tag:blogger.com,1999:blog-42141030995843206732024-03-25T21:58:46.196+08:00Deleporte Wentz Avocat - IT LawDELEPORTE WENTZ AVOCAT is a boutique law firm specializing in information technology law - computer law, internet, data privacy, digital media. We have offices in Paris and Singapore. In this blog, you will find articles on legal issues regarding IT law : legal news, description of new laws and regulations, analyses of recent case law.
Check the firm's web site at www.dwavocat.comDeleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.comBlogger17125tag:blogger.com,1999:blog-4214103099584320673.post-60421850044790305572023-07-05T00:02:00.000+08:002023-07-05T00:02:01.804+08:00Our new website is live!<p><span style="font-family: verdana;">The new website of Deleporte Wentz Avocat was launched on July 1st!</span></p><p><span style="font-family: verdana;">Our new website was reviewed and updated with a more modern design and a new digital identity, including a new logo.</span></p><p><span style="font-family: verdana;"> </span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrIpehDKnHp3HndpbAGZ0NtTYPp98trGl5q8twgVsYz41mHw1_UszKfxvxOVNFPeWqBNtB7hByMW6iLPoHUxhJqKkaHg6alR2fCZ3jgJFlqx13YlBQeBTDCnKhUHtSxKH1Z7WgA7pOopF4vPDtMlZNmJyljfk08Zm7Ai7k-FbaOOzOlfO-MnaQ9F0fyOet/s1767/DWA%20+%20baseline%204%20.jpg.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="297" data-original-width="1767" height="54" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrIpehDKnHp3HndpbAGZ0NtTYPp98trGl5q8twgVsYz41mHw1_UszKfxvxOVNFPeWqBNtB7hByMW6iLPoHUxhJqKkaHg6alR2fCZ3jgJFlqx13YlBQeBTDCnKhUHtSxKH1Z7WgA7pOopF4vPDtMlZNmJyljfk08Zm7Ai7k-FbaOOzOlfO-MnaQ9F0fyOet/s320/DWA%20+%20baseline%204%20.jpg.jpg" width="320" /></a></div><span style="font-family: verdana;"><br /></span><p></p><p><span style="font-family: verdana;">If you wish to keep up with our news and publications, please click on <a href="http://www.dwavocat.com">www.dwavocat.com</a></span><br /></p>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-26505455470289523632018-04-18T19:19:00.007+08:002024-03-15T00:34:02.712+08:00European experts against the creation of a legal status for robots<br /><div class="post-header">
<div class="post-header-line-1"></div>
</div>
<div style="text-align: justify;">
<span face=""Trebuchet MS", sans-serif"><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidhIv3rGtrsIAPAqUeDMy1WIJW9n8VTLyTNYgtEV586TSUgdeDwwLgmrOQiEcISXj2Pp8gkjMVeWySJUYmoDl-gxyAu-LhK6RH-62tyrL6or3XWi7PhsMBoonZ7s9g2nXPh-bkpE4MOXix/s1600/Robotique.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="608" data-original-width="1050" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidhIv3rGtrsIAPAqUeDMy1WIJW9n8VTLyTNYgtEV586TSUgdeDwwLgmrOQiEcISXj2Pp8gkjMVeWySJUYmoDl-gxyAu-LhK6RH-62tyrL6or3XWi7PhsMBoonZ7s9g2nXPh-bkpE4MOXix/s320/Robotique.jpg" width="320" /></a></div>
</span></div>
<div style="text-align: justify;">
<span face=""Trebuchet MS", sans-serif"> </span></div>
<div style="text-align: justify;">
<span style="font-family: verdana; font-size: medium;"><span face=""Trebuchet MS", sans-serif">With artificial intelligence applications developing and being rolled out fast, the European Commission is currently working on the development of a new area of the law focused on robotics. This could go as far as including the creation of a specific legal status for robots. However, hundreds of members of civil society are opposed to the creation of an "electronic person" which could make an "intelligent" machine independently responsible for damages.</span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span face=""Trebuchet MS", sans-serif"><br /></span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span>Two hundred European experts have recently co-signed an open letter against the creation of a legal status for robots. This letter, addressed to the European Commission, highlights the concern and opposition of AI experts on the creation of a legal electronic person and focuses specifically on the European Parliament Resolution on Civil law rules of robotics and its recommendation to the European Commission in its paragraph 59 f): "<i>Creating a specific legal status for robots in the long run, so
that at least the most sophisticated autonomous robots could be
established as having the status of electronic persons responsible for
making good any damage they may cause, and possibly applying electronic
personality to cases where robots make autonomous decisions or otherwise
interact with third parties independently (...).</i>"<br /></span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span> <br /></span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span face=""Trebuchet MS", sans-serif">The signatories of this open letter criticize the notion of electronic personality, whether based on the notion of natural persons, legal entities or legal trust. </span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span face=""Trebuchet MS", sans-serif"><br /></span></span></div><div style="text-align: justify;"><span style="font-family: verdana; font-size: medium;"><span face=""Trebuchet MS", sans-serif">We will keep following the discussions around the development of the law on robotics...<br /></span></span></div><p>
<br /><span face=""Trebuchet MS", sans-serif"></span><br /><span face=""Trebuchet MS", sans-serif"> <span style="font-family: verdana; font-size: small;"> * * * * * * * * * * * * </span></span><span style="font-family: verdana; font-size: small;"><span><br /></span></span></p><p><span style="font-family: verdana; font-size: small;"><span><span><span face=""Trebuchet MS", sans-serif">(1) <a href="http://Robotics-openletter.eu">Robotics-openletter.eu</a>, Open letter to the European Commission – Artificial intelligence and Robotics</span></span></span></span></p><p><span style="font-family: verdana; font-size: x-small;"><span>Photo © ClaudeAI.uk (</span></span><span style="font-size: x-small;"><a href="https://claudeai.uk/ai-blog/" style="-webkit-text-stroke-width: 0px; font-family: Helvetica; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">https://claudeai.uk/ai-blog/</a><span style="-webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; display: inline !important; float: none; font-family: Helvetica; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span class="Apple-converted-space"> )</span></span></span></p><p><span style="font-size: medium;"><span style="font-family: verdana;"><span face=""Trebuchet MS", sans-serif">Bénédicte DELEPORTE</span><br /><span face=""Trebuchet MS", sans-serif">Avocat</span><br /><br /><span face=""Trebuchet MS", sans-serif">Deleporte Wentz Avocat</span><br /><span face=""Trebuchet MS", sans-serif">www.dwavocat.com</span><br /><br /><span face=""Trebuchet MS", sans-serif">April 2018</span></span></span></p>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-71837361796065544802018-03-07T01:58:00.004+08:002023-07-29T19:55:55.133+08:00Network security - the NIS directive was transposed in French law<p> </p>
<div class="post-header">
