Wednesday, December 16, 2015

Software license audits challenged in French court


Software vendors (licensors) have increased the number of software license audits over the past few years to chase intellectual property infringement through illegal use of software. Infringing users (licensees) are required to pay additional licensing fees or else they will be sued. Even if the user is duly licensed to use the software, only limited rights are granted by the licensors. The purpose of license audits is to ensure that the licensee complies with the rights granted by contract.

However, licensees increasingly challenge software license audits. Their claims are often legitimate: increased complexity of the license agreements, difficulty for the licensees to keep track of the licensing rights actually used, or even bad faith by certain vendors who would threaten to launch an audit to pressure the client at the time of contract renewal.

The amounts at stake are usually quite high for both parties, vendors and licensees.

Two recent French cases, both involving Oracle Corporation, illustrate the tension between vendors and licensees, especially at the time of renewing - or not - the existing licenses. (1) These cases raise the issue of the purpose, scope and limitations of a software license audit, and of the legal grounds on which a case may be brought when challenging the non-compliance between the rights granted and actual software use.


1. Purpose, scope and limitations of a software license audit

Software is protected by intellectual property law. (2) The author, or software publisher, enjoys exclusive rights over his/its work and is free to decide how to distribute it, including the scope of the rights granted and the licensing fees charged.

The rights granted to the licensees are provided in the software license agreement. The scope of the rights granted is different depending on the vendors. The licensing rights can be limited according to the type or number of terminals, or servers, number of named users or of CPUs, user volume, etc. Limitations can also be territorial, per location, facility, country or region.

Each vendor is also free to set its own fee system: through the payment of a one-time licensing fee, through a recurring subscription assessed according to the number of terminals or user volume, or through fees evolving with the software (upgrades), etc.

To ensure that the software is used in accordance with the rights granted, software vendors usually include software license audit clauses in their contracts.

However, one of the fundamental principles of civil law is that contracts must be performed in good faith (art. 1134 of the French civil code). Under this principle, software audits must not be carried out for a purpose other than the original objective or be used as a threat against the licensee at the time of renewing the contract, in order to put financial and operational pressure on the licensee or to overreach and access licensee’s proprietary confidential data.

Both examples were raised in the cases examined here.

- The Oracle vs. Carrefour judgment of 12 June 2014 (Summary judgment)
In this first case, Oracle sued Carrefour after the latter had resisted Oracle’s request to run its data collection scripts on Carrefour’s systems during the software audit process.

Two Carrefour affiliates, Carrefour SA and Carrefour Organisation et Systèmes Groupe, had entered into a framework license agreement to use the Oracle Database Management software. On 27 January 2012, after the agreement had expired, Oracle France notified Carrefour of its decision to conduct a software license audit to check the compliance of the software used with the rights granted under the license agreement. The notification included a request to run scripts to assess the number of licenses used and to check the documents provided by Carrefour regarding the use of the software.

Carrefour didn’t resist the audit but refused the process imposed by Oracle, i.e. to run Oracle’s auditing tools. Carrefour considered that the scripts used by Oracle gave Oracle access to Carrefour’s confidential information, which was unnecessary for the purpose of the audit and which posed a security risk to its IT systems.

In a summary judgment rendered on 12 June 2014, the Civil court of Nanterre (Tribunal de grande instance de Nanterre) held that Oracle could not compel Carrefour to run Oracle’s scripts to collect data for the audit since this process was imposed neither by the agreement nor by law.

The judges held that Oracle did however justify a legitimate reason to be granted an expert assessment to establish evidence of potential contractual breaches and intellectual property violations by the defendants. On the other hand, Carrefour was not compelled to run Oracle’s data collection scripts, but the judges confirmed that Oracle could use all necessary data collected during the expert assessment to check Carrefour’s compliance of the use of the software programs with the licenses granted.

- The Oracle vs. AFPA decision of 6 November 2014

In a second case opposing Oracle to the AFPA (Adult professional training association) before the Civil court of Paris (Tribunal de grande instance de Paris), the AFPA claimed that Oracle had overreached its software auditing right to put pressure on them at the time of their license renewal with the intent to limit competition and to abuse its right to bring legal action against the AFPA if they didn’t renew the licenses.

