April 15, 2022
Conferences
► Référence complète : Frison-Roche, M.A., La fonction sociale du Droit de la Compliance, Table-ronde "Les nouvelles formes d'un Droit embrassant son rôle de régulation", in📅Association du Master de Droit privé de Paris I (ADPG), Le rôle de régulateur social du Droit privé, Paris, 15 avril 2022.
____
📅Lire le programme général du colloque
____
► Présentation générale de la conférence : En raison de la conception générale de la journée, ancrée dans le "Droit privé", mais qui oscillait en permanence sur la définition générale de ce qu'est la "régulation sociale" et qui est constitué depuis plus de vingt ans dans une branche du Droit spécifique, le Droit de la Régulation, parce qu'on m'avait demandé de présenter La fonction sociale du Droit de la Compliance, à un public sans doute peu averti du Droit économique, j'ai procédé de la façon suivante :
Je suis partie du souci actuel accru de savoir si le Droit peut avoir une part pour contenir les forces qui régissent le monde et s'y affrontent. Je suis partie de deux cas pratiques. Le premier irait plutôt vers une réponse positive, est celui de l'adoption en cours du Digital Services Act, législation européenne de Compliance qui utilise la puissance des opérateurs numériques cruciaux qui prévenir et lutte contre la haine et la désinformation dans l'espace numérique. Le second cas pratique qui débute est la possible prise de contrôle de Twitter par Elon Musk, opérée par celui-ci au nom de la "Démocratie" et pour l'instant le peu de contrôle que le Droit en cas.
A partir de de ces deux exemples, j'ai repris la définition du Droit de la Compliance, qui n'est pas la procédure par laquelle certains opérateurs devraient montrer qu'ils respectent la totalité des règles qui leurs sont applicables mais qui est substantiellement défini par des buts monumentaux substantiellement voulus posés par le Politique qui trouvent des alliés, volontaires ou contraints, en position de le faire. Ce Droit Ex Ante porte sur le futur, est de nature systémique et utilise des moyens qui traversent toutes les branches du Droit, notamment le contrat et la responsabilité.
Le Droit de la Compliance est le prolongement du Droit de la Régulation. Il opère une régulation sociale et présente trois caractéristiques. Il est forcément mondial. Il est forcément politique. Il est forcément humain.
____
Pour aller plus loin⤵️
📝Le droit de la Régulation, 2001
📝Le Droit de la Compliance, 2016
Sept. 23, 2021
Thesaurus
► Full Reference: : Linden, A., Motivation and publicity of the decisions of the restricted committee of the French Personal Data Protection Commission (Commission nationale de l'informatique et des libertés-CNIL) in a compliance perspective, in Frison-Roche, M.-A. (dir.),Compliance Jurisdictionalisation, series "Compliance & Regulation", Journal of Regulation & Compliance (JoRC) and Bruylant, to be published.
____
► Article Summary (done by the Journal of Regulation and Compliance - JoRC): In the event of a breach of the personal data protection rules, the restricted formation of the French personal data protection Commission (CNIL) pronounces fines, injunctions of "compliance" or calls to order. It can order the publication of these measures, which can be contested before the French High Administrative supreme court (Conseil d'État).
It is essential that these decisions be justified, not only in order to respect this principle of law but also concretely to obtain the public concerned, being very heterogeneous, understand them, the educational role of the CNIL also being applicable.
The principle of publicity is handled with nuance, the data controllers often requesting a closed door and, in fact, very few public attending the hearing. The publicity of decisions is in itself a sanction. The publication may moreover not be total or may only have a time, anonymization often allowing the balance between necessary pedagogy and preservation of interests, the CNIL taking great attention to the very modalities of publication, even if it cannot control the circulation and the media use which is then made of it.
____
Sept. 2, 2021
Interviews
► Référence complète : Frison-Roche, M.-A.,La nouvelle loi de protection des données en Chine est un « anti-RGPD », entretien avec Olivia Dufour, Actu-Juridique, 2 septembre 2021.
____
Les 3 questions posées étaient :
❓ La Chine a adopté fin août une grande loi de protection des données personnelles. Celle-ci est présenté dans les médias comme un équivalent de notre RGPD. Est-ce le cas ?
La réponse est : non.
(lire la réponse développée dans l'entretien)
____
❓ S'agit-il de simples effets indésirables ou bien du but poursuivi par le Législateur ?
La réponse est : Le but du Législateur n'est pas d'armer l'individu contre le pouvoir de l'Etat, c'est au contraire d'accroître le pouvoir de l'Etat, éventuellement contre lui.
(lire la réponse développée dans l'entretien)
____
❓ Si la compliance peut servir les intérêts d'Etats non-démocratiques, c'est donc qu'elle est potentiellement dangereuse ?
