Publications : Doctrine

 Référence complète : Houtcieff, D., Les plateformes au défi des plateformes, in L'émergence d'un droit des plateformes, Dalloz, coll. « Thèmes et commentaires », 2021, pp.51-64.

_____

 

► Lire la présentation générale de l'ouvrage dans lequel s'insère cet article. 

Publications : Doctrine

 Référence complète : Roda, J.-Ch, Vers un droit de la concurrence des plateformes , in L'émergence d'un droit des plateformes, Dalloz, coll. « Thèmes et commentaires », 2021, pp.77-90.

_____

 

► Lire la présentation générale de l'ouvrage dans lequel s'insère cet article. 

Publications : Doctrine

 Référence complète : Amrani-Mekki, S., Les plateformes de résolution en ligne des différends, in L'émergence d'un droit des plateformes, Dalloz, coll. « Thèmes et commentaires », 2021, pp.189-203.

_____

 

► Lire la présentation générale de l'ouvrage dans lequel s'insère cet article. 

Thesaurus : 03. Conseil d'Etat

June 23, 2022

Thesaurus : Doctrine

 Full Reference: Augagneur, L.-M., Le traitement réputationnel par et sur les plateformes, in Frison-Roche, M.-A. (ed.), La juridictionnalisation de la Compliance, series "Régulations & Compliance", Journal of Regulation & Compliance (JoRC) and Dalloz, to be published. 

___

 Article Summary (done by the author): The large platforms are in the position of arbiter of the reputation economy (referencing, notoriety) in which they themselves act. Although the stakes are usually low on a unit basis, the jurisdiction of reputation represents significant aggregate stakes. Platforms are thus led to detect and assess reputation manipulations (by users: SEO, fake reviews, fake followers; or by the platforms themselves as highlighted by the Google Shopping decision issued by the European Commission in 2017) that are implemented on a large scale with algorithmic tools.

The identification and treatment of manipulations is itself only possible by means of artificial intelligence tools. Google thus proceeds with an automated downgrading mechanism for sites that do not follow its guidelines, with the possibility of requesting a review through a very summary procedure entirely conducted by an algorithm. Tripadvisor, on the other hand, uses an algorithm to detect false reviews based on "fraud modeling to identify electronic patterns that cannot be detected by the human eye". It only conducts a human investigation in limited cases.

This jurisdictionality of reputation has little in common with that defined by the jurisprudence of the Court of Justice (legal origin, contradictory procedure, independence, application of the Rules of Law). It is characterized, on the one hand, by the absence of transparency of the rules and even of the existence of rules stated in predicative form and applied by deductive reasoning. It is replaced by an inductive probabilistic model by the identification of abnormal behaviors in relation to centroids. This approach of course raises the issue of statistical bias. More fundamentally, it reflects a transition from Rule of Law, not so much to "Code is Law" (Laurence Lessig), but to "Data is Law", that is, to a governance of numbers (rather than "by" numbers). It also comes back to a form of collective jurisdictionality, since the sanction comes from a computational apprehension of the phenomena of the multitude and not from an individual appreciation. Finally, it appears particularly consubstantial with compliance, since it is based on a teleological approach (the search for a finality rather than the application of principles).

On the other hand, this jurisdictionality is characterized by man-machine cooperation, whether in the decision-making process (which poses the problem of automaticity bias) or in the contradictory procedure (which poses, in particular, the problems of discussion with the machine and the explicability of the machine response).

Until now, the supervision of these processes has been based essentially on the mechanisms of transparency, a limited adversarial requirement and the accessibility of appeal channels. The French Law Loi pour une République Numérique ("Law  for a Digital Republic"), the European Legislation Platform-to-Business Regulation and the Omnibus Directive, have thus set requirements on the ranking criteria on platforms. The Omnibus Directive also requires that professionals guarantee that reviews come from consumers through reasonable and proportionate measures. As for the European Digital Services Act, it provides for transparency on content moderation rules, procedures and algorithms. But this transparency is often a sham. In the same way and for the moment the requirements of sufficient human intervention and adversarial processes appear very limited in the draft text.

The most efficient forms of this jurisdictionality ultimately emerge from the role played by third parties in a form of participatory dispute resolution. Thus, for example, FakeSpot detects false Tripadvisor reviews, Sistrix establishes a ranking index that helped establish the manipulation of Google's algorithm in the Google Shopping case by detecting artifacts based on algorithm changes. Moreover, the draft Digital Services Act envisages recognizing a specific status for trusted flaggers who identify illegal content on platforms.

