Nov. 1, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Due process and Personal Data Compliance Law: same rules, one Goal (CJEU, Order, October 29, 2020, Facebook Ireland Ltd v/ E.C.), Newsletter MAFR - Law, Compliance, Regulation, 1st of November 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

Read Marie-Anne Frison-Roche's interview in Actu-juridiques about this decision (in French)

 

Summary of the news: 

As part of a procedure initiated for anti-competitive behaviors, the European Commission requested information from Facebook three times between the 13th of March and the 11th of November 2019, a request reiterated in a decision in May 2020.

Facebook contests it, alleging that the requested documents contain sensitive personal information that transmission to the Commission would make accessible to too broad a number of observers, while "the documents requested under the contested decision were identified on the basis of wide-ranging search terms, (...) there is strong likelihood that many of those documents will not be necessary for the purposes of the Commission’s investigation".

The challenge therefore invokes the violation of the principles of necessity and proportionality, but also of due process, because these pieces of evidence are collected without any protection and used afterwards. Moreover, Facebook invokes what would be the violation of a right to respect for the personal data of its employees, whose emails are transferred.

The Court recalls that the judge's role here is constrained by the condition of urgency required to adopt an interim measure, which is moreover acceptable only if there is imminent and irreversible damage. It underlines that public authorities benefit from a presumption of legality when they act, and may obtain and use personal data when this is necessary to their public interest function. Many of Facebook's allegations are rejected as hypothetical.

But the Court analyzes all of the principles invoked in light of the very concrete case. Weighing the principles and rights in question, the Court finds that the European Commission did not respect the principles of necessity and proportionality concerning employees' very sensitive data, since these requests broadened the circle of information unnecessarily and disproportionately, the information being very sensitive (such as employees' health, political opinions of third parties, etc.).

It is therefore appropriate to distinguish, among the mass of required documents (for which the same guarantee must be given in a communication procedure as in an inspection procedure), those which are transferable without additional precaution and those which must be subject to an "alternative procedure" because they are very sensitive personal data.

This "alternative procedure" will take the form of an examination, by the European Commission's agents (whom we cannot a priori suspect of misusing the law), of the documents that Facebook considers very sensitive and that it will communicate on a separate electronic medium. This examination will take place in a "virtual data room" with Facebook's attorneys. In case of disagreement between Facebook and the investigators, the dispute may be resolved by the director of information, communication and media of the Directorate-General for Competition of the European Commission.

___

We can draw three lessons from this order:

  1. This decision shows that Procedural Law and Compliance Law are not opposed. Some often say that Compliance guarantees efficacy and Procedure guarantees fundamental rights, so that protecting the one must diminish the guarantee of the other. This is false. As this decision shows, through the key notion of sensitive personal data protection (the heart of Compliance Law) and the care for procedure (equivalence between communication and inspection procedures; adversarial organization of the examination of sensitive personal data), we see once again that the two branches of Law express the same care and have the same objective: protecting people.
  2. The judge is able to find an operational solution immediately: by proposing "an alternative procedure" built around the adversarial principle and reconciling the Commission's and Facebook's interests, it has shown that it can offer an alternative to the measure whose execution it suspends, a solution appropriate to the situation and one that balances the interests of both parties.
  3. The best Ex Ante is the one which anticipates the Ex Post by pre-constituting evidence. Thus the firm must be able to prove later the concern that it had for human rights, here those of employees, so as not to be exposed to sanctioning public authorities. This Ex Ante evidentiary culture is required not only of firms but also of public authorities, which also have to justify their action.

 

__________

 

 

Nov. 1, 2020

Publications

Oct. 27, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., From Competition Law to Compliance Law: example of French Competition Authority decision on central purchasing body in Mass Distribution, Newsletter MAFR - Law, Compliance, Regulation, 27th of October 2020

Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance

 

 

_____

 

Summary of the news: Through its decision of 22nd of October 2020, the Autorité de la concurrence (French Competition Authority) accepted the commitments proposed by retail sector's firms Casino, Auchan, Metro and Schiever so that their agreement by which a common body centralizes purchases from numerous retailers, allowing each to offer these products under private label, is admissible with regard to competitive requirements. 

In this particular case, the Authority had opened proceedings on its own initiative in July 2018, considering that such a purchasing center could harm competition, and immediately opened a large consultation on the terms of the contract. In October 2018, the Egalim law allowed the Authority to take interim measures to suspend such a contract, which the Authority did from September.

The firms party to the agreement committed to update their contract by limiting their power over suppliers, especially small and very small suppliers, by excluding some kinds of products entirely from the scope of the contract, especially food products, and by reducing the share of the purchased volume dedicated to transformation into private-label products.

