Legal Update in France – January 2015
IT law ｜ The protection of French websites against cyber-attacks
Employment law ｜ Professional training ｜ Personal training account: Are you ready ?
To download the full version of Newsletter N°50 here
New regulations applicable to terms and conditions
Terms and conditions shall indicate the amount of the lump indemnity due to the creditor for collection fees, regardless of the importance of the damage actually suffered, should the payment intervene after the due date specified in the invoice. The absence of such mention shall be punished by a 15,000-euro fine.
The implementing decree of October 2nd 2012 has specified a 40-euro amount for such lump indemnity. However, should the collection fees exceed such amount, the creditor may provide justifications in order to obtain additional indemnification.
Invoices must also specify the amount of such lump indemnity and the applicable late penalty rate. The absence of any of these mentions may be punished by a fine in an amount of 75,000 euros, which may be raised up to 50% of the total sum that has been or should have been charged.
Exceptional contribution on French assets
The second 2012 amended Finance Act provides for an exceptional contribution on French net assets due by individuals subject to French wealth tax (ISF) in 2012.
This exceptional contribution is:
– based on net assets as determined for 2012 French wealth tax;
– computed with respect to wealth tax brackets applied in 2011;
– decreased by 2012 French wealth tax as calculated before any offset of tax reductions with respect to family burden, investment in SMEs or donations.
The payment of this contribution differs depending on the net taxable value of the assets:
- Taxpayers whose net taxable asset is between 1.300.000 euros and 3.000.000 euros:
Receipt of a French wealth tax notice indicating exceptional contribution due without necessity to file a new wealth tax return and under which payment is to be made no later than November 15, 2012.
- Taxpayers whose net taxable asset is higher than or equal to 3.000.000 euros:
Receipt at the very beginning of October 2012 of a new wealth tax return to be filed, with French tax authorities and under which payment is to be made no later than November 15, 2012.
Writers : Tax team headed by Régis BERNARD.
The strict regulation applicable to the notification of unlawful contents to web-hosting providers under French law
Pursuant to Article 6 of Law No. 2004-575 of June 21st, 2004 on confidence in the digital economy (commonly known as the LCEN and hereinafter referred to as such), web-hosting providers may not be held liable for contents they host, unless they had knowledge of the illicit nature of such contents, or of any facts or circumstances making such nature obvious, or if they did not act promptly to remove (or prevent access to) such contents following the discovery of their unlawful nature.
In a decision dated February 17th, 2011, the Cour de cassation (French Supreme Court) required that courts examining a notice of unlawful contents check whether “such notice issued pursuant to (the LCEN) does contain all information required under the aforementioned law”.
The case under consideration was referred to the Bordeaux Court of Appeal, which delivered a decision that closely followed the Cour de cassation’s ruling, very pedagogically quoting the entire Article 6-I-5 of the LCEN.
Deeming that a letter sent by the claimant’s legal counsel to the web-hosting provider simply stating “I am Mr X’s counsel” does not meet the legal informational requirements, the Court of Appeal concluded that “the presumption of knowledge of unlawful contents (…) is not applicable to the company (being sued)”.
Website hosts and users should thus be aware that the completeness of the information required under the LCEN must be regarded as a condition for the validity of content notifications.
A new addition to the IT service providers’ duty to advise
Cour d’appel de Rouen, 9 mars 2011, Carr Oceans c. Lynx Concept
Cour d’appel de Paris, 16 mars 2012, Uzik c. Moralotop
The IT service providers’ duty to advise has been progressively shaped by French case law and usually consists of three obligations: a general duty to inform, a duty to advise its client as regards the choice of an IT solution and a duty to warn its client about the potential consequences of such choice. Meanwhile, the client is bound by a duty to collaborate with its provider, pursuant to which it shall precisely define its own needs.
Outlining the scope of these obligations and distinguishing between the client and the provider’s liabilities may prove difficult. A rich case law has thus developed itself on a case-by-case basis, taking into account various elements, such as the client’s technical knowledge and skills or the standard or customized nature of the IT solution.
In this context, judges have sometimes given a central importance to the existence of client-elaborated specifications, by considering that the provision of such specifications directly resulted in the fulfillment of the client’s duty to collaborate. The courts have also stated that, under such circumstances, the provider is not bound to verify whether its solution meets its client’s actual needs, so long as it provides its client with a solution that complies with the requirements defined in the client’s specifications.