This singular jurisdictional configuration (judge and party platform, massive situations, algorithmic systems for handling manipulations) thus leads us to reconsider the grammar of the jurisdictional process and its characteristics. If Law is a language (Alain Sériaux), it offers a new grammatical form that would be that of the middle way (mesotès) described by Benevéniste. Between the active and the passive way, there is a way in which the subject carries out an action in which he includes himself. Now, it is the very nature of this jurisdictionality of compliance to make laws by including oneself in them (nomos tithestai). In this respect, the irruption of artificial intelligence in this jurisdictional treatment undoubtedly bears witness to the renewal of the language of Law.

____

 

📝 Consulter une présentation générale du volume dans lequel l'article est publié.

 

Sept. 8, 2021

Thesaurus : Doctrine

► Référence complète : Delpech, X. (dir.), L'émergence d'un droit des plateformes, coll. "Thèmes et Commentaires", Dalloz, 2021, 239 p.

____

 

► Présentation de l'ouvrage en 4ième de couverture : De Uber à Parcoursup en passant par Amazon, le phénomène des plateformes est au cœur de notre vie quotidienne. S’il reflète des réalités diverses, il semble néanmoins possible, d’une plateforme à l’autre, d’observer quelques constantes : toutes sont des dispositifs de mise en relation faisant appel aux nouvelles technologies (internet, un algorithme, etc.).

Les plateformes suscitent cependant de multiples interrogations – et même inquiétudes, compte tenu de la puissance de certaines d’entre elles – auxquels tentent de répondre économistes et bien entendu juristes. Elles constituent ainsi un champ de recherche qui reste encore largement à explorer. Il faudra en particulier s’interroger sur le point de savoir si notre arsenal juridique, y compris européen, est suffisamment armé pour les appréhender, voire même les domestiquer, ou s’il doit être réinventé. Plus profondément, il est légitime de se demander si les plateformes ne sont pas en train de faire émerger une nouvelle branche du droit.

C'est à ces questions que tente de répondre cet ouvrage issu des actes du colloque du 21 octobre 2020 organisé par l'équipe de recherche Louis Josserand de l'Université de Jean Moulin Lyon 3. 

 

____

 

► Lire la présentation des articles :

📝Roda, J.-Ch, Vers un droit de la concurrence des plateformes

📝Houtcieff, D., Les plateformes au défi des qualifications

📝Amrani-Mekki, S., Les plateformes de résolution en ligne des différents

📝Douville, Th., Quel droit pour les plateformes ? 

____

 

 

Aug. 31, 2021

Compliance: at the moment

Par un article publié le 13 juillet 2021, "Targeted ads isolate and divide us even when they’re not political – new research"  des chercheurs ayant mené une étude à propos d'intelligence artificielle et d'éthique , rendent compte des résultats obtenus. Il ressort de cette étude empirique montre que les technologies, mises au point à des fins politiques pour capter les votes afin de faire élire Trump ou pour obtenir un vote positif pour le Brexit, utilisées à des fins commerciales, auraient deux effets sur nous : en premier lieu elles nous isolent ; en second lieu elles nous opposent.

____


Le seul lien social qui a donc vocation à avoir serait donc l'agression.  


Certes l'usage ainsi fait de nos informations personnelles, auquel nous "consentons" tous, que cela soit pour obtenir notre adhésion à des discours ou à des produits, casse ce qu'Aristote appelait "l'amitiés" comme socle de la Cité Politique.
L'on mesure que la notion de "consentement", qui est une notion juridique, relativement périphérique dans le Droit des Obligations, que beaucoup voudraient mettre comme l'alpha et l'omega, ne nous protège en rien de cette destruction de nous-même et des autres, de cette perspective de la Cité.
Il est important de penser la régulation de la technologie, sur laquelle est construit l'espace digital sur une autre notion que le "consentement".
C'est pourquoi le Droit de la Compliance, qui n'est pas construit sur le "consentement", est la branche du Droit de l'avenir.
#droit #numérique #amitié #consentement #haine #politique

Aug. 30, 2021

Compliance: at the moment

An article from March 3, 2021, Smile for the camera: the dark side of China's emotion-recognition tech, then an article from June 16, 2021, "Every smile you fake" - an AI emotion - recognition system can assess how "happy" China's workers are in the office describes how a new technology of emotional recognition is able, through what will soon be out of fashion to call "facial recognition", to distinguish a smile that reflects a mind state of real satisfaction from a smile which does not correspond to it. This allows the employer to measure the suitability of the human being for his or her work. It is promised that it will be used in an ethical way, to improve well-being at work. But isn't it in itself that this technology is incompatible with any compensation through ethical support?

