WHAT HAPPENED IN 2016?

Personal data

EU – Adoption of the European data protection reform

After 4 years of negotiations, the final “Data Protection Package”, which sets out new European rules on privacy in the digital age, was formally adopted by the European Parliament and Council on April 2016.

The package consists of two legal instruments, namely Directive (EU) No 2016/680 of the European Parliament and of the Council of 27 April 2016[1] and Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”)[2].

The Directive took effect on 5 May 2016 and EU Member States have until 6 May 2018 to implement it in their national laws, while the GDPR came into force on 24 May 2016 and will be directly applicable in all Member States from 25 May 2018.

The new framework set out by the GDPR retains the major principles of data protection (i.e. fairness, lawfulness, transparency, security, confidentiality, accuracy) while introducing new rules reinforcing individual freedoms and addressing the challenges of high risk processing operations, such as big data.

The GDPR creates a set of harmonized rules within the EU and focuses on two aspects:

• enhancement of data subject rights (e.g. right to be forgotten; right to data portability); and
• enhancement of controllers and processors obligations (e.g. obligation to conduct a Data Protection Impact Assessment (“DPIA”), to appoint a data protection officer (“DPO”) and to keep records). Heavier penalties will strongly encourage data controllers and processors to comply with their obligations.

The new regulation will apply to data controllers/processors established in the EU but also to those not established in the EU, whenever the processing activities concern the offering of goods or services to EU residents or the monitoring of their behaviour within the EU.

For further information on the implications of the reform, please refer to our previous newsletter available here.

On 13 December 2016, following the adoption of the GDPR, Article 29 Working Party (“WP29”) provided guidelines and FAQs, particularly concerning the right to data portability and the DPO. Further guidelines on DPIA and certifications are expected in the coming months.

EU - Adoption of the Privacy Shield framework

Following the invalidation by the Court of Justice of the European Union (the “CJEU”) of the Safe Harbour Decision, the European Commission adopted, on 12 July 2016, the new legal framework for the transatlantic transfer of personal data, called the “EU-U.S. Privacy Shield”.

The new framework, in force since 1 August 2016, enables data transfers from the EU to the U.S. As with the former system, the EU-U.S. Privacy Shield is based on self-certification, but it imposes strengthened privacy rules, notably enhanced responsibility for onward transfers, greater transparency of the self-certified companies, and safeguards against mass surveillance by the U.S. authorities.

As part of the implementation of the EU-U.S. Privacy Shield Agreement, the WP29 recently confirmed that it will take on the role of the EU complaint-handling body set up under this agreement.

EU – Dynamic IP addresses are personal data

On 19 October 2016, the CJEU ruled that, under certain circumstances, IP addresses constitute personal data.

The question before the court[3] was whether a dynamic IP address, registered by an online media services provider when a person accesses the website of that provider, constitutes personal data where only a third party (e.g. the internet service provider (“ISP”)) has the additional data necessary to identify the user.

A dynamic IP address changes each time there is a new connection to the Internet. It does not enable the direct identification of an individual user, unless additional information is available.

The Court reached the conclusion that a dynamic IP address amounts to personal data in the hands of a website provider under the EU law as long as the website provider has the “legal means” of gaining access to the information held by the ISP in order to identify the user.

Trademarks

EU – Major European trademark reform in force

In December 2015, the European Parliament finally approved the European trade mark reform package which includes Regulation (EU) No 2015/2424[4], amending the current Community trademark regulation, and Directive (EU) No 2015/2436[5], aiming at further harmonizing the laws of the EU Member states relating to trademarks.

The Regulation came into force on 23 March 2016 and the Directive will have to be transposed by Member States before 14 January 2019 (or 14 January 2023 for some of its provisions).

The reform aims at strengthening the rights of brand owners and includes significant changes, particularly the following:

• the Community trademark office is now called the European Union Intellectual Property Office (“EUIPO”) and the Community Trademark became the European Union Trademark (“EUT”);
• the EUT system has changed from a basic fee that covers up to three classes of goods and services to a “pay-per-class” system (which results in a lower fee for one or two classes, and a higher fee for three or more classes; the renewal fees are lower);
• broad specifications consisting of class headings are deemed to cover only goods and services which fall within the literal meaning of that class heading, and not all the goods or services listed in that class;
• the requirement to represent a trademark graphically (criteria concerning the registrability of the sign) is no longer applicable;
• the rights conferred by an EUT are broader (i.e. right to prohibit preparatory acts in relation to the use of packaging or other means; right to prohibit the use of the sign as a trade or company name, or in comparative advertising; right to prevent third parties from bringing goods in the course of trade into the EU even though those goods are not intended for the EU market, etc.);
• renewals have to be requested by the date of expiry;
• Member States must provide for efficient and expeditious administrative opposition and cancellation (i.e. revocation and declaration of invalidity) proceedings at their intellectual property offices, as opposed to Court proceedings, as is currently the case particularly in Benelux. Member States have until 14 January 2019 to implement the administrative opposition proceedings, and until 14 January 2023 to implement the administrative cancellation proceedings.

