🧮Les techniques de supervision des contenus numériques disponibles sur les plateformes (Technical risks controls on platforms and disputes arising from them), in cycle de conférences-débats "Contentieux Systémique Émergent" ("Emerging Systemic Litigation")

Third conference-debate

LES CONTROLES TECHNIQUES DES RISQUES PRESENTS SUR LES PLATEFORMES ET LES CONTENTIEUX ENGENDRES 

(TECHNICAL RISKS CONTROLS ON PLATFORMS AND DISPUTES ARISING FROM THEM)

under the scientific supervision of Marie-Anne Frison-Roche 

Monday May 27, 2024

 Paris Court of Appeal, Cassin courtroom

Presidency and moderation by 🕴️Marie-Anne Frison-Roche, Professor of Regulatory and Compliance Law, Director of the Journal of Regulation & Compliance (JoRC)

🕰️9h-9h10. 🎤Le contentieux Systémique Emergent du fait du système numériqué (Systemic Litigation Emerging from the Digital System), 🕴️Marie-Anne Frison-Roche

• In my introduction, I recalled what an Emerging Systemic Litigation is: a case (in the procedural sense of the term) in which the interests of a system and its very future are involved (banking, financial, energy, transport, digital systems, etc.).
• This case, which is systemic because a system is involved in the proceedings, may be brought before Judge specialised in issues affecting that system, including and by its very nature a Regulator in his jurisdictional formation, but also an Ordinary Judge, not because he would like to take over a subject but because the parties in dispute ask questions to him and it is part of his judicial function to have to answer the questions asked to him📎!footnote-3631.
• The result, by its very nature, is a fragmentation of litigation, a system of pulleys with stays of proceedings, and issues of coherence that need to be addressed from the outset, because it is always the same system that is present before each of these judges. Even before the ordinary judge, it is in terms of ‘interregulation’ that the case must be considered, both procedurally and substantially📎!footnote-3632.
• The Digital System is an example of this📎!footnote-3633. The digital system is considered here insofar as it presents ‘systemic risks’. These systemic risks are managed ‘on the front line’ by the operators themselves, since their management is internalised in the crucial operators who have built, structure and operate the digital space. This is the very basis of Compliance Law📎!footnote-3634.
• These interregulation issues must be integrated into the office of the judge itself📎!footnote-3635.
• Platforms thus give rise de facto and de jure to Systemic Litigations, since they generate and manage systemic risks. These risks are listed, but they are also unique in terms of the type of litigation they give rise to. Thus, by method, the more dispersed the litigation appears to be, the more this uniqueness must be highlighted by the various judges who, through their dialogue and joint work, must take action, while the parties refer to so many different judges on issues that appear different but that all come under the same logic.
• In the digital system, these include risks of disinformation, risks of aggression through speech, risks of capturing information, risks of destroying infrastructure, ‘cyber risks’ (which is a very broad term), risks of access by minors to websites that are forbidden to them (which is a very precise term), but these are always risks that infiltrate the very structure of the digital space and about which a question will be put to the courts: the result will therefore be ‘Emerging Systemic Litigation’.

🔲see the slides used to support this speech (in French)

🌐see on LinkedIn the slides used to support this speech (in French)

🕰️9h10-9h30. 🎤Les techniques de gestion du risque systémique pesant sur la cybersécurité  des plateformes (The Systemic Obligation of Security on Platforms and associated Litigation), 🕴️Michel Séjean, Professor of Law at Sorbonne Paris Nord University