The Autorité de la concurrence accepts these proposed commitments, congratulates itself on the protection of small suppliers achieved in this way and observes the similarity with the contract establishing a purchasing center between Carrefour and Tesco, which will be examined soon.

_____

 

We can draw three lessons from this innovative decision, which could be a model for the future:

1. The technique of Compliance Law allows the Autorité de la concurrence to find a reasonable solution for the future.

  • Indeed, rather than punishing much later with a simple fine or destroying the effective mechanism of the purchasing center, the Authority obtains contract modifications.
  • The contract is structured and the modifications obtained are also structural.
  • The commitments are an Ex Ante technique, imposed on operators for the future, in a balance between competition, operator and consumer protection, and the efficacy of coordination between powerful operators.
  • The appointment of a monitor makes it possible to build the future of the sector, thanks to the Ex Ante nature of Compliance Law.

2. The retail sector finally regulated by Compliance techniques.

  • "Distribution law" always struggles to find its place between Competition Law and Contract Law, especially because we cannot consider it a common "sector".
  • The Conseil constitutionnel (French constitutional court) refused the Authority a structural injunction power because it was contrary to business freedom, and business ethics is without any doubt not sufficient for the equilibrium of the sector.
  • Through commitments given in exchange for the halting of proceedings and relying on structuring contracts, it is through Compliance Law that a Regulation Law freed from the condition that a sector exist could live.

3. The political nature of Compliance Law in the retail sector

  • As with the digital space, which is not a sector, Compliance Law can directly impose on actors imperatives that are foreign to them.
  • In the digital space, the care for fighting hate and for protecting private life; here, the care for small and very small suppliers.

 

___________

 

See, as a counterpoint, the continuation of contentious proceedings against Sony, whose proposed commitments, made after a public consultation, were not found satisfactory.

To go further, on the question of Compliance Law indirectly permitting the rewriting by the Conseil of a structuring contract (linking a platform created by the State to centralize health data with a subsidiary of an American firm to manage them).

Oct. 15, 2020

Thesaurus : Soft Law

Full reference: Serious Fraud Office, Operational Handbook about Deferred Prosecution Agreements, October 2020

Read the Operational Handbook

Sept. 21, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Regulation, Compliance & Cinema: learning about Internet Regulation with the series "Criminals", Newsletter MAFR - Law, Compliance, Regulation, 21st of September 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news: 

Season 2 Episode 3 of the British version of the series "Criminals" features the character of Danielle. Danielle is a mother who has decided to hunt down pedophiles on social networks in order to trap them and show their acts to the world. Danielle insists on the efficiency of her action compared with the police and the justice system, which she finds unproductive. In the episode, Danielle is accused of defamation by the police. While the police officers try to explain to Danielle the importance of following a regular procedure and respecting the Rule of Law in order to prove her accusations, she makes efficiency her only principle. According to her, her methods get results (unlike those used by the police, which respect procedures) and those she accuses of being pedophiles do not deserve rights of defense.

We can learn three lessons from Danielle's story:

  1. If Compliance Law is just a process of mechanically applying rules, then the Rule of Law does not stand out against the principle of efficiency. But if Compliance Law is defined by its "monumental goals" and respect for the Rule of Law is itself established as a "monumental goal", then efficiency and the Rule of Law become compatible and congruent.
  2. The digital space must be disciplined by crucial digital firms supervised by public authorities, as in France or Germany for hate speech and disinformation.
  3. Compliance Law, and Law in general, must be pedagogical towards individuals like Danielle who do not understand why their behavior is reprehensible.

Sept. 16, 2020

Publications

Full reference: Frison-Roche, M.-A., Se tenir bien dans l'espace numérique, in Penser le droit de la pensée. Mélanges en l'honneur de Michel Vivant, Lexis Nexis and Dalloz, 2020, pp. 155-168

Read Marie-Anne Frison-Roche's article (in French)

Read the working paper, written in English, on which this article is based, enriched with additional developments, technical references and hyperlinks

 

Summary of the article: 

The digital space is one of the rare spaces not framed by a specific branch of Law, and this freedom also gives its actors the opportunity not to "behave well", that is, to express and spread broadly and immediately, through hate speech, hateful thoughts that previously remained in private or limited circles. The intimate link between Law and the legal notion of Person is broken: digital technology allows individuals or organizations to act as multiplied and anonymous characters, depersonalized digital actors whose behaviors are hurtful to others' dignity.

