Five things you need to know About Luxembourg IP & Technology Law
In the field of IP & technology law, our Luxembourg Technology & IP-team identified the following five trends, which will shape your agenda in the coming year. By anticipating these developments, you can use them to your advantage and prepare for their impact. The five main trends relate to:
- GDPR enforcement
- Digital transformation
- Protection of trade secrets
- Open data
1. GDPR enforcement
Cybercrime is nothing new, but the rapidly accelerating digital transformation (sometimes organised in an improvised fashion, as in the case of working from home) and the recent Log4j security vulnerability have led to an increase in criminal acts committed online through electronic communications networks and information systems. A multidisciplinary approach is required to tackle these types of offences, the legal aspects of which should not be neglected, from both from a proactive (IT governance policies, the contractual organisation of resilience throughout the value and supply chains, cyber insurance, etc.) and reactive (liability litigation, sector and data protection notification requirements, and regulatory investigations) perspective. In any case, laws and regulations in the area of cybersecurity are clearly increasing. A second Network and Information Security (NIS) Directive is in the works, and the myriad existing rules and regulations in the financial sector (e.g. CSSF Circular 20/750 and the corresponding EBA guidelines) will be embodied in the DORA Regulation (aka the EU's Digital Operational Resilience Act for the financial sector) in order to tackle IT security holistically and further foster the digital resilience of financial players.
3. Digital transformation
The Covid-19 crisis has further accelerated the need for digital client onboarding and a digital client journey, AI-based processes (e.g., chatbots and data analytics), and electronic signature and archiving solutions. The legal challenges raised by these phenomena and the responses of lawmakers, regulators and the courts are constantly changing. Many of these new developments are based on outsourced services and/or are made possible via cloud solutions. These in turn trigger sector regulatory issues and, in the wake of the CJEU's Schrems II judgment, raise data protection questions. The financial (including investment funds) and insurance sectors should be particularly attentive to the applicable sector regulatory framework. Many financial institutions had to be compliant with the EBA guidelines on outsourcing arrangements by 31 December 2021, and the CSSF will publish its revamped circular on outsourcing in the coming weeks. Furthermore, many insurance companies must comply with the EIOPA guidelines on outsourcing to cloud service providers, declared applicable by CAA Circular 21/15, which contains additional requirements as well.
4. Protection of trade secrets
Cybersecurity and data protection rules and regulations have raised awareness within organisations of the value of information and the need to protect it. Only if valuable internal information is adequately protected can it benefit from the EU's harmonised and enhanced protection and enforcement regime for trade secrets, introduced by Directive (EU) 2016/943 (and the 2019 Luxembourg implementing legislation). Businesses are clearly more aware of this regime, integrating it into their overall IP protection strategy and, finally, enforcing it.
5. Open data
Various legislative initiatives have been taken to support data economy by fostering the exchange of data, even when it appears difficult to reconcile with data protection. In the payment services sector and other financial sectors, open banking, reinforced by the Second Payment Services Directive, is on the rise. It goes without saying, however, that the open data movement is not limited to banking. More horizontal initiatives, such as the Data Governance Act, will further bolster data sharing and the reuse of public-sector data, even when protected by IP or personal data regulations. This act provides a framework for "data intermediation" services and encourages "data altruism", permitting individuals and companies to make data voluntarily available for the common good such as scientific research. In 2022, a major new legislative initiative, the Data Act, is expected, which will complement the Data Governance Act and aims to facilitate business-to-business data sharing, amongst other things.
If you would like to know more about it, please read the extended version of the article published in the January edition of Agefi.