Amidst a sudden increase in paid-for posts that went viral for dubious products and services, France has taken a significant step toward the regulation of influencer communication. The Act no. 2023-451 (Influencers Act), which came into effect on 9 June 2023, aims not only to protect consumers but also to support the influencers, in order to foster the healthy growth of this ecosystem. France is now the first European Union (EU) country to implement a thorough framework regulating commercial influence.

Background information

Digital influencers have changed the way companies can promote their products and services, from beauty and fashion to technology, notably by blurring the lines between commercial advertising and genuine consumer reviews.

Between 8 to 31 January 2023, the French Ministry of the Economy conducted a public consultation on the influencer ecosystem, to evaluate of the contemplated regulation, which received an overwhelming support from the panels.

Key provisions beating on influencers

General ban on certain communications

The following communications are explicitly banned from any influencer communication:

  • Cosmetic surgery and procedures;
  • Alternative therapeutic technics;
  • Nicotine-based products;
  • Non-domestic animal trade.
  • Certain financial services, notably as they pertain to blockchain-based services (e.g. NFT); and
  • Online gambling and betting;

With regard to the latter, the communication remains possible provided that it occurs exclusively on platforms restricted to adults over the age of 18 and subject to the usual specific disclaimer pertaining to the advertising of such services.

Mandatory labeling

The Influencers Act requires influencers to label:

  • Their promoted posts with the mention “advertisement” or “commercial collaboration” in a clear, legible and identifiable manner to avoid falling under misleading commercial practices further to Art. L. 121-3 of the French Consumer Code (“FCC”).

Influencers failing to comply with this obligation face up to 300,000 euros in fines and up to two years of imprisonment (Art. 5 Influencers Act).

  • The pictures (still or moving) they post and which have been
    • edited to enlarge or refine the general appearance or modify the appearance of the model’s face to clearly include the “Retouched images” mention; or
    • generated through artificial intelligence (AI), notably generative AI (gen AI) to clearly include a “Virtual image” disclaimer

Influencers failing to comply with this obligation face up to 4,500 euros in fines and up to one year of imprisonment (Art. 5 Influencers Act).

Drop-shipping

In case of sales of goods through a third party (so-called “drop-shipping” practices), influencers will need to abide by obligations of transparency about the identity of the supplier, pursuant to Art. L. 221-5 of the FCC and will bear the liability relating to the legality and availability of the promoted products.

Content moderation and insurance

Influencers based outside of the European Economic Area or Switzerland but directing their activities to a French audience are required to appoint a legal representative in the EU, as well as to subscribe to a dedicated insurance covering the potential damage resulting from their activities.

Key provisions bearing on platforms used by influencers

Further to the entry into force of the European Regulation no. 2022/2065 on a Single Market for Digital Services (Digital Services Act or DSA) on 25 August 2023, the Influencers A amended the Act no. 2004-575 of 21 June 2004 for trust in the digital economy (Loi pour la Confiance dans l’Économie Numérique or LCEN) increasing the burden on digital platforms, notably for such platforms which allow influencers to conduct their activities.

These platform now have the obligation to promptly remove any illegal content which would be notified through the “trusted flaggers” introduced under Art. 22 DSA.

Key provisions bearing on brands

  • The Influencers Act now mandate a written contract between the influencer and the advertised brands, or their respective representatives. This contract, which must imperatively be subject to French law, must include:
  • The identity of the parties, including their domiciliation for tax purposes;
  • The detailed nature of the influence services;
  • The financial compensation or any equivalent advantage resulting from the influence services;
  • As the case may be, any provision pertaining to intellectual property.

With regard to liability on the influence services, a joint and several liability between the brand and influencer has been implemented, rendering the brand de jure liable for any damage caused to third party.

Enforcement of the Influencers Act

Just prior to the summer holidays, the French Ministry of the Economy appointed a team of 15 agents responsible for monitoring social networks and responding to complaints.

In parallel, the French Directorate General for Consumer Affairs, Competition and Fraud Prevention (“DGCCRF”) audited fifty influencers in the first quarter of 2023, resulted in 60% of the audited influencers to be found in breach of the then-current (and pre-Influencers Act) misleading commercial practice framework.

These findings led to eighteen injunctions to cease illicit practices and sixteen criminal reports. In the following context, in July, the DGCCRF published a code of conduct for influencers and content creators in July, explaining their duties and obligations in accessible language.

Whether you are a brand considering hiring the services of influencers or an influencer yourself, the K&L Gates Luxury Product & Fashion team remains at your disposal to assist you in your compliance with the new French framework.

First publication: K&L Gates Fashion Law Watch Blog in collaboration with Camille Scarparo.

