NEWSLETTER No 36 // Thursday 23 February  2023
Edito
THE DIGITAL SERVICES ACT: the new legal landscape for Internet intermediaries 
This month, La Lettre du DPO interviewed Romain Darfeuille (Head of Legal of Bedrock), and Oscar Lourdin (DPO of Bedrock). Bedrock designs and manages high-performance streaming services, which it provides principally to SVOD platform operators. 

They have provided La Lettre du DPO with their views on this new Regulation, certain provisions of which have already entered into force, and the rest of which will do so in February 2024, i.e. in less than 12 months’ time, which will come around very quickly bearing in mind the scale of the changes that certain companies need to make, particularly all those operating online platforms. 

 
The liberal ideology of the Internet in its infancy has had its day. Launched by Anglo-Saxon entrepreneurs with very liberal, even - for some - libertarian ideas, the Internet, the network of networks, has developed and prospered up to now by responding to a logic that is non-directive and unfavourable to regulation. 

It is from this logic that the major founding texts of Internet law derive, first and foremost Directive 2000/31/EC of 8 June 2000, which established the cardinal principle of reduced liability for technical intermediaries of the Internet (access providers, hosts, etc.), a reduced liability the scope of which has been extended to operators who are sometimes far removed from a “technical” service and who have become unavoidable, and therefore powerful, in the digital space: i.e. the Internet platforms. 

This turn, taken by an Internet that has become commercial and follows a logic of attracting traffic with, in some cases, increasingly addictive content, has shaped a landscape that, more than two decades later, shows some disturbing features: the digital space is today massively dominated by a small number of large platform operators who have built economic empires by exploiting their users’ data, often on the basis of a misunderstanding, since users were hardly aware of this exploitation and its consequences, namely the extreme exposure of their private lives and, above all, the oriented, even manipulative nature of certain content offered according to parameters that are hidden or, at best, ambiguously described. 

The very low level of investment by the public authorities (which have failed to allocate sufficient police and judicial resources) to ensure effective compliance with common law in this digital space (respect for privacy, consumers, intellectual property, undistorted competition, etc.) has led to a certain level of mistrust, particularly in the wake of scandals, some of which have shown that operators such as the major social networks could be the vector for the propagation of hateful, manipulative or simply illegal content, likely to jeopardise the serenity of public debate or to destabilise democracy. 

For this reason, it seemed urgent to make all Internet intermediaries accountable, by imposing obligations of vigilance “upstream”, in order to limit the harmful effects, “downstream”, of a digital space that is left open to excessive freedom. 

The DSA: a twin text of the DMA, and part of a European strategy. Favouring new "ex ante" obligations, in addition to the "ex post" measures already provided for in positive law, the Community legislator has adopted, one after the other, two texts: Regulation n° 2022/1925 of 14/10/2022, known as the Digital Markets Act (DMA), and Regulation n° 2022/2065 of 19/10/2022, known as the Digital Services Act (DSA). 

The first imposes new obligations on the digital giants which, through their economic supremacy (defined by means of thresholds), play the role of “gatekeeper”. The second imposes new obligations on all “intermediary service providers”, a category that is broader than the previous one (as it is not subject to any threshold) and includes, in particular, data forwarders, hosting providers, platforms (including intermediation platforms) and search engines.

Entry into force: two dates to remember! The DSA will apply from 17 February 2024, except for certain provisions that have been in force since 16 November 2022. 

Among these early application provisions are those obliging online platform providers to (i) publish, by 17 February 2023 and at least every six months thereafter, information on the monthly average of active recipients of the service in the Union, and (ii) communicate such information to the authority responsible for compliance with this Regulation in the Member State of establishment (the “Digital Services Coordinator”) and to the European Commission, at their request and without undue delay. 

Enjoy your read!

Matthieu Bourgeois and Laurent Badiane, partners in charge of the Intellectual Property and Digital Law Team. 