<div class="post-header-line-1"></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv4uFipKgHUPXrO5aoTO7zzKDMBiQIoRo0eZb5KfuFv31o5d9L2-C1kbwIg9-tiFoYocCbWmNY1eT1NA5HqVwBdUPzexkyAhOxlMivMC5Mn6GJDdu718fQ17oQIew8jAE8LA_mwOyX9bVp/s1600/cyberpadlocklg2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="200" data-original-width="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhv4uFipKgHUPXrO5aoTO7zzKDMBiQIoRo0eZb5KfuFv31o5d9L2-C1kbwIg9-tiFoYocCbWmNY1eT1NA5HqVwBdUPzexkyAhOxlMivMC5Mn6GJDdu718fQ17oQIew8jAE8LA_mwOyX9bVp/s1600/cyberpadlocklg2.jpg" /></a></div>
<br />
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR">The directive </span></span></span><span style="font-family: verdana; font-size: medium;">concerning measures for a high common level of security of network and information systems across the Union ("NIS Directive") was transposed in French law on 26 February 2018. (1)<span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"><br />The new law provides additional obligations regarding digital security. (2)<br /> </span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Two new types of companies are identified </span><span lang="FR"><br /><br />
- Operators of </span></span><span><span lang="FR">essential</span></span><span><span lang="FR"> services (OES) (which are globally equivalent to the French definition of operators of vital importance (</span></span><span><span lang="FR"></span><span lang="FR">opérateurs d’importance vitale - OIV). These include companies operating in essential areas such as: energy, transportation, banking, financial markets infrastructures, health, production and distribution of potable water and the providers of digital infrastructures, and</span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"><br /></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"> - Digital services providers (DSPs) which include companies providing cloud computing services, market places, search engines services, etc.</span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"> </span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR">These companies will have to implement the cybersecurity measures set up by the National Agency for Information Systems Security (</span></span><span><span lang="FR">Agence nationale de la sécurité des
systèmes d’information - ANSSI). They will have to notify the ANSSI in case of security incidents which may have a significant impact on the continuity of the services provided. </span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"> </span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Any failure to secure the networks, to declare a security incident or in case of blocking a control procedure, will be subject to fines between €75,000 and €125,000 for the OES, the amount of the fine depending on the type of violation, and fines between €50,000 and €100,000 for DSPs.</span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR"> </span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: medium;"><span><span lang="FR">A decree specifying the list of OES and FSEs operating in the French territory should be published before 9 November 2018.</span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"><br /></span></span><br /></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: small;"><span lang="FR"> * * * * * * * * * * *</span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;"><span style="font-family: verdana; font-size: small;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify;">
<span style="font-family: verdana; font-size: small;"><span><span lang="FR">(1) Directive (EU) 2016/1148 of the Europen Parliament and of the Council of 6 July 2016 </span></span></span><span style="font-family: verdana; font-size: small;"><span><span lang="FR"></span></span></span><span style="font-family: verdana; font-size: small;">concerning measures for a high common level of security of network and information systems across the Union ("NIS Directive") <span><span lang="FR"></span></span></span></div><div class="MsoNormal" style="text-align: justify;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR"><br /></span></span></span></div><div class="MsoNormal" style="text-align: justify;"><span style="font-family: verdana; font-size: small;"><span><span lang="FR">(2) </span></span></span><span style="font-family: verdana; font-size: small;"><span><span lang="FR">Law #2018-133 of 26 February 2018 including several provisions adapting French law to European Union law in the area of security </span></span></span><span style="font-family: verdana; font-size: small;"><span><span lang="FR">(Loi n°2018-133 du 26 février 2018 portant diverses dispositions
d'adaptation au droit de l'Union européenne dans le domaine de la
sécurité)</span></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: small;"><span lang="FR"><br /></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: small;"><br /></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Bénédicte DELEPORTE</span></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Avocat</span></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Deleporte Wentz Avocat</span></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR"><br /></span></span></span></div>
<div class="MsoNormal" style="text-align: justify; text-justify: inter-ideograph;">
<span style="font-family: verdana; font-size: medium;"><span><span lang="FR">Mars 2018</span></span></span></div>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-37466544266135387742018-02-21T00:55:00.002+08:002023-07-29T19:59:39.594+08:00Publication of 3 new decrees to improve the transparency of digital platforms<p><br /></p>
<div class="post-header">
<div class="post-header-line-1"></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYpXTivqZp98IMa75-YVwr9BfjPape-Jh0xtEVZCtkxj8iZz5IeNCvQ2y8jSz5NsmI4v16JJnWTaDjA3y7ZlZN7PGzVK1Q6KMbwH8aWvHVIa6KnrtVGW6NCOSTV1tCnvfX5tPqzMTnpZcc/s1600/Online+services.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="452" data-original-width="1600" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYpXTivqZp98IMa75-YVwr9BfjPape-Jh0xtEVZCtkxj8iZz5IeNCvQ2y8jSz5NsmI4v16JJnWTaDjA3y7ZlZN7PGzVK1Q6KMbwH8aWvHVIa6KnrtVGW6NCOSTV1tCnvfX5tPqzMTnpZcc/s320/Online+services.jpg" width="320" /></a></div><p>
<span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">In order to improve the users' trust in digital services, and further to the publication of the Digital Republic Act ("Loi pour une République numérique") (1), three decrees to improve the transparency of digital platforms were published on 29 September 2017. (2) These decrees cover search engines, social networks, and comparison websites as well as market places and collaborative economy websites.</span></p><p style="text-align: justify;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">1. <u>From 1st January 2018</u>, platforms which generate revenue from third party content, goods or services, e.g. search engines </span><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">and comparison websites must publish the criteria used for referencing and dereferencing content, as well as the criteria used for the results rankings. These websites will also have to show how their revenue is related to the order in which contents are displayed.