La réponse est : elle n'est dangereuse que définie comme "méthode d'efficacité des règles ; il faut définir le Droit de la Compliance par son "but monumental" qui est la protection des personnes. La contradiction de la loi chinoise nouvelle apparaît alors.
(lire la réponse développée dans l'entretien)
____
Aug. 30, 2021
Compliance: at the moment
► An article from March 3, 2021, Smile for the camera: the dark side of China's emotion-recognition tech, then an article from June 16, 2021, "Every smile you fake" - an AI emotion - recognition system can assess how "happy" China's workers are in the office describes how a new technology of emotional recognition is able, through what will soon be out of fashion to call "facial recognition", to distinguish a smile that reflects a mind state of real satisfaction from a smile which does not correspond to it. This allows the employer to measure the suitability of the human being for his or her work. It is promised that it will be used in an ethical way, to improve well-being at work. But isn't it in itself that this technology is incompatible with any compensation through ethical support?
The technology developed by a Chinese technology company and acquired by other Chinese companies with many employees, allows to have information on the actual state of mind of the person through and beyond his or her facial expressions and bodily behavior.
Previously, the technology of emotional recognition had been developed to ensure security, by fighting against people with hostile plans, public authorities using it for example in the controls at airports to detect the criminal plans which some passengers could have.
It is now affirmed that it is not about fighting against some evil people ("dangerousness") to protect the group before the act is committed ("social defense”) but that it is about helping all workers.
Indeed, the use that will be made of it will be ethical, because first the people who work for these Chinese companies with global activity, like Huawaï, do it freely and have accepted the operation of these artificial intelligence tools (which is not the case with people who travel, control being then a kind of necessary evil that they do not have to accept, which is imposed on them for the protection of the group), but even and above all, the purpose is itself ethical: if it turns out that the person does not feel well at work, that they are not happy there, even before they are perhaps aware, the company can assist.
Let’s take this practical case from the perspective of Law and let’s imagine that it is contested before a judge applying the principles of Western Law.
Would this be acceptable?
No, and for three reasons.
1. An "ethical use" cannot justify an unethical process in itself
2. The first freedoms are negative
3. "Consent" should not be the only principle governing the technological and digital space
I. AN "ETHICAL USE" CAN NEVER LEGITIMATE AN UNETHICAL PROCESS IN ITSELF
These unethical processes in themselves cannot be made "acceptable" by an "ethical use" which will be made of them.
This principle was especially reminded by Sylviane Agacinski in bioethics: if one cannot dispose of another through a disposition of his or her body which makes his or her very person available (see not. Agacinski, S., ➡️📗Le tiers-corps. Réflexions sur le don d’organes, 2018).
Except to make the person reduced to the thing that his or her body is, which is not ethically admissible in itself, that is excluded, and Law is there in order to this is not possible.
This is even why the legal notion of "person", which is not a notion that goes without saying, which is a notion built by Western thought, acts as a bulwark so that human beings cannot be fully available to others, for example by placing their bodies on the market (see Frison-Roche, M.-A., ➡️📝To protect human beings, the ethical imperative of the legal notion of person, 2018). This is why, for example, as Sylviane Agacinski emphasizes, there is no ethical slavery (a slave who cannot be beaten, who must be well fed, etc.).
That the human being agrees ("and what about if it pleases me to be beaten?") does not change anything.
II. THE FIRST FREEDOM IS THE ONE TO SAY NO, FOR EXAMPLE BY REFUSING TO REVEAL YOUR EMOTIONS: FOR EXAMPLE HIDING IF YOU ARE HAPPY OR NOT TO WORK
The first freedom is not positive (being free to say Yes); it is negative (being free to say No). For example, the freedom of marriage is having the freedom not to marry before having the freedom to marry: if one does not have the freedom not to marry, then the freedom to marry loses any value. Likewise, the freedom to contract implies the freedom not to contract, etc.
Thus, freedom in the company can take the form of freedom of speech, which allows people, according to procedures established by Law, to express their emotions, for example their anger or their disapproval, through the strike.
But this freedom of speech, which is a positive freedom, has no value unless the worker has the fundamental freedom not to express his or her emotions. For example if he or she is not happy with his or her job, because he or she does not appreciate what he or she does, or he or she does not like the place where he or she works, or he or she does not like people with whom he or she works, his or her freedom of speech demands that he or she have the right not to express it.
If the employer has a tool that allows him or her to obtain information about what the worker likes and dislikes, then the employee loses this first freedom.
In the Western legal order, we must be able to consider that it is at the constitutional level that the infringement is carried out through Law of Persons (on the intimacy between the Law of Persons and the Constitutional Law, see Marais , A., ➡️📕Le Droit des personnes, 2021).
III. CONSENT SHOULD NOT BE THE ONLY PRINCIPLE GOVERNING THE TECHNOLOGICAL AND DIGITAL SPACE
We could consider that the case of the company is different from the case of the controls operated by the State for the monitoring of airports, because in the first case observed people are consenting.