The AFPA claimed that Oracle was using its audit right abusively “by distorting its purpose” to put pressure on the AFPA and deter it from migrating to a competitor’s software at the time of the license renewal. This method allegedly resulted in limiting competition (per art. L.420-2 of the commercial code) on the SGF and RDBMS solutions markets.

The judges were not convinced by the AFPA’s claim regarding an abuse of dominant position by Oracle, as they considered that in this case, Oracle’s dominant position on the RDBMS market was not ascertained.

Regarding the abuse to bring legal action, the judges recalled that engaging legal proceedings is a right. If this right is used abusively, then the claimants must prove that a fault was committed, under article 1382 of the civil code (fault, damages and causality between the fault and the damages suffered).

However, although Oracle threatened the AFPA with an audit at the time of license renewal, in the present case, the AFPA didn’t demonstrate having suffered specific damages, other than the cost incurred in this legal procedure.


2. Characterizing an alleged non-compliance to the license: intellectual property infringement or contractual breach?

The case opposing Oracle to the AFPA raised a second interesting legal issue regarding the characterization of the dispute over the alleged non-compliance to the software license.

- The facts
Oracle distributes an ERP solution called Oracle E-Business Suite, comprising over 70 software application programs dedicated to enterprise management and clustered into “suites” (“Financials” for accounting and finance software, “Procurement” for purchasing management and suppliers).

Unlike most enterprise software, the E-Business Suite licensing system doesn’t work with activation keys used to manage licenses (blocking and unblocking access to the software, managing the license term, etc.), but instead is delivered on a CD which includes all the programs. The client or its service consultant is then responsible for the installation of the licensed programs on the client’s systems.

Following an RFP launched in September 2001, the AFPA executed an agreement with Sopra Group (an Oracle distributor and consulting company) for the provision of the Oracle E-Business Suite - Finance, for an initial group of 475 users.

In July 2008, Oracle France notified the AFPA of its decision to carry out a software audit. The audit was actually conducted in May/June 2009, when the AFPA launched a new RFP to roll out the Procurement solution. According to the audit results, the AFPA was using 885 Purchasing software licenses. This software program was part of the Procurement suite, which was not included in the license granted.

After failing to settle the matter amicably, Oracle decided to bring an action against the AFPA on the grounds of counterfeiting based on the unauthorized use of the Purchasing software suite. To this effect, Oracle demanded that the AFPA (and Sopra Group, under the contractual indemnification terms) pay 3,920,550 euros as lump sum indemnification for the unauthorized copy and use of the Purchasing software for 885 named users, plus 9,487,731 euros as indemnification for the unauthorized use of the technical support services and Purchasing software upgrades, i.e. a total of 13,408,281 euros.

The defendants claimed that Oracle knew that the Purchasing software suite was part of the solution proposed by Sopra to the AFPA under the contract, the solution having been approved with the purchase order issued by Oracle. Indeed, Sopra had invoiced the AFPA for the installation, use and support services for the Purchasing program. The AFPA also claimed that they had been using Purchasing in good faith since the beginning of the contract term and that they had committed no breach.

- Disagreement over the legal qualification of the audit conclusions
In this case, the parties’ claims were based on conflicting legal characterizations resulting in distinct legal consequences: intellectual property infringement vs. breach of contract.

Oracle claimed that since the AFPA wasn’t authorized to use the software under dispute, they were infringing (counterfeiting) Oracle’s intellectual property rights. Counterfeiting is a continuing offense, not subject to prescription, and the counterfeiter cannot claim good faith.

Contrary to Oracle, the AFPA claimed that this was a contractual issue. According to the AFPA, the Purchasing suite was included in Oracle’s licensed software programs. If not, the AFPA claimed that they had performed the contract in good faith since the software programs had been installed by Sopra. Contractual claims are prescribed after 5 years (art. 2224 of the French civil code). Indemnification is governed by the rules regarding contract performance set forth in the Civil code.

- The Court decision

To characterize the dispute, the judges recalled that the only existing issue between the parties was whether the license included the Purchasing suite. Oracle never claimed that the AFPA had used counterfeit software or rolled out software not supplied by Sopra, or that the number of licenses did not correspond to the number of users. The judges therefore held that the dispute concerned only the scope and performance of the contract and not a counterfeiting issue. Therefore, the 5-year statute of limitations and the contractual indemnification rules applicable to the damage suffered, as outlined in the French civil code, apply.