</span></p><p style="text-align: justify;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">Collaboration platforms must include a section accessible from all the pages of the website providing information about the profile of the users selling goods or services (consumers or professional sellers), how buyers and sellers get connected to each other, the commission due to the platform for the connection between the users, etc. Such information is usually detailed in the platform's terms and conditions. </span></p><p style="text-align: justify;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">B-to-C platforms must provide a section to allow professional sellers to post the mandatory data required pursuant to articles L.221-5 et seq. of the consumer code (i.e. description of the good or of the service proposed, price, delivery time, contact details, legal warranty, whether the buyer has a withdrawal right, dispute resolution conditions, etc.). </span></p><p style="text-align: justify;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">Finally, websites which publish consumer reviews must specify whether the reviews are verified, and if so, how they are verified. When the reviews are verified, the </span><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">website </span><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">operator must insure that the personal data of the contributors are processed in compliance with the data privacy law (loi Informatique et Libertés).</span></p><p style="text-align: justify;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;">2. <u>From 1st January 2019</u>, platforms with an average of over 5 million unique visitors per month will have to apply good practice in terms of clarity, transparency and loyalty. These rules, which must be accessible online, correspond to the general obligation to provide precontractual information pursuant to articles L.111-1 et seq. of the consumer code.</span></p><p><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;"> </span></p><p style="text-align: center;"><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;"> * * * * * * * * * * * * </span><br /></p><p style="text-align: left;"><span face=""Trebuchet MS", sans-serif"></span><br /><span style="font-family: verdana; font-size: small;"><span><span face=""Trebuchet MS", sans-serif">(1) Loi #2016-1321 of 7 October 2016 for a Digital Republic (loi pour une république numérique)</span></span></span><span style="font-family: verdana; font-size: small;"><br /><br /><span><span><span face=""Trebuchet MS", sans-serif">(2)
</span></span></span><span><span><span face=""Trebuchet MS", sans-serif">Decree #2017-1434 of 29 September 2017 regarding information </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">obligations </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">by digital platform operators; </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">Decree #2017</span></span></span><span><span><span face=""Trebuchet MS", sans-serif">-1435 </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">of 29 September 2017 regarding </span></span></span><span><span><span face=""Trebuchet MS", sans-serif"> a connection threshold above which </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">digital platform operators develop and post good practices to improve loyalty, clarity and transparency of the data provided to consumers; </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">Decree #2017</span></span></span><span><span><span face=""Trebuchet MS", sans-serif">-1436 </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">of 29 September 2017 regarding </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">information </span></span></span><span><span><span face=""Trebuchet MS", sans-serif">obligations on online consumer reviews (Décret n°2017-1434 du 29 septembre 2017 relatif aux obligations
d'information des opérateurs de plateformes numériques ; Décret
n°2017-1435 du 29 septembre 2017 relatif à la fixation d'un seuil de
connexions à partir duquel les opérateurs de plateformes en ligne
élaborent et diffusent des bonnes pratiques pour renforcer la loyauté,
la clarté et la transparence des informations transmises aux
consommateurs ; Décret n°2017-1436 du 29 septembre 2017 relatif aux
obligations d'information relatives aux avis en ligne de consommateurs)</span></span></span><br /></span><span style="font-family: verdana; font-size: medium;"><br /></span><span face=""Trebuchet MS", sans-serif" style="font-family: verdana; font-size: medium;"><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />February 2018</span><span face=""Trebuchet MS", sans-serif" style="font-family: verdana;"></span></p><p><br /><span face=""Trebuchet MS", sans-serif"></span></p>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-70726166512112586242017-09-04T17:23:00.000+08:002017-09-04T17:25:00.630+08:00Why you should be concerned by the GDPR even if your company is not located in the EU<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnToSbyqR-KQJIFIGD7z3yIc1yStukEQDo0JNqyKNWSLZdJsqj3s8zY8Vr6Ncqt-Cd0qFJ6ZtuLpHSXTjdSLCM81NzpK7Ab-YUKSAWj-nJGfsr9UMRL5awbigdbNeBl3mhUk0CO9E1Nzm/s1600/Donne%25CC%2581es+perso.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="707" data-original-width="1000" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqnToSbyqR-KQJIFIGD7z3yIc1yStukEQDo0JNqyKNWSLZdJsqj3s8zY8Vr6Ncqt-Cd0qFJ6ZtuLpHSXTjdSLCM81NzpK7Ab-YUKSAWj-nJGfsr9UMRL5awbigdbNeBl3mhUk0CO9E1Nzm/s320/Donne%25CC%2581es+perso.jpg" width="320" /></a></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br />The European personal data protection directive of 24 October 1995 applied to data processing carried out by companies, i.e. data controllers, located within the European Union. Data processing activities carried out by data controllers located outside of the EU were generally not subject to the provisions of the European directive as transposed into the national laws of the Member States. (1) With the development of technology and of online services around data, many companies located outside of the European Union, such as Google, Amazon, Facebook or Apple (the “GAFA”) for example, collect and process data from Europeans and “escape” the European regulations, even though data transfers to these American companies can be subject to the Privacy Shield principles.<br /><br />Now, data and more specifically personal data is at the core of the digital economy. It then became necessary to update the European personal data laws to take into account the technology developments that have occurred since the 1995 directive, and assure a high and homogenous level of protection to personal data. This was done with the General Data Protection Regulation (GDPR). This European text was adopted on 27 April 2016 after over four years of intensive debates. It will become applicable on 25 May 2018. (2)<br /><br />One of the purposes of the GDPR is to take into account, cases where several data controllers and/or processors located in different regions in the world are involved in data processing; but also cloud computing and big data services (with servers installed and data collected in several regions); and the activities carried out by the GAFA, so that the personal data of the people living in Europe remain protected regardless of where the data controller is located in the world.