"Consent" is today the central notion, often presented as the future of what everyone wants: the "regulation" of technology, especially when it takes the form of algorithms ("artificial intelligence"), especially in digital space.
"Consent" would allow "ethical use" and could establish the whole (on these issues, see Frison-Roche, M.-A., ➡️📝Having a good behavior in the digital space, 2019).
"Consent" is a notion from which Law is today moving away in Law of Persons, in particular as regards the "consent" given by adolescents on the availability of their body, but not yet on digital.
No doubt because in Contract Law, "consent" is almost synonymous with "free will", whereas they must be distinguished (see Frison-Roche, M.-A., ➡️📝Remarques sur la distinction entre la volonté et le consentement en Droit des contrats, 1995).
But we see through this case, which precisely takes place in China, that "consent" is in Law as elsewhere a sign of submission. It is only in a probative way that it can constitute proof of a free will; this proof must not turn into an irrebuttable presumption.
The Data Regulatory Authorities (for example in France the CNIL) seek to reconstitute this probative link between "consent" and "freedom to say No" so that technology does not allow by "mechanical consents", cut off from any connection with the principle of freedom which protects human beings, from dispossessing themselves (see Frison-Roche, M.-A., Yes to the principle of will, No to pure consents, 2018).
The more the notion of consent will be peripheral, the more human beings will be able to be active and protected.
________
June 18, 2021
Compliance: at the moment
► Law is slow, but firm. By its judgment of June 15, 2021, Facebook , the European Union Court of Justice widely interprets the powers of National Authorities, since they serve the people protection in the digital space (➡️📝(CJEU, June 15, 2021, Facebook).
Law is slow. The reproach is so often made. But the bottom line is that, in the noise of changing regulations, it establishes clear and firm principles, letting everyone know what to stand for. The more the world is changing, the more Law is required.
When Law degenerates into regulations, then it is up to the Judge to make Law. "Supreme Courts" appear, de jure as in the United States, de facto as in the European Union by the Court of Justice of the European Union which lays down the principles, before everyone else, as it did for the "right to be forgotten" in 2014 (➡️📝CJEU, Google Spain, May 13, 2014), and then with the impossibility of transferring data to third countries without the consent of the people concerned (➡️📝CJEU, Schrems, October 6, 2015).
Facebook litigation is kind of a novel. The company knows that it is above all to the Courts that it speaks. In Europe, it is doing it behind the walls of the Irish legal space, from which it would like to be able not to leave before better dominating the global digital space, while national regulatory authorities want to take it to protect citizens.
There is therefore a technical question of "jurisdictional competence". The texts have provided for this, but Law is clumsy because it was designed for a world still anchored in the ground: the GDPR of 2016 therefore organizes cooperation between national regulatory authorities through a "one-stop-shop", forcing the authorities to relinquish jurisdiction so that the case is only handled by the "lead" National Authority. This avoids splintering and contradiction. But before the adoption of the GDPR, the Belgian data protection regulator had opened a procedure against Facebook concerning cookies. The "one-stop-shop" mechanism, introduced in 2016, is therefore only mentioned before the Brussels Court of Appeal, which is asked to relinquish jurisdiction in favor of the Irish Regulatory Authority, since the company has in Europe its head office in this country. The Court of Appeal referred to the CJEU for a preliminary ruling.
By its judgment of June 15, 2021 (➡️📝CJUE, Facebook, June 15, 2021), it follows the conclusions of its Advocate General and maintains the jurisdiction of the Belgian National Regulator because, even after the GDPR, the case still undergoes national treatment. In this decision, the most important is its reasoning and the principle adopted. The Court notes that the "one-stop-shop" rule is not absolute and that the national regulatory authority has the power to maintain its jurisdiction, in particular if cooperation between national authorities is difficult.
Even more, will it not one day have to adjust Law more radically? We need to consider the fact that the digital space is not bound by borders and that the ambition of "cross-border cooperation" is ill-suited. It is of course on this observation of inefficiency, consubstantial with the digital space, that the European Public Prosecutor's Office (EPPO) was designed and set up, which is not a cooperation, nor a "one-stop shop", but a body of the Union, acting locally for the Union, directly linked to Compliance concerns (➡️📝Frison-Roche, M.-A. "The European Public Prosecutor's Office is a considerable contribution to Compliance Law", 2021 and ., European Public Prosecutor's Office comes on stage: the company having itself become a private prosecutor, are we going towards an alliance of all prosecutors ?, 2021).
So that's what we should be inspired by.