Interview
“This desire for regulation is to be welcomed, provided however that the resulting obligations for the players concerned remain proportionate” 
Charlotte de Dreuzy (VP Legal and Public Affairs at ManoMano, the French DIY marketplace unicorn) is a former lawyer specialising in digital law. For La Lettre du DPO, she goes back in detail over her career and provides her vision on the challenges of the Digital Services Act (“DSA”) for players in the digital economy.  
1/- What is your background and what led you to take an interest in digital law and personal data?
 
I have a Master’s degree in general private law from the University of Nanterre (option: literary and artistic property and media law), as well as in media management from Sciences Po Rennes. I started my career in press law by doing various internships in a firm specialised in this field, and in the print media department of Lagardère Active.

At the end of the internship, I was hired as a lawyer, keen to work on legal matters related to print media. In parallel with my professional activities, I was called to the Bar in 2011. The opportunity arose (also the necessity – due to the decline of print media) for me to turn to digital law by moving to a new position at Lagardère, involving the management of all the pure players that had been bought by the group, in particular platforms such as billetreduc.com, comparison sites and content provider sites such as doctissimo.com.

It was in this context that I began to develop a solid expertise in digital law, with in-depth knowledge of the world of start-ups. At the time, I also managed legal issues for a platform of the Lagardère group selling medicinal products, before joining a niche firm in eHealth law. Within that firm, from 2013 to 2016, I was in charge of consumer/competition law, IP/IT and data protection issues. I later joined the IP/IT department of KGA Avocats, and then a niche IT firm. During that period, the implementation of the GDPR for clients occupied most of my time.

In parallel, I had a personal clientele consisting mainly of intermediation platforms. So I have really worked in the world of platforms throughout my professional life. In March 2018, I joined ManoMano as a legal manager, initially to deal with GDPR compliance.

 
2/- What are your responsibilities and the tasks you carry out, in particular at the moment?

 I am VP Legal and Public Affairs at ManoMano, a French platform created in 2013 which has a marketplace activity specialised in interior and exterior home furnishing (with both a B2B and a B2C marketplace). Today, the platform has 5 000 suppliers and 7 000 000 active customers.

ManoMano is present in Spain, Italy, Germany, the United Kingdom, France and Belgium. When I arrived in 2018, there was neither a legal department nor a public affairs department. So I created them both. I currently manage a team of 12 lawyers who deal with all subjects (corporate, real estate, insurance, IP/IT, compliance), except employment law which is managed by the HR department. I also have a person under my responsibility who deals with issues related to public affairs.

I was DPO for a long time before handing over the position to a member of my team who has followed personal data issues with me since the beginning. There is also a tech DPO who works with the tech and security team. We therefore work in tandem on personal data issues. Generally speaking, our activity is quite dense because we are constantly growing and developing new services.

This year, our attention is focused on the deployment of new regulations that have a strong impact on marketplaces, including, of course, the DSA, which will involve the mobilisation of all our teams, the general product safety regulation and the loi AGEC (anti-gaspillage pour une économie circulaire) (anti-waste and circular economy law), the implementation of which we have already begun.



3/- What is your vision on the future of digital law and the players in the digital economy?

The marketplace activity is starting to become a regulated activity. In recent years, we have seen an increase in the number of texts aimed at further regulating the activity of platforms. In this respect, the so-called “Platform to Business” regulation, which came into force on 12 July 2020, regulates the relationship between marketplaces and sellers. There is now the DSA, which clarifies the liability regime without overhauling it.

The DSA nevertheless creates new obligations for marketplaces. This desire for regulation is to be welcomed, provided however that the resulting obligations for the players concerned remain proportionate. It is indeed very complicated for emerging players to find the right balance between growth and compliance. This is even more true in the sluggish economic context from which tech companies are suffering.

Companies are always keen to comply with the relevant regulations, but this requires significant financial and technological investment, and human resources. In some ways, the larger players have a competitive advantage, as, for them, the investment required may appear to be of lesser importance. They can also anticipate and benefit from the services of consultants and lobbyists well in advance of the actual application of the texts.