<br /><br />The scope of the regulation covers not only businesses in the European Union but also non-EU companies targeting the European market. These non-EU companies are therefore concerned by the GDPR and must get compliant with these new rules.<br /><br /><br /><b>1. The GDPR is applicable in Europe and beyond </b><br /><br />The 1995 directive had to be transposed into national law of the Member States. These national data protection laws did however include differences between the Member States, certain countries having opted for a strict transposition of the European directive, whereas other countries chose a more liberal approach.<br /><br />The GDPR will become enforceable directly in all the European Union. Its provisions will apply almost identically in all the Member States, except for a few provisions which may differ slightly among the Member States. (3)<br /><br />But where the directive had moderate impact outside of the EU, the regulation will apply not only within the EU but will also produce extra-territorial effects, beyond the EU borders. (4)<br /><br /><b> 1.1 Application within the European Union</b><br /><br />The regulation shall apply to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place within the EU. <br /><br />The establishment located in the EU implies the effective and real exercise of activity through “stable arrangements”. However the establishment is not subject to any particular legal form. It may be the headquarters, or a subsidiary or even a branch of a company itself located outside of the Union.<br /><br />The processing may be carried out in or outside the EU. With this provision databases hosted via a cloud computing service can be governed by the GDPR, regardless of where the servers are actually installed in the world.<br /><br /> <b> 1.2 Extra-territorial application</b><br /><br />The regulation shall also apply to processing regarding individuals located in the EU, carried out by a data controller or a processor not established in the Union where the processing activities are related to offering goods (e.g. e-commerce activity) or services (e.g. mobile applications, cloud hosting services) to such data subjects, whether connected to a payment or free of charge.<br /><br />To establish whether the data controller or the processor is actually targeting the European market by proposing goods or services to persons located in the EU, one must gather a number of elements such as the use of a European language or of a currency such as the euro and the fact that the products or services can be delivered in Europe. The mere accessibility of the web site of the company in Europe, or an email address are not sufficient to establish that that company targets the European market. <br /><br />The data processing of persons located in the Union by a company, controller or processor, which is not established in the Union is also subject to the GDPR when the purpose of such processing is to monitor the behaviour of these persons, if such behaviour takes place in the EU. This provision is mainly about online profiling, “<i>particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes</i>.” (5)<br /><br />One should also note that these provisions shall apply to data controllers and to processors. The latter should also take all necessary measures to comply with the GDPR.<br /><br />The GDPR is not limited to controllers and processors located in the European Union. Its geographical scope reaches beyond the EU borders whenever personal data of European data subjects are processed.<br /><br /><br /><b>2. What are the consequences for non-European businesses?</b><br /><br />Companies that have no establishments in the European territory but that target the EU for their commercial activities (see criteria above), and that in doing so collect and process personal data of European subjects will therefore have to comply with the GDPR, the deadline being 25 May 2018.<br /><br /><b> 2.1 The designation of a representative in the Union</b><br /><br />Beyond the GDPR compliance work to be carried out, controllers and processors that have no establishment in the EU must designate a representative in the EU, “in writing”. (6)<br /><br />This representative must be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are located. The representative, as the agent of the controller or processor shall be the point of contact for the supervisory authority and for the data subjects having questions about the processing. The controller and processor shall however remain primarily legally liable with regards to GDPR compliance and its due application.<br /><br />It must be noted that no representative must be designated in the following cases:<br />processing which is occasional,<br />which does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) or processing of personal data relating to criminal convictions and offences referred to in article 10, and<br />and is unlikely to require a privacy impact assessment (PIA) subject to article 35 of the GDPR.<br /><br />Also, non-European public authorities or bodies are not concerned by the designation of a representative.<br /><br /><b> 2.2 The United Kingdom after Brexit</b><br /><br />Once the United Kingdom is no longer a Member State, the European regulation will no longer apply to it. However, the UK government has declared that they wanted to pass a new law, repealing the Data Protection Act 1998 currently in effect, so as to include the GDPR into English law.<br /><br />The purpose of this Bill is to reassure businesses after Brexit, on the ability to keep transferring personal data between the UK and the EU. In doing so, the UK wants to ensure that its Data protection law will be considered as offering an adequate level of protection by the Brussels Commission, allowing businesses to keep transferring personal data between the UK and the EU without restrictions. (7)<br /><br /><b> 2.3 GDPR compliance</b><br /><br />The European regulation includes several new principles and existing rights that were reinforced. These principles and rights must be integrated in the internal procedures of businesses processing personal data of Europeans. This can be a costly, burdensome and time consuming process. These principles can be divided up between the rights of data subjects and the obligations of the controllers and processors.