June 15, 2021
Thesaurus : 05. CJCE - CJUE
Full reference: CJEU, Grand chamber, Judgment Facebook Ireland e.a. v. Gegevensbeschermingsautoriteit, C-645-19, June 15, 2021
Read the abstract of the judgment done by the Court
Jan. 11, 2021
Interviews
Full reference: Frison-Roche, M.-A., "Let's Use the Power of GAFAMs in the Service of General Interest!" ("Utilisons la puissance des GAFAMs au service de l'intérêt général!"), interview done by Olivia Dufour, Actu-juridiques Lextenso, 11st of January 2021
Read the interview (in French)
Summary of the interview by Olivia Dufour:
Marie-Anne Frison-Roche, Professor of Regulation and Compliance Law, reported to the government in 2019 about Internet governance. For this expert, giving a disciplinary power to GAFAMs is the only effective solution. And the suppression of Donald Trump's account is not likely to call this analysis into question.
The three questions (translated in English here by ourselves) asked by Olivia Dufour are:
Read the answers to these three questions (in French)
To go further, especially about the logics that guide the Avia system, see:
Dec. 10, 2020
Thesaurus : 03. Conseil d'Etat
Dec. 7, 2020
Thesaurus : Doctrine
Full reference: Vergnolle, S., L'effectivité de la protection des personnes par le droit des données à caractère personnel (The effectiveness of the protection of people by personal data Law (our translation)), Passa, J. (dir.), thesis, Law, Panthéon-Assas University (Paris II), 2020, 531 p.
Read directly and only the table of contents (in French)
To go further about regulation of personal data, read:
Nov. 23, 2020
Interviews
Full reference: Frison-Roche, M.-A., Facebook: Quand le Droit de la Compliance démontre sa capacité à protéger les personnes (Facebook: When Compliance Law proves its ability to protect people), interview with Olivia Dufour, Actu-juridiques Lextenso, 23rd of November 2020
Read the interview (in French)
Read the news of the Newsletter MAFR - Law, Compliance, Regulation about this question
Nov. 1, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Due process and Personal Data Compliance Law: same rules, one Goal (CJEU, Order, October 29, 2020, Facebook Ireland Ltd v/ E.C.), Newsletter MAFR - Law, Compliance, Regulation, 1st of November 2020
Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation
Read Marie-Anne Frison-Roche's interview in Actu-juridiques about this decision (in French)
Summary of the news:
As part of a procedure initiated for anti-competitive behaviors, the European Commission has three times requested, between the 13th of March and the 11th of November 2019, from Facebook the communication of information, reitarated in a decision in May 2020.
Facebook contests it alleging that the requested documents would contain sensitive personal information that a transmission to the Commission would make accessible to a too broad number of observers, while "the documents requested under the contested decision were identified on the basis of wideranging search terms, (...) there is strong likelihood that many of those documents will not be necessary for the purposes of the Commission’s investigation".
The contestation therefore evokes the violation of the principles of necessity and proportionality but also of due process because these probatory elements are collected without any protection and used afterwards. Moreover, Facebook invokes what would be the violation of a right to the respect of personal data of its employees whose the emails are transferred.
The court reminds that the office of the judge is here constraint by the condition of emergency to adopt a temporary measure, acceptable by the way only if there is an imminent and irreversible damage. It underlines that public authorities benefit of a presumption of legality when they act and can obtain and use personal data since this is necessary to their function of public interest. Many allegations of Facebook are rejected as being hypothetical.
But the Court analyzes the integrality of the evoked principles with regards with the very concrete case. But, crossing these principles and rights in question, the Court estimates that the European Commission did not respect the principle of necessity and proportionality concerning employees' very sensitive data, these demands broadening the circle of information without necessity and in a disproportionate way, since the information is very sensitive (like employees' health, political opinions of third parties, etc.).
It is therefore appropriate to distinguish among the mass of required documents, for which the same guarantee must be given in a technique of communication than in a technic of inspection, those which are transferable without additional precaution and those which must be subject to an "alternative procedure" because of their nature of very sensitive personal data.
This "alternative procedure" will take the shape of an examination of documents considered by Facebook as very sensitive and that it will communicate on a separate electronic support, by European Commission's agents, that we cannot a priori suspect to hijack law. This examination will take place in a "virtual data room" with Facebook's attorneys. In case of disagreement between Facebook and the investigators, the dispute could be solved by the director of information, communication and medias of the Directorate-General for Competition of the European Commission.
___
We can draw three lessons from this ordinance:
__________
Nov. 1, 2020
Publications
This working paper served as a basis for an interview organized by Olivia Dufour in French in Actu-juridiques-Lextenso on 11st of January 2021.