Some decisions from the Cour de cassation have thus affirmed that the client shall be regarded as solely liable for any malfunctions resulting from imprecisions or inaccuracies in its specifications and that the provider shall not be held liable provided that it had verified its solution’s compliance with such specifications (Com., May 11th, 1999, n°96-16322; Civ. 1ère, October 2nd, 2001, n°99-16329).
Meanwhile, the Cour de cassation has however reinforced the provider’s duty to inform and advise those of its clients that have not defined specifications on their own, by requiring the provider to analyze such client’s needs in order to provide it with a suitable solution (Com., May 15th, 2001, n°98-18603; Com., February 19th, 2002, n°99-15722).
Two recent rulings by French Cours d’appel seem to further extend the scope of the IT service providers’ duties towards their clients, in the presence of client-elaborated specifications.
In a ruling dated March 9th, 2011, the Cour d’appel of Rouen deemed that an inexperienced client should not be considered in breach of its duty to collaborate merely because the specifications it communicated to its provider appeared imprecise. Indeed, according to this decision, the provider should have requested any additional information it needed from its client in order to allow such client to make its choice with a full knowledge of the facts. In the court’s opinion, if the provider deemed that its client’s needs were insufficiently documented, “it was the provider’s responsibility, in order to properly understand them, to request any necessary clarification from its client in the course of the negotiations”. As a result, in this case, the court found the provider in breach of its duty to advise.
In a ruling dated March 16th, 2012, following the same trend, the Cour d’appel of Paris stated that a provider’s duty to warn includes an obligation to alert its client whenever requirements defined in such client’s specifications appear impossible to achieve. In this respect, the court reproached the provider with the unilateral termination of the fixed-term contract it had passed with its client, whereas it should have foreseen its inability to perform the project and to meet its client’s specific needs from the get-go, upon reading the specifications. In that case, the judges therefore concluded that the provider was in breach of its duty to warn.
In light of these rulings, it appears that providers must now assist their clients in the drafting of specifications, especially if the client has limited technical skills. If the client does not define its needs precisely enough, it shall be the provider’s duty to ask for their development; if the client defines needs that are impossible to satisfy, it shall be the provider’s duty to bring them back in line with reality.
From now on, IT service providers should systematically proceed to a complete audit of their clients’ requests before providing them with any service, so as to be in a position to express any warning or recommendation that may appear necessary in regard of any potential inaccuracies in their clients’ specifications.
Web hosting service providers do not have to retain and to supply the authorities with a user’s password
Pursuant to the Law for Trust in the Digital Economy of June 21, 2004, service providers that provide access to online communication services or that store information provided by users of such services, shall hold and retain any kind of data that is likely to help identify a person who has contributed to creating the content of the services.
The main purpose of this obligation is to allow the communication of such data to the judicial authorities.
A decree published on March 30, 2012 has restricted the login information that web hosting service providers must retain: they shall now only retain data that allows a user to check or to change his password, but not the password itself. In practice, the decree is aimed at retaining and supplying the authorities with secret questions and answers relating to a user’s account.
This text does not meet the expectations of the Conseil National du Numérique (CNN), which advised the Government, in an opinion dated November 21, 2011, to suppress the obligation to retain any kind of data relating to passwords, including data that allows a user to check or to change his password.
The CNN pointed out that such an obligation would result in the retention of sensitive data in a non-encrypted form, and that supplying the judicial authorities with such data would violate one’s privacy rights, as the information collected by web hosting service providers (notably through the secret questions and answers) is not necessarily data that is likely to help identify a person.
The combinaison of personal data across databases in light of the recent discussions between the Article 29 Working Party, the CNIL and Google
On January 24th 2012, Google announced the harmonization of the privacy policies governing its various services, which shall allow the company to track users as they move from one service to another. Indeed, since March 1st 2012, every Google service shares and combines the data it collects regarding each user with the data already collected by other Google services.
This new policy was introduced by Google as a mere optimization of its services, but it still caught the attention of the Article 29 Working Party, a European body gathering the various data protection authorities of the EU, such as the French CNIL.
The CNIL concludes its letter by indicating that it intends to send Google a full questionnaire regarding this matter before the end of mid-March 2012, in order to bring the necessary light onto Google’s new policies, and by calling the company for a pause in their implementation.
This matter gave the Article 29 Working Party and the CNIL an opportunity to clarify the rules applicable to the combination of personal data across distinct services under European law.