<br /><br />a) <i>The rights of data subjects</i> <br /> - The conditions to obtain <u>consent</u> from the data subjects are reinforced (art. 7): the terms regarding consent must be drafted in clear and explicit language;<br /> - The <u>right to be informed</u> is modified toward more transparency and simplification (art. 12, 13 and 14)<br /> - <u>Data portability</u> (art. 20) permits data subjects to request the controller to recover or to transfer their collected data to a new data controller; <br /> - For online services targeting children (i.e. children below 16, or 13 in certain Member States), <u>processing children data will be subject to the consent or authorisation of the person having parental authority</u>. (art. 8)<br /><br />b) <i>The obligations of the controllers and processors</i><br /> - <u>Automated process and profiling techniques</u> will be regulated. (art. 22) Such process will be authorised under certain conditions and provided the data subject has given his consent;<br /> - According to the <u>accountability principle</u>, the controller must implement clear and accessible internal rules to guarantee and demonstrate compliance with the regulation (art. 5 and 24);<br /> - During the development of new products or services, the controller must include personal data protection by default in the definition of the processing system and within the data process (“<u>privacy by design</u>” principle) (art. 5 and 25);<br /> - The GDRP imposes stronger <u>data protection security rules</u>. <u>Security breaches must be notified</u> by all controllers, regardless of their main activity (art. 5 and 32 to 34);<br /> - A <u>data protection officer</u> (DPO) must be appointed in all companies where the core activities of the controller or processor consist of processing data which require monitoring of data subjects on a “large scale” or processing of specific categories of data on a “large scale” (art. 37, 38 and 39).<br /><br />Finally, the GDPR includes the possibility for the supervisory authorities to impose <u>more stringent sanctions</u>. (art. 83) Depending on the type of infringement, the supervisory authorities can impose administrative fines up to 10 million euros or 2% of the total worldwide turnover of the company during the preceding financial year, whichever is higher, or up to 20 million euros or 4% of the total worldwide turnover of the company during the preceding financial year.<br /></span><span style="font-family: "trebuchet ms" , sans-serif;"> * * * * * * * * * * * * </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><span style="font-family: "trebuchet ms" , sans-serif;"><br /><br /><span style="font-size: x-small;">(1) See article 4 “National law applicable” of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br /><br />(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)<br /><br />(3) For example, each Member State can choose the minimum age for a child to give his/her consent, between 13 and 16 years (art.8).<br /><br />(4) See GDPR, recitals 22 to 24 and article 3 “Territorial scope”<br /><br />(5) Recital 24<br /><br />(6) GDPR, article 27<br /><br />(7) “UK Government announces proposals for a new Data Protection Bill”, in Technology Law Dispatch, 16 August 2017<br /><br />(8) For a more detailed analysis of the GDPR, see our previous articles on this matter: <a href="https://dwavocatit.blogspot.sg/2016/06/new-european-general-data-protection.html">New European General Data Protection Regulation (GDPR): the compliance clock is ticking</a>, <a href="https://dwavocatit.blogspot.sg/2017/08/how-to-prepare-for-gdpr-compliance-and.html">How to prepare for GDPR compliance and be ready by May 2018</a></span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />September 2017</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-54793157819888410192017-08-11T18:59:00.001+08:002017-08-11T18:59:35.872+08:00How to prepare for GDPR compliance and be ready by May 2018<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijv403Cp1jtqWSWdfm1-3KUAt78Rrl2ghmaEqoO6TkRsi04gI2_CbRziksUYUTneTf2B1peOeJKIzibl5ZhwWcITrTZeJvENGOKxMGeuhDb4nRXRh1akCA7WUhGwdhTjASrRo8JWGomI64/s1600/DataPrivacy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1200" data-original-width="1600" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijv403Cp1jtqWSWdfm1-3KUAt78Rrl2ghmaEqoO6TkRsi04gI2_CbRziksUYUTneTf2B1peOeJKIzibl5ZhwWcITrTZeJvENGOKxMGeuhDb4nRXRh1akCA7WUhGwdhTjASrRo8JWGomI64/s320/DataPrivacy.jpg" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: "Trebuchet MS",sans-serif;">The General Data Protection Regulation (GDPR) will come into effect in the European Union in less than a year from now, on 25th May 2018. (1) The GDPR is a thorough and complex reform of data privacy law, which means that companies have to get organised to be compliant and ready by May 2018.<br /><br />There are many differences between the existing European data privacy legal system based on the 1995 Data Protection directive and the new GDPR. Whereas, the 1995 Data Protection directive had to be transposed into the legal systems of each member-state, with national data protection laws which didn’t come into effect at the same time (France transposed the 1995 directive in 2004!) and with some differences between the national data protection laws, the GDPR will apply (almost) identically across the European Union from 25th May 2018.<br /><br />The 1995 Directive was outdated regarding certain processing activities not available at the time, or regarding the development of the role of processors, especially those providing cloud computing services. The GDPR takes into account the evolution of technology and of data processing activities and aims to reinforce the rights of the individuals (data subjects) on their personal data with clearer rules regarding consent for data collection and processing and more stringent obligations on the data controllers and processors.<br /><br />With the GDPR, companies will be subject to a new “accountability” regime. Accountability under the GDPR includes the implementation of new procedures such as the privacy-by-design principle which implies that data privacy must be included into the design stage of a new product or service; data privacy impact assessments when new data processing is likely to result in a high risk for the rights of the data subjects; the obligation to maintain a record of processing activities listing the processing and procedures implemented and the obligation to notify personal data breaches to the supervisory authority (following a security breach or a cyber attack for example).<br /><br />The fines for breaching GDPR obligations will be much higher than before since depending on the nature of the breach, administrative fines may reach between 10 million euros or 2% of the worldwide revenue of the company and 20 million euros or 4% of the worldwide revenue of the company…<br /><br />The data privacy agencies of the member-states, and the members of the Article 29 Working Party (representatives of the data privacy agencies of the member-states) are working actively to help companies get prepared for GDPR. For example, the French data privacy commission (CNIL) has published a plan to help companies get organised to prepare GDPR compliance. And the members of the Article 29 Working Party (WP29) have adopted guidelines providing more detailed information on the new principles of the GDPR.<br /><br /><b><br />1. The compliance plan recommended by the French data privacy commission</b><br /><br />The French data privacy commission (CNIL) has published a plan to help companies work on GDPR compliance. (2) This plan is comprised of six steps, as follows:<br /><br /><i> - Step 1: Appoint a “compliance pilot”</i> <br />Given the complexity of implementing a GDPR compliance plan, an individual - or depending on the size of the organisation, a dedicated task force - should be specifically appointed to drive this phase. This individual, who may be an existing or future data privacy officer (DPO), or an external consultant, shall have several tasks, including informing, advising and consulting the internal teams. He/she should also perform internal audits and should be key in organising and coordinating the compliance tasks to be performed.