The key point is that there should be real vigilance on the proportionality of obligations. If we take the example of the DSA, the status of “very large platforms” has been created, implying increased obligations (particularly in terms of reporting and auditing), which is a laudable intention. However, the law remains unclear on the calculation method to be used to define the threshold at which a platform should be considered as being very large.
To end on a positive note, I think that what is useful and relevant in the DSA is the incentive for marketplaces to develop proactive measures to combat the presence of counterfeit, illicit and dangerous products, while maintaining the regime of limited responsibility. This is a good way to encourage them to do so.

 
Practical Guidance
Increased transparency that goes beyond the interface 
Bedrock is a joint venture formed by Groupe M6 and RTL Group (Bertelsmann). It designs and manages high-performance streaming services, provided principally to SVOD (subscription video on demand) platform operators. Thanks to its state-of-the-art, secure, and scalable technology, Bedrock is renowned for being able to absorb record traffic peaks, such as those that characterise the high-audience sports events broadcast by its customers. Romain Darfeuille and Oscar Lourdin, respectively Bedrock’s Head of Legal and DPO, have agreed to share with La Lettre du DPO their views on the DSA, which will apply to most of Bedrock’s customers. 

The DSA requires platforms to make substantial changes to their interface. 

“Essentially, this text imposes new obligations on online platform operators (representing most of our customers) that will impact their interface: 

 
  • firstly, to designate and make known the identity and contact details of single points of contact (one for public authorities and another for users of their service); 
  • then, to provide further details in their general terms and conditions (in particular concerning restrictions on the use of their service, moderation measures, how the algorithms work, etc.); 
  • also, the obligation to publish at least annually a so-called ‘transparency report’ (indicating retrospectively the events and actions taken concerning the moderation of content on the platform, the average monthly number of active users, etc.); 
  • further, the obligation to provide their users with access to a complaints handling system; 
  • lastly, the obligation to work together with a certified out-of-court dispute settlement body, and publishing, on their online interface, the information enabling their users to have access thereto. 

All these new obligations of increased transparency, which seemingly force platform operators to modify essentially their interface (i.e. the ‘visible’ part, for users, in which their services are presented), will in reality imply a partial rethinking of the ergonomics of their services and will also be an opportunity for such operators to reconsider their policy in terms of the choice of content put forward, their economic model, their management of complaints... Because revealing these facets of their services, which until now have not been given much prominence, will perhaps push them into providing more guarantees in terms of complaint responses, or even personal data protection (which is sometimes undermined by free business models).” 

The DSA also involves developing new internal resources to deal effectively with complaints and illegal content. 

“Platform operators will have to combine their ergonomic development with a clear strengthening of their complaints and illegal content management system, since the DSA requires them, for example, to acknowledge receipt of all notifications of illegal content that they receive and then, in the event of a response restricting or suspending access to a content or service, to explain the precise reasons therefor. 

It is thus not possible to resort excessively, as some operators may do to reduce their costs, to artificial intelligence devices, entrusting them with the management of complaints and content removal. It will be necessary to involve more staff dedicated to such tasks, and who will need to be qualified because the DSA requires a ‘case-by-case’ assessment and ‘taking into account the relevant facts and circumstances’ (Art. 23, §3), which prohibits automatic response devices depending on the pre-drafted texts for such cases.” 

 
UPDATE
Tendencies
CNIL sanctions in 2022: platforms particularly sanctioned for non-compliance with the cookie regulations
In 2022, the CNIL issued 21 sanctions, 13 of which were made public, for a total amount of over €100 million. The largest sanctions concern platforms, including Microsoft (60 million euros), Apple (8 million euros), TikTok (5 million euros) and Voodoo (3 million euros). The main issue at stake is the failure of GAFAMs to comply with their obligations to provide information and to obtain the necessary consent for placing and reading cookies, trackers and identifiers used for advertising purposes. The sanctions are not limited to the digital giants, since the CNIL has used the new simplified sanction procedure to impose fines of between 5,000 and 15,000 euros on doctors or a university, for example. Most of these sanctions were imposed as a result of complaints received by the CNIL. It also issued 147 formal notices, confirming the strong increase in the use of this injunction power observed in 2021.
 
