Quoted by Global Data Review:

Claude-Étienne Armingaud, a partner at K&L Gates in Paris, said the decision would have little impact in practice.

“The new sections adopted in July 2021 are implementing specific and targeted data retention requirements which should therefore comply with both the ECJ decisions and the Constitutional Council decision of today,” he said.

“So, if anything, it’s a tardy decision that was expected and confirmation that the Government did well to anticipate this.”

Read full article here.

During his January 2022 hearing before France’s National Assembly, the newly appointed chairman of the French competition authority (AdlC), Benoit Coeuré, stated that the digital sector would be one of the principal subject matters of his chairmanship (see press release here in English). 

His intention is to focus on “the emergence of new essential infrastructures such as cloud-computing” and that, in consequence, “it would be important and justified for the AdlC to rapidly undertake in-depth work on the consequences of cloud-computing in all sectors in conjunction with the relevant sectoral authorities.”

Pursuant to Article L. 462-4 of the French Commercial Code, the AdlC has therefore decided to conduct a wide analysis of the matter in order to assess the competitive situation of the cloud-computing ecosystem.

A BOOMING SECTOR

This opinion comes at a time when the cloud-computing market is booming at both the European and French level, with an average annual growth expected to exceed 25% over the next few years, with strong value-creation challenges for the economy, and allowing for a 2030 market prediction 10 times larger than in 2020.

Over the last few years, cloud computing has become a complex ecosystem of technologies, products, and services, giving rise to a wealthy economy where several cloud-computing service providers compete for an ever-increasing share of the service market. This peaking sector allows for more efficient ways of working, which has ended up being especially valuable during the COVID-19 pandemic.

This “cloud boom” also serves as the backbone of a widespread digitalization of the economy, which is supported by the French government with its new national plan to support the French cloud industry.

THE NECESSITY FOR GLOBAL ANALYSIS 

The AdlC’s purpose to conduct a broad analysis of the cloud-computing sector is pushed by both a European and international dynamic.

In this regard, the AdlC intends to provide for a definition of the relevant markets in the sector. 

This commitment can be traced back to the European Commission’s (EU Commission) early analysis of the “IT outsourcing services” market encompassing the “public cloud computing services” as one of its sub-segments.1  Concurrently and from a transatlantic perspective, the U.S. Federal Trade Commission is also pushing forward with an antitrust scrutiny in the cloud-computing business. 

The AdlC intends to study the competitive dynamics of the sector and the presence of operators in the various segments of the value chain (including their contractual relations) in a context where multiple alliances and partnerships are concluded for the provision of cloud services. 

Should the AdlC identify potential improvements, proposals may be issued for the competitive functioning of the sector.
Taking into account the variety and complexity of the cloud-computing technologies involved, the AdlC announced that, for the first time, the investigation unit will comprise lawyers, economists, and data scientists notably from the newly created Digital Economy Department.

THE NEXT STEPS

A broad public consultation will be taking place in the next few months to gather comments and suggestions from the stakeholders. Comments are to be sent to the AdlC through the following email address: avis.cloud@autoritedelaconcurrence.fr

The final opinion is expected to be issued by the beginning of 2023.

The firm’s global competition and data protection team (including the competition team and data protection team in each of our European offices) remains available to assist you in achieving the compliance of your data and antitrust matters at global levels.

First publication: K&L Gates Hub with Camille Scarparo

The French data protection Supervisory Authority (The CNIL) has issued a fine totaling EUR 400,000 against Monsanto for failing to inform individuals whose personal data was collected and processed  for lobbying purposes.

Further to the revelation by several media outlets, in May 2019, that Monsanto kept records on more than 200 political and civil society figures (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe, the CNIL received seven complaints from individuals whose personal data was included in those records. The personal data included in those records included professional details (e.g. company name, position, business address, business phone number, mobile phone number, business email address and Twitter account), along with a score of 1 to 5, aiming at evaluating  their influence, credibility and support for Monsanto on various topics such as pesticides or genetically modified organisms.

(more…)

The French Law n°2016-1691 of 9 December 2016 relating to transparency, the fight against corruption, and the modernization of economic life, known as the “Sapin II” Act 1)Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016) introduced to legal entities additional compliance requirements to address corruption in order for France to meet the highest European and international standards.

Sapin II has established a general principle of prevention and detection of corruption risks under the control of a national anticorruption structure, the French Anti-Corruption Agency (AFA),  whose main mission is to help economic and public players in the process.

The AFA noted in its 2019 annual activity report 2)French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).that anticorruption measures implemented by economic and public players were still incomplete.

On 12 January 2021, the AFA published new recommendations entered into force on 13 January 2021 (Recommendations, here in French).