Against that, Compliance Law offers an appropriate solution: internalizing in crucial digital operators the mission of holding the digital space in a disciplinary and substantial way. The digital space has been structured by powerful firms able to maintain order. Because Law must not reduce the digital space to a mere neutral market of digital services, these crucial operators, such as social networks or search engines, must be forced to substantially control behaviors. This could involve an obligation for internet users to act with their faces uncovered, a "real identity" policy controlled by firms, and to respect others' rights: privacy rights, dignity, intellectual property rights. In their regulatory function, crucial digital firms must be supervised by public authorities.

Thus, Compliance Law, substantially defined, is the protector of the person as a "subject of law" in the digital space, through the respect that others must show, as this space passes from the status of a free space to that of a civilized space in which everyone is obliged to behave well.

______

 


Sept. 2, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Compliance & Regulatory Soft Law, legal Certainty and Cooperation: example of the U.S. Financial Crimes Enforcement Network new Guidelines on AML/FT, Newsletter MAFR - Law, Compliance, Regulation, 2nd of September 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

The Financial Crimes Enforcement Network (FinCEN) is a body attached to the American Treasury, in charge of fighting financial crime and especially money laundering and terrorism financing. For this, it has broad control and sanction powers.

In August 2020, FinCEN published a document entitled "Statement on Enforcement", which aimed to make its control and sanction methods explicit. It reveals what firms risk in case of an offense (from a simple warning letter to criminal prosecution, by way of financial fines) and the different criteria on which FinCEN relies to use one sanction rather than another. Among these criteria we find, for example, the nature and seriousness of the violations committed and the firm's history, but also the implementation of a compliance program and the quality and extent of cooperation with FinCEN during the investigation.

One of the objectives of publishing such an information document is to obtain the cooperation of firms by creating a relationship of trust between the regulator and the regulated firm. However, it is very difficult to ask firms to cooperate and provide information if they can fear that this same information may later be used by FinCEN as evidence against them.

Another objective is to reinforce legal certainty and transparency. However, FinCEN's declaration does not seem to bind it, because it is presented not as a charter but as a simple declaration. Indeed, the list of possible sanctions and the criteria used by FinCEN are far from exhaustive and can be completed in concreto by FinCEN without any justification.

Aug. 31, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Compliance by Design, a new weapon? Opinion of Facebook about Apple new technical dispositions on Personal Data protection, Newsletter MAFR - Law, Compliance, Regulation, 31st of August 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news:

Personal Data, being information, are Compliance Tools. They represent a precious resource for firms which must implement a vigilance plan in order to prevent corruption, money laundering or terrorism financing, for example. This is why personal data are the cornerstone of "Compliance by design" systems. However, the use of these data cannot release the firm from its simultaneous obligation to protect these same personal data, which is also a "monumental goal" of Compliance Law.

In order to be able to exploit these data for Compliance purposes while protecting them at the same time, the digital firm Apple, for example, adopted new provisions so that the exploitation of the Identifier For Advertisers (IDFA), integrated in the iPad and the iPhone and broadly used by targeted advertising firms, is conditional on the consumer's consent.

Facebook reacted to these new provisions by explaining that such measures will restrict access to data for advertisers, who will suffer as a result. Facebook suspects Apple of blocking advertisers' access in order to develop its own advertising tool. Facebook guaranteed to the advertisers who work with it that it will not take similar measures and that it will always favor consultation before decision making in order to reconcile sometimes divergent interests.

We can already make some remarks:

  • The GDPR, which requires companies to guarantee a minimal level of protection for personal data, does not apply in the United States. It is therefore possible that Apple acted out of Corporate Social Responsibility (CSR) more than out of legal obligation.
  • The mode of regulation used here is the "conversational regulation" theorized by Julia Black. Indeed, regulators let the parties involved discuss.
  • This "conversational regulation" does not seem to be very efficient in this case, and an intervention by administrative authorities or judges could be justified via Competition Law, Regulation Law or Compliance Law, knowing that Competition Law will favor the right of access to information and Regulation or Compliance Law the right to private life.

The whole paradox of Compliance Law rests on the balance between circulation of information and secrecy.

Aug. 26, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Difficulty of Compliance in Self-Regulation system: example of the Summer 2020 meetings of OPEC about the "conformity" for Oil Market Stability, Newsletter MAFR - Law, Compliance, Regulation, 26th of August 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

The world production of oil is largely coordinated by the Organization of the Petroleum Exporting Countries (OPEC) and especially by its Joint Ministerial Monitoring Committee (JMMC). On 15th of July 2020, this Committee decided to reduce the world production of oil in order to maintain a certain price stability in a context of demand restricted by the COVID-19 pandemic.