The technology developed by a Chinese technology company and acquired by other Chinese companies with many employees, allows to have information on the actual state of mind of the person through and beyond his or her facial expressions and bodily behavior.

Previously, the technology of emotional recognition had been developed to ensure security, by fighting against people with hostile plans, public authorities using it for example in the controls at airports to detect the criminal plans which some passengers could have.

It is now affirmed that it is not about fighting against some evil people ("dangerousness") to protect the group before the act is committed ("social defense”) but that it is about helping all workers.

Indeed, the use that will be made of it will be ethical, because first the people who work for these Chinese companies with global activity, like Huawaï, do it freely and have accepted the operation of these artificial intelligence tools (which is not the case with people who travel, control being then a kind of necessary evil that they do not have to accept, which is imposed on them for the protection of the group), but even and above all, the purpose is itself ethical: if it turns out that the person does not feel well at work, that they are not happy there, even before they are perhaps aware, the company can assist.

Let’s take this practical case from the perspective of Law and let’s imagine that it is contested before a judge applying the principles of Western Law.

Would this be acceptable?

No, and for three reasons.

1. An "ethical use" cannot justify an unethical process in itself

2. The first freedoms are negative

3. "Consent" should not be the only principle governing the technological and digital space

 

I. AN "ETHICAL USE" CAN NEVER LEGITIMATE AN UNETHICAL PROCESS IN ITSELF

These unethical processes in themselves cannot be made "acceptable" by an "ethical use" which will be made of them.

This principle was especially reminded by Sylviane Agacinski in bioethics: if one cannot dispose of another through a disposition of his or her body which makes his or her very person available (see not. Agacinski, S., ➡️📗Le tiers-corps. Réflexions sur le don d’organes, 2018).

Except to make the person reduced to the thing that his or her body is, which is not ethically admissible in itself, that is excluded, and Law is there in order to this is not possible.

This is even why the legal notion of "person", which is not a notion that goes without saying, which is a notion built by Western thought, acts as a bulwark so that human beings cannot be fully available to others, for example by placing their bodies on the market (see Frison-Roche, M.-A., ➡️📝To protect human beings, the ethical imperative of the legal notion of person, 2018). This is why, for example, as Sylviane Agacinski emphasizes, there is no ethical slavery (a slave who cannot be beaten, who must be well fed, etc.).

That the human being agrees ("and what about if it pleases me to be beaten?") does not change anything.

 

II. THE FIRST FREEDOM IS THE ONE TO SAY NO, FOR EXAMPLE BY REFUSING TO REVEAL YOUR EMOTIONS: FOR EXAMPLE HIDING IF YOU ARE HAPPY OR NOT TO WORK

The first freedom is not positive (being free to say Yes); it is negative (being free to say No). For example, the freedom of marriage is having the freedom not to marry before having the freedom to marry: if one does not have the freedom not to marry, then the freedom to marry loses any value. Likewise, the freedom to contract implies the freedom not to contract, etc.

Thus, freedom in the company can take the form of freedom of speech, which allows people, according to procedures established by Law, to express their emotions, for example their anger or their disapproval, through the strike.

But this freedom of speech, which is a positive freedom, has no value unless the worker has the fundamental freedom not to express his or her emotions. For example if he or she is not happy with his or her job, because he or she does not appreciate what he or she does, or he or she does not like the place where he or she works, or he or she does not like people with whom he or she works, his or her freedom of speech demands that he or she have the right not to express it.

If the employer has a tool that allows him or her to obtain information about what the worker likes and dislikes, then the employee loses this first freedom.

In the Western legal order, we must be able to consider that it is at the constitutional level that the infringement is carried out through Law of Persons (on the intimacy between the Law of Persons and the Constitutional Law, see Marais , A., ➡️📕Le Droit des personnes, 2021).

 

III. CONSENT SHOULD NOT BE THE ONLY PRINCIPLE GOVERNING THE TECHNOLOGICAL AND DIGITAL SPACE

 

We could consider that the case of the company is different from the case of the controls operated by the State for the monitoring of airports, because in the first case observed people are consenting.

"Consent" is today the central notion, often presented as the future of what everyone wants: the "regulation" of technology, especially when it takes the form of algorithms ("artificial intelligence"), especially in digital space.