NEWS FLASH
Sanction of TIKTOK and VOODOO: the CNIL continues its controls on cookie management. 
The CNIL started the year by announcing two significant sanctions, signalling its intention to keep pursuing poor cookie management, the analysis of which often reveals one or more breaches of Article 82 of the French Data Protection Act. In its first decision, of 29 December 2022, the CNIL sanctioned the social network TIKTOK for a total amount of 5 million euros, on the one hand for lack of information (the purposes of the cookies not being precisely defined in either of the two levels of information) and, on the other hand, for failing to collect valid consent, as users of "tiktok.com" could not refuse cookies as easily as they could accept them. In its second decision, the CNIL fined VOODOO, a publisher of smartphone games, 3 million euros for using an essentially technical identifier (IDFV) to display advertising without the user's consent. The CNIL took the opportunity to point out that the IDFV (an identifier made available to publishers by APPLE and used to track the use of their applications by users) falls within the scope of Article 82 of the French Data Protection Act, and that its consistent position on the matter cannot be debated, since its guidelines of 17 September 2020 concerned, "in particular, [...] identifiers generated by operating systems (whether advertising or not: IDFA, IDFV, Android ID, etc.) [...]". The CNIL also cuts short any debate about the stability of the legal framework for trackers, recalling that "the wording of Article 82 of the French Data Protection Act has not been amended since 2011, apart from replacing the word "agreement" with "consent" and changing the numbering of the article following the rewriting of the Act by Order No. 2018-1125 of 12 December 2018". 
The right of the data subject to obtain the exact recipients of his data: the CJEU advocates transparency 
On 12 January 2023, the Court of Justice ruled on the interpretation of Article 15(1)(c) of the GDPR relating to the right of access (which states that the data subject may obtain "(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, [...]"). The question arose as to whether this provision, as drafted, grants the controller a discretionary choice as to the information it intends to communicate to the data subject or whether, on the contrary, the data subject is entitled to demand the exact and complete list of these recipients, insofar as this article relates to the scope of a right he has. After clarifying that this provision does not establish any order of priority between the terms 'recipients' and 'categories of recipients', the CJEU favours the interests of the data subject and holds that the right of access means that the data subject must obtain the list (and therefore the identity) of the recipients when the controller discloses his data to recipients. While the Court refrains from commenting on a possible parallel with Article 13(1)(e) of the GDPR, one may wonder whether this interpretation could be transposed to it. This is doubtful, although in practice it is strongly recommended that controllers indicate, at the stage of informing data subjects, the exact list of recipients once they are aware of them, and that they update this information for each new agreement concluded with a new service provider.
 
Agenda
Tuesday 4 April 2023, from 11am to 12pm
CNIL Webinar “Evolution of the rules governing cookies and other trackers: assessment and prospects” 
This webinar will be an opportunity for the CNIL to review the rules on cookies and other trackers, and the recurring breaches that were severely sanctioned by the authority in 2022. 

It will also discuss new practices, which may include "cookie walls" and "paywalls", the practice of a cookie banner that allows access to the site and its consultation only after acceptance of the processing of cookies for targeted advertising purposes or, failing that, after payment of a subscription.  

Registration opens on 23 March (places are limited).

 
The Intellectual Property and Digital Law Team at klein • wenner
 
Fortified by in-depth experience, klein • wenner's attorneys in the Intellectual Property and Digital Law Team, who are experts in the digital sector and in GDPR, have developed a transversal practice unique in the area of data law.  We work with other experts (in cybersecurity, SI/data governance and other areas), and  our team offers a global, cooperative approach to all issues relating to data (privacy, intellectual property, cybersecurity and open data - *with klein • wenner's Public Law team).
La Lettre du DPO is a publication of klein • wenner which processes your data in accordance with the regulation regarding personal data.