<br /><br /><i> - Step 2: Map out the processing activities</i><br />The compliance team should carry out an inventory of the data processing activities carried out by the company and record them. This will allow the compliance team to assess the practical impacts of the GDPR on the data processed by the company.<br /><br /><i> - Step 3: Prioritise the tasks to be carried out</i><br />Based on the types of data processing activities, the team will then be able to identify the compliance tasks to be implemented. These tasks should be prioritised, taking into account the risks of the processing on the rights and freedoms of the data subjects.<br /><br /><i> - Step 4: Manage risk</i><br />If the team has identified data processing activities that are likely to generate high risk on the rights and freedoms of the data subjects, a data privacy impact assessment (DPIA or PIA) must be carried out for each such processing. Companies can use the PIA guidelines to help them implement these new procedures (see below).<br /><br /><i> - Step 5: Develop or update your internal procedures</i><br />The company’s internal procedures will have to be updated to be able to apply a high level of protection to personal data. These procedures must protect data at any time taking into account all the events which may happen during data processing (such as a data breach, managing correction or access requests, modification of the data collected, etc.).<br /><br /><i> - Step 6: Document compliance</i><br />To be able to prove that the company complies with the GDPR, the necessary documents must be drafted and regularly updated. These documents shall include the company’s internal procedures, data privacy impact assessment, internal audit reports, etc.<br /><br /><br /><b>2. The Article 29 Working Party guidelines </b><br /><br />The WP29 has published several support documents to help with GDPR compliance. The purpose of these documents is to clarify the new principles that must be implemented by the companies by May 2018. At the end of June 2017, the following guidelines were published:<br /><br /><i> - Guidelines on Data Protection Impact Assessment (“DPIA” or “PIA”) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679</i><br />These guidelines provide details on the types of processing activities that should trigger a privacy impact assessment, the existing methods to carry out a PIA, the rules governing the release of a PIA and/or notification to the supervisory authority and when the supervisory authority should be consulted in case of a potentially risky processing. Typically, a PIA will include the following four features: i) a description of the proposed processing and its purpose; ii) an assessment of the necessity and proportionality of the processing; iii) an assessment of risks to data subjects; and iv) the measures to address the risks and demonstrate compliance with the GDPR.<br /><br />The data protection impact assessment principle is defined under article 35 of the GDPR. PIAs are one of the mechanisms included in the principle of accountability. When performing a PIA, data controllers adhere to the GDPR and can demonstrate that appropriate measures have been developed to ensure GDPR compliance. Failure to carry out a PIA is subject to an administrative fine of up to 10 million euros or 2% of the worldwide revenue of the company for the preceding year.<br /><br /><i> - Guidelines on Data Protection Officers (“DPOs”)</i><br />These guidelines provide details on how a Data protection officer should be appointed, as well as the role and responsibilities of the DPO.<br /><br />Although this role is not new, the appointment of a DPO was not mandatory under the 1995 Directive. To be compliant with the GDPR, certain companies, data controllers and processors, will have to appoint a DPO. The role and responsibilities of the DPO are described under articles 37 to 39 of the GDPR.<br /><br />The DPO allows companies to ensure GDPR compliance (including, for instance, for internal audits, to act as a liaison between the different internal departments, and with the data subjects). However, DPOs are not liable in case of non-compliance to the GDPR. The data controller or the processor are responsible for GDPR compliance and implementation.<br /><br /><i> - Guidelines on the right to data portability</i><br />These guidelines define the data portability principle, identify the main aspects of this new right, identify when this right should apply, define how the rules concerning the data subjects apply to data portability, and define how the data should be conveyed to the data subject or to a new data controller.<br /><br />Data portability is slightly different from the right of access under the 1995 directive. Data portability allows the data subjects to receive the data provided to the data controller in a structured and machine-readable format, and to transfer this data to a new data controller. The right to data portability will typically be used when a consumer switches service providers. The right to data portability is defined under article 20 of the GDPR.<br /><br /><i> - Guidelines for identifying a controller or processor’s lead supervisory authority </i><br />The GDPR set up another new principle: the lead supervisory authority, to take into account transborder data processing.<br /><br />These guidelines identify the supervisory authority competent for transborder processing, especially when the principal place of business of the data controller is different from its European headquarters, when several companies within a multinational group of companies are concerned or when there are several joint data controllers. The issue of data processors is also addressed by the guidelines.<br /><br /><br /> Other guidelines are being developed and should be published before the end of 2017. These include guidelines on certification, guidelines on data privacy breach notifications, guidelines on consent by the data subjects, and guidelines on profiling.<br /> </span></div>
<div style="text-align: justify;">
<span style="font-family: "Trebuchet MS",sans-serif;"> * * * * * * * * * * * * <br /><span style="font-size: x-small;"><br />(1) Regulation (EU) 2016/619 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) <br /><br />(2) Available on the CNIL website (in French)<br /><br />(3) The WP29 Guidelines are available on the CNIL website (in English) : Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679 ; Guidelines on Data Protection Officers (“DPOs”) ; Guidelines on the right to data portability ; Guidelines for identifying a controller or processor’s lead supervisory authority</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />August 2017</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-32009796900779274772017-05-09T16:22:00.001+08:002024-03-15T00:35:34.850+08:00From science fiction to law: the European Parliament proposes a legal framework for robotics<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicKiQ0n8BPLVAQuLoSmaNi6IZlugsqHrtuGhCeNFYa9FWyd0lrSI3ooFSj6scXnetxBh2i4l8Yt8V8f6hUE7s-GeGyG8XaI0lU6CT7G5Z7mS4b3_COQDOeTJpC4gdFXSg-R3Z93zh5Mzrz/s1600/Robotique.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicKiQ0n8BPLVAQuLoSmaNi6IZlugsqHrtuGhCeNFYa9FWyd0lrSI3ooFSj6scXnetxBh2i4l8Yt8V8f6hUE7s-GeGyG8XaI0lU6CT7G5Z7mS4b3_COQDOeTJpC4gdFXSg-R3Z93zh5Mzrz/s320/Robotique.jpg" width="320" /></a></div>
