30 November 2021

Conferences

Legal Focus: Compliance Ex Ante, in Toward Automated Compliance in the Data Economy

by Marie-Anne Frison-Roche

► Full reference: Frison-Roche, M.-A., Legal Focus: Compliance Ex Ante, in GAIA-X, Toward Automated Compliance in the Data Economy, 20 November 2021, online.

____


Read the full programme of the conference (in English).

Listen to the talk.


Summary of the talk: Compliance Law has two senses, and GAIA-X is a perfect illustration. Firstly, to respect rules and to show this respect permanently, Ex Ante (procedural definition); secondly, to pursue certain specific "Monumental Goals" (substantial definition).

In this second sense, Compliance Law is very different from Competition Law: it requires Ex Ante collaboration, transparency and stability to reach these Monumental Goals around the respect and protection of Humans, while Competition Law is based on rivalry, mobility and trade without any Ex Ante obligation, with only an Ex Post sanction if a prohibited behaviour occurs.

GAIA-X is based on Compliance Law, established for the purpose of a European Data Industry, a Monumental Goal linked to Sovereignty and people's protection: it must structurally oblige its members to collaborate toward this goal, notably through its policy rules (first sense).

It is also a part and a subject of European Union Law. In this sense, its members must obey the European Regulatory system (second sense).

Both are closely linked, because the European legal system has the same purposes of sovereignty, internalisation of goals in enterprises and protection of individuals (GDPR, Cybersecurity, Digital Services Regulation, etc.): members must show permanently that they do it actively.

Because the purposes of GAIA-X and the purposes of European Union Law are now the same, in Compliance Law the respect of the letter of the Law matters, but so does the respect of the spirit of the Law.

Both are Ex Ante. Therefore, Compliance by design, which is also Ex Ante, is adequate.


Automated Compliance (and automated Certification) are tools to obey and reach the Monumental Goal.

The GDPR has specific provisions (Articles 24 and 42) about them, but more generally the efficiency of these tools is validated by Regulatory Bodies and Courts, notably through the design of Smart Contracts.

It could be prudent to add some human Compliance control because, by definition, an Automated Compliance is just the technological transposition (second level) of a legal norm (first level) and cannot create new norms.

This is why the most important point in this Ex Ante conception of Compliance, through this marriage between Law and Technology, is to keep in mind not only the letters put into the algorithms but also the spirit of Compliance Law.

______


But Europe has changed, because the European Union wants to protect not only economic freedom but also people directly, and wants to organise a legal framework in favour of a European industrial dynamic. In order to obtain it, Europe gives this charge not only to administrative and judicial bodies Ex Post but also to entities (essentially enterprises) Ex Ante.

This is why a new branch of Law, Compliance Law, has been created.

This branch of Law takes its definition from its Goals, which are "monumental": for instance the prevention of systemic risk (banking and financial Compliance), the prevention of a systemic environmental crisis (climate change Compliance), the protection of privacy (GDPR), the construction of Information sovereignty, or the construction of cybersecurity.

The substantial principles of Compliance Law are made not only by the European Parliament and the Commission but also by the Court of Justice; they have given many subjective rights to people: for instance the right to be forgotten (created by the Court) or the right to portability.

The charge of the effectivity of these new rules and new rights has been given directly to the enterprises, which must "do it". In short, Competition Law asks administrations and courts to sanction Ex Post the enterprises which did not respect free competition. Compliance Law asks private entities not only to respect legal rules effectively but also to help public bodies to concretise personal data protection, cybersecurity, transparency, Information removal, etc.


Therefore today, European Union Law has two pillars: one Ex Post, Competition Law (with the purpose of a free market), and the other Ex Ante, Compliance Law (with the purpose of these Monumental Goals).

European and National courts and regulatory bodies apply both: the rules of Competition Law and those of Compliance Law.

But these rules are not the same.

Firstly, because their purposes are not the same: here we can see that Compliance Law is more about protecting Innovation and the people concerned by Innovation. European Law is building Compliance Law, and GAIA-X is an example of this new way for Europe to help and control innovation.

Secondly, because the charge of concretising Competition Law is given to public bodies, while the charge of concretising Compliance Law is given to private bodies.


When an entity is built on Data, such as GAIA-X, it is organised Ex Ante by Compliance Law in the two senses of Compliance.