Regarding the performance of the contract, Oracle had delivered four CDs, including one containing the Oracle Applications/E Business Suite II i solution, with the Financial and Purchasing suites. Oracle’s position was that although the Purchasing software was on the CD, it was not included in the license.

Based on the documents disclosed during the proceedings, the judges held that Oracle maintained doubt and confusion on what was really included in the software solution licensed: either the Purchasing software program wasn’t included in the scope of the AFPA license, and then it shouldn’t have been delivered to them, or it was included in the license since it was actually delivered in execution of the purchase order.

The judges decided that the AFPA used the Purchasing software suite without fault since this program had been included in the CDs prepared by Oracle. Oracle must have always understood and admitted that the license included the use of that software suite.

As a consequence of this legal characterization, the judges held that the AFPA didn’t infringe Oracle’s intellectual property rights since the software was presumably included within the contractual scope of the license. The judges therefore decided that Oracle’s claims against the AFPA were prescribed and Oracle’s claims of 13,408,281 euros were unfounded. In addition, Oracle had to pay procedural fees to the AFPA and to Sopra amounting to 100,000 euros (art. 700 of the procedural code). This decision is pending appeal.


Based on this case law, software license audits are indeed legitimate tools for vendors to check that the licenses are performed within the contractual boundaries. However, audits should not be used outside and beyond their original purpose. As shown with these two cases, given the amounts claimed by the vendors, users no longer hesitate to challenge such practice, claiming bad faith or abuse from the vendors (although such claims must be proved legally). Another potentially valid claim could be the complexity of certain types of licensing rights which can be extremely difficult for licensees to manage effectively.

Although these cases didn’t raise the issue of license complexities, but were brought essentially because of misunderstandings and communication issues between the parties, we recommend that software vendors ensure that licensing rights are set forth in clear terms and that licensees can easily keep track of the rights used.


                                                        * * * * * * * * * * *

(1) Nanterre civil court of first instance (Tribunal de grande instance de Nanterre), summary judgment, 12 June 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Carrefour, Carrefour Organisation et Systèmes Groupe ; Paris civil court of first instance (Tribunal de grande instance de Paris) 6 November 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Association Nationale pour la Formation Professionnelle des Adultes (AFPA) & Sopra Group

(2) Article L.112-2 of the Intellectual property code

 
Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015

Friday, December 11, 2015

Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU



In a landmark decision on 6 October 2015, the Court of Justice of the European Union (CJEU) held that the Safe Harbor principles, in effect between the EU and the US since 2000, were invalid. All European companies working with US commercial organizations adhering to Safe Harbor must reassess the conditions under which they are transferring personal data to these entities. (1)

The purpose of this article is to review the main rules governing cross-border personal data transfers and to provide a few answers and solutions following this landmark decision.


1. Personal data transfers outside of the European Union and the cancellation of the Safe Harbor principles

Although the 1995 Data Protection Directive lifted all restrictions to cross-border personal data transfers within the EU, transfers outside of the Union remain prohibited in principle, except in limited cases. (2)

    1.1 Rules governing personal data transfers outside of the European Union

With the globalization of the economy, and even more so with the digital economy, most companies transfer data to third countries, either to their headquarters or affiliates, to subcontractors, or to service providers. While personal data transfers outside of the European Union are prohibited, there are however a few exceptions to this principle. The following cross-border personal data transfers are allowed:

    - data transfers to a country acknowledged by the European Commission as providing a sufficient, or “adequate” level of protection. Only a handful of countries outside of the EU are deemed to have enacted laws providing a level of protection equivalent to those in effect in Europe; (3)
    - data transfers between two entities (exporting and importing data) having signed the EU Standard contractual clauses (SCC) adopted by the European Commission. This contractual solution is applicable either between two data controllers or between a data controller and a subcontractor;
    - data transfers between two or more affiliates within a multinational corporation, subject to that multinational corporation having implemented Binding Corporate Rules (BCRs), applicable among all the affiliates and approved by one of the national data protection authorities (“national supervisory authorities”) such as the CNIL in France or the ICO in the UK;
    - data transferred in exceptional situations, if the data subject has given his consent to such transfer;
    - and until the 6 October 2015 decision, data transfers to the United States, subject to the importing company adhering to Safe Harbor.

