♾️ suivre Marie-Anne Frison-Roche sur LinkedIn

♾️ s'abonner à la Newsletter MAFR Regulation, Compliance, Law 

____

► Référence complète : M.-A. Frison-Roche, "Si l'algorithme engendre un risque systémique de fraude, l'entreprise doit trouver le moyen de prévenir et détecter celle-ci : cas d'école", Newsletter MAFR Law, Compliance, Regulation, 15 janvier 2023.

____

Le cas agite et inquiète à juste titre. Il est notamment relayé dans Le Parisien et dans Libération.

Il apparait qu'un professeur de master découvre que la moitié de la promotion de ses étudiants avait fait écrire sa copie par un algorithme (ChatGPT), dont on dit que les productions mécaniques se rapprochent, à s'y méprendre, du "langage naturel", c'est-à-dire manié par les êtres humains. Il en a résulté des copies correctes, mais si identiques que l'usage de l'outil par les étudiants avait été ainsi détecté.

La dimension systémique du phénomène mérite qu'on y réfléchisse car il s'agit non seulement de détecter mais encore de prévenir le recours à cet outil, si l'on veut que les travaux rendus par les étudiants permettent d'évaluer leurs niveaux.

L'on peut certes rechercher des solutions très radicales, comme obliger les étudiants à écrire à la main dans des contrôles faits sur table et surveillés..., ou interdire le recours aux algorithmes, interdiction dont l'effectivité va être difficile ; ou rêver d'une Université où l'on leur donnerait des sujets de réflexion à traiter chacun d'une façon originale, ce qui suppose sans doute un nombre d'étudiants moins élevés (d'ailleurs, les lycées et collègues sont aussi concernés).

Mais si l'on regarde le "but" : il s'agit bien de prévenir et détecter un comportement systémiquement dommageable, pour l'Université et pour les étudiants eux-mêmes (qui n'auront rien appris ; ce sont les premières victimes).

Or, la prévention et détection des comportements systémiquement dommageables non pas tant pour les sanctionner mais pour qu'ils ne prospèrent pas à l'avenir, ici garder les avantages des algorithmes comme outils et prévenir leur usage dolosif, c'est la définition du Droit de la Compliance comme mode de prévention et de détection des maux systémique. Cela constitue un "but monumental".

🔴 M.-A. Frison-Roche, 📕Les buts monumentaux de la Compliance, 2022

Pour concrétiser une telle ambition, notamment face à la puissance de ces outils neutres que sont les algorithmes, qui permettent d'ailleurs à des professeurs de rédiger sans difficulté des cours sur l'originalité desquels on ne leur demande pas de compte, le Droit de la Compliance présente un atout majeur : il repose sur les entreprises elles-mêmes, notamment celles par lesquelles le risque est né.

Historiquement, le Droit de la Compliance est né aux Etats-Unis, en imposant aux entreprises ayant contribué par leur comportement interne à la crise de 1929 une série d'obligations de prudence, de gestion des conflits d'intérêts, d'information et de soumission à un superviseur.

🔴 M.-A. Frison-Roche, 📝Compliance : avant, maintenant, après, 2018

C'est en effet aux entreprises de trouver les solutions pour détecter et prévenir les comportements systémiques dommageables.

L'article publié dans Libération fait état des travaux menés par les entreprises fabriquant les algorithmes pour que soient insérés dans les textes des signaux, indétectables par l'usager (par exemple l'algorithme achevant une phrase sur dix par un mot finissant par la même lettre, ou une phrase sur vingt par un mot commençant par la même lettre), mais qu'un autre algorithme pourrait "détecter" pour que le travail produit soit analysé par le professeur (comme on le fait déjà en matière de plagiat).

Il s'agit ici d'une "compliance consentie, choisie par l'entreprise elle-même ; cela pourrait être leur être également imposé.

🔴 L. Benzoni et B. Deffains, 📝Approche économique des outils de la Compliance: finalité, effectivité et mesure de la Compliance subie et choisie, in M.-A. Frison-Roche (dir.), 📕Les outils de la Compliance, 2021

Apparaît ainsi le juste et efficace rapport entre le Droit de la Compliance et ce que l'on appelle "l'intelligence artificielle", dès l'instant que l'on n'a précisément pas une vision mécanique du Droit de la Compliance, ce qui permet de laisser les algorithmes à leur place : des "outils".

