Luxembourg - the cradle of EU (privacy) law

This year Tadej and I spent New Year's Eve in Luxembourg. The tiny state might not be the top destination for Christmas celebrations, but at least it has a fantastic history I could read about and, being the seat of the CJEU, it has been an influential player in the development of EU privacy law.
Luxembourg in 4 sentences

Luxembourg is one of the most prosperous European countries, with a GDP per capita of $79,594. During its turbulent history Luxembourg belonged to different states, until it was finally proclaimed an independent republic in 1919. Interestingly, it was a woman, the duchess Charlotte (see her statue in the photo below), who is given credit for achieving independence.


Today, Luxembourg is one of the centres of the Union, home of its highest judicial institution and, due to its favourable tax rates, the seat of numerous banking and financial organisations. With the average temperature for December firmly below zero, it might not be a dream place to spend your New Year's Eve, although this was exactly what Tadej and I planned to do during our first visit.

Privacy laws in Luxembourg - highlights

Luxembourg privacy laws mostly follow the European pattern, although it is possible to spot some minor differences and specifics: 

  • The definition of personal data is broader, as it also includes genetic data.
  • The information about legal entities is not considered personal data.
  • The data controller must comply with the general data security obligations. A description of these measures and of any subsequent major change must be communicated to the data protection authority (CNPD) within 15 days, at its request.
  • No special guidance for cookies. 
  • The data protection authority has no power to impose financial penalties; however, it may impose some disciplinary sanctions.
  • Data notification duty only exists in certain sectors.
  • Luxembourg is also the seat of the European Court of Justice (see below me posing in front of the famous yellowish CJEU building) where some fundamental decisions on EU privacy law were taken. One of the most recent and attention-grabbing judgements was the Google case about the right to be forgotten.


Privacy in the Luxembourg media

Last summer Luxembourg was the scene of eBay's massive data breach. eBay is established in Luxembourg, which means that Luxembourg privacy laws are applicable in the case of a data breach. “CNPD will open an investigation procedure to examine the circumstances and consequences of the breach of integrity and confidentiality of eBay user's personal information,” stated the official message of the data protection authority. During the investigation procedure the authority checked eBay's security practice, asked for proof of privacy assessments (also for the contracts with their sub-processors) and reviewed their compliance with the notification duty, but finally closed the case without imposing any disciplinary or other action.


When we said goodbye to Luxembourg, it was not that sad. We agreed this mini state must have been much more beautiful in summertime. 
Reviewed by Helena Uršič on 2:43 PM