The Safe Harbor principles include a set of personal data protection rules, negotiated between the US authorities (US Commerce Department) and the European Commission in 2000, and approved by a Commission decision dated 26 July 2000. (4)

The Safe Harbor principles include rules concerning the protection of personal data, designed after the principles of the 1995 Data Protection Directive. The Safe Harbor framework only applies to those US companies that have voluntarily declared to adhere to the principles. The US Federal Trade Commission (FTC) is in charge of administering the Safe Harbor principles including publishing the list of companies adhering to the system.

However, the Safe Harbor principles were declared invalid by the European Court of Justice on October 6.

    1.2 The Schrems decision


In its decision issued on 6 October 2015, the Court of Justice of the European Union invalidated the Safe Harbor framework, deciding that a national supervisory authority could suspend personal data transfers from the EU to the United States.

The case concerns an Austrian citizen, Maximillian Schrems, a Facebook user since 2008.

The data provided by European Facebook users are stored by its subsidiary, located in Ireland, prior to some of it then being transferred to the United States. Mr Schrems lodged a claim before the Irish Data Protection Commissioner, considering that following Edward Snowden’s disclosure regarding the activities of the US intelligence services (including the NSA and the FBI), the United States didn’t properly protect the personal data provided by the European citizens and residents against surveillance activities. The Irish data protection authority dismissed the claim, arguing that in its 26 July 2000 decision, the European Commission had considered that the United States provided an adequate level of protection of personal data transferred under the Safe Harbor framework.

Mr Schrems then brought an action before the High Court of Ireland which decided to refer two questions to the CJEU for a preliminary ruling. The Irish judges wanted to know if the 2000 European Commission decision prevented the national data protection authorities from investigating when a data subject claims that a non-EU country doesn’t provide an adequate level of protection to the personal data transferred. Is the plaintiff irrevocably bound by the European Commission decision, without any possible legal recourse?

In its 6 October 2015 decision, the CJEU decided that the European Commission should have assessed whether the United States did provide adequate protection, through their legislation or through their international commitments, and at least, “a level of protection that is essentially equivalent to that guaranteed within the European Union by virtue of the European directive, read in the light of the Charter of Fundamental Rights of the European Union.”

The Court noted that the US authorities practiced massive and indiscriminate surveillance over the data transferred without granting effective legal protection to the data subjects.

US companies are subject to US mandatory laws and regulations which supersede the Safe Harbor principles. According to the Court, the European Commission didn’t research whether the United States did provide an adequate level of protection to personal data, and the US authorities through their massive surveillance program overreached their power to circumvent the privacy principles. The Court decided that the 2000 Commission decision was therefore invalid.

According to the CJEU, even though the European Commission did acknowledge that the United States granted adequate protection to personal data, the national data protection authorities must be able to control whether data transfers of a data subject to a non-EU country comply with the requirements of the 1995 Data Protection Directive.

The Court concluded that if a national data protection authority had doubts about the adequacy decision of the Commission, that authority must be able to bring an action before the national courts so that they may then send the case to the European Court of Justice. The 2000 decision of the European Commission cannot prevent data subjects and the national data protection authorities from such legal recourse.


2. The consequences of the Schrems case: legal insecurity requiring action

Personal data transfers to the United States made under the Safe Harbor principles are therefore no longer valid. This implies that data transfers which were previously valid are no longer legal, but also that it is no longer possible to initiate new personal data transfers under the Safe Harbor principles.

    2.1 Consequences of the Schrems case

- The article 29 working party (art. 29 WP): the French data authority (CNIL) is currently reviewing, together with its colleagues of the art. 29 WP (representatives of the national data protection authorities of the Member States), the legal and operational consequences of the CJEU decision.

In the meantime, the art. 29 WP has requested the national data protection authorities to implement a solution to overcome the current legal insecurity caused by the CJEU decision. In a declaration made on 15 October, the art. 29 WP invited the European institutions to initiate discussions with their American counterparts to find a new system allowing the transfer of personal data in compliance with the European fundamental rights, such decision to be reached by 31 January 2016. (5)

If the parties fail to reach an agreement by this deadline, the national data protection authorities may then “launch any action necessary, including coordinated punitive actions.”

- The national supervisory authorities: further to the CJEU decision, several national authorities have already taken “preventative” measures.