<div style="text-align: justify;">
<span face=""Trebuchet MS",sans-serif">On 16 February 2017, the European Parliament adopted a resolution which includes a series of recommendations to the European Commission regarding civil law rules on robotics. (1) With this document, the Parliament calls on the Commission to submit a proposal for a directive. These recommendations have been under review for two years, a time necessary to conduct a rich and thorough reflection on a multi-faceted matter which will deeply disrupt our civil, industrial and economic societies.<br /><br />Robotics includes not only robots and artificial intelligence (“AI”), but also bots, drones, autonomous vehicles. This area raises ethical and legal questions which must be addressed now at a supranational level, especially since robotics is already present in a number of industries, such as the automotive and electronics industries.<br /><br />The resolution of the Parliament stresses the necessity to define an ethical framework around the development, programming and use of robots, to define a legal framework around robotics to allow a harmonised and legally secured development, and to define new legal liability principles for actions performed by smart robots.<br /><br /><br /><b>1. An ethical framework based on Asimov’s laws of robotics</b><br /><br />Good science fiction has often been predicting the evolution of technology and society. Numerous technology tools appear in our daily environment which are directly inspired from communication “gadgets”, from the Star Trek saga (smart phones and connected things), to motion pictures such as Minority Report and Moneyball (predictive analysis), or 2001, A Space Odyssey and I, Robot (smart robots). (2)<br /><br />Prior to these movies, Isaac Asimov, the famous 20th century science fiction writer, set down the three laws of robotics governing the relationship between man and robot:<br /><i> 1. A robot may not injure a human being or, through inaction, allow a human being to come to harm;<br /> 2. A robot must obey the orders given it by human beings except where such orders would conflict with the First Law;<br /> 3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Laws.</i> (3)<br /><br />These laws have inspired the members of the European Parliament to establish the foundation of their recommendations on a preliminary draft of European civil law on robotics, reminding “<i>the intrinsically European and universal humanistic values that characterise Europe’s contribution to society</i>”. These laws are directed primarily at the designers, producers and operators of robots.<br /><br />Based on these principles, the European Parliament recommends to develop a clear, precise and efficient ethical framework applicable to the design, development, production, use and modification of robots.<br /><br />Robots must serve humanity especially by performing repetitive, difficult or dangerous tasks. But robotics, through its social, medical and bioethical implications also comes with societal risks for humans, including in the areas of liberty, safety, health, privacy and personal data protection, integrity and dignity.<br /><br />This resolution takes a practical approach by integrating a Charter on robotics comprised of a Code of ethical conduct for robotics engineers, a Code for research ethics committees (REC), and licences for designers and for users.<br /><br />The Code of ethical conduct for robotics engineers covers all R&D activities and recalls the strict obligation for researchers and designers to respect the dignity, privacy and safety of humans. This ethical framework should be based on principles of beneficence (robots should act in the best interests of humans), non-maleficence (robots should not harm a human), autonomy (the capacity to make an informed, un-coerced decision about the terms of interaction with robots), and justice (fair distribution of the benefits associated with robotics; affordability of homecare and healthcare robots). The Code also defines principles of fundamental rights, rights of precaution, transparency, safety, reversibility and privacy.<br /><br />The Code for research ethics committees (REC) stresses the principle of independence to avoid conflicts of interest between the researchers and those reviewing the ethics protocol, and between the reviewers and the organisational governance structures. The Code also defines the role and constitution of a research ethics committee and monitoring rules.<br /><br /><br /><b>2. The foundations of a legal framework- to define the notion of “robot” and support the development of cyber technology</b><br /><br />The resolution also includes several recommendations aimed at setting the ground rules of a harmonised European legal framework adapted to robotics. Such legal rules must permit the cross-border use of robots (principle of mutual recognition), thereby avoiding fragmentation of the European market.<br /><br /> - The notion of “smart robot”<br />The Parliament calls on the Commission to propose common definitions within the European Union regarding the notions of cyber physical systems, autonomous systems and autonomous and smart robots, and their sub-categories. A “smart robot” would include the following characteristics:<br />. the acquisition of autonomy through sensors and/or by exchanging data with its environment (inter-connectivity);<br />. self-learning capacity from experience and by interaction;<br />. at least a minor physical support;<br />. the capacity to adapt its behaviour and actions to its environment; and<br />. absence of life in the biological sense.<br /><br />A Community system of registration for certain “advanced” categories of robots could be created for purposes of traceability.<br /><br /> - Intellectual property rights<br />The Parliament draws attention to the necessity to address the issue of intellectual property rights in robotics through a horizontal and technologically neutral approach applicable to the different sectors in which robotics could be used.<br /><br /> - Right to privacy and personal data protection<br />Extending the right to privacy and personal data protection to the relationship between humans and robots is fundamental. Indeed, the robots used by individuals in a domestic environment (autonomous vehicles, domestic robots, care robots and medical robots) will collect and process personal data. These robots will usually be connected, making it easy to analyse and shared the data collected.<br /><br />The Community rules on the right to privacy as well as the provisions of the General Data Protection Regulation (GDPR), especially the rules regarding systems security, must be extended to robotics. However, such rules must be complemented, where necessary, to take into account the specificities of robotics.