Luxembourg – Benelux trademarks and designs reform

On 17 December 2016, the legislator ratified two Protocols signed on May and December 2014 amending the Benelux Convention on intellectual property.

The major amendments are as follows:

• The Benelux Court of Justice has exclusive competence for judging any appeal against a final decision issued by the Benelux Office for Intellectual Property (the “BOIP”). In the past, appeals could be filed either before the Courts of Appeal of Brussels, Luxembourg or La Haye, each jurisdiction having its own rules and case law. Centralization of competences to the Benelux Court of Justice will result in a uniform and faster judicial procedure.
  The headquarters of the Court will be transferred in the Grand-Duchy of Luxembourg.
• An administrative procedure for revocation or declaration of invalidity has been introduced before the BOIP for Benelux trademarks and International trademarks designating the Benelux territories, for specific grounds listed in the Benelux Convention (Article 2.30bis of the Benelux Convention).

This proceeding may need to be reviewed in the next few years so as to ensure its compliance with the provisions of Directive (EU) No 2015/2436, which requires Member States to implement administrative cancellation proceedings (Article 45 of the directive).

Trade secrets

EU – Specific protection for trade secrets

On 27 May 2016, the Council of the European Union adopted Directive (EU) No 2016/943 establishing for the first time common rules on the protection of trade secrets across the EU. Presently, trade secrets do not enjoy an equivalent level of protection within the EU. The Directive aims, therefore, to reduce these disparities in order to stimulate innovation-related activities and foster competition within the EU.

The Directive governs only civil remedies. The main provisions of the Directive concern:

• a uniform definition of trade secrets;
• definition of lawful acquisition, use and disclosure of trade secrets;
• definition of unlawful acquisition, use and disclosure of trade secrets;
• obligation for Member States to ensure effective civil redress against the unlawful acquisition, use and disclosure of trade secrets;
• specific protection for whistle-blowers against civil penalties. 

The Directive came into force on 5 July 2016 and Member States must incorporate it into their national law by 9 June 2018.

Consumer law

Luxembourg - New legal framework for out-of-court settlement of consumer disputes

On 17 February 2016, the legislator enacted a new law to promote out-of-court settlements of consumer disputes. This law applies to disputes arising from sales or service contracts between a trader established in Luxembourg and a consumer residing in the EU (including Luxembourg), and transposes Directive No 2013/11/EU obliging EU Member States to create alternative dispute resolution (“ADR”) entities for consumer disputes.

Whilst this law does not prescribe a general obligation to use ADR, traders who commit to or are obliged, due a sectorial regulation, to use ADR procedures for resolving their dispute with consumers, must provide consumers, prior to the conclusion of the contract, with specific information.

For further information, please refer to our previous newsletter available here.

Luxembourg – New legal framework for credit agreements for consumers relating to residential immovable property

On 23 December 2016 a new law and regulation implementing Directive (EU) No 2014/17 of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property was adopted.

These two texts, integrated into the Consumer Code, set out a specific legal framework for real estate credit agreements. Before this, the Luxembourg Consumer Code only regulated consumer credit agreements.

Commercial practices

Luxembourg – Repeal of the amended Law of 30 July 2002 regulating certain commercial practices

The Grand-Duchy of Luxembourg had to amend the existing framework on commercial practices and unfair competition as certain provisions of the amended Law of 30 July 2002 regulating certain commercial practices[6] were deemed contrary to EU law by the European Commission.

As a consequence, this law was abolished on 23 December 2016.

The new law[7] governs misleading and comparative advertising, as well as shop sales and pavement sales.

Sale below cost, lotteries, competitions, promotional draws, chain transactions, and acts of unfair competition are no longer covered by this new law. They may, however, be prohibited under other laws.

IP tax regime

Luxembourg – IP tax regime

As a reminder, the favourable Luxembourg IP tax regime was repealed on 1 July 2016 in order to comply with the “Modified nexus approach for IP regimes” agreed by all OECD and G20 Countries on 5 February 2015.