The data protection authorities from the German Länder and the national German supervisory authority have announced that they would no longer authorize new data transfers to the United States, including under the EU Standard contractual clauses or BCR schemes.

The Spanish data protection authority (Agencia Española de Protección de Datos - AEPD) announced that they would send a message to the entities that had declared transferring personal data under the Safe Harbor principles, enquiring about the alternative solutions that they plan to implement.

The Schrems decision has also spread beyond the boundaries of the European Union, including for those non-EU countries providing an adequate level of protection, regarding their data transfers to the US.

The Israeli data protection authority (Israeli Law, Information and Technology Agency - ILITA) has decided to suspend personal data transfers to the United States.

And the Swiss authority announced that as long as a new agreement with the US government hadn’t been reached, the “U.S.-Swiss Safe Harbor Framework” would no longer be considered as legal basis for transfers of personal data to the US in compliance with the Swiss law on data protection.

Other third countries are also reconsidering the conditions of cross-border data transfers to the United States and other countries.

- The EU Commission: on 6 November 2015, the Commission issued guidance on transatlantic data transfers which will remain effective until a new system is implemented.

The Commission analyzed the repercussions of the Schrems case and proposed alternatives to transfer personal data legally to the United States (including the EU Standard contractual clauses or BCR). (6)

- Toward Safe Harbor 2.0?: the EU Commission had already decided to review the Safe Harbor framework following disclosure by Edward Snowden in 2013 on the surveillance program of the NSA since the American security laws came into effect after the 9/11 terrorist attacks. In November 2013, the Commission issued 13 recommendations to improve the then current Safe Harbor rules.

Since the Schrems decision of 6 October 2015, the EU Commission has been accelerating negotiations with its US counterparts to set up a new framework improving the legal protection for transfers of European personal data to the United States. The goal is to reach a new framework agreement by the end of January 2016.

    2.2 Data transfers during the interim period


The cancellation of the Safe Harbor principles creates uncertainty for companies that were transferring data cross-border under the Safe Harbor framework.

Can organizations transferring personal data to the United States pursue their operations without switching to a new legal framework until new Safe Harbor rules are issued by the EU Commission? Should they plan for the longer term and implement alternative solutions?

Should all data transfers to the United States be suspended, or should they be confined to Europe, or transferred to a country providing an adequate level of protection?

For data transferred under a cloud computing service agreement, what should the client do if the US service provider refuses to amend the transfer terms?

The three-month deadline to reach agreement on a new Safe Harbor framework may seem “aggressive” and nothing guarantees that this deadline will be met by the authorities.

Until the authorities and institutions find a solution and a new 2.0 Safe Harbor framework comes to life, corporations must find legal and technical solutions to limit legal risks and circumvent transfer restrictions. Penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. 

- Legal and technical compliance audits: as a first step, entities exporting personal data to be processed in the United States should conduct a legal and technical audit of current data transfers as well as a risk analysis. The data processes, types of data transferred and legal regime under which the data are transferred must be clearly identified and characterized. Once a map of the data transfers has been set up, the impacts of the cancellation of Safe Harbor will be assessed on a case by case basis, with a short and a medium term evaluation.

- Compliance solutions: further to the compliance audit, alternative compliance solutions may have to be adopted. Three options can be considered: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs) within a multinational group of companies.

The EU Standard contractual clauses (SCC) may appear as the easier short term option. It is however necessary to identify the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended, the document will have to be approved by a national data protection authority.

Unless an agreement is reached with its US service providers to operate under the EU Standard contractual clauses, the European client entity may have no other solution than terminating the current agreement with its American service provider and selecting an alternative European provider, or a company located in a country providing an adequate level of protection.

The ad hoc contractual option, i.e. a contract drafted by the parties and adapted to the data process under consideration, could be the best option. An ad hoc contract is indeed more flexible and adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from the national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).

Binding Corporate Rules (BCRs) can only be used within a multinational group of companies and are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted, then get approval from a national authority prior to being rolled out within the group of affiliated companies.

The benefit of these alternative solutions to Safe Harbor is their stability and the fact that they can remain the preferred solution after a new Safe Harbor framework is launched. If the authorities reach an agreement on a 2.0 Safe Harbor framework, the Schrems decision recalls that in case of alleged breach of their legal obligations, data subjects have a legal recourse against US companies adhering to the Safe Harbor principles.