• After this brief general introduction, Michel Séjean set out how the systemic obligation of cybersecurity on platforms.
• The speaker underlines the uniqueness of the seemingly scattered rules governing the digital space if they are understood through the requirement for cybersecurity, which justifies the redaction of a publisher's code devoted to this: M. Séjean & a. (ed.), Code de la cybersécurité, Dalloz, 2nd ed., 2024
• This illustrates the fact that the digital space as a whole can justify a risk-based approach📎!footnote-3636.
• The speaker emphasised the analogy often drawn between digital space and physical space, since in either case any one of us can be the object of aggression. But this analogy quickly reaches its limits.
  First and foremost, individuals have a right to security in the physical world, but in the digital world this right is subject to the firm having organised its own security. The firm can only complain of an attack, such as data theft, if it has secured the data beforehand, for which it is responsible, and for which everyone is responsible, for example through the strength of the passwords chosen.
  This singular requirement stems from the fact that an attack against an individual does not endanger or cause harm to that individual alone, but endangers and causes harm to the system as a whole: its occurrence or prospect is by nature systemic.
• If we combine this with the fact that, by their very nature, platforms, and more particularly the first 4 (the first 3 of which are American), are themselves a systemic phenomenon, for example in that they host the vast majority of the world's data, we can see that the security obligation on platforms is a ‘systemic obligation’.
• The speaker also emphasised that a situation has a systemic dimension when the vital interests of the nation are at stake. For a situation to be characterised in this way, it is not necessary for a very large number of people to be involved; it is necessary, but sufficient, for a ‘vital operator’ to be concerned. In other words, the actual or potential incident does not have to be ‘massive’ for it to have a systemic dimension.
• If we take the more specific case of platforms, two types of criteria highlight this systemic dimension: the first criterion is the importance of the data, the second criterion is the importance of the entity concerned.
  • The importance of the data varies and does not necessarily depend on the distinctions made by the law, for example between personal data and non-personal data, but often involves the sector in question (health, banking, defence, etc.), with each category and sub-category having its own specific legal regime that intersects with other legal regimes.
    The general criterion is rather that of the criticality of the data, a unifying qualification giving rise to increasingly restrictive legal regimes which consist of "warning the system" in the event of a problem, notably through the various Regulation authorities concerned in one capacity or another, for example an health autority, a banking authority, a data protection authority, etc.
  • The second criterion concerns the criticality of the entities. These are operators of vital importance, essential entities, which include very large firms in 18 sectors of the economy. The difference in criticality implies different legal regimes.
• The speaker emphasised that it is not the platform that is the focus of analysis, but that the platform is a sign of the way in which Law is developing the systemic obligation of cybersecurity, in that this systemic obligation goes beyond the French Nation, which also justifies the regulatory and supervisory agencies. More specifically, the French Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information - ANSSI), which reports to the Prime Minister, will soon be given the power to impose sanctions under the forthcoming law transposing the European directive on raising the level of cybersecurity (Network and Information Security 2 directive - NIS 2).
• But this Ex Ante preservation of the system by its own technical devices and administrative Authorities, as well as the obligations built into the entities themselves, does not prevent disputes. The speaker gave an example. A cyber attack took place in 2017 to the detriment of more than 10,000 firms, some of them of critical size. Merck Laboratories wanted to activate their insurance policy, protecting them in the event of a "computer virus". At the same time, the President of the United States referred to this cyber attack in the media, blaming it on the Russians and describing it as an act of war. However, in the insurance contract, while one clause provides cover in the event of damage caused by a computer virus, another clause excludes cover when the damage results from an act of war. The firm went to court. While the case was pending before the Supreme Court of New Jersey, a settlement was reached between the parties, so it is not known what solution the judge would have provided to such a dispute. However, the Court of Appeal had previously ruled that ambiguity is to the advantage of the person who does not draw up the contract, and that the qualification of ‘act of war’ cannot be retained since no blood was shed in this cyber attack.
• In the ‘systemic grammar’ on which such systemic litigation is built, we find the principle that the entity, in particular the platform, must respect its obligation to minimise the damage that may be done to it, in particular by drawing up a risk map, an incident response plan and a general security policy, as part of a more general documentary requirement.
• If the risk is too great, it will be shared between the firm and the State, which also plays its part in the control procedures. The aim is not to eliminate cyber risk, which is impossible, but to limit and manage it through prevention, information, detection and security.

