Newsletter Digital Technologies & Network Practices n° 12 – January through June 2017
Franklin’s Digital Technologies & Networks Practice is pleased to present the latest edition of its Newsletter, which focuses on the most significant legal developments that took place in France during the first half of 2017, in the fields of personal data, IT contracts and telecommunications networks.
We hope this newsletter will help you anticipate some of the legal issues your company may face.
Please feel free to contact us for any legal assistance you may need.
I France’s highest administrative court asks the ECJ for a preliminary ruling on the application of the 1995 Directive to search engines (Conseil d’État, Judicial Assembly, February 24, 2017, case no. 391000, published in the Lebon law report)
In its famous Google Spain ruling (ECJ, May 13, 2014, Google Spain, case no. C-131/12), which created a right to be forgotten enforceable against search engines, the European Court of Justice (“ECJ”) held that Google must be regarded as a data controller within the meaning of Directive 95/46/EC of October 24, 1995, in respect of its search engine operations. At the time, the Advocate General and several commentators observed that the consequences of that decision would extend far beyond the right to be forgotten since the obligations of a data controller under the Directive (and soon under the GDPR) are numerous and some of them seem impossible for a search engine to fulfill (see the article by Bradley Joslove and Adeline Jobard entitled “Personal Data – The Right to be Forgotten: Google Down the Memory Hole”).
Today the ECJ has an opportunity to rule on the subject since, on February 24, 2017, France’s highest administrative court (Conseil d’Etat), referred a series of questions to the ECJ for a preliminary ruling on the application of the 1995 Directive to search engines. For example, how do the rules that strictly regulate the processing of personal data (such as information on a person’s religious beliefs, political opinions, or sex life) apply to a search engine? Should a search engine be treated as any data controller or should special rules apply? If so, which ones?
The ECJ may find it hard to answer the questions of the Conseil d’Etat and one might wonder whether it sufficiently thought through the consequences of its finding that Google was acting as a data controller in respect of its search engine activities. The ECJ will have other questions to answer after these, including those referred by the Conseil d’Etat in July 2017, regarding the territorial scope of the 2014 Google Spain decision (more on this in our next newsletter).
II The Conseil d’Etat clarifies the concept of data anonymization (joint sitting of the 10th – 9th divisions of the Conseil d’État, February 8, 2017, case no. 393714)
In a ruling dated February 8, 2017, the Conseil d’Etat upheld the French Data Protection Agency’s decision not to approve the installation of a pedestrian counting system in the Paris business district of La Défense. The system collected mobile network identifiers to which it applied what the data controller described as a ‘data anonymization’ technique.
The French Data Protection Agency (CNIL) conducted a technical review of the counting system and concluded that the data anonymization technique did not guarantee complete anonymization (decision no. 2015-255 of July 16, 2015). The Conseil d’Etat sided with the agency, ruling that data cannot be considered anonymous when “it is still possible to single out an individual or piece together data from two recordings of that individual.”
This ruling therefore applies a narrow definition of anonymization. Data controllers will have to be careful that the anonymization techniques they implement actually prevent re-identification of the data subjects. Otherwise, the CNIL may regard them as ‘pseudonymization’ techniques that merely reduce the risk to privacy, which would not get data controllers off the legal hook but still go some way toward meeting the requirements imposed on data controllers under the accountability principle introduced by the GDPR.
III. Emails exchanged using an employer’s email system whose existence was not notified to the CNIL are admissible in court (Cour de Cassation, labor division, June 1st, 2017, case no. 15-23.522, published in the Court’s law report)
In a ruling dated June 1st, 2017, France’s highest appellate court (Cour de Cassation) held that an employer could submit as evidence an email from its employee’s professional email account, even if the employer had failed to notify the French Data Protection Agency (CNIL) of the existence of its email system.
The email system in that case did not include any technology that could serve to monitor individual employees’ use of their professional email account and was therefore subject to a “simplified” declaration requirement, which applies to any processing activity that does not infringe on the privacy or freedoms of individuals.
For now, this decision applies only to employers’ email systems that are under a “simplified” declaration requirement. It does not appear to apply to email systems under a “standard” declaration requirement, since those can be used to monitor employees’ activity and therefore pose a serious risk to their privacy.