Indeed, in a substantial definition, as a set of Ex Ante Rules to reach this monumental goal of a European Sovereign Industry of Data, Compliance gives the legal spirit of GAIA-X. It is very important to keep that in mind in order to apply the rules governing the application of GAIA-X's rules to its members.

But also, in a more mechanical sense, every member of GAIA-X must concretise the effectivity of the regulatory rules of European Compliance Law on Data and show it Ex Ante.


------------------


Legally, GAIA-X is built on its "Policy Rules" and Standards, a framework written by the governance entity of GAIA-X.

The term "Compliance" is used very often. It is used in its first meaning: to obey.

Indeed, in this legal document it expresses this sense of Compliance Law: the obligation for every member of GAIA-X to respect all the regulatory rules and standards of these policy rules.

It is more mechanical, but it is also an Ex Ante obligation, and these two senses are closely linked.

Because the obligation to respect what is written in this document is the "letter" of the Law, and the reason why every member of GAIA-X must comply, i.e. the "monumental goal" of a European sovereign data industry, is the "spirit" of the Law.

The document, as it is written, "is of paramount importance": why? For two articulated reasons, because all the principles it declares are required for two purposes (this is why the obligations are Ex Ante):

  • The legal obligation is specific to GAIA-X, corresponding to the purpose of GAIA-X: building a sovereign European Data Infrastructure. In this sense, these Policy Rules express the Identity of GAIA-X itself, and GAIA-X is not only an economic and technological ecosystem but also a legal ecosystem, articulating data building, cybersecurity and the protection of individuals.
  • The legal obligation is also necessary because GAIA-X is inside the European legal system, and every GAIA-X member must comply with the more general European Compliance legal framework itself: therefore, the Policy Rules internalise many European Regulations, such as the GDPR and the texts on Cybersecurity or on digital services.


This is why, if any entity asks to enter GAIA-X or wants to remain in GAIA-X, it must comply with these policy rules, because legally GAIA-X is an association created to concretise this "Monumental Goal" of a European sovereign Data Industry; this is also a very efficient Ex Ante way to increase the effectivity of European Law.


What is the legal place of "automated Compliance" or Compliance by design?

Automated Compliance, or Compliance by Design, is very efficient, because it is also an Ex Ante conception of the respect of rules.

It is a sort of happy marriage between Law and Technology.

This quite new tool is central, not only for the application of the GDPR (Article 24, referring to the necessity of implementing technology to ensure the effective protection of personal data in the technical design, through "Compliance by design") and the legal use of personal data, but more generally.

The idea of automated Compliance is to inject algorithms that block everything which could be against the legal requirements of Compliance Law, and to implement Compliance requirements directly into the structures and behaviours of enterprises, for instance into "smart contracts".

The European and National Regulatory bodies are in favour of Compliance by design, provided that the creation of technological tools by firms is only about the implementation of rules, not about the substance of the rules themselves.

The distinction between the rules (first level) and the technical implementation of the rules (second level) is not that easy; it may not be easy to understand the sense of the rules to be applied; and it might be wise to organise some Compliance controls made by humans, in addition to automated compliance.

But the existence of automated Compliance offers proof that the entity using it respects the rules required in the "policy rules" (to take our example).

It is certain that the tools of automated Compliance constitute a sort of pre-constituted proof of Compliance, which the legal technique of "certification" may strengthen (for example GDPR Article 42).

The evidentiary system is always a question of the degree of binding force. For instance, self-declaration is a less performant evidentiary technique than a combination of automated compliance and a compliance control done by humans.

A permanent compliance control done by humans is always the best, because humans understand not only the Letter of Regulatory obligations but also their Spirit, and can really express what Courts and Legislation say.

In the end, it is always the Judge who will assess not only the mechanical application of regulations but, more importantly, their spirit: in Europe, the purpose of building a data industry for human beings and in respect of them.

In this sense, in the technological construction of automated Compliance by Design, letter by letter of every regulation, it is very important to keep in mind the Monumental Goal of GAIA-X, which is the same as the Monumental Goal of the European Regulatory system, such as the GDPR or Cybersecurity: people's Information and people's protection. If two solutions are in balance, the design must prefer the solution serving this goal rather than the solution against it or the neutral solution.

_____


Listen to the previous talk on the adequacy of Compliance Law for GAIA-X (November 2020).