However, such stability can be maintained only if each member respects this decision and effectively reduces its production level. This meeting of 15th of July also aimed to obtain members' conformity. To obtain it, the JMMC declared that it will use "name and shame", shaming countries which do not respect the Committee's declaration and naming those which respect it. A second meeting, on 19th of August 2020, reminded non-compliant countries of their obligation and urged them to comply before the 28th of August.

We can observe two things:

  • The term used by the Committee is "conformity" and not "compliance", which implies less adherence to "monumental goals" than the mechanical respect of formal rules.
  • In a self-regulation system, where there is not supposed to be a need for "conformity", the need for it is a clue that this self-regulation is malfunctioning.

Aug. 25, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., The always in expansion "Right to be Forgotten": a legitimate Oxymore in Compliance Law built on Information. Example of Cancer Survivors Protection, Newsletter MAFR - Law, Compliance, Regulation, 25th of August 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

The "right to be forgotten" is an invention of the Court of Justice of the European Union in the Google Spain case in 2014. It implies that digital firms block access to the personal data of a person who asks for it. This "right to be forgotten", which makes it possible to impose secrecy on third parties, was largely generalized by the GDPR in 2016. This new fundamental subjective right is a very political and European right. The United States, which unlike Europe did not experience Nazism, links the "right to be forgotten" to consumer protection, a conception which notably leads the California Consumer Privacy Act, adopted in 2018, to tie this right to situations in which the data is not necessary for the firm that obtained it.

In Europe, this willingness to protect the person directly widens the scope of such a subjective right. Thus, in France and in Luxembourg, since 2020, a cancer survivor can ask that this information not be accessible among his or her health data, especially to insurance companies, which use such data in their risk calculations to set premium amounts. The Netherlands will do the same in 2021 to fight against discrimination between banks' and insurers' clients.

The "monumental goal" here is therefore not so much the protection of individual freedoms as the protection of the vulnerable person, which is, by the way, the keystone of a Compliance Law that reconciles sometimes a prohibition on circulating information (as here) and sometimes an obligation to circulate information (in other cases, where the alert must be given), depending on whether vulnerable people are protected by the one or by the other.

Dec. 12, 2019

Thesaurus : Doctrine

Full reference: Malik, A., La conformité dans les établissements financiers sous le prisme du droit pénal, thesis, Toulouse, 2019.

 

Read the thesis.

Dec. 12, 2013

Thesaurus : Doctrine

Full reference: Collard, C., and Roquilly, C., Les risques juridiques et leur cartographie : proposition de méthodologie (Legal Risks and Their Mapping: proposition of Methodology), La Revue des Sciences de Gestion, vol. 263-264, no. 5, 2013, pp. 45-55.

Sciences Po's students can read this article via Sciences Po's Drive in the folder MAFR - Regulation & Compliance

Nov. 17, 2011

Thesaurus : Doctrine

Full reference: Bon-Michel, B., La cartographie des risques : de la rationalisation du futur à l'apprentissage du risque. Cas de l'identification du risque opérationnel au sein d'un établissement de crédit (Risks Mapping: from Rationalization of the Future to Risk Learning. Case of the Identification of the Operational Risk in a Credit Establishment), Management & Avenir, vol. 48, no. 8, 2011, pp. 326-341.

Sciences Po's students can read this article in the Sciences Po Drive in the folder MAFR - Regulation & Compliance 

June 17, 2011

Publications

Full reference: FRISON-ROCHE, Marie-Anne, L’utilité du notariat face à des marchés menacés par la crise, Droit & Patrimoine, Lamy, no. 204, June 2011, pp. 38-42.

 

The "cost/benefit" technique must be applied to measure the usefulness of the notarial profession when markets are threatened by the crisis. Indeed, if there are market failures, for example through the financialization of markets, they can no longer bear risks that prove to be systemic. Yet uncertainty over property and the chain of reckless commitments constitute systemic risks. The notarial profession proves useful in that it produces authentic instruments, normative acts producing incontestability, that is, security that reduces risks on markets. In addition, through this diligence and the disciplinary organization of the profession, the notary ensures the closest match between the negotium and the instrumentum, which guarantees or restores on markets the trust that is their common good.

Access the article.

 

Read the summary of the article below.

July 8, 2000

Publications

Full reference: Frison-Roche, M.-A., La prise en charge par le droit des systèmes à risques, observations récapitulatives, in Le droit face à l’exigence contemporaine de sécurité, P.U.A., 2000, pp. 259-282.

 

Access the article.