🕰️9h30-9h50. 🎤Un cas systémique in vivo : le cas dit des sites pornographiques (An in vivo Systemic Case: the so-called case of pornographic websites),🕴️Marie-Anne Frison-Roche

• Following this overall demonstration, an in vivo Systemic Case was described step by step by Marie-Anne Frison-Roche
• Building on the previous demonstration, which showed that firms are on the front line, to illustrate how things are happening, not always so well, not always so quickly, that the notion of territory is effectively disappearing, allowing a multitude of judges, of different kinds, in different places, in different disputes between different parties, even though it is a single systemic issue that is being raised and contested, I have taken a case that has been open since 2021: the so-called case of pornographic content sites.
• The presentation is not repeated here, as more detailed information is available on the slides: 🧱consult the slides used as a basis for this intervention, reproducing step by step the letters, court rulings and legislation, with the arguments and claims of each side (in French)
• In this case, which is still ongoing and involves numerous laws, old and new, French and European, the Arcom, the judicial judge, the administrative judge, potentially the constitutional judge and the European judge, the result is that the various judges have always been able not only to answer the questions but also to listen to what the other judges had to say.
• The fact remains that 3 years on, the effectiveness of the ban on minors accessing pornography has not been achieved. The French law of 21 May 2024 visant à sécuriser et à réguler l'espace numérique (aiming at securing and regulating digital space) entrusts the Regulator with the task of achieving this. It is to be feared that this will not put an end to the litigation. Ofcom, the UK Regulator, is increasing the obligations and penalties imposed on digital operators. This may not put an end to it either.
• The dialogue between judges that can be observed in this case, where the Tribunal judiciaire de Paris (Paris First Instance Civil Court) expressly referred in its judgment of 7 July 2023 to the concept of "cause systémique" ("systemic case")📎!footnote-3637 to justify its stay of proceedings, thus turning to the Conseil d'État (French Council of State), must see its efficacy increased.
• Through this case, it is an observation and a wish that we can make in a more general way for the whole of Emerging Systemic Litigation.

🔲see the slides used to support this speech (in French)

🌐see on LinkedIn the slides used to support this speech (in French)

🕰️9h50-10h10. 🎤Les obligations systémiques des opérateurs numériques à travers le Règlement sur les Services Numériques (RSN/DSA) et le rôle des régulateurs (Systemic Obligations of Operators (DSA) and the role of Regulators), 🕴️Roch-Olivier Maistre, Chair of the Autorité de régulation de la communication audiovisuelle et numérique - Arcom (French Regulatory Authority for Audiovisual and Digital Communication)