A few tips regarding the combination of personal data across distinct services
Such combinations are not illegal per se, but they must not result in an infringement of the rights of the concerned users on their personal data.
Instead of implementing a policy that would be indistinctly applicable to any and all services, the Article 29 Working Party recommends to the concerned companies the use of a multi-layered approach, with a general-purposes short notice as first layer and more detailed second and third layers, which would focus on each service individually.
European law and the preventive filtering of social networks
A ruling of the Court of Justice of the European Union, dated February 16th 2012, in response to a preliminary question referred by a Belgian Court, has confirmed that directive 2000/31/EC, commonly known as the Directive on electronic commerce, “Member States are prevented from imposing a monitoring obligation on service providers only with respect to obligations of a general nature ”.
Thus, social network operators may not be forced to implement information filtering systems aiming at preventing the publication of illegal contents by users.
In the Court’s opinion, implementing such duty would result in imposing a general obligation to monitor information on hosting service providers, which would constitute a serious infringement on the providers’ freedom to conduct business, as they would be compelled to install complex, costly and permanent computer systems at their own expense.
This decision is also based on two other legal grounds, whose invocation is more unusual in disputes regarding the liability of hosting providers. The Court underlines that the effects of an injunction imposing the implementation of a filtering system would not be limited to the hosting service provider: such filtering system may also infringe on the users’ fundamental rights, namely their right to protection of their personal data and their freedom to receive or impart information, which are both safeguarded by the Charter of fundamental rights of the European Union.
On the one hand, such filtering system would require the identification, systematic analysis and processing of data relating to the user profiles created on the social network, whereas such information is to be regarded as personal data as it allows the identification of the concerned users.
On the other hand, such filtering system would also undermine freedom of information, since the distinction between unlawful contents and lawful contents operated by the system may prove unreliable. Lawful communications could thus be inconsiderately blocked.
This preliminary ruling by the Court of Justice of the European Union thus prevents national judges from issuing orders that would force service providers to introduce general filtering systems, as it deems that such systems which would not be in line with the requirement for a fair balance between intellectual property rights, on the one hand, and the freedom to conduct business, the protection of personal data and the freedom to receive or impart information, on the other hand.
Yet another decision from a French court deems the operation of vertical search engines legally valid
Unlike mainstream search engines such as Google or Bing, vertical search engines focus on a specific industry or type of content and only index websites and databases dedicated to the selected theme. As vertical search engines and the websites they index are targeting the same audience, the editors of several indexed websites have initiated legal action to find out if such search engines are indeed legal.
In early 2011, a decision from the Tribunal de Grande Instance of Paris (TGI Paris, 3ème chambre, 1ère section, Adenclassifieds v. Solus Immo, February 1st, 2011) had warmly welcomed these search engines of a new kind, ruling that their operation shall be considered an indexation rather than an illicit data-mining.
Another ruling delivered by the same court (TGI Paris, 3rd chamber, 4th section, Pressimmo on Line v. Solus Immo, Yakaz, Gloobot, January 26th, 2011) recently confirmed this distinction, while providing further details regarding its scope. In that case, Pressimmo on Line, the editor of a classified real-estate ads website called www.seloger.com, filed a lawsuit against three different companies whose search engines were indexing its contents, on grounds of copyright infringement, unfair competition and parasitism.
Although the court agrees that the contents of www.seloger.com do constitute a database, it however deems that “the sole pooling of classified real-estate ads by Pressimmo on Line (…) does not constitute acts of creation, verification or presentation of the contents of the database”. In the absence of sufficient elements to determine the importance of the company’s contribution to the database, the court refused to acknowledge it as its producer, thus preventing it from successfully bringing a copyright infringement claim.
The court also noted that the most important piece of information contained in each ad – the seller’s contact information – is not displayed by the search engines. Any user interested in an ad is thus referred to the original website. In addition, the court insists on the fact that simple methods could have prevented the crawler robots used by search engines from accessing and indexing the website. On this basis, the court confirms that the defendants’ websites are to be considered search engines and do not, as such, qualify as competitors of www.seloger.com. As a consequence, the court also dismisses the unfair competition claim.
Finally, after establishing that the operation of the search engines consists in an indexation – rather than in the data-mining – of third parties’ websites and that any interested user is required to refer to the original website, the court deems that such facts do not constitute a case of parasitism either.
This new ruling may thus be seen as a confirmation of the favorable inclination that recent case law has shown towards vertical search engines.