Full reference: Frison-Roche, M.-A., Due process and Personal Data Compliance Law: same rules, one Goal (CJEU, Order, October 29, 2020, Facebook Ireland Ltd v/ E.C.), Newsletter MAFR - Law, Compliance, Regulation, 1st of November 2020

Read by freely subscribing other news of the Newsletter MAFR - Law, Compliance, Regulation

Read Marie-Anne Frison-Roche's interview in Actu-juridiques about this decision (in French)

Summary of the news: 

As part of a procedure initiated for anti-competitive behaviors, the European Commission has three times requested, between the 13th of March and the 11th of November 2019, from Facebook the communication of information, reitarated in a decision in May 2020.  

Facebook contests it alleging that the requested documents would contain sensitive personal information that a transmission to the Commission would make accessible to a too broad number of observers, while "the documents requested under the contested decision were identified on the basis of wideranging search terms, (...) there is strong likelihood that many of those documents will not be necessary for the purposes of the Commission’s investigation". 

The contestation therefore evokes the violation of the principles of necessity and proportionality but also of due process because these probatory elements are collected without any protection and used afterwards. Moreover, Facebook invokes what would be the violation of a right to the respect of personal data of its employees whose the emails are transferred. 

The court reminds that the office of the judge is here constraint by the condition of emergency to adopt a temporary measure, acceptable by the way only if there is an imminent and irreversible damage. It underlines that public authorities benefit of a presumption of legality when they act and can obtain and use personal data since this is necessary to their function of public interest. Many allegations of Facebook are rejected as being hypothetical. 

But the Court analyzes the integrality of the evoked principles with regards with the very concrete case. But, crossing these principles and rights in question, the Court estimates that the European Commission did not respect the principle of necessity and proportionality concerning employees' very sensitive data, these demands broadening the circle of information without necessity and in a disproportionate way, since the information is very sensitive (like employees' health, political opinions of third parties, etc.). 

It is therefore appropriate to distinguish among the mass of required documents, for which the same guarantee must be given in a technique of communication than in a technic of inspection, those which are transferable without additional precaution and those which must be subject to an "alternative procedure" because of their nature of very sensitive personal data. 

This "alternative procedure" will take the shape of an examination of documents considered by Facebook as very sensitive and that it will communicate on a separate electronic support, by European Commission's agents, that we cannot a priori suspect to hijack law. This examination will take place in a "virtual data room" with Facebook's attorneys. In case of disagreement between Facebook and the investigators, the dispute could be solved by the director of information, communication and medias of the Directorate-General for Competition of the European Commission. 

___

We can draw three lessons from this ordinance: 

1. This decision shows that Procedural Law and Compliance Law are not opposed. Some often say that Compliance guarantees the efficacy and that Procedure guarantees fundamental rights, the protection of the one must result in the diminution of the guarantee of the other. It is false. As this decision shows it, through the key notion of sensitive personal data protection (heart of Compliance Law) and the care for procedure (equivalence between communication and inspection procedures; contradictory organization of the examination of sensitive personal data), we see once again that two branches of Law express the same care, have the same objective: protecting people. 
2. The judge is able to immediately find an operational solution, proposing "an alternative procedure" axed around the principle of contradictory and conciliating Commision's and Facebook's interests has shown that it was able to bring alternative solutions to the one it suspends the execution, appropriate solution to the situation and which equilibrate the interest of both parties. 
3. The best Ex Ante is the one which anticipate the Ex Post by the pre-constitution of evidence. Thus the firm must be able to prove later the concern that it had for human rights, here of employees, to not being exposed to sanctioning pubic authorities. This Ex Ante probatory culture is required not only from firms but also from public authorities which also have to give justification of their action. 

__________

Full reference: Frison-Roche, M.-A., Conditions for the legality of a platform managed by an American company hosting European health data​: French Conseil d'Etat decision, Newsletter MAFR - Law, Compliance, Regulation, 19th of October 2020

Read by freely subscribing the other news of the Newsletter MAFR - Law, Compliance, Regulation

___

News Summary: In its ordinance of 13th of October 2020, Conseil national du logiciel libre (called Health Data Hub), the Conseil d'Etat (French Administrative Supreme Court) has determined the legal rules governing the possibility to give the management of sensitive data on a platform to a non-europeans firm, through the specific case of the decree and of the contract by which the management of the platform centralizing health data to fight against Covid-19 has been given to the Irish subsidiary of an American firm, Microsoft. 

The Conseil d'Etat used firstly CJEU case law, especially the decision of 16th of July 2020, called Schrems 2, in the light of which it was interpreted and French Law and the contract linking GIP and

The Conseil d'Etat concluded that it was not possible to transfer this data to United-Sates, that the contract could be only interpreted like this and that decree and contract's modifications secured this. But it observed that the risk of obtention by American public authorities was remaining. 

Because public order requires the maintenance of this platform and that it does not exist for the moment other technical solution, the Conseil d'Etat maintained the principle of its management by Microsoft, until a European operator is found. During this, the control by the CNIL (French Data Regulator), whose the observations has been taken into consideration, will be operated. 

We can retain three lessons from this great decision:

• There is a perfect continuum between Ex Ante and Ex Post, because by a referred, the Conseil d'Etat succeed in obtaining an update of the decree, a modification of the contractual clauses by Microsoft and of the words of the Minister in order to, as soon as possible, the platform is managed by an European operator. Thus, because it is Compliance Law, the relevant time of the judge is the future. 
• The Conseil d'Etat put the protection of people at the heart of its reasoning, what is compliant to the definition of Compliance Law. It succeeded to solve the dilemma: either protecting people thanks to the person to fight against the virus, or protecting people by preventing the centralization of data and their captation by American public authorities. Through a "political" decision, that is an action for the future, the Conseil found a provisional solution to protect people against the disease and against the dispossession of their data, requiring that an European solution is found. 
• The Conseil d'Etat emphasized the Court of Justice of The European Union as the alpha and omega of Compliance Law. By interpreting the contract between a GIP (Public interest Group) and an Irish subsidy of an American group only with regards to the case law of the Court of Justice of European Union, the Conseil d'Etat shows that sovereign Europe of Data can be built. And that courts are at the heart of this. 