The AFA specifies the practical procedures for implementing an anticorruption system structured around three foundational principles, namely:

  • Governing body’s commitment;
  • Understanding the entity’s exposure to probity risks; and
  • Risk management.
(more…)

References

References
1 Sapin II entered into force on 10 December 2016 (JORF n°0287 of Dec. 10, 2016)
2 French Anti-Corruption Agencyn Annual Activity Report 2019 (7 July 2020) (in French).

The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and delivery company catering to office employees (see full Decision SAN-2020-018 in French).

The CNIL highlighted various breaches of the General Data Protection Regulation (GDPR) and the ePrivacy Directive regarding the processing of prospects and clients’ personal data by the CNIL, most notably:

While the fine is rather limited in view of the maximum potential amount of EUR 20 million or four percent of the turnover (whichever the greater), this decision presents an opportunity to examine web scraping and direct marketing practices, which are rapidly developing.

(more…)

The French Supervisory Authority has set 31 March 2021 as the end of the “reasonable period” to bring websites and mobile applications into compliance.

Following the adoption and publication of its updated guidelines along with practical recommendations on the use of cookies on 1 October 2020 (see our alert on the subject here), the French Supervisory Authority (CNIL) reaffirmed on 4 February 2021 the need for private and public players to comply with the new obligations regarding cookies and other tracers (together, Cookies – See the CNIL press release of 4 February 2021 (in French)).

To make its action plan on online advertising effective and in view targeting of the deficiencies witnessed in both the public and private sectors, the CNIL set a specific deadline for the implementation of its recommendation: 31 March 2021.

(more…)

Through its Act no.2020-1266 dated 19 October 2020 (the Act), the French legislator elected to regulate the commercial exploitation of the images of children aged 16 and under on online platforms (Kidfluencers).

Despite the potentially lucrative consequences of these emerging practices, Kidfluencers operated in a legal vacuum which could have resulted in parents exploiting their children, without the latter reaping any financial benefits or regaining any control of their images upon coming of age.

First and foremost, the Act extends the existing legal framework of child models, under Article L7124-1 of the French Labor Code (FLC). As such, Kidfluencers will require a written authorization from the French Administration prior to being engaged or broadcasted, inter alia:

  • By any entertainment provider, regardless of the medium or broadcast type;
  • In order to perform “modeling activities,” broadly defined under Article L7123-2 FLC as presenting oneself, directly or indirectly through the reproduction of one’s image, either through photographs or video, notably by presenting a product, service of commercial message;
  • By eSport competition organizers; and
  • By “Employer whose activities consist in creating audiovisual recording whose main subject is a child aged 16 or under, for the purpose of for-profit broadcasting on an online video sharing platform”.

The latter category was notably introduced to characterize the parents or legal guardians of the influencers as the “employer” of the Kidfluencer. As they may not be as aware of the legal undertakings as the other providers and organizers mentioned, the Administration will provide them with specific information relating to the Kidfluencers’ rights and the risks associated with exhibiting their image online.

Moreover, a portion of the revenue gained by Kidfluencers would be placed in escrow on a French public bank account until their majority.

Secondly, in situation when the broadcast would not be performed for profit, the Act introduces additional protective measures for Kidfluencers: instead of a prior authorization, a simple declaration of the activity will be required, when the published content exceeds certain thresholds in terms of (i) duration or individual items; or (ii) direct or indirect revenues. Such thresholds will be addressed in a supplemental decree to be adopted shortly.

Failing to obtain the authorization or to proceed with the notification would entitle the Administration to seize a court in order to take down the related content.

Finally, the Act also implements a collaborative framework for the online video sharing platforms, and enjoin them to publish dedicated policies to aiming at

  • Informing users of the applicable Kidfluencers’ regulatory framework;
  • Informing Kidfluencers directly of the consequences on their private life of the broadcasting of their image, of the legal and psychological consequences and of the means they have to protect their rights and dignity;
  • Encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity;
  • Preventing the processing of personal data relating to minors for commercial purposes, such as targeted advertisement, further to the broadcasting a Kidfluencers video;
  • Detecting situations where the recording or broadcasting of Kidfluencers’ videos could impact their dignity, psychological or physical integrity; and
  • Helping Kidfluencers to easily exercise their right to be forgotten on the video-sharing platforms.

While a welcomed step to protect children online, sometimes from their own families, the Act will need to be completed with regard to the thresholds triggering its applicability. In addition, by mainly addressing online video sharing platforms, the Act could have benefited from a more homogenous framework for online platform allowing the sharing of both still and moving pictures. Indeed, while still images could be included in the modeling provision, it remains to be seen how extensively it will be enforced.