                                                        * * * * * * * * * * * *


(1) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner

(2) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

(3) The countries providing an adequate level of protection, and to which personal data may be transferred without additional formalities or authorizations are: Argentina, Canada, Iceland, Israel, Liechtenstein, Norway, New Zealand, Switzerland, Uruguay

(4) EU Commission Decision 2000/520 dated 26 July 2000

(5) Brussels 15 October 2015 : “Statement of the Article 29 Working Party”.

(6) EU Commission press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

December 2015

Monday, October 12, 2015

Drone use regulation: legal perspectives from France and Singapore


 
In January 2014, an 18 year-old used a drone (or unmanned aircraft system - UAS) equipped with a GoPro camera to fly over and record a video of the city of Nancy, in eastern France. He then posted his video on the internet. The video received more than 400,000 views! Unfortunately, this young man didn’t realize that the use of a drone with a camera over a populated area is regulated in France.

The video was identified by the authorities, who contacted the young man. The regional department of civil aviation (Direction régionale de l’aviation civile - DRAC) notified the rules applicable to the use of a UAS and required him to get all necessary authorizations. The young man was then subpoenaed before the criminal court for endangering third parties’ lives.(1)

A few weeks before in the US, Amazon had announced its drone delivery project, engaging a battle on flight regulation and safety with the Federal Aviation Administration (FAA).(2)

Earlier this month in Singapore, SingPost announced the first 2km test flight using an unmanned aircraft to deliver mail and a small parcel to an identified recipient.(3)

Although the drone market is developing fast not only in Europe, but in many other regions in the world, there are still few drone-specific laws regulating their use and the level of skills required to operate these aircraft. Issues with public safety and privacy are also surfacing with the increasing use of drones. France was the first country to issue a regulatory framework for the use of civilian drones in 2012. Singapore enacted its own drones regulation in May this year.

In this article, we review the issues of public safety and privacy, followed by the French and new Singapore UAS regulations.


1. The development of drone use: public safety and privacy concerns

Drones are commonly defined as aircraft without on-board pilots that are operated by remote control or with a smartphone.

There are many types of drones, from lightweight devices of a few hundred grams with limited flight radius and battery life, usually used for recreational activities, to larger, professional aircraft, which can weigh up to a few hundred kilos and are able to fly long distances at high altitudes (several hundred meters).

Drones can be equipped with photo or video cameras, temperature or air sensors, or be used to launch pesticides or other types of loads.

Unmanned aircraft have been used for many years for a wide variety of purposes, including public safety (surveillance of demonstrations in public areas, firefighting, securing areas after industrial accidents such as the Fukushima nuclear disaster, monitoring infrastructure and buildings), filming and recreational purposes. New uses are also emerging, such as parcel or medication delivery in emergency situations or to remote areas, or simply to cut costs.

The use of civil drones has soared in recent years, with a whole new market open to consumers. However, their use raises a number of legal issues in areas such as public safety and privacy.

- Public safety: uncontrolled use of drones can interfere with other categories of aircraft, such as ultralights, helicopters and airplanes at take-off and landing. No actual accidents have been reported so far, but several drones have been reported flying around airports, in restricted areas, in recent months.

A drone flying over a crowded area may crash and injure members of the public. And one cannot ignore the possibility of using drones for illegal or terrorist activities. In 2014, drones were detected flying over nuclear plants and military facilities in France and over the presidential Elysée palace in Paris. In January 2015, a drone landed on the lawn in front of the White House in Washington DC.

Although these areas are no-fly zones, the operators are seldom identified and it is hard to know whether these incidents were merely provocative, or test cases for future attacks.

Patrick Ky, Executive Director of the European Aviation Safety Agency (AESA), has expressed concerns regarding the use of drones in Europe and the increasing number of incidents. After collating the comments from a public consultation that closed a few days ago, AESA should publish a “technical opinion” by the end of 2015. This document should then be used as preliminary work for a future regulation of drones under 25kgs (currently, AESA is only competent for aircraft above 150kgs).(4)

- Privacy: drones can be used to invade one’s privacy if equipped with high performance cameras or video recorders, challenging the right to privacy and personal data protection.