"Consent" would allow "ethical use" and could establish the whole (on these issues, see Frison-Roche, M.-A., ➡️📝Having a good behavior in the digital space, 2019).

"Consent" is a notion from which Law is today moving away in Law of Persons, in particular as regards the "consent" given by adolescents on the availability of their body, but not yet on digital.

No doubt because in Contract Law, "consent" is almost synonymous with "free will", whereas they must be distinguished (see Frison-Roche, M.-A., ➡️📝Remarques sur la distinction entre la volonté et le consentement en Droit des contrats, 1995).

But we see through this case, which precisely takes place in China, that "consent" is in Law as elsewhere a sign of submission. It is only in a probative way that it can constitute proof of a free will; this proof must not turn into an irrebuttable presumption.

The Data Regulatory Authorities (for example in France the CNIL) seek to reconstitute this probative link between "consent" and "freedom to say No" so that technology does not allow by "mechanical consents", cut off from any connection with the principle of freedom which protects human beings, from dispossessing themselves (see Frison-Roche, M.-A., Yes to the principle of will, No to pure consents, 2018).

The more the notion of consent will be peripheral, the more human beings will be able to be active and protected.

________

June 23, 2021

Publications : Doctrine

 Référence complète : Douville, T., Quel droit pour les plateformes ?, in Delpech, X. (dir.), L'émergence d'un droit des plateformescoll. « Thèmes et commentaires », Dalloz, 2021, pp.217-239.

_____

 

► Lire la présentation générale de l'ouvrage dans lequel est publié cet article. 

June 18, 2021

Compliance: at the moment

 Law is slow, but firm. By its judgment of June 15, 2021, Facebook , the European Union Court of Justice widely interprets the powers of National Authorities, since they serve the people protection in the digital space (➡️📝(CJEU, June 15, 2021, Facebook)

 

Law is slow. The reproach is so often made. But the bottom line is that, in the noise of changing regulations, it establishes clear and firm principles, letting everyone know what to stand for. The more the world is changing, the more Law is required.

When Law degenerates into regulations, then it is up to the Judge to make Law. "Supreme Courts" appear, de jure as in the United States, de facto as in the European Union by the Court of Justice of the European Union which lays down the principles, before everyone else, as it did for the "right to be forgotten" in 2014 (➡️📝CJEU, Google Spain, May 13, 2014), and then with the impossibility of transferring data to third countries without the consent of the people concerned (➡️📝CJEU, Schrems, October 6, 2015).

Facebook litigation is kind of a novel. The company knows that it is above all to the Courts that it speaks. In Europe, it is doing it behind the walls of the Irish legal space, from which it would like to be able not to leave before better dominating the global digital space, while national regulatory authorities want to take it to protect citizens.

There is therefore a technical question of "jurisdictional competence". The texts have provided for this, but Law is clumsy because it was designed for a world still anchored in the ground: the GDPR of 2016 therefore organizes cooperation between national regulatory authorities through a "one-stop-shop", forcing the authorities to relinquish jurisdiction so that the case is only handled by the "lead" National Authority. This avoids splintering and contradiction. But before the adoption of the GDPR, the Belgian data protection regulator had opened a procedure against Facebook concerning cookies. The "one-stop-shop" mechanism, introduced in 2016, is therefore only mentioned before the Brussels Court of Appeal, which is asked to relinquish jurisdiction in favor of the Irish Regulatory Authority, since the company has in Europe its head office in this country. The Court of Appeal referred to the CJEU for a preliminary ruling.

By its judgment of June 15, 2021 (➡️📝CJUE, Facebook, June 15, 2021), it follows the conclusions of its Advocate General and maintains the jurisdiction of the Belgian National Regulator because, even after the GDPR, the case still undergoes national treatment. In this decision, the most important is its reasoning and the principle adopted. The Court notes that the "one-stop-shop" rule is not absolute and that the national regulatory authority has the power to maintain its jurisdiction, in particular if cooperation between national authorities is difficult.

Even more, will it not one day have to adjust Law more radically? We need to consider the fact that the digital space is not bound by borders and that the ambition of "cross-border cooperation" is ill-suited. It is of course on this observation of inefficiency, consubstantial with the digital space, that the European Public Prosecutor's Office (EPPO) was designed and set up, which is not a cooperation, nor a "one-stop shop", but a body of the Union, acting locally for the Union, directly linked to Compliance concerns (➡️📝Frison-Roche, M.-A. "The European Public Prosecutor's Office is a considerable contribution to Compliance Law", 2021 and ., European Public Prosecutor's Office comes on stage: the company having itself become a private prosecutor, are we going towards an alliance of all prosecutors ?, 2021).

