June 18, 2021

Compliance: at the moment

 Law is slow, but firm. By its judgment of June 15, 2021, Facebook , the European Union Court of Justice widely interprets the powers of National Authorities, since they serve the people protection in the digital space (➡️📝(CJEU, June 15, 2021, Facebook)

 

Law is slow. The reproach is so often made. But the bottom line is that, in the noise of changing regulations, it establishes clear and firm principles, letting everyone know what to stand for. The more the world is changing, the more Law is required.

When Law degenerates into regulations, then it is up to the Judge to make Law. "Supreme Courts" appear, de jure as in the United States, de facto as in the European Union by the Court of Justice of the European Union which lays down the principles, before everyone else, as it did for the "right to be forgotten" in 2014 (➡️📝CJEU, Google Spain, May 13, 2014), and then with the impossibility of transferring data to third countries without the consent of the people concerned (➡️📝CJEU, Schrems, October 6, 2015).

Facebook litigation is kind of a novel. The company knows that it is above all to the Courts that it speaks. In Europe, it is doing it behind the walls of the Irish legal space, from which it would like to be able not to leave before better dominating the global digital space, while national regulatory authorities want to take it to protect citizens.

There is therefore a technical question of "jurisdictional competence". The texts have provided for this, but Law is clumsy because it was designed for a world still anchored in the ground: the GDPR of 2016 therefore organizes cooperation between national regulatory authorities through a "one-stop-shop", forcing the authorities to relinquish jurisdiction so that the case is only handled by the "lead" National Authority. This avoids splintering and contradiction. But before the adoption of the GDPR, the Belgian data protection regulator had opened a procedure against Facebook concerning cookies. The "one-stop-shop" mechanism, introduced in 2016, is therefore only mentioned before the Brussels Court of Appeal, which is asked to relinquish jurisdiction in favor of the Irish Regulatory Authority, since the company has in Europe its head office in this country. The Court of Appeal referred to the CJEU for a preliminary ruling.

By its judgment of June 15, 2021 (➡️📝CJUE, Facebook, June 15, 2021), it follows the conclusions of its Advocate General and maintains the jurisdiction of the Belgian National Regulator because, even after the GDPR, the case still undergoes national treatment. In this decision, the most important is its reasoning and the principle adopted. The Court notes that the "one-stop-shop" rule is not absolute and that the national regulatory authority has the power to maintain its jurisdiction, in particular if cooperation between national authorities is difficult.

Even more, will it not one day have to adjust Law more radically? We need to consider the fact that the digital space is not bound by borders and that the ambition of "cross-border cooperation" is ill-suited. It is of course on this observation of inefficiency, consubstantial with the digital space, that the European Public Prosecutor's Office (EPPO) was designed and set up, which is not a cooperation, nor a "one-stop shop", but a body of the Union, acting locally for the Union, directly linked to Compliance concerns (➡️📝Frison-Roche, M.-A. "The European Public Prosecutor's Office is a considerable contribution to Compliance Law", 2021 and ., European Public Prosecutor's Office comes on stage: the company having itself become a private prosecutor, are we going towards an alliance of all prosecutors ?, 2021).

So that's what we should be inspired by.

June 15, 2021

Thesaurus : 05. CJCE - CJUE

Full reference: CJEU, Grand chamber, Judgment Facebook Ireland e.a. v. Gegevensbeschermingsautoriteit, C-645-19, June 15, 2021

Read the judgment

Read the abstract of the judgment done by the Court

Read the press release

 

 

Feb. 20, 2020

Thesaurus : Doctrine

Référence complète : Mounoussamy, L., Le smart contract, acte ou hack juridique ?, in Petites Affiches, n°37, 20 février 2020, pp. 12-19.

 

Résumé par les Petites Affiches : Dans cet article, l'auteur analyse l'arrivée du smart contract, système innovant né du développement des nouvelles technologies, dans un environnement juridique déjà structuré. Il commence par définir la nature du smart contract, et le positionne dans cet ensemble juridique mondialisé. Il en présente les impacts et les perspectives de développement, les forces et les faiblesses ainsi que l'intime relation que noues les technologies informatiques et le droit. Le smart contract est un outil dont l'utilisateur définira s'il viendra disrupter le contrat ou le parfaire.

Sept. 8, 2019

Blog

Experience shows that in the digital the legal technique of consent is not protective enough.
 
If only because a simplest technology neutralizes the link that should exist between the "consent" of the user and the "free will" of the latter: the consent of the user only protects the latter to the extent that this one can in Law and in fact to say "no.
 
 
I. THE EXPERIENCE 
 
For example I found on my Facebook New an access to an unknown web site which puts online an article on "the rights of trees" ...
I go. In accordance with the European Regulation (GDPR) transposed into French legal system, the site informs that there is possibility for the user to accept or refuse the use of their personal data for the benefit of "partners".
If they continue reading, the user is supposed to accept everything, but they can click to "customize".
I click: there I find two options: "accept everything" or "reject everything". But the "reject all" option is disabled. It is only possible to click on the "accept all" option.
 
It is also possible, because the law obliges, to consult the list of the partners of this website: I click and find a list of unknown companies, with foreign denominations, which without doubt once will collect my personal data (and those of my contacts) , having their own head office outside the European Union.
It is stated in a text, which can not be copied, that these "partners" can use my data without my consent and for purposes that they do not have to inform me. But, again, these things I can "refuse everything". Here again the "reject all" mention exists but the fonctionality is not active, while the mention "accept all" is an active fonctionality.
 