Right to privacy
French law strictly regulates the right to privacy, whether one is an “anonymous” person or a celebrity. In theory, the publication of photographs taken with a camera mounted on a drone is subject to the prior consent of the person concerned. However, consent is usually impossible to collect when using a drone.

The right to privacy is waived when people are in a public setting (e.g. attending a concert, a tennis or a football game) and when the photograph or the video doesn’t focus on a single person, but is a global photograph of the public, is not degrading and is within the scope of the right to inform the public. Unless these general principles are applied, the person appearing on a photograph or a video made via a drone may sue the aircraft operator (or the company employing the operator) for violating his/her right to privacy.

So far, Singapore has no laws regulating the use of drones invading people’s personal spaces (such as a drone video-recording a person in his/her garden or at a private party without that person’s knowledge).

Personal data regulation
The act of taking a photograph or a video of a given person is deemed personal data collection under French and European personal data regulation. Under French law, personal data processing, i.e. the collection of data relating to a natural person who is either identified or identifiable, must be filed with the French data commission (“Commission de l’informatique et des libertés” or CNIL). Such data processing is subject to the French data protection law (Loi informatique et libertés).(5)

Drone use was unforeseen when the French data protection law was first enacted in 1978, and again with the European directive of 1995. Applying these legal requirements to the use of drones is therefore quite problematic. However, the European data protection authorities are starting to tackle this issue: the French CNIL has been working on the issue of drones and privacy since 2012 and last June the European G29 working group issued a list of recommendations on this topic.(6)

The recent Singapore Personal Data Protection Act doesn’t provide any drone-specific provisions either.(7) The Personal Data Protection Act requires the subject’s consent before taking photographs or a video for commercial use. However, this applies to private space only and not public space.

The use of drones for civil purposes is not prohibited but is beginning to be regulated.


2. French law and the use of civil drones in the airspace

France was the first country to issue specific regulations for the use of unmanned aircraft. Two administrative orders (“arrêtés”) were published on 11 April 2012 relating respectively to the design, use and capacity required to operate such devices, and to the use of the airspace by unmanned aircraft.(8)

These two complementary texts have a common purpose: to guarantee public safety. They classify unmanned aircraft in different categories, define the types of authorized activities, and provide rules regarding the use of the airspace based on the different purposes for operating unmanned aircraft.

Although these rules don’t solve all the legal issues raised by the use of drones, they provide a useful framework for the companies designing and distributing new aircraft models and for users to operate the drones within the legal boundaries.

Civil drones are classified (categories A to G) according to weight, type of propulsion, limitations, and types of activities contemplated. The resulting obligations depend upon the proposed use of the drone: speed, altitude (in-sight flights or out-of-sight flights), zones flown over and purpose.

Only category A aircraft, i.e. drones weighing less than 25kgs, with a single propulsion system, without a camera and flying only in-sight, are exempted from the airworthiness document requirement and are therefore authorized to fly without any restrictions regarding the capacity of their operator.

All other unmanned aircraft categories are subject to a preliminary authorization issued by the Minister in charge of civil aviation, and to the following requirements: the installation of specific devices to allow the operator to monitor the altitude of the aircraft and a fail-crash system for forced landing, a minimum skill level of the operator and the possession of specific documents (user and maintenance manuals, airworthiness document, etc.).

Finally, the operator of an unmanned aircraft is responsible for implementing all necessary safety procedures to ensure third party safety and for complying with all applicable regulations.

Using a drone outside of these legal boundaries is subject to criminal penalties set forth in the French Code of transport, the Code of civil aviation and the Criminal code. For example, using an unmanned aircraft without the required airworthiness documents or with expired documents, or using a drone that does not comply with the technical airworthiness document or with the general safety rules, is subject to a one-year prison term and/or a fine of €75,000.(9)


3. The new Singapore Unmanned Aircraft Act

Drones are also becoming very popular in Singapore and the same concerns regarding public safety and privacy are being raised. Several incidents involving drones were reported in the past 12 months, including drones crashing on the MRT (metro) tracks and drones seen flying over prohibited or restricted zones.

Singapore enacted the Unmanned Aircraft (Public Safety and Security) Act 2015 in May, with the aim of clarifying the rules regarding drone use. The Unmanned Aircraft Act amended the existing Air Navigation and Public Order Acts.

Permits are required for drones used for professional or commercial purposes, usually equipped with a photo or a video camera, as well as for drones weighing more than 7kgs and drones to be flown over sensitive or restricted areas (“protected areas”).