Oct. 22, 2020
Interviews
Full reference: Frison-Roche, M.-A., "Health Data Hub est un coup de maître du Conseil d'Etat", interview realized by Olivia Dufour for Actu-juridiques, Lextenso, 22nd of October 2020
Read the news of 19th of October 2020 of the Newsletter MAFR - Law, Compliance, Regulation on which relies this interview: Conditions for the legality of a platform managed by an American company hosting European health data: French Conseil d'Etat decision
To go further, on the question of Compliance Law concerning Health Data Protection, read the news of 25th of August 2020: The always in expansion "Right to be Forgotten": a legitimate Oxymore in Compliance Law built on Information. Example of Cancer Survivors Protection
Oct. 19, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Conditions for the legality of a platform managed by an American company hosting European health data: French Conseil d'Etat decision, Newsletter MAFR - Law, Compliance, Regulation, 19th of October 2020
Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance, Regulation
___
News Summary: In its ordinance of 13th of October 2020, Conseil national du logiciel libre (called Health Data Hub), the Conseil d'Etat (French Administrative Supreme Court) has determined the legal rules governing the possibility to give the management of sensitive data on a platform to a non-europeans firm, through the specific case of the decree and of the contract by which the management of the platform centralizing health data to fight against Covid-19 has been given to the Irish subsidiary of an American firm, Microsoft.
The Conseil d'Etat used firstly CJEU case law, especially the decision of 16th of July 2020, called Schrems 2, in the light of which it was interpreted and French Law and the contract linking GIP and
The Conseil d'Etat concluded that it was not possible to transfer this data to United-Sates, that the contract could be only interpreted like this and that decree and contract's modifications secured this. But it observed that the risk of obtention by American public authorities was remaining.
Because public order requires the maintenance of this platform and that it does not exist for the moment other technical solution, the Conseil d'Etat maintained the principle of its management by Microsoft, until a European operator is found. During this, the control by the CNIL (French Data Regulator), whose the observations has been taken into consideration, will be operated.
We can retain three lessons from this great decision:
___________
Read the interview given on this Ordinance Health Data Hub
To go further about the question of Compliance Law concerning health data protection, read the news of 25th of August 2020: The always in expansion "Right to be Forgotten": a legitimate Oxymore in Compliance Law built on Information. Example of Cancer Survivors Protection
Oct. 6, 2020
Thesaurus : 05. CJCE - CJUE
Full reference: CJEU, Grand Chamber, 6th of October 2020, Privacy International c/ Secretary of State for Foreign and Commonwealth Affairs, C-623/17.
Read the summary of the judgment (in French)
Oct. 1, 2020
Thesaurus : Soft Law
Full reference of the guidelines: Commission Nationale de l'Informatique et des Libertés (CNIL), Délibération n°2020-091 du 17 septembre 2020 portant adoption de lignes directrices relatives à l'application de l'article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d'un utilisateur (notamment aux "cookies et autres traceurs") et abrogeant la délibération n°2019-093 du 4 juillet 2019
Full reference of the recommendation: Commission Nationale de l'Informatique et des Libertés (CNIL), Délibération n°2020-092 du 17 septembre 2020 portant adoption d'une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux "cookies et autres traceurs".
Read the guidelines (in French)
Read the recommendation (in French)
Read the presentation of these guilines and of this recommendation by the CNIL (in French)
Read Marie-Anne Frison-Roche's comment about this in the Newsletter MAFR - Law, Regulation & Compliance of 1st of October 2020
Sept. 10, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Responding to an email with "serious anomalies",transferring personal data, blocks reimbursement by the bank: French Cour de cassation, July 1st 2020, Newsletter MAFR - Law, Compliance, Regulation, 10th of September 2020
Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation
Summary of the news
"Phishing" is a kind of cyber criminality aiming to obtain, by sending fraudulent emails which look like to those sent by legitimate organisms, recipient's personal information in order to impersonate or steal him or her. As it is difficult to find the authors of "phishing" and to prove their intentionality in order to punish them directly, on mean to fight against "phishing" could be to entitle banks to secure their information network and, to accompany this obligation with a strong incentive, to convict them to reimburse the victims in case of robbery of their personal data.
In 2015, a client victime of this kind of fraud asked to his bank, the Crédit Mutuel, to reimburse him the amount stole, what the bank refused to do on the grounds that the client committed a fault, transferring its confidential information without checking the email, however grossly counterfeit. The Court of first instance gave reason to the client because although he committed this fault, he was in good faith. This judgment was broken by the Chambre commerciale de la Cour de cassation (French Judicial Supreme Court) by a decision of 1st of July 2020 which states that this serious negligence, exclusive of any consideration of good faith, justifies the absence of reimbursement by the bank.
___
From this particular case, we can draw three lessons:
______
Sept. 2, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., For regulating or supervising, technical competence is required: example of the French creation of the "Pôle d'expertise de la régulation numérique", Newsletter MAFR - Law, Regulation, Compliance, 2nd of September 2020
Lire par abonnement gratuit d'autres news de la Newsletter MAFR - Law, Regulation, Compliance
Summary of the news
Through a decree of 31st of August 2020, the government created a national service, the "Pôle d'expertise de la régulation numérique" (digital regulation expertise pole). It has to furnish to State services a technical expertise in computer science, data science and algorithm processes in order to assist them in their role of control, investigation and study. The aim is to favor information sharing between researchers and State services in charge of regulating digital space.
