Newsletter TMT n° 11 – Year in review – 2016
Franklin’s TMT practice is pleased to present the latest edition of its Newsletter, which focuses on the top 10 French TMT law developments of 2016. Last year was particularly eventful, especially in the field of personal data, with the long-awaited adoption of the European Data Protection Regulation. Data protection is therefore becoming an increasing focal point for all businesses, which would be well advised to keep up with this increasingly important area of law. We hope this newsletter will help you anticipate some of the legal issues your company may face.
I. European Regulation on Data Protection
The General Data Protection Regulation no. 2016/679 of April 27, 2016 (“GDPR”), replacing the 1995 Directive as of May 25, 2018, will dramatically reshape the rules governing the protection of personal data in the European Union.
On the one hand, it has increased the rights of individual data subjects, in particular by introducing the rights to data portability and erasure, and by establishing special protections for minors.
On the other hand, it has simplified administrative procedures for controllers by drastically reducing filing requirements and, for controllers active in several EU countries, by introducing a “one stop shop” whereby such controllers only need to directly deal with a single national supervisory authority.
In exchange for the simplification of administrative formalities, the regulation encourages the sector to regulate itself and imposes new obligations on businesses (“privacy by design”, accountability, reporting security breaches, direct liability of data processors, etc.).
The European lawmakers have made data protection more effective in several ways. First, violators of the GDPR may face fines of up to 4% of their worldwide revenue. Second, data subjects will have enhanced means to enforce their rights. Finally, the territorial scope of the GDPR will be much wider: beyond the existing criterion (any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union), it will also apply to any processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services to such data subjects in the Union, whether or not a payment is required (“targeting”); or b) the monitoring of their behavior provided it takes place within the Union (“monitoring”).
II. Privacy Shield
The European Commission’s adequacy decision of July 12, 2016, enabled the Privacy Shield to replace the Safe Harbor framework (declared invalid by the ECJ in its Schrems ruling no. C-362/14 of October 6, 2015) as the principal means to facilitate personal data transfers from the European Union to the United States.
However, the validity of the Privacy Shield has already been challenged in the EU, mainly on the grounds that it does not provide a level of protection of personal data equivalent to that required under the Directive. Therefore, this is a subject to be monitored closely over the next few years.
III. New law introduces privacy class actions in France
On March 17, 2014, France passed a law (no. 2014-344) introducing class actions to allow licensed, nationwide consumer organizations having received consumer complaints to bring suit on their behalf.
In 2016, a new law (no. 2016-1457) extended the scope of class actions to the protection of personal data. However, the only remedy available in such a class action is an injunction to stop violations of the French Data Protection Act, to the exclusion of any award of damages to the individual plaintiffs.
IV. Dynamic IP addresses may qualify as personal data
In its judgment dated October 29, 2016 (Patrick Breyer v. Federal Republic of Germany, C-582/14), the ECJ was called upon to rule on whether an IP address held by a website operator qualifies as personal data if that operator is able to access additional information held by a third party (in this instance, internet access providers) enabling it to identify the data subject.
The ECJ held that an IP address, whether dynamic or static, constitutes personal data if the person collecting it has the legal means to obtain additional information from a third party that enables it to identify the data subject. France’s highest appellate court (Cour de Cassation) adopted this approach in its ruling no. 15/22595 dated November 03, 2016.
V. Regulation on online dispute resolution for consumer disputes
In parallel to Directive 2013/11/EU of May 21, 2013, on alternative dispute resolution for consumer disputes, which imposes new obligations on dispute resolution bodies (arbitration centers, ombudsmen, etc.), Regulation 524/2013 also of May 21, 2013, on online dispute resolution for consumer disputes came into force in January 2016. It introduced an online platform available in all official EU languages for handling disputes arising from online sales or service agreements between a business and a consumer residing in the European Union.
The platform receives complaints, informs traders, puts the parties in touch with each other so that they can designate a consumer dispute resolution body, submits the application to the designated body and communicates its verdict to the parties.
The regulation requires e-traders and online marketplaces to provide consumers with a hyperlink to the platform’s website and to include information on this new procedure in their terms and conditions of sale or service. Once the designated body receives the complaint, it has 90 days to hand down its decision.
The procedure and enforceability of the dispute resolution decision vary depending on the body designated by the parties.
VI. Information security at the heart of French and EU regulations in 2016
In 2016, a series of regulations were enacted to reinforce the information security obligations of tech companies.