Tax-payers already benefitting from the IP tax regime would continue to benefit from it until 30 June 2021. New entrants also benefit from the previous tax regime until 30 June 2021 for IP rights developed or acquired under certain conditions before 1 July 2016. Consequently, rights acquired/developed after this date do not benefit for the time being from the IP tax regime.

Currently, there is no indication as to the adoption of a replacement regime compliant with the “nexus approach”.

Competition law

Luxembourg – Compensation for the victims of anti-competitive practices

A new law facilitating compensation for the victims of anti-competitive practices came into force in December 2016[8].

This law implements EU Directive No 2014/104 of the European Parliament and of the Council of 26 November 2014, and introduces several provisions making it easier for victims of anti-competitive practices to prove the fault of an undertaking violating competition, particularly by establishing a presumption of harm deriving from anti-competitive agreements.

The law also contains guidance concerning the calculation of damages incurred by the victim.

What to expect in 2017?

Personal data

EU - Review of the ePrivacy Directive

As part of the Digital Single Market Strategy, the European Commission launched, between 12 April 2016 and 5 July 2016, a public consultation on the current text of the ePrivacy Directive[9] with a view to its reform.

The review will take into account, inter alia, the following issues:

• consistency of ePrivacy rules with the GDPR;
• updating the scope of the ePrivacy Directive in light of the new market and technological reality;
• enhancing security and confidentiality of communications; and
• addressing inconsistent enforcement and fragmentation at national level[10].  

In July 2016, the European Data Protection Supervisor published a preliminary opinion on the review of the ePrivacy Directive (available here).

On 10 January 2017, the European Commission adopted a draft regulation to replace the 2009 Directive (for more details, see https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation).

The Commission is excepting this regulation to be adopted by the European Parliament and the Council by 25 May 2018, when the GDPR will enter into application.

EU – International data transfers

As a reminder, the transfer of personal data outside the EU is only possible to third countries that ensure an “adequate level of data protection” in terms of protection of the private life and basic freedoms and rights of individuals. It is up to the European Commission (“EC”) to decide whether a third country ensures an adequate level of protection.

Transfers of personal data to a country which does not offer an adequate level of data protection are not impossible but may require the prior authorization of the competent national data protection authority (“DPA”).

Such authorization is likely to be given when the data controller has entered into data transfer agreements, based on the EC-approved model clauses (i.e. the Standard Contractual Clauses, “SCC”) with companies located outside the EEA to which it wishes to transfer personal data.

On 16 December 2016, the EC published two decisions amending its (i) previous decisions on SCC and (ii) adequacy decisions on third countries, in order to remove any illicit restriction on the DPA’s powers, and so to minimise the risk of these decisions being invalidated, as was the Safe Harbor Decision in October 2015, by the CJEU.

Further modifications of these decisions are expected in the near future so as to comply with the forthcoming GDPR.

Furthermore, the EC will engage proactively in discussions on reaching adequacy decisions with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, together with interested countries of Latin America and the European Neighborhood.

Luxembourg - End of the anonymity of mobile prepaid cards

A draft law No 7052 amending the Law of 27 February 2011 on electronic communication networks and services was submitted to the Chamber of Deputies in September 2016.

The idea of this bill came from serious concerns that mobile prepaid cards could be used to prepare or to carry out terrorist attacks.

In the aftermath of the Paris attacks, several telecom operators agreed to change their practices and to sell prepaid mobile cards only to buyers who agreed to identify themselves.

There are, however, still numerous anonymous mobile prepaid cards which were activated before the new practices took effect.

Therefore, the aim of the draft law is to put an end to the anonymity of mobile prepaid cards, by obliging those telecom operators which provide mobile prepaid cards services to collect and register certain personal data about the person to whom the service is provided, before the provision of the service.

This draft law is still under examination.

Luxembourg – End of prior notifications

The draft law No 7049 amending the Law of 2 August 2002 on the protection of persons with regard to the processing of personal data aims at facilitating the transition to the GDPR regime.

The main goal of the proposal is to simplify the formalities of prior authorisation regarding processing activities for supervision purposes and transfers of personal data to third countries.

This draft law is still under examination.

Unitary IP rights & Brexit

Currently, the consequences of Brexit on the unitary IP rights (i.e. EU trademarks, EU designs and Unitary patents) are uncertain and will depend on the terms of the international agreement to be negotiated between the UK and the EU. It is estimated that Brexit will not be effective before 2019.