As its acronym indicates, this pole of expertise aims to represents constance in a changing world. Moreover, more than being a national service, this organism must adopt a transversal dimension, its creation decree being signed by the Prime Minister, Minister of Economy, Minister of Culture and Minister of Digital Transition. The creation of such a pole shows the awareness of the government of the importance of technical competency in the regulation of digital space and of the necessity to centralize these expertises in one organ.
However, as the decree indicates, this pole of expertise could be consulted only by "State services", that excludes regulators which are independent from the State and which could put the pole in conflict of interest, and courts even if they are supposed to play a central role in the regulation of digital space and even if they are allowed to ask the advice of the regulator about some cases. But if regulators cannot size the pole, to whom does it benefit except the legislator and a few officials?
It would therefore have been better for this pole of expertise to be placed under the direction of regulatory and supervisory bodies, which would have enabled it to be able to be consulted both by regulators and by judges, both of whom are key players in digital regulation.
Aug. 31, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Compliance by Design, a new weapon? Opinion of Facebook about Apple new technical dispositions on Personal Data protection, Newsletter MAFR - Law, Compliance, Regulation, 31st of August 2020
Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation
Summary of the news:
Personal Data, as they are information, are Compliance Tools. They represent a precious resource for firms which must implement a vigilance plan in order to prevent corruption, money laundering or terrorism financing, for examples. It is the reason why personal data are the angular stone of "Compliance by design" systems. However, the use of these data cannot clear the firm of its simultaneous obligation to protect these same personal data, that is also a "monumental goal" of Compliance Law.
In order to be able to exploit these data in an objective of Compliance and protecting them in the same time, the digital firm Apple adopted for example new dispositions in order to the exploitation of the Identifier For Advertisers (IDFA) integrated in the iPad and in the iPhone and broadly used by targeted advertising firms, is conditioned to the consumer's consent.
Facebook reacted to this new disposition explaining that such measures will restrict the access to data for advertisers who will suffer from that. Facebook suspects Apple to block the access to advertisers in order to develop its own advertising tool. Facebook guaranteed to advertisers who work with it that it will not take similar measures and that it will always favor consultation before decision making in order to concile sometimes divergent interests.
We can sleep and already make some remarks:
The whole paradox of Compliance Law rests in the equilibrium between circulation of information and secret.
Aug. 27, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., "Interregulation" between Payments System and Personal Data Protection: how to organize this "interplay"?, Newsletter MAFR - Law, Compliance, Regulation, 27th of August 2020
Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance, Regulation
Summary of the news
Regulation Law, in order to recognize and draw the consequences from the specificities of some objects, has been build, at the start, around the notion of "technical sector" although their delimitation is partially related to a political choice. But, in facts, there are multiple points of contacts between sectors, actors moving from one to another as objects. The regulatory solution is so to climb over some technical borders through the methodology of interregulation which is by the way the only one to enable the regulation of some phenomena going beyond the notion of sector and related to Compliance Law.
This news takes the exemple of companies furnishing new payment services. In order to they can provide these services, these firms needs to access to banking accounts of concerned people and so to very sensitive personal data. Regulation of such a configuration needs a cooperation between the banking regulator and the personal data regulator. Legislation being not sufficient to organize in Ex Ante this interregulation, the European Data Protection Board has published some guidelines on 17th of July 2020 about the way it conceives the articulation between the PSD2 (European directive about payment services) and GDPR and has announced that it intended to expand the circle of its interlocutors to do this interregulation. Such an initiative from EDPB can be justified by the uncertainty about how interpreting both texts and articulating them.
Aug. 21, 2020
Newsletter MAFR - Law, Compliance, Regulation
Full reference: Frison-Roche, M.-A., Being obliged by Law to unlock telephone is not equivalent to self-incrimination: Cour de cassation, Criminal Chamber, Dec. 19, 2019, Newsletter MAFR - Law, Compliance, Regulation, 21st of August 2020
Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance, Regulation
Summary of the news
The Cour de Cassation (French Supreme Judicial Court) made a decision on 19th of December 2019 about a case concerning a refusal to communicate his mobile phone's unlock code to the police while the police found him with a significant quantity of narcotic and a lot of cash and that there was a certain probability that this mobile phone get proofs of culpability of its owner. The individual was indicted not for narcotic trafficking but for not having communicate its unlock code which constitute an offense to article 434-15-2 of code pénal, from the loi du 3 juin 2018 renforçant la lutte contre la criminalité organisée, et le terrorisme et leur financement (law reinforcing organized crime, terrorisme and their financing).
The accused invokes before the court its right to not incriminate oneself. Indeed, the configuration face to policemen was such that if he refused to communicate its unlock code, he will be punished because of this obligation to communicate his code and that if he accepted, he will also be sanctioned because of the proofs contained into the mobile phone. Such a configuration therefore offered him no alternative to confessing, which is contrary to the European Convention on Human Rights and to European and national jurisprudence.