🔴 M.-A. Frison-Roche, 🎥Compliance, Intelligence artificielle et gestion des entreprises : la juste mesure, 2022

________

The Finance Bill has proposed to the Parliament to vote an article 57 whose title is: Possibilité pour les administrations fiscales et douanières de collecter et exploiter les données rendues publiques sur les sites internet des réseaux sociaux et des opérateurs de plateformes (translation: Possibility for the tax and customs administrations to collect and exploit the data made public on the websites of social networks and platform operators).

Its content is as is in the text voted on in the National Assembly as follows:

"(1) I. - On an experimental basis and for a period of three years, for the purposes of investigating the offenses mentioned in b and c of 1 of article 1728, in articles 1729, 1791, 1791 ter, in 3 °, 8 ° and 10 ° of article 1810 of the general tax code, as well as articles 411, 412, 414, 414-2 and 415 of the customs code, the tax administration and the customs administration and indirect rights may, each as far as it is concerned, collect and exploit by means of computerized and automated processing using no facial recognition system, freely accessible content published on the internet by the users of the online platform operators mentioned in 2 ° of I of article L. 111-7 of the consumer code.

(2) The processing operations mentioned in the first paragraph are carried out by agents specially authorized for this purpose by the tax and customs authorities.

(3) When they are likely to contribute to the detection of the offenses mentioned in the first paragraph, the data collected are kept for a maximum period of one year from their collection and are destroyed at the end of this period. However, when used within the framework of criminal, tax or customs proceedings, this data may be kept until the end of the proceedings.

(4) The other data are destroyed within a maximum period of thirty days from their collection.

(5) The right of access to the information collected is exercised with the assignment service of the agents authorized to carry out the processing mentioned in the second paragraph under the conditions provided for by article 42 of law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms.

(6) The right to object, provided for in article 38 of the same law, does not apply to the processing operations mentioned in the second paragraph.

(7) The terms of application of this I are set by decree of the Council of State.

(8) II. - The experiment provided for in I is the subject of an evaluation, the results of which are forwarded to Parliament as well as to the National Commission for Data Protection at the latest six months before its end. "

This initiative provoked many comments, rather reserved, even after the explanations given by the Minister of Budget to the National Assembly.

What to think of it legally?

Because the situation is quite simple, that is why it is difficult: on the one hand, the State will collect personal information without the authorization of the persons concerned, which is contrary to the very object of the law of 1978 , which results in full disapproval; on the other hand, the administration obtains the information to prosecute tax and customs offenses, which materializes the general interest itself.

So what about it?

Read below.

 It is often observed, even theorized, even advised and touted, that Compliance is a mechanism by which public authorities internalize political (eg environmental) concerns in big companies, which accept them, in Ex Ante, because they are rather in agreement with these "monumental goals" (eg saving the planet) and that this shared virtue is beneficial to their reputation. It is observed that this could be the most successful way in new configurations, such as digital.

But, and the Compliance Mechanism has often been brought closer to the contractual mechanism, this is only relevant if both parties are willing to do so. This is technically true, for example for the Deferred Prosecution, which requires explicit consent. This is true in a more general sense that the company wants to choose itself how to structure its organization to achieve the goals politically pursued by the State. Conversely, the compliance mechanisms work if the State is willing to admit the economic logic of the global private players and / or, if there are possible breaches, not to pursue its investigations and close the file it has opened, at a price more or less high.

But just say No.

As in contractual matters, the first freedom is negative and depends on the ability to say No.

The State can do it. But the company can do it too.

And Daimler just said No.

___

Publicly, including through an article in the Wall Street Journal of June 28, 2019.

The company sets out in a warning to the market that it is the object of a requirement on the part of the German Motor Authority (Kraftfahrt-Bundesamt)  of an allegation of fraud, by the installation of a software, aimed at misleading instruments for measuring emissions of greenhouse gases on cars using diesel.

It is therefore an environmental compliance mechanism that would have been intentionally countered.

On this allegation, the Regulator both warns the company of what it considers to be a fact, ie compliance fraud, and attaches it to an immediate measure, namely the removal of the circulation of 42,000 vehicles sold or proposed by Daimler with such a device.

And the firm answers : "No".