Amidst the current discussions surrounding the Digital Services Act at the European level, this France-specific framework creates yet another undertaking for online platforms to implement additional measures to support public policies. And by encouraging users to report any content involving Kidfluencers that could affect their dignity, psychological or physical integrity, the Act could generate extra-territorial consequences, forcing the platforms to deploy such reporting mechanism at a global scale.

K&L Gates IP/IT team in Paris remains available to assist you in assessing the changes triggered by this Act. Please get in touch if you would like to discuss the steps that your organization might want to consider to prepare now for this new Kidfluencer framework.

First publication: K&L Gates Fashion Law Watch

France’s top administrative court has overruled the country’s data authority regarding “cookie walls”, stating that as an agency that only offers guidelines – so-called flexible laws – the authority cannot prohibit their use.

Cookie walls prevent internet users from accessing websites unless they consent to the use of tracking cookies, which often gather data used by advertisers.

(more…)

The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’ data with ensuring safety in the workplace. The French Supervisory Authority (CNIL) has provided guidance on the methods that may be used by employers to collect and process health data from their employees (outside of medical care data) in order to detect possible symptoms related to COVID-19, as well as data relating to travel or events. In addition, more generally, the French Labor Ministry has published a “National protocol regarding the end of the lockdown for companies to ensure health and safety of the employees” (Protocol), in order to help employers manage the various tasks and issues related to the end of the lockdown and employees’ return to work. This document does not have legal force, but sets out the general recommendations and principles of prevention regarding the protection of employees’ health and safety in the context of the current health crisis.

Under the General Data Protection Regulation (GDPR) framework, the CNIL guidance available here in French) reiterates a number of core principles:

Respective Obligations to Ensure and Maintain Health and Safety in the Workplace

Obligations Incumbent On Employers

In the private sector, Articles L. 4121-1 and R. 4422-1 of the French Labor Code (FLC) provide for a safety obligation incumbent on employers, which must implement occupational risk prevention, information and training actions. The company and its legal representatives are criminally liable for the employee security obligation. Employers that fail to provide employees with safe and appropriate working conditions would face a court risk and could be held liable for not ensuring the employees’ safety and security on the workplace. Since 2015, the French Supreme Court has held that the employer’s obligation with regard to employees’ health and safety is an enhanced best efforts obligation (obligation de moyen renforcée). Therefore, the employer can avoid liability by proving that preventive measures have been implemented. French Supreme Court case law holds that the employer has complied with this legal obligation to take the necessary measures to ensure the safety and protect physical and mental health of employee when it is demonstrated that he has taken all measures to prevent, adapt and provide information on the risks, in accordance with Articles L. 4121-1 and L. 4121-2 of the FLC.

In the context of the current pandemic, the employer’s safety obligation is more topical than ever. In order to comply with this mission, employers have the right to process personal data, albeit only when strictly necessary to foster that purpose. In this respect, the CNIL encourages employers to regularly consult the information and recommendations published by the French Labor Ministry, in order to better understand their obligations in this period of health crisis.

According to the CNIL’s position, employers are entitled, in this context, to:

  • Remind their employees, when working in contact with other individuals, of their obligation to report to their employers or the competent health authorities in the event of actual or suspected contamination, for the sole purpose of enabling working conditions to be adapted in consequence;
  • Facilitate the transmission of this feedback by setting up, if necessary, dedicated and secure channels; and
  • Promote remote working methods and encourage the use of occupational medicine.

Obligations Incumbent On Employees

On the other hand, Article L.4122-1 FLC provides that each employee has a safety obligation which requires them to preserve not only their own health and safety, but also, the health and safety of other individuals with whom they may come into contact in the course of their professional activity, be it other workers or customers. However, in practice, employers might be in a delicate situation if they were to take disciplinary sanctions against these employees, and they might face labor court actions.

While French employees are usually only required to provide an illness certificate, which does not provide any specifics on the health status other than inability to work, the CNIL understands that the contagiousness of the COVID-19 pandemic mandates self-reporting be more specific to enable employers to take any measure required to ensure the safety in the workplace.

However, this reinforced duty to provide information does not extend to individuals working in isolated conditions, e.g. without contact with other individuals and/or working remotely. For such “isolated” workers, the classic rules of labor law apply and employers are not allowed to mandate such disclosure of personal data.

The Processing of COVID-19 related Personal Data by Employers

When organizing the return to work, employers are encouraged to facilitate dialogue with its employees and employee representative. Employers may require certain information, and may ask employees to inform the company’s management of, in particular, any travel to risk areas and risk factors related to their health or relatives. However, this organizational requirement must be compliant with the GDPR for the processing of employees’ personal data.

