As regards the insurance sector, confidentiality has to be guaranteed by insurance or reinsurance undertakings (Undertakings) either by using the highest ICT industry standard or by employing experts in IT security to provide it. In contrast, professional secrecy is a much more limited right granted to clients, who can choose to waive it, and breach of which is punishable by criminal sanctions.
It is arguably more important these days to ensure confidentiality from a technical standpoint, in order to protect the insurance sector as a whole, than to protect secrecy from an individual standpoint.
A new Luxembourg law allows, under certain conditions, Undertakings to engage ICT providers located in Luxembourg OR abroad, provided that these providers comply with the highest IT security standards.
The new law, dated 29 March 2024, which implements the directive (EU) 2021/2118 of 24 November 2021 (amending Directive 2009/103/EC relating to insurance against civil liability in respect of the use of motor vehicles, and the enforcement of the obligation to insure against such liability) (Law 2024), was published in the Luxembourg Official Gazette on 2 April 2024. It has the effect of materially amending article 80 of the Law on the Insurance Sector dated 7 December 2015 (LIS) regarding the storage of documents and data by Luxembourg Undertakings. The original text of the LIS¹ stated that
“Luxembourg insurance and reinsurance undertakings are required to ensure that their accounts ledgers and other documents relating to their business activities are held in the Grand Duchy of Luxembourg at all times, either at their registered office in Luxembourg or in any other place duly notified to the CAA [Commissariat aux Assurances].
[…]”
Law 2024 introduces an exemption to paragraph 1 of article 80. Luxembourg Undertakings may outsource the digital storage of documents and related data and their processing to a critical third-party ICT service provider established in Luxembourg OR in another Member State, provided that the provider is subject to supervision by a European Supervisory Authority pursuant to Article 31 of DORA.
The addition to article 80 of the LIS provides additional options for all relevant Undertakings, as it broadens the possibility of outsourcing the digital storage and processing of data to entities NOT located in Luxembourg, while still maintaining the highest possible level of security and confidentiality standards.
One of the potential implications arising from the implementation of this new exemption is the need to work out how engaging a third party located outside Luxembourg to provide IT security can be achieved whilst maintaining compliance with article 300 of the LIS on professional secrecy. Pursuant to paragraph 2 of article 300, the professional secrecy duty ceases to apply where the disclosure of confidential information is permitted by law. The amendments to article 80, which authorise outsourcing under certain conditions, therefore create a legal exemption, so the requirement of professional secrecy does not apply. Because this exemption is a statutory one, the prior approval of the Undertakings’ clients is not required to implement the outsourcing of the storage and processing of documents and data. To that extent, the requirements of IT security take precedence over the clients’ right to secrecy.
The exemption described above applies only to professional secrecy rules. As any outsourcing of this nature is likely to include the processing of personal data, data protection law applies, and Undertakings must obviously comply with the General Data Protection Regulation (GDPR).
Furthermore, if any outsourcing which is arranged to take advantage of the changes implemented by article 80 uses technology or information held in the Cloud, it will have to comply with Circular 21/15 on “cloud outsourcing”, issued by the CAA. Where such outsourcing is not “cloud outsourcing”, compliance with Circular 22/16 on the outsourcing of critical or important operational functions and activities will need to be verified.
Whilst Law 2024 has given new options to Undertakings in terms of outsourcing outside Luxembourg, issues of substance from a regulatory and tax point of view may be triggered where Luxembourg-based Undertakings are tempted, for example by lower overheads, to outsource all of their IT systems.
¹ English translation of the version of the LIS available on the Commissariat aux Assurances (CAA) website.