___________

Read the interview given on this Ordinance Health Data Hub

To go further about the question of Compliance Law concerning health data protection, read the news of 25th of August 2020: The always in expansion "Right to be Forgotten"​: a legitimate Oxymore in Compliance Law built on Information. Example of​ Cancer Survivors Protection 

♾️ follow Marie-Anne Frison-Roche on LinkedIn

♾️ subscribe to the Newsletter MAFR Regulation, Compliance, Law 

____

► Full reference: Frison-Roche, M.-A. (ed.), Pour une Europe de la Compliance, serie "Régulations & Compliance", Dalloz & Journal of Regulation & Compliance, 2019, 124 pages. 

____

 ​read the presentation of the Series in which this book is published 

► Book Summary: This book is written in French. The topic is : "For the Europe of the Compliance".

See below its general presentation in English. 

The political dimension is intrinsic to the Compliance Law. Indeed, compliance mechanisms consist of internalizing in certains companies the obligation to implement goals of general interest set by Public Authorities. These public bodies control the Ex Ante reorganization that implies for these companies and punish Ex Post the possible structural inadequacy of these compagnies, becoming transparent for this purpose. 

This new mode of governance establishes a continuum between Regulation, Supervision, Compliance (book published in 2017) and renew the links between Companies, Regulators and Judges!footnote-1600. 

This political dimension must be increased: the Compliance Law of Compliance must today be used to build Europe.

One can observe not only the construction of the  European Compliance Law, object-by-object, sector-by-sector, purpose-by-purpose, but also the construction of the European Compliance Law that transcends and unifies them. Becoming independent of American Law and ceasing to be in reaction, even on the defensive, the Compliance Law contributes to the European project, offering it a higher ambition, that Europe can carry and, by this way, can carry the Europe itself, not only to preserve the European economy from corruption or money laundering, but by claiming the protection of nature and human beings.

This is why the book describes the "reasons and objectives" of the Europe of the Compliance, which makes it possible to describe, detect and even predict the ways and means.

____

Authors: Thierry Bonneau, Monique Canto-Sperber, Jean-Jacques Daigre, Charles Duchaine, Marie-Anne Frison-Roche, Arnaud de La Cotardière, Koen Lenaerts, Jean-Claude Marin, Didier Martin, Xavier Musca, Pierre Sellal et Pierre Vimont.

Each mention of an author refers to a summary of his contribution. 

Read the book's foreword by Marie-Anne Frison-Roche, translated in English.

Read the working paper written in English by Marie-Anne Frison-Roche, base for her article published in French in the book : What the Law of Compliance can build relying of the European Humanist tradition.

________

La collection Droit & Economie sort son 33ième volume. 

Il est consacré à l'Europe, c'est-à-dire à l'amitié franco-allemande, puisqu'aujourd'hui c'est sur cette amitié-là que l'on peut croire encore à l'Europe.

Si l'on a une vision politique des espaces, alors c'est la notion d'amitié qui doit ressortir.

C'est autour d'elle que Bruno Le Maire a construit sa préface : lire la préface que le ministre de l'économie et des finances a fait à l'ouvrage. 

Référence complète : Rabagny-Lagoa, A., La conformité dans le règlement UE n° 2016/679, du 27 avril 2016, relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, in Petites Affiches, octobre 2018, n°215, pp. 8-14.

Les étudiants de Sciences po peuvent lire l'article via le Drive dans le dossier "MAFR - Régulation & Compliance".

Full reference: European Commission, 18th of July 2018, Decision relating to a proceeding under Article 102 of the Treaty on the Functioning of the European Union and Article 54 of the EEA Agreement, Google Android, Case AT.40099

Read a summary of the decision

Le cycle de conférences Pour une Europe de la compliance débutant le 2 mars 2018 est organisé par le Journal of Regulation & Compliance (JoRC), en collaboration avec l’École d'affaires publiques de l’École d’Affaires Publiques de Sciences po (Paris), le Département d’Économie de Sciences po,,École de Droit de l'Université Panthéon-Sorbonne (Paris I), l’École doctorale de Droit privé de l'Université Panthéon-Assas (Paris II) et les Éditions Dalloz.

__________

Consulter la présentation générale du cycle

Consulter la liste des conférenciers.

Consulter les informations relatives aux conférences :

Consulter la manifestation publique du 2 mars 2018.

Consulter la manifestation publique du 12 avril 2018.

Consulter la manifestation publique du 30 mai 2018.

Consulter la manifestation publique du 7 juin 2018.

Consulter la manifestation publique du 6 septembre 2018.

Consulter la manifestation publique du 4 octobre 2018.

Consulter la manifestation publique du 15 novembre 2018.

Consulter la manifestation publique du 13 décembre 2018.

Référence complète : M., Mezaguer, Approche transactionnelle et garanties procédurales en droit antitrust de l'Union européenne in Revue de l'Union européenne, n° 389, 2015, p. 353.

Les étudiants de Sciences-Po peuvent lire l'article via le drive " MAFR – Régulation & Compliance "

Full reference: European Parliament and European Council, Regulation (EU) No 596/2014 of 16 April 2014 on market abuse (market abuse regulation) and repealing Directive 2003/6/EC of the European Parliament and of the Council and Commission Directives 2003/124/EC, 2003/125/EC and 2004/72/EC

Read the regulation