Pour lire le résumé du Rapport en français, cliquer sur le drapeau français
Law is a practical art. It is all the more effective in practice that it is ordered around some principles posed in advance, easy to understand by all and accepted by the majority. In this respect, Law constitutes an essential element of a stable "governance".
Pragmatism does not consist in piling up texts that each brings a punctual solution to a specific difficulty identified, while waiting for the appearance of a new difficulty that will give rise to a new text. If one does so, one lives then under a continuous stream of texts, often called under the sole term of "regulations", which are only of the Ex Post, which runs after the facts and the cases, which are always unexpected. On the contrary, nothing is more practical than some principles both simple and peculiar to the object, which constitute a true Ex Ante, the jurisdictions applying the principles to the cases, always diverse, always new, always happening, the courts interpreting the principles. Sometimes it is needed to change the principles or add others, but it does not happen often.
But for the moment there do not seem to be many simple and stable principles in the digital world. Rather, texts are asked to run after facts. This could be the Contribution of Compliance Law for the Internet Governance to formulate principles and draw their legal consequences, including institutional ones. This does not mean being indifferent to the facts.
To reason in principle, one must know the facts: Law can be developed only by measuring first and as simply as possible what today and now public Authorities and people face in the "digital world", the question being large because the digital world has digitized the world (chapter I). The digital world is born thanks to the principle of freedom, a principle to which there is no question of giving up. Faced with situations and behaviors that are worrying, even inadmissible, Law has for the moment only "reacted", either by specific laws, or by Competition Law which remains an Ex Post Law. Thus the only Ex Ante principle is Freedom, some people asking the end of it because humans are "sprayed", whether it takes the conventional form of freedom of speech or the new form of spraying of the person in data. This seems to be an impasse, since some people propose as the only solution to give up the Principle of Freedom to protect people. But to this renunciation, it is not necessary to be resolved. Except to enter into a great legal violence, for example breaking the power of these very large digital companies that would have to be dismantled as they have built and make live this extraordinary digital world and participate in the existence that continues of the West in the world.
The contribution of Compliance Law could allow to leave this aporia: instead of aiming at decreasing the power of the companies, it is necessary on the contrary to be based on these (chapter II). Indeed, Compliance Law consists in internalizing in crucial operators, whose list is easy to draw up, goals which are concretized thanks to their power (information, globalization, technology). These goals are set by the public Authorities. Normativity being in the goals (link between Regulatory Law and Compliance Law), the essential thing is to fix them clearly. The first is of a systemic nature, the digital world here being very similar to the banking and financial system: it is the systemic goal of trust, trust in information, trust in information transmission systems, trust in crucial operators themselves in indifference of their nationality. This systemic trust is brought by all Internet users thanks to a first pillar that must be preserved, the Principle of Freedom, and thanks to a second pillar, which must be built, the Principle of Person, that some want to misunderstand, to appropriate or destroy, not only in the digital world but in the “real” world. It is the articulation of these two Principles - Freedom and Person - that will preserve or restore the common good of trust.
In this respect, Law of the European Union has already shown that by still fragmented Compliance sectorial Laws it has gone further than the mechanical concern for the protection of a system developed in the United States (Chapter III). A mechanical Law, reduced to empty "regulations" automatically applied to a system, is a dead Law. US Compliance Law can give that impression… Through the European Banking Union and the three banking, insurance and financial European Regulators, the European Union managed, without links with a State, to express a systemic goal of general protection of people, internalized in crucial digital operators. This is why it is necessary to take American Law only as initial model; but it should not also be taken as an enemy: Europe does not have to be in defense, while the digital world lends itself so well to the Renaissance. And it is European Union Law that has set the example through the case law then the 2016 Regulation on the circulation of data and the protection of the persons "concerned" by them by internalizing in companies a concern little present in the American techniques of Compliance: the first concern of the Person (GDPR). In this, Law finds its primary object: the life of human beings. The Law of the Union already has the lineaments of this Principle Ex Ante of the Principle of Person articulating with the Principle of Liberty (whose excesses are already sanctioned Ex Post by Competition Law, but this cannot suffice ): the Ex Ante of Compliance Law aims for a double systemic prevention, the prevention of the risk of loss of confidence in the contents and the prevention of attacks on the Person which lead to a loss of confidence in the operators. These two pillars Ex Ante are still inadequately formulated in a simple and general way: it is the contribution of Compliance Law that to do it so that it applies across the entire digital world and the digitized world and the respect for freedom (which must not be lost) and respect for the person (to be won). In this, this constituent principle of the Person must stop the effectiveness of foreign mechanical rules, including in the process mechanics of compliance process.
Chapter IV sets out the elements of application constituting this contribution of Compliance Law in Internet Governance, which does not require major institutional upheavals or adoption of texts upsetting the actual legal organization in Europe of the law, process of which everyone knows the difficulty and the slowness. It is necessary to start from the goal: preservation in the digitized and digital world of the "Person", that is to say, "subjects of law", technically by the titularity of rights and obligations. To activate the Principle of Person, it is necessary to assure the effectiveness of these rights and to create new subjective rights, as historically the judge has done, and more particularly the Court of Justice of the European Union. These subjective rights, of which the "right to be forgotten" is the paragon, the right not to be insulted, persecuted, etc., have a disciplinary and structuring effect with adequate extraterritorial effects, the attachment of the "person concerned "with the Union Law to be broad (three alternative criteria).