_____

Which is probably only beginning, since a No ends the dialogue of Ex Ante to project in the Ex Post sanction procedures, calls 6 observations:

• 1. No doubt Daimler, a German car manufacturing company, has it in mind in this allegation of fraud calculating pollution of its diesel cars what happened to his competitor Volkswagen: namely a multi-billion dollar fine, for lack of compliance in a similar hypothesis (so-called dieselgate). The strategic choice that is then made depends on education through the experience of the company, which benefits as such from a previous case that has had a very significant cost. Thus educated, the question is to measure the risk taken to refuse any cooperation, when the company can anticipate that it will still result in such an amount ....

• 2. In addition, we find the difficulty of the distinction of Ex Ante and Ex Post. Indeed, saying No will involve for the company a cost of confrontation with the Regulator, then the peripheral jurisdictions or review courts. But in Germany, the Government itself, concerning a bank threatened with compliance proceedings and almost summoned by the US regulator to pay "of its own free will" a transactional fine, felt that this was not normal, because it must be the judges who punish, after a contradictory procedure with due process and after established facts. 

• 3.  However, this is only an allegation, of probable assertions, of what legally allows to continue, but which does not allow to condemn. The confusion between the burden of proof, which presupposes the obligation to prove the facts before being able to sanction, and the burden of the allegation, which only supposes to articulate plausibility before being able to prosecute, is very damaging, particularly if we are committed to the principles of Repressive Law, such as the presumption of innocence and the due process. This distinction between these two probationary charges is at the heart of the probatory system in the Compliance Law. Because Compliance Law always looks for more efficiency, tends to go from the first to the second, to give the Regulator more power, since businesses are so powerful ....

• 4. But the first question then arises: what is the nature no so much of the future measure to be feared, namely a sanction that could be taken later, against Daimler, if the breach is proven, or which will not be applied to the firm if the breach is not established; but what is the nature of the measure immediately taken, namely the return of 42,000 vehicles?

• This may seem like an Ex Ante measurement. Indeed, the Compliance assumes non-polluting cars. The Regulator may have indications that these cars are polluting and that the manufacturer has not made the necessary arrangements for them to be less polluting (Compliance) or even organized so that this failure is not detected ( Compliance fraud).

• This allegation suggests that there is a risk that thiese cars will polluting. They must immediately be removed from circulation for the quality of the environment. Here and now. The question of sanctions will arise after that, having its procedural apparatus of guarantees for the company that will be pursued. But see the situation on the side of the company: having to withdraw 42,000 vehicles from the market is a great damage and what is often called in Repressive Law a "security measure" taken while the evidence is not yet met could deserve a requalification in sanction. Jurisprudence is both abundant and nuanced on this issue of qualification.

• 5. So to withdraw these cars, it is for the company to admit that it is guilty, to increase itself the punishment. And if at this game, taken from the "cost-benefit", as much for the company immediately assert to the market that this requirement of Regulation is unfounded in Law, that the alleged facts are not exacts, and that all this the judges will decide. It is sure at all whether these statements by the company are true or false, but before a Tribunal no one thinks they are true prima facie, they are only allegations.
•  And before a Court, a Regulator appears to have to bear a burden of proof in so far as he has to defend the order he has issued, to prove the breach which he asserts exists, which justifies the exercise he made of his powers. The fact that he exercises his power for the general interest and impartially does not diminish this burden of proof.

• 6. By saying "No", Daimler wants to recover this classic Law, often set aside by Compliance Law, classic Law based on burden of proof, means of proof, and prohibition of punitive measures - except imminent and future imminente and very serious damages  - before 'behavior could be sanctioned following a sanction procedure.
• Admittedly, one would be tempted to make an analogy with the current situation of Boeing whose aircraft are grounded by the Regulator in that he considers that they do not meet the conditions of safety, which the aircraft manufacturer denies , Ex Ante measurement that resembles the retraction measure of the market that constitutes the recall request of cars here operated.
• But the analogy does not work on two points. Firstly, flight activity is a regulated activity that can only be exercised with the Ex Ante authorization of several Regulators, which is not the case for offering to sell cars or to drive with. This is where Regulatory Law and Compliance Law, which often come together, here stand out.Secundly, the very possibility that planes of which it is not excluded that they are not sure is enough, as a precaution, to prohibit their shift. Here (about the cars and the measure of the pollution by them), it is not the safety of the person that is at stake, and probably not even the overall goal of the environment, but the fraud with respect to the obligation to obey Compliance. Why force the withdrawal of 42,000 vehicles? If not to punish? In an exemplary way, to remind in advance and all that it costs not to obey the Compliance? And there, the company says: "I want a judge".

​______