Face to such a case, the Cour de Cassation chose to segment the information and proposed the following solution: if the researched information cannot be obtained regardless of the suspect willingness, it is not possible to constraint this person to communicate this information without violating its procedural rights, but if the information can be obtained regardless of the suspect willingness then the individual is obliged to communicate his code. In the current case, as it was possible for policemen to obtain information contained in the phone by technical means, longer but existent, then the refuse of communication of the unlock code by the suspect constitute an obstruction that should be sanctioned.
Such a decision is an exemple of the conciliation by the judge of two fundamental but contradictory "monumental goals" of Compliance Law: transparency of information towards public authorities and very sensible personal data protection.
To go further, read Marie-Anne Frison-Roche's working paper: Rethinking the world from the notion of data
Jan. 16, 2020
Thesaurus : Doctrine
Full reference: Féral-Schuhl, C., Cyberdroit. Le Droit à l'épreuve de l'internet, Collection Praxis Dalloz, Dalloz, 8th edition, 2020, 1731p.
Read the forth of cover (in French)
Read the table of contents (in French)
Nov. 16, 2019
Publications
The Finance Bill has proposed to the Parliament to vote an article 57 whose title is: Possibilité pour les administrations fiscales et douanières de collecter et exploiter les données rendues publiques sur les sites internet des réseaux sociaux et des opérateurs de plateformes (translation: Possibility for the tax and customs administrations to collect and exploit the data made public on the websites of social networks and platform operators).
Its content is as is in the text voted on in the National Assembly as follows:
"(1) I. - On an experimental basis and for a period of three years, for the purposes of investigating the offenses mentioned in b and c of 1 of article 1728, in articles 1729, 1791, 1791 ter, in 3 °, 8 ° and 10 ° of article 1810 of the general tax code, as well as articles 411, 412, 414, 414-2 and 415 of the customs code, the tax administration and the customs administration and indirect rights may, each as far as it is concerned, collect and exploit by means of computerized and automated processing using no facial recognition system, freely accessible content published on the internet by the users of the online platform operators mentioned in 2 ° of I of article L. 111-7 of the consumer code.
(2) The processing operations mentioned in the first paragraph are carried out by agents specially authorized for this purpose by the tax and customs authorities.
(3) When they are likely to contribute to the detection of the offenses mentioned in the first paragraph, the data collected are kept for a maximum period of one year from their collection and are destroyed at the end of this period. However, when used within the framework of criminal, tax or customs proceedings, this data may be kept until the end of the proceedings.
(4) The other data are destroyed within a maximum period of thirty days from their collection.
(5) The right of access to the information collected is exercised with the assignment service of the agents authorized to carry out the processing mentioned in the second paragraph under the conditions provided for by article 42 of law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms.
(6) The right to object, provided for in article 38 of the same law, does not apply to the processing operations mentioned in the second paragraph.
(7) The terms of application of this I are set by decree of the Council of State.
(8) II. - The experiment provided for in I is the subject of an evaluation, the results of which are forwarded to Parliament as well as to the National Commission for Data Protection at the latest six months before its end. "
This initiative provoked many comments, rather reserved, even after the explanations given by the Minister of Budget to the National Assembly.
What to think of it legally?
Because the situation is quite simple, that is why it is difficult: on the one hand, the State will collect personal information without the authorization of the persons concerned, which is contrary to the very object of the law of 1978 , which results in full disapproval; on the other hand, the administration obtains the information to prosecute tax and customs offenses, which materializes the general interest itself.
So what about it?
Read below.
Updated: July 4, 2019 (Initial publication: April 30, 2019)
Publications
► Complete reference : Frison-Roche, M.-A., Having a good behavior in the digital space, working paper, April 2019.
____
Summary: The jurist sees the world through the way he learns to speak
The Law of the Environment has already come to blur this distinction, so finally so strange because this classical conception refers to a person taken firstly in his immobility (Law of individuals), and then in his only actions (Contrats and Tort Law, Property Law). Indeed, the very notion of "environment" implies that the person is not isolated, that he/she is "surrounded", that he/she is what he/she is and will become because of what surrounds him/her ; in return the world is permanently affected by his/her personal action. On second thought, when once "Law of Individuals" was not distinguished from Family Law, the human being was more fully restored by this division in the legal system that not only followed him/her from birth to death but also in him/her most valuable interactions: parents, siblings, couples, children. Thus Family Law was finer and more faithful to what is the life of a human being.