IV. French and German cybersecurity agencies create common label
The French and German cybersecurity agencies (ANSSI and BSI) have created the ESCloud label to establish a common basis for trust in the cloud sector. The ESCloud label establishes a set of organizational and technical rules for certifying Member States’ commitment to cybersecurity, the skill of selected service providers and the proper processing and storage of data within the European Union.
The ESCloud label coexists with French and German labels: those who have received the SecNumCloud (in France) or C5 (in Germany) certification will be able to obtain the ESCloud label. This certification process is currently limited to France and Germany but should soon be extended across Europe.
V. IBM ordered to pay over €6.6 million over the failure of a system integration project (Cour de Cassation, commercial division, March 29, 2017, case no. 15-16.010, unpublished)
In a ruling dated March 29, 2017, the Cour de Cassation confirmed the decision of the Court of Appeals of Bordeaux, ordering IBM to pay over €6.6 million to its client, the French insurance company MAIF, for the failure of an IT project (1st civil division – section B of the Court of Appeals of Bordeaux, January 29, 2015).
After ten years of proceedings, IBM was held solely responsible for the failure of a system integration project contracted for under a fixed-price agreement, pursuant to which IBM had a duty to achieve a specific result (obligation de résultat) which it never actually delivered despite significant schedule and budget overruns that eventually prompted MAIF to terminate its agreement with IBM.
IBM attempted to minimize its responsibility by citing the client’s extensive involvement in the execution of the project and operational trade-offs, but this strategy failed, as the court upheld the primacy of the terms of the initial contract, which were very tough on IBM. One upshot of this case is that it serves as a reminder for service providers and their clients, if indeed they needed one, that a well-negotiated contract is key to minimizing their exposure should the project go awry.
VI. The end of EU roaming charge
Since June 15, 2017, telecoms operators can no longer charge roaming fees (extra fees for using a mobile device abroad) within the European Union. This is the first step in the Digital Single Market strategy introduced by the European Commission in 2015.
The next step will be cross-border portability of online content, which will allow Europeans who paid for online content services such as Netflix or TF1 replay in their home country to access them when visiting another EU country.
VII. French media watchdog asserts jurisdiction over a YouTube channel (Full panel, November 9, 2016)
In a ruling dated November 9, 2016, the French media watchdog (CSA) asserted jurisdiction over the content of a YouTube channel under the law of September 30, 1986, as amended to extend the CSA’s oversight to on-demand media services (replay, VOD, etc.).
While platforms are regarded as technical intermediaries, which seems to disqualify them as on-demand media services, the same cannot be said for YouTube channels, which are edited by their operator and therefore cannot be regarded as technical intermediaries. That was the case in this instance: the CSA held that, setting aside the mode of broadcasting (on YouTube), the channel had all the characteristics of an on-demand media service, since it featured a catalog of professionally-organized content, had business operations and offered content independently from any other service.
This groundbreaking decision could pave the way to increased CSA oversight of online content.
GOVERNING LAW / JURISDICTION
VIII. French courts have jurisdiction over foreign websites (Cour de Cassation, commercial division, July 5, 2017, case no. 14-16.737, published in the court’s law report)
In a ruling dated July 5, 2017, the Cour de Cassation extended the jurisdiction of French courts to a French authorized distributor’s liability suit against foreign websites offering products for sale in violation of the prohibition on resale outside a selective distribution network.
In that case, the Cour de Cassation had referred a question to the ECJ (Cour de cassation, commercial division, November 10, 2015, case no. 14-16.737, unpublished) for a preliminary ruling on the interpretation of Article 5.3 of Regulation 44/2001, which provides that in matters relating to tort, delict or quasi-delict, a person residing in a Member State may be sued in another Member State in the courts for the place where the harmful event occurred or may occur. The ECJ answered that “the place where the harmful event occurred or may occur”, within the meaning of Article 5.3, is the territory of the Member State that protects the prohibition on resale and where the distributor alleges to have suffered a reduction in its sales (ECJ, December 21, 2016, case no. C-618/15).
In light of this answer, the Cour de Cassation held that French courts had jurisdiction over the matter referred to it because, although the websites being sued did not target the French public, French law protected the prohibition on resale outside a selective distribution network and it was in France that the distributor alleged it had suffered a reduction in its sales.