Compliance Law is not at all the enemy of the digital enterprises: on the contrary, it increases their powers, by legitimizing their power to collect data, but by setting them guardians of these and not masters or owners of these: it is also to serve goals that exceed them that this power is designed and their obligation of immediate collaboration with the public Authorities must be increased. Indeed, their action for the protection of the social group must be dictated by the public Authority and not by their charter or various internal committees that only copy or anticipate their duty. It remains that to perform their duties, they must have adequate powers, especially on Internet users, powers that are legitimized. As such, a dismantling of "crucial operators" would also weaken the public Authorities who have already inserted public interest goals into them.
In addition, as are the managers of essential infrastructure, they become the direct debtors of these subjective rights of the people, prerogatives conferred on them directly by Law (on the model of the "right to be forgotten"), even if these operators are not in a contractual relationship with these persons. The debtor of a subjective right has an Ex Ante obligation to fulfill it. This is true for the subjective rights that Law must create, as the "right to be educated" could be, since education is now digitized, there is a right for it not to be worse (pornography, violence, protected secrets accessible to all, etc.) and that it is for the better; this is true for the classical subjective rights that the digital world has concretely erased and whose return to effectiveness must be borne by the crucial operators on which this new world is based. Thus, we must legitimize but also demand a more effective involvement of crucial operators in the effectiveness of the rights of "creators", rights which go beyond simple financial compensation. The world is not just about money, it's not its sole issue, its sole measure. For that, it is necessary to increase the Ex Ante powers of the operators, so that they execute new Ex Ante obligations with regard to the subjective rights of the creators, so that these ceases to be dispossessed, notably in the matter of counterfeiting. The persons, concrete holders of all these subjective rights, must be able to act before a Regulator or a judge to demand their effectiveness.
In doing so and for that, as is done in Financial Regulatory system, crucial operators must be recognized as "second level regulators", their legal form and their nationality not having any relevance for the granting in Europe of such qualification, their position being sufficient to justify this qualification, a public body then exercising on them a power of "supervision". At the European level, this generates in the first place a mesh of all the regulators, because the mesh is a better solution than the concentration (it is the model of the trio ESMA - EBA - EIOPA and the three organs of the Banking Union , supervision, resolution of difficulties and guarantee, which themselves are articulated with national supervisors).
The Court of Justice has stated in its case-law that it is the guardian of a "rule of law": in the absence of a European State, a distribution of subjective rights by authorities (Court of Justice, Commission, Regulators, courts) whose crucial digital operators will be the actual debtors, overseen by a network of public authorities whose central focus will be the European Commission, represented by DG Connect, would correspond to the evolution of European Law. This would not be a break but a new degree in its maturity as a sovereign zone.
This system of institutional networking is all the more appropriate that the daily implementation is based on a lightning technology controlled by the operators themselves and that it is here to supervise them, not to "regulate" a sector. Some concerned authorities have both regulatory powers, concerning sectors to be built or whose equilibrium must be maintained over time, and supervisory powers over the operators which must become transparent in this regard. In this articulation resulting from a system of Compliance, it is only a question of articulating the powers of supervision on the crucial operators.
For the inter-sectorial to work well, especially via the European networks of national regulators, while digital is not a sector and it is only a matter of supervising the crucial operators of the digital world whose activity impacts "persons who are concerned", the European Commission is most likely to constitute what would be this hub of the European intersectorial in a perspective of supervision of crucial digital regulators. Within it, DG Connect would be the best able to be this pillar of supervision of a compliance system that has internalized in the crucial operators the effectiveness function of the subjective rights of the "persons who are concerned" by the digitalization of the world, operators recognized as such as second level regulators.
Such a mechanism does not hinder innovation, on the contrary: to be supervised and directed towards certain goals that make the Freedom Principle, natural to the operator, and the Principle of Person, which may be less so, but crucial digital operators will gain ownership, and this obligation does not prevent an operator from innovating. On the contrary, Compliance Law relies on the power of crucial operators, established as guardians of liberties and people. The very strong pedagogical dimension of Compliance finds in digital and its operators a consubstantial ground.
Other crucial operators can be born in this new institutional but flexible ecosystem, not only in B to C but in B to B because the more crucial operators there are and the more the overall mechanism is solid, going beyond the immediate prospect of markets to care more about infrastructure, data retention and sharing between companies, under public supervision, can show that Compliance Law is then - by a return effect - a way to return to a Regulatory Law, able to build data infrastructures between companies in Europe, as long as they are supervised by a Supervisory Authority, which is neither a Regulatory Authority nor a Competition Authority. In this way, Compliance can compensate for the absence of an industrial Europe.