So that's what we should be inspired by.

June 17, 2021

Compliance: at the moment

 Compliance Law and Competition: for building, is it necessary to legislate ? Example of quasi-public interest judicial agreement: the French Competition Authority's Statement of June 3, 2021 on Facebook

 

The French law so-called "Sapin 2" of 2016, organized the "convention judiciaire d’intérêt public - CJIP" (Public Interest Judicial Agreement) which allows the prosecutor to undertake not to prosecute a company in returns for this company's commitments for the future. Is this mechanism reserved for this law, which only concerns corruption and bribery? The answer is often positive.

Is it so obvious?

Since the entity having the power to prosecute therefore always has the power not to prosecute. As the company always has the freedom to make commitments for the future. And everything stops.

News in Competition Law illustrate this. On June 9, 2021, as part of a transaction, the Autorité de la concurrence (French Competition Authority) sanctions Google (➡️📝 Communiqué of the Autorité de la Concurrence , translated in English by the French Competition Authority) , which has not contested the facts, for abuse of dominant position for having privileged its services in the online advertising services. Similar facts were alleged against Facebook. But on June 3, 2021, the Autorité de la concurrence (French Competition Authority) published a "communiqué de presse" (➡️📝statement translated in English by the French Competition Authoritysaying that Facebook has, during the investigation, proposed commitments regarding its future behavior. It is remarkable that this statement on Facebook is published as an “acte de régulation” (regulatory act).

Yes, it is indeed an regulatory act about the future and structuring the online advertising area, internalized in this company which engages itself in its future behavior. With its statement, the Competition Authority invites the “acteurs du secteur” (actors of this sector) to make observations, for the development of what will be a sort of compliance program.

In these negotiations which are akin to a game table, where everyone calculates without knowing if they enter into a negotiation or a confrontation, the first game assuming that one shows more cards than in the second, it is indeed towards a kind of Public Interest Judicial Agreement that they are going with a Competition Authority which is both Judge and Prosecutor, concludes the agreement and, through a later decision, gives it force. Under the various legal qualifications, it is indeed the same general mechanism of Compliance Law, well beyond the specific French law known as Sapin 2.

Managed in this way, Compliance Law being an Ex Ante corpus, transforms the Competition Authority, an Ex Post Authority, into an Ex Ante Authority, openly taking "acte de régulation" (Regulatory Act), and allows it to rely on the power of companies, thus “committed”, to structure markets, which are however not regulated. Like advertising or retailing areas (➡️📝see Frison-Roche, M.-A., From Competition Law to Compliance Law: Example of French Competition Authority's decision on central purchasing body in mass distribution, 2020).

Thus Compliance Law has achieved the autonomy of Regulatory Law with regards to the notion, which nevertheless seemed intimate to it, of "sector".

 

► register to the French Newsletter MaFR ComplianceTech®

June 15, 2021

Thesaurus : 05. CJCE - CJUE

Full reference: CJEU, Grand chamber, Judgment Facebook Ireland e.a. v. Gegevensbeschermingsautoriteit, C-645-19, June 15, 2021

Read the judgment

Read the abstract of the judgment done by the Court

Read the press release

 

 

Jan. 11, 2021

Interviews

Full reference: Frison-Roche, M.-A., "Let's Use the Power of GAFAMs in the Service of General Interest!" ("Utilisons la puissance des GAFAMs au service de l'intérêt général!"), interview done by Olivia Dufour, Actu-juridiques Lextenso, 11st of January 2021

Read the interview (in French)

To read the article translated in English by us, read the working paper on which this interview is based

 

Summary of the interview by Olivia Dufour:

Marie-Anne Frison-Roche, Professor of Regulation and Compliance Law, reported to the government in 2019 about Internet governance. For this expert, giving a disciplinary power to GAFAMs is the only effective solution. And the suppression of Donald Trump's account is not likely to call this analysis into question.

 

The three questions (translated in English here by ourselves) asked by Olivia Dufour are: 

  • The deletion of Donald Trump's Twitter account arouses strong emotions on social networks, and not only among his supporters. What do you think about this ?
  • However, this incident does raise concern. Are we not giving too much power to these private companies? This raises the question in France of the relevance of the Avia system ...
  • Should we therefore resolve by default to give our freedoms to private and opaque mastodons?

