Which topic would you like to know more about?
What is the legal age of adulthood/ majority in your jurisdiction? Are all persons below this age considered a child/ minor?
According to Article 488 of the Civil Code, 18 is the age of majority in Luxembourg.
Has the UNCRC been directly incorporated into national law in your jurisdiction?
Yes.
The UNCRC has been incorporated into national law by the law of 20 December 1993 approving the UNCRC and modifying certain provisions of the Civil Code.
Is there an ombudsperson/ commissioner for children in your jurisdiction?
Yes.
The Ombudsman for Children and Youth is an independent institution established by the Law of 1 April 2020.
If there is an ombudsperson/ commissioner for children in your jurisdiction, do they have any responsibility for upholding children’s rights in the digital world or does the relevant regulator have sole competence?
Yes.
The the Law of 1 April 2020 provides that the Ombudsman for Children and Youth (OKaJu) is responsible for protecting and promoting the rights of the child, in order to recommend, if necessary, to the competent authorities any adjustments it deems necessary to ensure better protection of the rights of the child on a long-term basis.
The OKaJu is also responsible for receiving and examining complaints made to it regarding a failure to respect children's rights and making recommendations to remedy the situation reported, and for reporting cases of non-compliance with children's rights to the competent authorities and making recommendations for remedying the situation reported.
This may include complaints upholding children’s rights in the digital world.
Is there any standalone requirement to collect the consent of one or both parents when processing a child’s personal data (irrespective of any other obligations, e.g. the requirement to have a legal basis for processing)?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here. The requirement to collect parental consent under Article 8(1) of the GDPR only applies where the service provider is relying on consent as the legal basis under the GDPR for processing a child’s personal data. If another legal basis is relied on for processing, there is no requirement to collect parental consent for processing the child’s data.
Entirely separate to the requirement to collect parental consent under Article 8(1) is that a digital service provider (controller) may decide to seek parental permissions for a child to access different setting/ features/ functionalities etc. as part of the measures it implements under Articles 24 and 25 of the GDPR to ensure a high level of protection for child users.
At what age can children legally consent to the processing of their own personal data, such that parental permission/ consent is not required?
Article 8(1) of the GDPR provides that the age of digital consent may be anywhere between 13 and 16 years of age, depending on what age the EU Member State in question has adopted. In Luxembourg, this is 16 years of age.
Are there specific requirements in relation to collection and/or verification of parental consent/ permission concerning the processing of a child’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
Article 8(2) of the GDPR does not set out an approved method for the collection of parental consent; however, it does require organisations to “make reasonable efforts” to verify such consent by a holder of parental responsibility over a child taking into account available technology. No specific method has been endorsed by the National Commission for Data Protection (CNPD) and there is no specific guidance from the CNPD on this issue.
Are there any particular information or transparency requirements concerning the processing of children’s personal data?
Yes.
There are no national-specific laws in this regard; see more information on the GDPR-level requirements here.
While there is no specific national guidance on this issue,
Article 12(1) of the GDPR emphasises the particular importance of the requirement for clear and plain language when providing information to children.
Can children directly exercise their rights in relation to their personal data without the involvement of their parents?
Yes.
Children who are 16 years or over can directly exercise their rights in relation to their personal data without the involvement of their parents.
Can children make complaints on their own behalf directly to your national data protection/ privacy regulator(s)?
Yes.
Children who are 16 years or over can make complaints on their own behalf directly to the National Commission for Data Protection.
Are there any particular requirements/ prohibitions related to:
a. processing specific types of children’s personal data;
b. carrying out specific processing activities involving children’s personal data; and/ or
c. using children’s personal data for specific purposes.
Yes.
There are no such requirements / prohibitions under national laws. However see more information on the GDPR-level requirements here.
Has there been any enforcement action by your national data protection/ privacy regulator(s) concerning the processing of children’s personal data? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There has been no enforcement action by the National Commission for Data Protection concerning the processing of children’s personal data.
Are there specific rules concerning electronic direct marketing to children?
Yes.
Where unsolicited direct marketing to any person is carried out through the sending of electronic mail (i.e. any text, voice, sound or image message including SMS text message) the Luxembourg law of 30 May 2005 on ePrivacy (ePrivacy Act) will apply to such communications.
The ePrivacy Act transposes the ePrivacy Directive into Luxembourg law. The ePrivacy Act is not specifically directed at communications made to children but, regardless of whether the communication is sent to an adult or a child, the general rule is that the consent of the individual recipient is required (which must be GDPR-standard consent) although there are certain strictly applied exemptions which can be relied upon in limited circumstances.
Pursuant to the guidance issued by the National Commission for Data Protection, where the processing of personal data is based on consent, parental consent is also required for children under the age of 16. Thus, consent to the receipt of electronic direct marketing messages sent by SMS and email can only be provided by a child who is 16 years or over or by a parent/guardian of a child who is under 16 years.
Are there specific rules concerning the use of adtech tracking technologies, profiling and/or online targeted advertising to children?
Yes.
There are no such specific rules under national laws or guidance.
Additionally, see information on the EU-level requirements here.
Are there specific rules concerning online contextual advertising to children?
Yes.
There are no such specific rules under national laws or guidance. See information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning advertising to children? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There has been no regulatory enforcement action by the National Commission for Data Protection concerning advertising to children.
At what age does a person acquire contractual capacity to enter into an agreement to use digital services?
This is the age of civil capacity to enter into a contract in Luxembourg per Article 488 of the Civil Code.
Do consumer protection rules apply to children?
Yes.