EU - Trademarks and designs

European Union trademarks (“EUTM”) and Registered Community Designs (“RCD”) will continue to be valid in the UK as long as the UK remains a full member of the EU.

There is no clarity over the validity of EUTM and RCD after Brexit becomes effective. The British government is currently analysing various scenarios and will launch a consultation with the users of these systems in order to adopt an appropriate solution.

EU - Patents

As a reminder, the European patent with unitary effect will be a European patent, granted by the European Patent Office under the provisions of the European Patent Convention, to which unitary effect for the territory of the 26 participating states is given after grant, at the patentee's request.

It will coexist with pre-existing national patents and classical European patents, which do not have a unitary effect. Therefore, Brexit will not affect European patents.

The new unitary patent regime is not yet in force. It can come into effect only when at least thirteen member states have ratified the Agreement on the Unified Patent Court (the “UPC”), including France, Germany and the UK. As of today, 11 countries have ratified it, including France.

On 28 November 2016, the UK government stated its intention to ratify this agreement. This means that the unitary patent regime is likely to become effective in the upcoming months, subject to thirteen ratifications, including from Germany.

Copyright

EU – Modernization of the EU copyright rules

The Commission is currently rolling out a major modernisation of the EU copyright framework, to make the EU copyright rules fit for the digital age.

The reform consists in five texts, including:

• a Regulation laying down rules on the exercise of copyright and related rights applicable to certain online transmissions of broadcasting organisations and retransmissions of television and radio programmes;
• a Directive on copyright in the Digital Single Market; and
• a Directive on ensuring the cross-border portability of online content services in the internal market.

The reform focuses on the following main objectives:

• better choice and access to content online and across borders;
• wider opportunities to use copyrighted materials in research, education, and cultural heritage;
• a fairer online environment for online content especially for press publications, online platforms and remuneration of authors and performers;
• a greater access to books and texts for people who are visually impaired or have other reading disabilities.

These legislative proposals will be discussed by the European Parliament and the Council in early 2017.

Luxembourg – Transposition of the EU Directive on collective rights management and multi-territorial licensing of rights

On 26 February 2014, the EU adopted, a Directive on collective rights management and multi-territorial licensing of rights in musical works for online use (2014/26/EU).

The Directive aims at ensuring that rightholders have a say in the management of their rights and envisages a better functioning of collective management organisations as a result of EU-wide standards.

The new rules will also ease the multi-territorial licensing by collective management organisations of authors’ rights in musical works for online use.

This Directive was supposed to be transposed into Luxembourg law by 10 April 2016, but no draft law has yet been submitted to the Chamber of Deputies

Consumer law

Luxembourg – Authorisation of online sale of medicine in Luxembourg

Currently, the sale of medicine in Luxembourg is authorised only in pharmacies. A draft law No 6943 submitted to the Chamber of Deputies in February 2016 aims in particular to legalise the online sale of medicine not subject to medical prescription.

In order to ensure the security and health of patients, the draft law imposes several conditions concerning the online sale of medicine, particularly:

• the online sale concerns only medicine not subject to medical prescription;
• the medicine may only be offered by pharmacies;
• the pharmacies which intend to sell medicine online must provide the Health Ministry with certain information defined by the draft law;
• the medicine proposed online should be presented in an objective, clear and not misleading manner;
• the consultation of the patient information leaflet by the buyer is mandatory. 

This draft law is still under examination.

[1] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data
[2] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation, or “GDPR”), which reforms and repeals the Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. 
[3] Case C-582/14, judgement of the Court of 19 October 2016
[4] Regulation (EU) No 2015/2424 of the European Parliament and the Council amending the Community trade mark regulation
[5] Directive (EU) 2015/2436 of the European Parliament and of the Council of 16 December 2015 to approximate the laws of the Member States relating to trade marks
[6] Law of 30 July 2002 regulating certain commercial practices, penalising unfair competition and transposing Directive 97/55/EC of the European Parliament and of the Council amending Directive 84/450/EEC concerning misleading advertising so as to include comparative advertising
[7] Law of 23 December 2016 regarding shop sales, pavement sales and misleading and comparative advertising
[8] The law of 5 December 2016 on certain rules governing actions for damages as a result of infringements of competition law and amending the amended law of 23 October 2011 on competition
[9] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector
[10] Public Consultation on the Evaluation and Review of the ePrivacy Directive, https://ec.europa.eu/digital-single-market/en/news/public-consultation-evaluation-and-review-eprivacy-directive