 

Read the answers to these three questions (in French)

 

To go further, especially about the logics that guide the Avia system, see:

Dec. 31, 2020

Thesaurus : Doctrine

Full reference: Zittrain, J. L., "Gaining Power, Losing Control", Clare Hall Tanner Lecture 2020, 2020

See the intervention

Read the intervention's report

 

This intervention is divided in two parts: 

  • Between Abdication and Suffocation: Three Eras of Governing Digital Platforms 
  • With Great Power Comes Great Ignorance: What’s Wrong When Machine Learning Gets It Right 

Dec. 7, 2020

Thesaurus : Doctrine

Full reference: Vergnolle, S., L'effectivité de la protection des personnes par le droit des données à caractère personnel (The effectiveness of the protection of people by personal data Law (our translation)), Passa, J. (dir.), thesis, Law, Panthéon-Assas University (Paris II), 2020, 531 p.

 

Read the thesis (in French)

Read directly and only the table of contents (in French)

 

 

To go further about regulation of personal data, read: 

Nov. 23, 2020

Interviews

Full reference: Frison-Roche, M.-A., Facebook: Quand le Droit de la Compliance démontre sa capacité à protéger les personnes (Facebook: When Compliance Law proves its ability to protect people), interview with Olivia Dufour, Actu-juridiques Lextenso, 23rd of November 2020

Read the interview (in French)

Read the news of the Newsletter MAFR - Law, Compliance, Regulation about this question

Nov. 1, 2020

Publications

Oct. 22, 2020

Interviews

Full reference: Frison-Roche, M.-A., "Health Data Hub est un coup de maître du Conseil d'Etat", interview realized by Olivia Dufour for Actu-juridiques, Lextenso, 22nd of October 2020

Read the news of 19th of October 2020 of the Newsletter MAFR - Law, Compliance, Regulation on which relies this interview: Conditions for the legality of a platform managed by an American company hosting European health data​: French Conseil d'Etat decision 

To go further, on the question of Compliance Law concerning Health Data Protection, read the news of 25th of August 2020: The always in expansion "Right to be Forgotten"​: a legitimate Oxymore in Compliance Law built on Information. Example of​ Cancer Survivors Protection 

Oct. 1, 2020

Thesaurus : Soft Law

Full reference of the guidelines: Commission Nationale de l'Informatique et des Libertés (CNIL), Délibération n°2020-091 du 17 septembre 2020 portant adoption de lignes directrices relatives à l'application de l'article 82 de la loi du 6 janvier 1978 modifiée aux opérations de lecture et écriture dans le terminal d'un utilisateur (notamment aux "cookies et autres traceurs") et abrogeant la délibération n°2019-093 du 4 juillet 2019 

Full reference of the recommendation: Commission Nationale de l'Informatique et des Libertés (CNIL), Délibération n°2020-092 du 17 septembre 2020 portant adoption d'une recommandation proposant des modalités pratiques de mise en conformité en cas de recours aux "cookies et autres traceurs". 

Read the guidelines (in French)

Read the recommendation (in French)

Read the presentation of these guilines and of this recommendation by the CNIL (in French) 

Read Marie-Anne Frison-Roche's comment about this in the Newsletter MAFR - Law, Regulation & Compliance of 1st of October 2020

Sept. 16, 2020

Publications

Full reference: Frison-Roche, M.-A., Se tenir bien dans l'espace numérique, in Penser le droit de la pensée. Mélanges en l'honneur de Michel Vivant, Lexis Nexis and Dalloz, 2020, pp. 155-168

Read Marie-Anne Frison-Roche's article (in French)

Read the working paper, written in English, on which this article is based, enriched with additional developments, technical references and hyperlinks

 

Summary of the article: 

The digital space is one of the scarce spaces not framed by a specific branch of Law, Freedom also offering opportunity to its actors to not "behave well", that is to express and diffuse broadly and immediately hateful thoughts through Hate speechs, which remained before in private or limited circles. The intimacy of Law and of the legal notion of Person is broken: Digital permits to individuals or organizations to act as demultiplied and anonymous characters, digital depersonalized actors who carry behaviors that are hurtful to other's dignity. 