• Roch-Olivier Maistre then drew on the previous two presentations to set out the systemic obligations incumbent on operators, in particular as they result from the Digital Services Act (DSA) and the role of the Regulator, echoing the role of the Judge.
• By way of introduction, and based on the case mentioned above, the speaker recalled that the role of the Regulator is ‘alongside’ the Judge. He does not replace the judge, whether judicial or administrative, and always acts under the latter's control.
• On this subject of the role of the Regulator, he also notes that national and European political powers (legislative and executive) oscillate between choosing the path of Regulation on the one hand and that of a more direct coercion on the other.
• He then explained Arcom's role in monitoring content published on digital platforms.
  He briefly retraces the foundations of Arcom's action in this area and how it has evolved. First, the French law of 22 December 2018 relative à la lutte contre la manipulation de l'information (on combating the manipulation of information), which imposed initial obligations on operators and in particular to collaborate with the Regulator (at the time the Conseil Supérieur de l'Audiovisuel - CSA (French Superior Audiovisual Council)), but without the latter then being endowed with sanctioning powers. Then came the law of 24 June 2020 visant à lutter contre les contenus haineux sur internet (aiming at combating hateful content on the internet) (known as the "Avia" law), which was almost entirely censured by the Conseil constitutionnel (French Constitutional Council). The French legislator then passed the law of 24 August 2021, confortant le respect des principes de la République (reinforcing respect for the principles of the Republic) and anticipating to some extent what has since become the reference text for the Regulator's action: the European Regulation of 19 October 2022 on a single market for digital services (known as the Digital Services Act - DSA), in force since August 2023 for very large platforms and February 2024 for smaller ones.
• Arcom also has specific jurisdiction over pornographic sites, to prevent minors from accessing content published on these sites. The first legal basis for this jurisdiction was the French law of 30 July 2020 visant à protéger les victimes de violences conjugales (aiming at protecting victims of domestic violence). This legal framework has recently evolved, with the law of 21 May 2024 visant à sécuriser et à réguler l'espace numérique (aiming at securing and regulating digital space) (known as the "SREN" law). This law has given rise to much debate, particularly at European level, regarding its relationship with the DSA. In application of the SREN law, Arcom has worked with the Commission nationale de l'informatique et des libertés - CNIL (French data protection authority) to draw up a reference framework, which has been notified to the European Commission.
• All these texts will not prevent litigation, firstly because they will themselves be challenged and secondly because Arcom's exercise of its powers, in particular its new direct power to block sites, will be challenged before national and European courts, both judicial and administrative, while the question of introducing technical checks on the age of Internet users has still not been resolved. The guidelines drawn up by the two French authorities propose an intermediate solution, based on the banking card used. This state of affairs clearly shows the difficulty of the subject, since these sites remain accessible.
• Arcom's second mission is also very specific, aimed at combating terrorist and child pornography content, in particular through the so-called TCO Regulation, which entrusts the Regulator with supervising the operation of the French Pharos platform, which blocks these sites. Every week, a check is made to prevent abuses in the exercise of this power.
• The speaker then focused on the DSA.
• He points out that the above-mentioned Regulation, DSA, is the first worldwide attempt by a continent to Regulate the major global digital players and to combat the excesses of content available on the major platforms.
• What is at stake here and more generally is the balance between the protection of fundamental public freedoms, in particular the freedom of communication exercised on platforms, which are indispensable in our daily lives, and the need to protect individuals and society.
• This Law was inspired by what prevails in the audiovisual field, with the exception that it is not possible to deploy the same techniques, because the audiovisual world is a finite world, which unfolds in relation to a physical situation in which all content can be reviewed to analyse it legally and, if necessary, sanction it, whereas on digital platforms hundreds of millions of items of content are broadcasted every second, on a planetary scale, which makes it impossible for the regulator to control each item of content. This is why the DSA is also based on Compliance Law, in that it requires operators themselves to combat illegal content. The European Union expresses this political will, this goal, and asks operators to fight against illegal content.
• This is reflected in a number of obligations placed on operators, namely the obligation to assess each year the systemic risks to which the platform exposes users and the obligation to combat these risks, the obligation to submit to external audits, the involvement of civil society, in particular through trusted whistleblowers whose information must be processed as a priority by the digital operator, and the obligation to collaborate with the academic world, in particular by giving researchers access to data.
• This internalisation of the rules in firms through Compliance mechanisms takes place under the control of a Regulator, but in an original governance system set up in the European Union by the DSA. The European Commission is at the heart of the system, which also relies on the Authorities of the Member States. The SREN law has entrusted this role to Arcom in France, as the authority responsible for coordination at national level.
• This original form of governance has already produced results, as the Commission has opened investigations on the basis of the DSA on very large platforms, European investigations in which Arcom is collaborating as national coordinator.
• In addition, the text provides for substantial financial penalties for operators, of up to 6% of worldwide sales.
• The speaker emphasised the practical difficulty created by the difference in timeframes between systemic Regulation, judicial timeframes, administrative and political decision-making timeframes, and the timeframes for technical controls on platforms, with regard to the risks and aims of Regulation.
• This interplay of timeframes is being put in place by the platforms themselves, in particular through the use of algorithmic tools, while the State has stepped up its efforts to combat foreign interference. The new European Regulation provides for emergency procedures. The fact remains that this first issue deserves all our attention, and that technologies are part of the solutions to ensure that the gap between these temporalities does not remain.
• On substance and for this new type of governance to being deployed, not only must the various regulations be coordinated, as is already happening, using methods that are still being invented, but a balance must also be struck between several fundamental public freedoms, as referred to in this complex and promising European Regulation, namely the balance between freedom of expression and the freedoms that citizens are calling for to be effectively protected through the control of content or even the blocking of websites. The courts are one of the key guardians of this balance.

🕰️10h10-10h30. Debate

________