August may be perceived as the month where France shuts down for the summer. Yet, just before the summer ’23 holiday, the French Data Protection Authority (“CNIL”) published several call to action for the various players of the data ecosystems in general and in artificial intelligence (AI) in particular, following its 16 May 2023 announcement of an AI action plan:

  • Opening and re-use of publicly accessible data – The CNIL published a draft guidance on the such data usage, and all stakeholders are invited to weight in until 15 October 2023 before its finalization. While non-binding, this guidance is expected to lead the way on how the EU’s Supervisory Authority will apprehend and enforce the General Data Protection Regulation (“GDPR”) when personal data is scraped from online sources and subsequently used for subsequent purposes. This notably focuses on Art. 14 GDPR and the indirect collection of personal data and specific prior information requirements. Artificial Intelligence is explicitly mentioned by the CNIL in the draft, as such data, which feeds large-language models, “undeniably contributes to the development of the digital economy and is at the core of artificial intelligence.” Stakeholders are invited to submit their observations online through the dedicated portal.
  • Artificial Intelligence Sandbox – Following in the footsteps of its connected cameras, EdTech & eHealth initiatives, the CNIL is launching an AI sandbox call for projects, where stakeholders involved in AI in connection with public services may apply to receive dedicated assistance by the regulator to co-construct AI systems complying with data protection and privacy rules.
  • Creation of databases for Artificial Intelligence uses – Open to the broadest possible array of stakeholders (including individuals), this call for contributions notably addresses the specific issue relating to the use of publicly accessible data and aims at informing the CNIL of the various positions at play and how to balance GDPR’s requirements (information, legitimate interests, exercise of rights) with data subjects’ expectations. Stakeholders are invited to submit their observations online through the dedicated form (in French – our free translation in English is available below)- no deadline for submission has been set.
(more…)

Version 2.0 dated 14 February 2023
Go to the official PDF version.

Executive Summary

The GDPR does not provide for a legal definition of the notion “transfer of personal data to a third country or to an international organisation”. Therefore, the EDPB provides these guidelines to clarify the scenarios to which it considers that the requirements of Chapter V should be applied and, to that end, it has identified three cumulative criteria to qualify a processing operation as a transfer:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

If the three criteria as identified by the EDPB are met, there is a transfer and Chapter V of the GDPR is applicable. This means that the transfer can only take place under certain conditions, such as in the context of an adequacy decision from the European Commission (Article 45) or by providing appropriate safeguards (Article 46). The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation.

Conversely, if the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. In this context, it is however important to recall that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Indeed, although a certain data transmission may not qualify as a transfer according to Chapter V, such processing can still be associated with increased risks since it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in the third country. These risks need to be considered when taking measures under, inter alia, Article 5 (“Principles relating to processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of processing”) – in order for such processing operation to be lawful under the GDPR.

These guidelines include various examples of data flows to third countries, which are also illustrated in an Annex in order to provide further practical guidance.

(more…)

In this first episode, we discuss the challenges faced by data controllers in their compliance with Article 5 GDPR following the EU Court of Justice’s Digi Case C-77/21. In particular, we focus our discussion on the purpose and data storage limitations, and how your legal team should be the 3PO protocol droid within your organization for the implementation of GDPR best practices.

May the enforcement be with you!

First publication: K&L Gates Hub with Eleonora Curreri

On 27 October 2022, the Digital Services Act (DSA) was published in the EU Official Journal as Regulation (EU) 2022/2065, with the aim to fully harmonize the rules on the safety of online services and the dissemination of illegal content online. The Digital Services Act will require online intermediaries to amend their terms of service, to better handle complaints, and to increase their transparency, especially with respect to advertising.

(more…)

GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for the regulators and the regulated. But GDPR has not led to seismic changes (the possibility of entirely new operating models, for example), but has had a major effect on the ways organizations collect and use data. This panel will discuss the last few years and look ahead to gauge what we have learned and how things will and should change.

Speakers Include:

Jacob Høedt Larsen, Head of Communications, Wired Relations

Andreea Lisievici, Head of Data Protection Compliance, Volvo Car Corporation

Claude-Etienne Armingaud, CIPP/E, Partner & Practice Group Coordinator – Technology, Sourcing and Privacy, K&L Gates

More information.

On 2 July 2018, the French Data Protection Authority (“Commission Nationale de l’Informatique et des Libertés” or “CNIL”) published its yearly thematic guidance for the priority axes of its control activities, notably further to the entry into force of the recent General Data Protection Regulation (“GDPR”).

As for the previous periods, the CNIL is expecting to launch 300 dawn-raids, either on premises or online, in order to control compliance of companies subject to French and European data protection regulations, notably on newly introduced aspects relating to the implementation of GDPR (right to portability, data protection impact assessments…).

(more…)

REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

(more…)

The French Autorité des Marchés Financiers has recently published a synthesis of the contributions it received in response to its public consultation on Initial Coin Offerings (ICOs) to obtain stakeholder views on how these new types of blockchain offerings might be regulated.

The consultation included a presentation of ICOs, a warning on the risks they present, a legal analysis of ICOs with respect to the rules overseen by the AMF and the regulatory options proposed by the AMF. Respondents were invited to give their views on all of these points.

The English version of the synthesis can be found here, the French version here and our previous coverage of the consultation can be found here.

First published on K&L Gates Fintech Law Blog.

On 26 October 2017, France’s Financial Markets Authority, the “Autorité des Marchés Financiers” (“AMF”), published a discussion paper focusing on initial coin offerings (“ICOs”) that highlights the (many) dangers that arise from these unregulated transactions and discusses the regulation options that it currently foresees.
(more…)