Against that, Compliance Law offers an appropriate solution: internalizing in digital crucial operators the mission to disciplinary and substantially hold the digital space. The digital space has been structured by powerful firms able to maintain order. Because Law must not reduce digital space to be only a neutral market of digital prestations, these crucial operators, like social networks or search engines, must be forced to substantially control behaviors. It could be about an obligation of internet users to act with their face uncover, "real identity" policy controlled by firms, and to respect others' rights, privacy rights, dignity, intellectual property rights. In their Regulatory function, digital crucial firms must be supervised by public authorities. 

Thus, Compliance law substantially defined is the protector of the person as "subject of law" in the digital space, by the respect that others must have, this space passing from the status of free space to the one of civilized space, in which everyone is obliged to behave well. 

______

 

Read to go further: 

Sept. 10, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Responding to an email with "serious anomalies"​,transferring personal data, blocks reimbursement by the bank: French Cour de cassation, July 1st 2020Newsletter MAFR - Law, Compliance, Regulation, 10th of September 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

"Phishing" is a kind of cyber criminality aiming to obtain, by sending fraudulent emails which look like to those sent by legitimate organisms, recipient's personal information in order to impersonate or steal him or her. As it is difficult to find the authors of "phishing" and to prove their intentionality in order to punish them directly, on mean to fight against "phishing" could be to entitle banks to secure their information network and, to accompany this obligation with a strong incentive, to convict them to reimburse the victims in case of robbery of their personal data.  

In 2015, a client victime of this kind of fraud asked to his bank, the Crédit Mutuel, to reimburse him the amount stole, what the bank refused to do on the grounds that the client committed a fault, transferring its confidential information without checking the email, however grossly counterfeit. The Court of first instance gave reason to the client because although he committed this fault, he was in good faith. This judgment was broken by the Chambre commerciale de la Cour de cassation (French Judicial Supreme Court) by a decision of 1st of July 2020 which states that this serious negligence, exclusive of any consideration of good faith, justifies the absence of reimbursement by the bank.

___

 

From this particular case, we can draw three lessons

  1. The Cour de Cassation states that good faith is not a salient criterion and that, as the bank must react when a banking account is objectively abnormal, the client must react face to an obviously abnormal email. 
  2. The Cour de Cassation describes the repartition of proof burden. Proof obligations are alternatively distributed between the bank and its client. First, the bank must secure its information network but, secondly, the client must take every reasonable measure to preserve its safety. It results from this that, if the email seems normal, phishing damages must be supported by the bank, and more generally of by the firm, while if the email is obviously abnormal, they must be supported by the client, but the burden to prove the abnormality of the email must be supported by the firm and not by the client. 
  3. Such a proof system shows that Compliance Law includes a pedagogic mission by educating each client in order to he or she would be able to distinguish among his or her emails, those which are normal and those which are obviously suspect. This pedagogic dimension, with the legal consequences associated to it, will not stop to spread. 

 

______

Sept. 2, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., For regulating or supervising, technical competence is required: example of the French creation of the "Pôle d'expertise de la régulation numérique"​Newsletter MAFR - Law, Regulation, Compliance, 2nd of September 2020

Lire par abonnement gratuit d'autres news de la Newsletter MAFR - Law, Regulation, Compliance

 

Summary of the news

Through a decree of 31st of August 2020, the government created a national service, the "Pôle d'expertise de la régulation numérique" (digital regulation expertise pole). It has to furnish to State services a technical expertise in computer science, data science and algorithm processes in order to assist them in their role of control, investigation and study. The aim is to favor information sharing between researchers and State services in charge of regulating digital space. 

As its acronym indicates, this pole of expertise aims to represents constance in a changing world. Moreover, more than being a national service, this organism must adopt a transversal dimension, its creation decree being signed by the Prime Minister, Minister of Economy, Minister of Culture and Minister of Digital Transition. The creation of such a pole shows the awareness of the government of the importance of technical competency in the regulation of digital space and of the necessity to centralize these expertises in one organ. 

However, as the decree indicates, this pole of expertise could be consulted only by "State services", that excludes regulators which are independent from the State and which could put the pole in conflict of interest, and courts even if they are supposed to play a central role in the regulation of digital space and even if they are allowed to ask the advice of the regulator about some cases. But if regulators cannot size the pole, to whom does it benefit except the legislator and a few officials? 

It would therefore have been better for this pole of expertise to be placed under the direction of regulatory and supervisory bodies, which would have enabled it to be able to be consulted both by regulators and by judges, both of whom are key players in digital regulation.