As I can not refuse (since it's disabled), and as 99% of Internet users have never clicked on the first two buttons, all their data has been fed into the data market that allows the targeting of products that spill out in the digital space, to their detriment and that of their contact.
While believing to read a free article on the "right of the trees".
At the end, I do not read this article, since I did not click on the only active buttons: "accept everything".
 
In more than 50% of cases, the "reject all" or "customize" options are only images but are not active. And data absorption is also about contacts.
In exchange for a whimsical article about trees and their rights, or creams to be always young, or celebrities who change spouses, or about so-called tests to find what king or queen you should be if the all recognized all your merits, etc.
Proposed on the digital news feed by unknown sites; in partnership with foreign companies that you will never reach.
And mass-viewed by Internet users who are also told that "consent" is the proven solution for effective protection ....
While these are just panels hastily built by new Potemkins ...
 
II. WHAT TO DO ? 
 
1. Not be satisfied with "consent" from the moment that it is a mechanism that may not be the expression of a free will: how could it be if the option "to refuse" is not active?
 
2. The link between will and consent must therefore be "presumed" only in a simple presumption and in a non-irrefutable way, because we must refuse to live in a dehumanized society, operating on "mechanical consents", to which the digital does not lead necessarily.
 
3. Entrust by the Compliance Law to the "crucial digital operators" (in the case of Facebook thanks to which these proposals for free reading are made on the thread of news of the Net surfers) the care to verify in Ex Ante the effectiveness of the link between Will and Consent: Here and concretely the possibility for the user to read while refusing the capture of all its data (for the benefit of operators who do not even have the concrete obligation to give the information of the use that will be made of these personal data).
 
_____

Updated: Sept. 5, 2019 (Initial publication: April 30, 2019)

Publications

►  Full Reference : Frison-Roche, M.-A., L'apport du Droit de la Compliance dans la Gouvernance d'Internet  (The contribution of Compliance Law to the Internet Governance), Report asked by the French Government, published the 15th July 2019, 139 p.

_____

►  Report Summary. Governing the Internet? Compliance Law can help.

Compliance Law is for the Policy Maker to aim for global goals that they requires to be achieved by companies in a position to do so. In the digital space built on the sole principle of Liberty, the Politics must insert a second principle: the Person. The respect of this One, in balance with the Freedom, can be required by the Policy Maker via Compliance Law, which internalises this specific pretention in the digital companies. Liberalism and Humanism become the two pillars of Internet Governance.

The humanism of European Compliance Law then enriches US Compliance law. The crucial digital operators thus forced, like Facebook, YouTube, Google, etc., must then exercise powers only to better achieve these goals to protect persons (against hatred, inadequate exploitation of data, terrorism, violation of intellectual property, etc.). They must guarantee the rights of individuals, including intellectual property rights. To do this, they must be recognized as "second level regulators", supervised by Public Authorities.

This governance of the Internet by Compliance Law is ongoing. By the European Banking Union. By green finance. By the GDPR. We must force the line and give unity and simplicity that are still lacking, by infusing a political dimension to Compliance: the Person. The European Court of Justice has always done it. The European Commission through its DG Connect is ready.

 

► 📓 Read the reporte (in French)

📝 Read the Report Summary in 3 pages (in English)

📝 Read the Report Summary in 6 pages (in English)

____

 

►  Plan of the Report (4 chapters): an ascertainment of the digitization of the world (1), the challenge of civilization that this constitutes (2), the relations of Compliance mechanisms as it should be conceived between Europe and the United States, not to mention that the world is not limited to them, with the concrete solutions that result from this (3) and concrete practical solutions to better organize an effective digital governance, inspired by what is particularly in the banking sector, and continuing what has already been done in Europe in the digital field, which has already made it exemplary and what it must continue, France can be force of proposal by the example (4).

____

 

📝  Read the written presentation of the Report done by Minister Cédric O (in French).

🏛 Listen to the oral  presentation of the Report by Minister Cédric O durant the parliamentary discussion of the law against hate contente on the Internet (in French).

____

 

💬 Read the interview published the 18 July 2019 : "Gouvernance d'Internet : un enjeu de civilisation" ( "Governing Internet: an Issue of Civilization"), given in French, 

📻 Listen the Radio broadcast of July 21, 2019 during which its consequences are applied to the cryptocurrency "Libra" (given in French)

🏛 Presentation of the Report to the Conseil Supérieur de l'Audiovisuel- CSA (French Council of Audiovisual) on Septembre 5, by a discussion with its members presentation (in French)

💬 Read the  Interview published the 20 December 2019 : "Le droit de la compliance pour réguler l'Internet" ("Compliance Law for regulate Internet"), given in French

____

 

 

read below the 54 propositions of the Report ⤵️

June 5, 2019

Thesaurus : Doctrine

Référence complète : Thierache, C., RGPD vs Cloud Act : le nouveau cadre légal américain est-il anti-RGPD ?, in La Revue juridique Dalloz IP/IT,  n°6, 2019, p.367

 

Les étudiants de Sciences po peuvent lire l'article via le Drive dans le dossier "MAFR - Régulation & Compliance"