The law of 17 December 2021, which implements Directive (EU) 2018/1972 establishing the European Electronic Communications Code (the “EECC”) into Luxembourg law, has just been published and, as a Christmas present, will enter into force next week-end on 26 December 2021.
Ultimately, this new legal framework is meant to help cope with the evolution of technologies and changes in the use of telecommunications services by the general public, and to support the development of 5G and very high capacity networks, so that every citizen and business in the EU can enjoy high quality connectivity, a high level of consumer protection and a greater choice of innovative digital services.
The key changes brought by the EECC are:
- The expansion of the scope of telecommunications legislation to so-called “over-the-top” (“OTT”) players, whether the relevant services are or may be based on assigned numbers (WhatsApp, Telegram, Messenger, Snapchat, etc.) or not (e-mail services such as Gmail, Yahoo mail, etc.).
OTT players will also have to comply with new and existing legal constraints relating to security, interoperability, information and user protection (including their privacy and personal data), or to universal service.
The definition of “electronic communication service” now also explicitly includes machine-to-machine communications.
- The strengthening of consumer rights, with increased transparency and increased obligations with respect to contract duration and termination. In particular, contracts with end-users will:
- not be permitted to extend beyond 24 months;
- be terminable at any time with a notice period of 1 month or less and at no cost, irrespective of the services in question;
- be provided along with a contractual summary in line with a template drafted by the European Commission.
The right to number portability would no longer be conditional on a simultaneous change of operator, and could extend to one month after the effective termination of the telephone subscription.
- Better access to numbering resources, as the Institut Luxembourgeois de Régulation (the “ILR”) will now be able to allocate numbers to legal entities other than electronic communications operators (provided that operators' needs for numbering resources are otherwise met in accordance with the national numbering plan).
- New rules on frequency coordination on the radio spectrum between the Member States and on the obligation to release the frequency bands needed for 5G deployment.
In order to ensure sufficient stability and visibility for operators, frequency authorisations will be granted for 15 years, with a possible extension for an appropriate period as decided by the relevant minister. Here, note that in Luxembourg, frequencies relevant for 5G have already been attributed to four operators for an initial period of 15 years.
- The extension of universal service to include affordable access to high-speed internet at an affordable price.
- The prohibition of unnecessary restrictions on the interconnection of wireless access points. This will allow connection to Wi-Fi access points to receive data traffic by users other than those who subscribe to the service.
- Support for very high capacity communications networks, namely by facilitating the deployment of limited range wireless access points. The new legislation will provide electronic communications operators with the right to access any physical infrastructure controlled by public authorities that is technically suitable for hosting limited-range wireless access points, or that is needed to connect such access points to a backbone network. In addition, the installation of such devices will be exempt from any prior administrative authorisation.
- Additional obligations on dominant operators with a view to fostering effective and sustainable competition with a positive impact on prices, quality and choice for end-users. The dominant operators will be identified as such by the ILR and the obligations upon them will relate to interconnection, transparency, non-discrimination, accounting segregation, access to resources or networks, and prices and price control.
- Increased security of electronic communication networks and services. Providers will be obliged inter alia to notify the ILR without delay of any security incident having a significant impact on the operation of networks or services, as well as the users themselves if there is a particular and significant threat of a security incident.
Here, note that in the event of a security incident, providers may need to notify not only the ILR, but also the Luxembourg data protection authority (the “CNPD”) if the security incident qualifies as a data breach under the EU General Data Protection Regulation (the “GDPR”) or the Luxembourg law of 30 May 2005 on the protection of privacy in the electronic communications sector (the “Law of 2005”).
While under the GDPR and the Law of 2005, a personal data breach will only be established in the event of an actual breach of user data, it should be noted that the definition of “security incident” under the newly approved bill is particularly broad: the mere observation of an event that may have an adverse effect on the security of electronic communications networks and services will be sufficient to trigger notification.
The bill of law approved by the Luxembourg Chamber of Deputies on 8 December 2021 implements the EECC in a very faithful manner. The only Luxembourg specifics are minor, and are as follows:
- The new Luxembourg telecommunications law will not apply to networks and electronic communications services installed or operated by the Luxembourg government for its own purposes.
- It is reiterated that companies providing electronic communications services will need to comply with the constitutional right to privacy of correspondence, but will also have to provide the necessary access to competent authorities for the purposes of their duties.
- Contracts with consumers only take effect once the consumer has confirmed their agreement in writing or on another durable medium after receiving the contractual summary.
- Providers have an obligation to collect and retain the relevant personal data of prepayment customers.
What sanctions can be incurred by the providers of electronic communications and/or networks falling under the scope of the bill?
Beyond issuing a reprimand or a ban on carrying out certain operations or providing certain services, or temporarily suspending one or more managers of the company, the ILR can also impose fines up to one million euros (subject to a penalty payment if necessary).
The competent minister may also suspend or withdraw administrative authorisations, such as rights to the use of the radio spectrum.