To have instituted Law of Individuals, it is thus to have promoted of the human being a vision certainly more concrete, because it is above all of their identity and their body about what Law speaks, astonishing that we have not noticed before that women are not men like the others. To have instituted the Law of the people, it is thus to have promoted of the human being a vision certainly more concrete, because it is above all of his identity and his body that one speaks to us, astonishing that the we have not noticed before that women are not men like the others
From this concrete vision, we have all the benefits but Law, much more than in the eighteenth century, perceives the human being as an isolated subject, whose corporeality ceases to be veiled by Law
This freedom will come into conflict with the need for order, expressed by society, social contract, state, law, which imposes limits on freedom of one to preserve freedom of the other, as recalled by the French Déclaration des Droits de l'Homme of 1789. Thus, it is not possible de jure to transform every desire in action,, even though the means would be within reach of the person in question, because certain behaviors are prohibited in that they would cause too much disorder and if they are nevertheless committed, they are punished for order to return. Thus, what could be called "law of behavior", obligations to do and not to be put in criminal, civil and administrative Law, national and international Law, substantial Law and procedural Law :they will protect the human being in movment pushed by the principle of freedom forward others and thing, movement inherent in their status as a Person.
The human being is therefore limited in what they want to do. In the first place by the fact: their exhausting forces, their death that will come, the time counted, the money that is lacking, the knowledge that they does not even know not holding, all that is to say by their very humanity; Secondly, by the Law which forbids so many actions ...: not to kill, not to steal, not to take the spouse of others, not to pass as true what is false, etc. For the human being on the move, full of life and projects, Law has always had a "rabat-joy" side. It is for that reason often ridiculous and criticized because of all its restraining regulations, even hated or feared in that it would prevent to live according to our desire, which is always my "good pleasure", good since it is mine. Isolated and all-powerful, the human being alone not wanting to consider other than its desire alone.
Psychoanalysis, however, has shown that Law, in that it sets limits, assigns to the human being a place and a way of being held with respect to things and other persons. If one no longer stands themselves by the prohibition of the satisfaction of all desire (the first of which is the death of the other), social life is no longer possible
But this presentation aims to make it possible to admit that the criterion of Law would be in the effectiveness of a sanction by the public power: the fine, the prison, the confiscation of a good, which the rudeness does not trigger whereas Law would imply it: by this way we are thus persuaded of the intimacy between the public power (the State) and Law... But later, after this first lesson learned, the doubt comes from the consubstansuality between Law and State. Is it not rather appropriate to consider that Law is what must lead everyone to "behave well" with regard to things and people around them? The question of punishment is important, but it is second, it is not the very definition of Law. The French author Carbonnier pointed out that the gendarme's "kepi" is the "Law sign", that is to say what it is recognized without hesitation, but it is not its definition.
The first issue dealt with by Law is then not so much the freedom of the person as the presence of others. How to use one's freedom and the associated deployment of forces in the presence of others? How could I not using it when I would like to harm them, or if the nuisance created for them by the use of my free strength is indifferent to me
We do not use our force against others because we have interest or desire, we do not give him the support of our strength while he indifferent us, because Law holds us. If the superego was not enough. If Law and the "parental function of the States" did not make alliance. We do it because we hold ourselves
Or rather we were holding ourselves.
Because today a new world has appeared: the digital world that allows everyone not to "hold" himself, that is to say to constantly abuse others, never to take them into consideration, to attack massively. It's a new experience. It is not a pathological phenomenon, as is delinquency (which simply leads to punishment), nor a structural failure in a principle otherwise admitted (which leads to regulatory remedies) but rather a new use, which would be a new rule: in the digital space, one can do anything to everyone, one is not held by anything or anyone, one can "let go" (I). This lack of "good behavior" is incompatible with the idea of Law, in that Law is made for human beings and protect those who can not afford to protect themselves; that is why this general situation must be remedied (II).
Cornu, G., Linguistique juridique, 2005.
Frison-Roche, M.-A. & Sève, R., Le Droit au féminin (ed.), 2003.
Under this "mask" of the "subject of Law", we are all equal. S. Archives de Philosophie du Droit, Le sujet de droit, 1989.
Baud, J.P., L'affaire de la main volée. Histoire juridique du corps humain, 1993.
On neurosis as a constitutive mode of child sociability, s. Lebovici, S., "C'est pas juste", in La justice. L'obligation impossible, 1994.
Read the article of Alain Supiot about the idée of Rule common of all, under the discussion between all, presented by this author through the artwork of Kafka : "Kafka, artiste de la loi", 2019; Kafka is very present in the work of Alain Supiot, for example in his First Lesson in the Collège de France, 2012, or in an Introduction of La Gouvernance par les nombres ; This latter book is now available in English : Governance by numbers. The making a legal model of allegiance, 2017 (translated by S. Brown).
That's why splitting Persons Law and Family Law masks another reality: the family is not made up of third parties. The links are there. They pre-exist. Starting from the only Persons Law pushes to think one can "build" his/her family by links drawn on white paper: the contracting of the families made up of individuals becomes thinkable, even natural.