First, the European Union published the eIDAS Regulation (no. 910/2014) dated July 23, 2016, establishing security standards based on electronic signatures, electronic seals, electronic time stamps and mechanisms for issuing qualified certificates so that they have the same legal value as paper documents.
Then, the “NIS” Directive (no. 2016/1148) published on July 19, 2016, laid down the requirements to be met by (i) operators of services designated as “essential” by the Member States (banks, energy companies, etc.) and (ii) digital service providers (platforms, cloud service providers, etc.). In particular, these companies will have to take appropriate measures to prevent risks, mitigate the impact of any incidents and notify the relevant authorities of those that have “an actual adverse effect on the security of network and information systems”.
Finally, on December 8, 2016, the French cybersecurity watchdog (ANSSI) published a security standard for cloud service providers called “SecNumCloud”. For their security system to achieve “Essential Level” certification (the minimum certification level; an “Advanced Level” is soon to be published), cloud service providers will have to meet access control, identity management, encryption, operational security and incident management requirements. In particular, they will be required to host and process data within the European Union.
GOVERNING LAW / JURISDICTION
VII. French law and jurisdiction apply to internet crime
New Article 113-2-1 of the French Criminal Code, introduced by law no. 2016-731 dated June 3, 2016, provides that any crime or offense committed on the Internet against a person residing in France is deemed to have been committed in France. Therefore, crimes committed outside France may fall under French criminal law and jurisdiction.
This new article partially departs from private international law and European law, under which the criterion of the victim’s place of residence was only subsidiary to the “lex loci delicti” rule, i.e., the law of the place where the crime was committed governs.
It can be expected that foreign courts will decline to enforce French judgments based solely on the victim’s place of residence.
VIII. Forum selection clauses deemed unfair if the selected forum is too far away
In a ruling dated April 12, 2016, the Paris Court of Appeals struck down Facebook’s dispute resolution clause selecting California as the forum for any litigation, on the grounds that it forced users to pursue their legal remedies in a particularly distant location and to incur increased costs that were disproportionate to the value of the contract. Users would thus be deterred from taking legal action, while Facebook had sufficient human and financial resources to defend any claim brought against it in France.
IX. Changes in French contract law
On October 1st, 2016, Order (ordonnance) no. 2016-131 came into force, bringing many changes to the law of contracts. For instance, the better-informed party to an IT contract now has a more stringent obligation to inform the other party, both before and after signing the contract, and if it fails to provide key information to the other party, the contract may be held null and void.
With a view to reducing inequality between parties, the Order has extended to all contracts, including those between businesses, the notion of legal unenforceability of a “contract term creating a significant imbalance in the rights and obligations of the parties” that already existed under consumer law.
Finally, the Order provides that (i) in the event of any unforeseen change in circumstances (ii) inflicting an excessive burden on one party (iii) that did not agree to bear the risk of such a change, the parties may mutually agree to renegotiate or terminate the contract, or petition a court to adapt the contract. If the parties are unable to agree within a reasonable period, the judge may, upon the request of a party, modify or terminate the contract, at the date and under the terms decided by the judge.
X. Digital Republic Act
The French Digital Republic Act published on October 8, 2016, has overhauled the legal framework governing the digital economy. It promotes the dissemination of information and knowledge by opening up public data (as a rule, government files are now published in open, standard and reusable formats).
It also allows researchers whose work is 50% government-funded to publish their findings after 6 or 12 months and introduces the concept of general interest data (data relating to public service concession contracts, subsidies, etc.) to optimize its use.
The Digital Republic Act also strengthens citizens’ rights over their data by beginning to enact the European Data Protection Regulation into French law (minors’ right to be forgotten, “digital death”, data portability, enhanced enforcement powers for the French privacy watchdog, etc.), by entrenching the principle of net neutrality and by imposing on trading platforms stricter fair dealing and information obligations towards consumers. It also contains an “Airbnb” article pursuant to which individuals in strained areas who wish to rent their property via Airbnb may be required to register with their town council. Hospitality platforms are required to bar hosts from listing their primary residence for more than 120 days a year.
Finally, the Digital Republic Act contains a section on internet access for all, requiring operators to develop fiber-optic and mobile networks across the country and establishing a right for people who defaulted on their bills to have their internet connection maintained temporarily, among other less significant measures.