The Luxembourg Consumer Code prohibits misleading advertising, which must be considered in the context of the ‘average consumer’ within the target group. Whether a commercial practice is misleading under the Consumer Code will depend on whether it includes the provision of false information, deceives or would be likely to deceive the average consumer regarding a number of matters listed in the relevant provision and such action causes or would be likely to cause the average consumer to make a transactional decision they would not otherwise make.
In determining whether a commercial practice is misleading, the commercial practice has to be considered in its factual context, taking account of all its features and circumstances.
The concept of the ‘average consumer’ is also important in the context of the general prohibition on unfair commercial practices contained in the Consumer Code. As with the prohibition on misleading commercial practices outlined above, when determining whether a commercial practice is unfair, the commercial practice has to be considered in its factual context, taking account of all of its features and circumstances.
Withholding, omitting or concealing material information that the average consumer would need, in the context, to make an informed transactional decision, with such action causing or being likely to cause the average consumer to make a transactional decision they would not otherwise make also constitutes a misleading commercial practice
In addition, the Consumer Code sets out the mandatory pre-sale information that must be provided to consumers.
Additionally, see information on the EU-level requirements here.
Are there any consumer protection rules which are specific to children only?
Yes.
Under Article L. 122-7 of the Consumer Code, the fact of directly encouraging children in an advertisement to buy the product being advertised or to persuade their parents or other adults to buy the product being advertised is considered as an unfair aggressive commercial practice.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning consumer protection requirements and children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
There has been no such regulatory enforcement action concerning consumer protection requirements and children’s use of digital services.
Are there any age-related restrictions on when children can legally access online/ digital services?
Yes.
There are national-specific laws in Luxembourg which implement age-related restrictions on the ages at which children can legally access specific goods and services in the online context. The following is a non-exhaustive list of goods and services to which such restrictions apply:
- alcohol, cigarettes, vaping;
- programmes offered by audio-visual media service providers that are likely to seriously impair the physical, mental or moral development of minors, in particular programme elements containing scenes of pornography or gratuitous violence; and
- television advertising for alcoholic beverages.
Are there any specific requirements relating to online/ digital safety for children?
Yes.
There are no national laws in Luxembourg with specific requirements relating to online / digital safety for children. However, protection of children is covered by generals laws and regulations, including in the following areas:
- Content moderation requirements: the E-commerce Act 2000 requires the removal of harmful and illegal content from certain services.
- Hate Speech: it is a criminal offence punished by Article 457-1 of the Penal Code, to make content available which is an incitement to hatred or violence against a person, group or community on the basis of discriminatory criteria.
- Misinformation and Disinformation: under Article 443 of the Penal Code, anyone who has maliciously imputed to a person a specific fact which is likely to prejudice that person's honour or to expose him or her to public contempt is guilty of slander or as the case may be defamation.
- Adult content, graphic violence: it is a criminal offence punished by article 383 of the Penal Code to distribute a message of a violent or pornographic nature or of a nature that seriously undermines human dignity, or trading in such a message where the message is likely to be seen or perceived by a minor.
- Cyberbullying and Harassment: under article 442-2 of the Penal Code, it is prohibited to repeatedly harass a person when they know or should know that that this behaviour would seriously affect the peace and quiet of the person concerned.
Additionally, see information on the EU-level requirements here.
Are there specific age verification/ age assurance requirements concerning access to online/ digital services?
Yes.
In the media sector, specific requirements apply with respect to the protection of minors, pursuant to the Regulation of 8 January 2015 on the protection of minors in audio-visual media services.
Video-on-demand (VOD) platform providers must use access restrictions that are different from those used by linear media service providers to limit the access of minors to certain content. These are mainly based on the following technical measures:
- filtering or labelling systems,
- provision of parental control features,
- presentation in a separate area with the most harmful content, access to which is only authorised by (i) age verification, (ii) allocation of personal access codes, (iii) payment.
In order to ensure the safety of minors on video-sharing platforms (VSP) and create a suitable environment, VSP providers must:
- establish and implement clear and sound safety policies;
- put in place effective, user-friendly mechanisms enabling users to easily report harmful and illegal content;
- carry out age checks at registration or by restricting access to adult-only content;
- offer rating systems enabling users to classify content by reference to different age categories;
- offer parental control tools enabling them to monitor their children’s use of services and restrict their access to certain content; and
- provide media literacy measures to encourage responsible use of their services and to raise users’ awareness of various topics related to their online experience.
Due to the increased risk of minors being exposed to harmful and illegal content on video-sharing platforms, providers are obliged to cooperate with the competent judicial authorities, particularly in relation to child pornography offences.
Additionally, see information on the EU-level requirements here.
Are there requirements to implement parental controls and/or facilitate parental involvement in children’s use of digital services?
Yes.
In the media sector, providers of on-demand audio-visual media services must implement a parental control system allowing the users to enter a specific code to access the audio-visual programmes in the catalogue. Providers must ensure that users are informed in an appropriate way of the existence of a parental control system.
Additionally, see information on the EU-level requirements here.
Has there been any regulatory enforcement action concerning online/ digital safety? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any existing requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific laws in this regard; the AI Act (Regulation 2024/1689) applies in this context. See EU-level response here.
Are there any upcoming requirements relating to children and AI in your jurisdiction?
Yes.
There are no national-specific requirements in this regard; see EU-level response here.
Has there been any other regulatory enforcement activity to date relevant to children’s use of digital services? In your answer, please include information on the volume, nature and severity of sanctions.
No.
N/A
Are there any other existing or upcoming requirements relevant to children’s use of digital services?
Yes.
There are no other national existing or upcoming requirements relevant to children’s use of digital services. See more information on the upcoming EU-level requirements here.
Contributors
Hervé Wolff
LGAvocats
Stéphan Le Goueff
LGAvocats