Aug. 31, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Compliance by Design, a new weapon? Opinion of Facebook about Apple new technical dispositions on Personal Data protectionNewsletter MAFR - Law, Compliance, Regulation, 31st of August 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news:

Personal Data, as they are information, are Compliance Tools. They represent a precious resource for firms which must implement a vigilance plan in order to prevent corruption, money laundering or terrorism financing, for examples. It is the reason why personal data are the angular stone of "Compliance by design" systems. However, the use of these data cannot clear the firm of its simultaneous obligation to protect these same personal data, that is also a "monumental goal" of Compliance Law. 

In order to be able to exploit these data in an objective of Compliance and protecting them in the same time, the digital firm Apple adopted for example new dispositions in order to the exploitation of the Identifier For Advertisers (IDFA) integrated in the iPad and in the iPhone and broadly used by targeted advertising firms, is conditioned to the consumer's consent.

Facebook reacted to this new disposition explaining that such measures will restrict the access to data for advertisers who will suffer from that. Facebook suspects Apple to block the access to advertisers in order to develop its own advertising tool. Facebook guaranteed to advertisers who work with it that it will not take similar measures and that it will always favor consultation before decision making in order to concile sometimes divergent interests. 

We can sleep and already make some remarks:

  • GDPR imposing to companies that they guarantee a minimal level of protection for personal data does not apply in the United-States. It is then possible that Apple acted through Corporate Social Responsibility (CSR), more than through legal obligation. 
  • The mode of regulation used here is the "conversational regulation" theorized by Julia Black. Indeed, regulators let the forces in presence discuss. 
  • This "conversational regulation" does not seem to be very efficient in this case and an intervention of administrative authorities or of judges could be justified via Competition Law, Regulation Law or Compliance Law, knowing that Competition Law will favor access right to information and Regulation or Compliance Law private life right. 

The whole paradox of Compliance Law rests in the equilibrium between circulation of information and secret. 

Aug. 27, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., "Interregulation"​ between Payments System and Personal Data Protection: how to organize this "interplay"​?Newsletter MAFR - Law, Compliance, Regulation, 27th of August 2020

Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

Regulation Law, in order to recognize and draw the consequences from the specificities of some objects, has been build, at the start, around the notion of "technical sector" although their delimitation is partially related to a political choice. But, in facts, there are multiple points of contacts between sectors, actors moving from one to another as objects. The regulatory solution is so to climb over some technical borders through the methodology of interregulation which is by the way the only one to enable the regulation of some phenomena going beyond the notion of sector and related to Compliance Law. 

This news takes the exemple of companies furnishing new payment services. In order to they can provide these services, these firms needs to access to banking accounts of concerned people and so to very sensitive personal data. Regulation of such a configuration needs a cooperation between the banking regulator and the personal data regulator. Legislation being not sufficient to organize in Ex Ante this interregulation, the European Data Protection Board has published some guidelines on 17th of July 2020 about the way it conceives the articulation between the PSD2 (European directive about payment services) and GDPR and has announced that it intended to expand the circle of its interlocutors to do this interregulation. Such an initiative from EDPB can be justified by the uncertainty  about how interpreting both texts and articulating them.   

Aug. 14, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Is Regulating Hate and Infox a legal obligation imposed to the Digital Enterprises or the expression of their free will to contribute to Democracy?Newsletter MAFR - Law, Compliance, Regulation, 14th of August 2020

Read, by freely subscribing, other news in the Newsletter MAFR - Law, Compliance, Regulation

 

Summary of the news

Internet permits to access to expanded knowledge but also make easier the broadcasting of fake news and hate speeches. Unfortunately, public powers cannot know who broadcast these fake news and hate speeches and are so not able to fight efficiently against this. A solution would be to expect from digital firms that they find a way to contain these fake news and hate speeches that they structurally contribute to diffuse. 

Digital firms already do that and especially Facebook which plans to sensibilize its American users to 2020 presidential elections. However, digital firms explain that if they fight against fake news and hate speeches, it is only because of its Corporate Social Responsibility (CSR). But, even if it is a calculus to get a better reputation and avoid boycott actions, this remains a willingness of the firm which is therefore neither forced to succeed, nor even to act. 

The solution proposed by Compliance Law is to make of this effort a legal obligation by internalizing in crucial operators (digital firms) the "monumental goal" to fight against fake news and hate speeches so that digital companies are required to act and that they are supervised by public authorities in this task. The forthcoming law about digital services will impose to digital firms Ex Ante obligations while the law of 22 of December 2018 related to the fight against information manipulation already forces platforms operators a legal obligation to "cooperate" in the fight against fake news. 

 

To go further, read :