In any case, employers may only process elements related to (i) the date, (ii) the identity of the person, (iii) the contamination status reported by the employee, and (iv) the data related to the organizational measures to be put in place.

The CNIL emphasizes the particular sensitivity of health-related data, which is considered a “special category of personal data” under Article 9 GDPR, and thus requires processing under robust conditions of security and confidentiality, as well as limited access to authorized personnel. Consequently, employers wishing to take steps to ensure the health of their employees must rely on their occupational health service.
Processing operations pertaining to such special category of personal data is, by principle, prohibited under GDPR, unless they fall within one of the exceptions provided under GDPR, namely:

  1. Consent of the individuals, which is always a difficult basis when processing employees’ personal data;
  2. Necessity to carry out the obligations in the field of employment and social security and social protection law in so far as it is authorized by Union or Member State law;
  3. Necessity to protect the vital interests of individuals when physically or legally incapable of giving consent;
  4. Legitimate activities of nongovernmental organizations and other associations;
  5. Processing relating to personal data that is manifestly made public by the individuals;
  6. Necessity in the context of legal claims;
  7. Necessity in the context of substantial public interest;
  8. Necessity for the purposes of preventive or occupational medicine, for the assessment of the working capacity of employees, medical diagnosis, the provision of health or social care, or treatment or the management of health or social care systems and services;
  9. Necessity for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices; or
  10. Necessity for archiving purposes in the public interest or scientific or historical research or statistical purposes.

In the context of the pandemic, the CNIL highlights that (2) and (8) would be the only relevant bases to ensure the safety in the workplace.

In that regard, the coordination with health authorities, as potential recipients of the data, is authorized, to ensure the medical care of the exposed person. Nevertheless, the identity of the individual, effectively or presumably infected, must not, under any circumstances, be communicated to other employees.

Considering that GDPR and its French implementation only apply to automated processing (particularly computer processing) or to non-automated processing where a physical file is materialized, this means that the simple verification of temperatures prior to access to premises would not trigger application of GDPR insofar as no trace of this check is kept and if no other operation is carried out. On the other hand, any automated temperature verification, such as through use of thermal cameras, would be subject to GDPR. Given that other less intrusive methods to achieve a similar purpose exist, they may not pass muster for the data minimization tenet of GDPR.

ACTION POINTS

Based on the CNIL and French Labor Ministry guidance, the following could be considered by employers in order to effectively and efficiently organize their employees’ return to work:

  • Transparency: Employers must remain fully transparent with regard to the processing operations implemented and provide the relevant information through dedicated or amended privacy notice;
  • Temperature tests: In principle, temperature logs pertaining to personnel, visitors and customers, as well as automated temperature verification (e.g. through thermal cameras) are not authorized. Indeed, the Protocol published by the French Labor Ministry provides that systematic monitoring of employee temperatures is not recommended. However, if the employer is willing to set up temperature controls at the entrance of the company, it is necessary to (i) post an information note for the employees, and (ii) provide employees with sufficient guarantees (i.e., prior information regarding to the maximum temperature allowed in the premises and the consequences of a positive control, compliance with the GDPR, etc.). Such controls of temperatures could be implemented within the framework of a more global policy stating safety measures in order to preserve the employee’s security and safety when returning to work ;
  • Screening test: The Protocol considers that screening tests at the entrance to the company’s premises are not authorized (several groups had announced that they would provide screening tests for their employees);
  • Access: Only relevant departments within the company may access the health data collected in the context of COVID-19. Notably, for larger companies, only aggregated and deidentified data, which may not allow any identification of the individuals, can be shared more broadly within the organization;
  • Continuity plan: Any continuity plans considered by a company must include specific measures aiming at protecting the safety of employees and identify the essential activities and individuals that must be maintained in order to ensure continuity of service, with such continuity plan, or any professional travel authorization, containing only the personal data necessary to achieve this objective; and
  • Transfer: Employers may only communicate such data to qualified health authorities upon request. While no direct communication to health professionals is authorized, employers should direct their personnel to engage with these health professional directly. Similarly,

First publication: K&L Gates Hub in collaboration with Christine ArtusSarah ChihiAnne RaguClara Schmit

While privacy concerns associated to the implementation of COVID-19 contact tracing apps across the European Union exist, the French Data Protection Authority (CNIL) also released a position paper on the collection of publicly available personal data for the purpose of direct marketing on 30 April 2020 and following numerous individual complaints. Such complaints notably related to companies automating the collection of telephone and email contact information from individuals, appearing on consumer-to-consumer (C2C) websites (e.g. real estate ads) or from online directories, a practice known as “web scraping”.

(more…)