Unmanned aircraft used for recreational or private purposes and weighing less than 7kgs are exempted.

Two types of permits, an operator permit and an activity permit, are required for operating drones weighing more than 7kgs, for any purpose (private or professional), and for operating drones for commercial purposes regardless of the weight. An activity permit is required to operate an unmanned aircraft in a restricted area, or within 5kms of a military base.

A list of security-sensitive areas (special outdoors events, certain public facilities and government buildings, the Istana Presidential palace, military bases, etc.) is to be published.

Permits are issued by the Civil Aviation Authority of Singapore (CAAS).

Using a drone illegally in Singapore is subject to a fine of S$20,000 and/or a one-year prison term. However, if the drone carries dangerous materials (such as weapons or hazardous chemicals), the operator or the owner is subject to a fine of S$100,000 and/or a five-year prison term.


Despite the growing interest of both the public and businesses in using drones for recreational purposes but also for more and more diverse commercial purposes, such as short distance delivery, there is no European or international concerted approach on drone use regulation (and on the related issues of privacy and personal data protection). A number of countries (including the United States and Japan) are beginning to regulate the use of drones, limiting or prohibiting their use. We may see a first effort at producing regional rules with the latest position of the European Aviation Safety Agency on this matter, and increased pressure from commercial airline pilots.

* * * * * * * * * * * *

(1) “Poursuivi en justice pour avoir filmé Nancy avec un drone”, published on 13 February 2014 in le Figaro (http://etudiant.lefigaro.fr)

(2) “Amazon unveils futuristic plan: Delivery by drone”, published on 1st December 2013 on cbsnews.com

(3) “Mail sent to Pulau Ubin by drone in world-first SingPost trial”, published on 8 October 2015 on Channel NewsAsia (www.channelnewsasia.com)

(4) “Les drones volent n'importe où, n'importe comment en Europe” (AESA), published on 9 October 2015 in La Tribune (www.latribune.fr)

(5) French data protection law n°78-17 of 6 January 1978 referred to as “Loi informatique et libertés”. The law was amended in 2004 when the 1995 European directive on personal data protection was transposed into French law. The national data protection laws will be replaced by the future European data protection regulation, which should become effective by the end of 2015 and enforceable within 2 years thereafter.

(6) Article 29 Data Protection Working Party, Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones, 16 June 2015 (WP 231).

(7) Singapore Personal Data Protection Act (2012); see also the Personal Data Protection Commission of Singapore website, at www.pdpc.gov.sg

(8) Administrative order of 11 April 2012 regarding the use of the airspace by unmanned aircraft (“Arrêté relatif à l’utilisation de l’espace aérien par les aéronefs qui circulent sans personne à bord”); Administrative order of 11 April 2012 regarding the design of unmanned aircraft, the conditions of their use and the required capacities of their operators (“Arrêté du 11 avril 2012 relatif à la conception des aéronefs civils qui circulent sans aucune personne à bord, aux conditions de leur emploi et sur les capacités requises des personnes qui les utilisent”); Articles R.133-1-2 and D.131-1 to D.133-10 of the French Code of civil aviation.

(9) Article L.6232-4 of the French Code of transport.



Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

October 2015

Tuesday, June 16, 2015

Deleporte Wentz Avocat opens an office in Singapore

Deleporte Wentz Avocat, founded in Paris in 2007, is a boutique law firm focused on technology law - software, internet, e-commerce, data privacy, digital media, intellectual property. We advise companies on their IT projects, from startups to multinational corporations, in French and European laws through our network of independent firms located across Europe. 

This expansion towards South-East Asia gives us the opportunity to help our clients develop in this region, but also to advise Asian companies on extending their business activities in France and Europe.
Singapore, a city-state of 5.5 million people, located at the Southern tip of the Malay peninsula, is the economic hub of South-East Asia and ASEAN, and a premier financial, business and technology center.

Singapore is also a perfect hub for companies wishing to extend their business activities across the region, toward very dynamic countries such as Indonesia, Malaysia, Thailand, Vietnam or the Philippines.

Deleporte Wentz Avocat is therefore developing a network with local law firms in these countries to advise our clients in local law (especially company and business law).

For any questions or pending IT projects, don't hesitate to contact us.