions, investment firms subject to the Capital Requirements Directive, and payment and electronic money institutions (collectively referred to as «Institutions»).
Furthermore, the new Guidelines substantially increase the governance and risk assessment requirements compared to both the current EBA guidelines and the Luxembourg financial sector outsourcing framework. Institutions must ensure compliance with the new Guidelines, which require that outsourcing contracts be updated, in order to include an extensive list of compulsory clauses, by (i) 30 September 2019, for any outsourcing arrangement entered into, reviewed or amended on or after the date of application as well as any existing cloud infrastructure-based outsourcing arrangements, or (ii) 31 December 2021, for pre-existing non-cloud-based outsourcing arrangements. In practice, this means that internal processes must be adapted by 30 September 2019 and financial institutions should be careful when amending or adopting new outsourcing arrangements that are subject to the 30 September 2019 deadline. All cloud-based arrangements (including existing ones) should be assessed as soon as possible.
The new Guidelines also underscore the importance of the proportionality principle, meaning they are to be applied in a manner appropriate to the institution's size and internal organization, the nature, scope and complexity of its activities and the outsourced functions (risks arising from the outsourcing, critical nature or importance of the outsourced function, the potential impact on continuity, etc.).
The CSSF is in the process of implementing the new Guidelines and has already amended Circular 17/654 to abolish the authorization requirement for non-material cloud-based outsourcing arrangements. Material cloud-based outsourcing arrangements remain subject to an authorization request. The details of both material and non-material cloud-based outsourcing arrangements must be recorded in a special register.
3. Payment services: full implementation of open banking
The Payment Services Directive (PSD2) was implemented in Luxembourg by the Act of 20 July 2018. Establishments subject to PSD2 must comply with regulatory technical standards for strong customer authentication and common and secure open standards of communication («RTS») as well as the various EBA guidelines published in relation thereto. The RTS set out inter alia technical rules to ensure the implementation of open banking by 14 September 2019 (although the EBA published an opinion in June 2019 leaving the national authorities the option to grant an extension for the implementation of strong customer authentication). The European Commission asked account servicing payment service providers to enable third-party providers to test their open banking interfaces and grant them access to relevant information by 14 March 2019. The idea is to create a new open banking market and enable account information service providers (AISP) and payment initiation service providers (PISP) to develop their activities, bearing in mind that banks may enter this market and will hence have to position themselves very quickly. The CSSF appears to intend to enforce these provisions against more atypical fintech players which do not provide classic retail banking services to their (often professional) clients, such as e-commerce merchants.
The relationship between PSD2 and the GDPR remains an area for attention. A number of national data protection authorities, such as the Dutch Autoriteit Persoonsgegevens in July 2019, have recalled that the use of payment data for direct marketing purposes is subject to strict conditions.
4. Implementation of Directive (EU) 2016/1148 on the security of network and information systems
Directive (EU) 2016/1148 on the security of network and information systems (the "NIS Directive") is the first piece of European legislation on cybersecurity, aimed at achieving a high common level of security for network and information systems in the EU. Each Member State must adopt a national strategy on the security of network and information systems and designate national competent authorities, single points of contact and CSIRTs with tasks related to the security of network and information systems. Operators of essential services and digital services providers will also be subject to security and notification requirements. The NIS Directive has been implemented in Luxembourg by the Act of 28 May 2019, which identifies operators of so-called «essential services» (e.g. entities active in the transport, health and energy sectors as well as the providers of digital infrastructure, credit institutions, etc.).
5. Implementation of the Trade Secrets Directive (EU) 2016/943
Directive (EU) 2016/943 harmonizes the national laws of the Member States on the unlawful acquisition, disclosure and use of trade secrets. The directive will help to streamline the legislation on the protection of trade secrets and ensure a clearer, more harmonized procedural framework for the enforcement of trade secrets. The remedies provided are based on the IP Enforcement Directive (2004/48). Furthermore, the directive includes measures to protect the confidentiality of trade secrets in the course of legal proceedings. An area that warrants particular attention is the treatment of trade secrets in dealings with employees, as the directive clarifies that the protection of trade secrets cannot be a ground for «limiting employees' use of experience and skills honestly acquired in the normal course of their employment». Each organization should thus thoroughly assess the limits of this exception.
Directive (EU) 2016/943 was implemented in Luxembourg by the Act of 26 June 2019 on the protection of trade secrets. According to this law, the district court (tribunal d'arrondissement) ruling on commercial matters (even when the parties are not merchants) will in principle have jurisdiction to hear claims relating to the protection of trade secrets and will be able to order inter alia the following measures: the cessation of or, as the case may be, an injunction prohibiting the use or disclosure of business secrets, appropriate remedial measures with respect to the infringing items, destruction of all or part of any document, object, material, substance or electronic file containing or materializing a trade secret, etc. Claims for damages may also be brought.
Originally published by Agefi, September 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.