<br /><br /> - Standardisation, safety and security<br />The development of robotics includes the creation of technical standards that must be harmonised internationally to avoid dividing up the European market, and foster a high level of product safety and consumer protection. Communication between robots shall also require the adoption of open and interoperable standards.<br /><br />To avoid the fragmentation of the European market, testing, certification and market approval in a Member State should be recognised in the rest of the EU. <br /><br /> - Education and employment<br />The development of the use of robots will create a new industrial and societal revolution. Even though its actual impact on employment is not fully known, less skilled jobs will be more severely affected as well as labour-intensive industries. Automation will lead to more flexibility of skills. For that matter, the Parliament calls on the Commission to monitor medium and long-term job trends as a result of the increased use of robots, and to support education to digital skills so as to align the job market with the demand. <br /><br />Finally, the Parliament recommends the creation of a designated EU Agency for Robotics and Artificial Intelligence to provide its technical, ethical and regulatory expertise at the Community and National levels.<br /><br /><br /><b>3. The issue of legal liability: can an autonomous robot be considered as a person responsible for its actions?</b><br /><br />An autonomous robot (having the ability to adapt and learn) can make decisions and implement them independently, which means that its behaviour includes a level of unpredictability. Such autonomy is however merely technical. Also, the more autonomous a robot is, the less it can be considered as a simple tool controlled by a human (manufacturer, operator, owner). Therefore, a specific status - the electronic person - could be created for autonomous robots.<br /><br />The current legal liability rules are not adapted to autonomous robots, which cannot be held liable in case of damages caused to a third party. Under the current state of the law, humans are liable, i.e. the manufacturer (product liability), the operator, the owner or the user of the robot (liability for damages).<br /><br />The Parliament calls for the Commission to review liability laws to determine the regime that will be more adapted to this matter, i.e. either a regime of strict liability (ability to prove the damage, the defect in the robot and the causality between the defect and the damage), or a liability regime based on risk management (ability to manage risk and its consequences).<br /><br />The liability of the parties involved should be proportional to the level of instructions given to the robot and its degree of autonomy (the greater the robot’s autonomy, the greater the responsibility of its trainer). In parallel, a specific insurance system for robots should be created.<br /><br /> As a conclusion, this resolution by the European Parliament manages to provide practical orientations about a very complex matter, especially since we don’t yet know the full extent of the impacts of robotics on our society. This document provides a good overview of the issues raised by robotics. This resolution draws the major trends of a legal framework with a purpose to secure the development of robotics and of its multiple uses. It lays necessary ethical foundations and tries to contain fears related to the consequences of an uncontrolled development of AI. The ball is now in the camp of the European Commission to propose a directive within a reasonable timeframe so that Europe is not overtaken by the evolution of robotics which is happening very fast.<br /><br /><br /> * * * * * * * * * * * * <br /><span style="font-size: x-small;"><br />(1) “European Parliament resolution of 16 February 2017 with recommendations to the Commission on Civil Law Rules on Robotics” (2015/2103(INL))<br /><br />(2) These movies are mostly adapted from books: Minority Report (by Philip K. Dick, published in 1956!); Moneyball (The Art of Winning an Unfair Game, by Michael Lewis, published in 2003); I, Robot (by Eando Binder, published in 1939 and re-written by Isaac Asimov in 1950)<br /><br />(3) Asimov’s three laws of robotics appear in “Runaround”, published in 1942.</span><br /><br /></span><p><span style="font-family: verdana; font-size: x-small;"><span>Photo © ClaudeAI.uk (</span></span><span style="font-size: x-small;"><a href="https://claudeai.uk/ai-blog/" style="-webkit-text-stroke-width: 0px; font-family: Helvetica; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">https://claudeai.uk/ai-blog/</a><span style="-webkit-text-stroke-width: 0px; caret-color: rgb(0, 0, 0); color: black; display: inline !important; float: none; font-family: Helvetica; font-style: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; text-align: start; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><span class="Apple-converted-space"> )</span></span></span></p><br /><span face=""Trebuchet MS",sans-serif">Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />May 2017</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-64074148692775261792016-12-29T16:28:00.000+08:002016-12-29T16:52:00.785+08:00Choosing an out-of-court procedure to recover domain names : a fast and cost effective process<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik6BsOxtMCMSXC1c7jwKnBFzZ_qQu96s4vI7aE-6dGC4SlvChyphenhyphenBOAVbGwNXDmvddAJOVMg9VXJg1ePmpP1gEUK0urUYSYZm-lqpklqeitfdi99teYgZqfv8aEvs0eEb0KGy_1Zt1MekbWN/s1600/domain+names.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEik6BsOxtMCMSXC1c7jwKnBFzZ_qQu96s4vI7aE-6dGC4SlvChyphenhyphenBOAVbGwNXDmvddAJOVMg9VXJg1ePmpP1gEUK0urUYSYZm-lqpklqeitfdi99teYgZqfv8aEvs0eEb0KGy_1Zt1MekbWN/s320/domain+names.jpg" width="320" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Cybersquatting consists in the practice of registering domain names using unauthorized third-party trademarks. The cybersquatter may then try to resell the domain names to their rights owners. Some cybersquatters use these “fraudulent” domain names to redirect online traffic to websites distributing similar competing products or services, while other cybersquatters use these domain names to operate websites selling infringing products or services.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The businesses most affected by cybersquatting are primarily fashion brands, followed by banking and finance services, and internet and IT services.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The rights owners can either enter into legal proceedings or opt for an out-of-court procedure to recover or remove the domain names that include their trademarks. Out-of-court procedures such as the ICANN Uniform Domain-Name Dispute Resolution Policy (UDRP) are now widely used as a fast and cost-effective process to recover domain names.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<b><span style="font-family: "trebuchet ms" , sans-serif;">1. Using the UDRP to recover a domain name</span></b><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The UDRP can be used by rights owners for disputes involving domain names registered abusively using their trademark, and only for domain names with the following generic extensions (gTLDs): .com, .net, .org, but also .aero, .asia, .biz, .cat, .coop, .info, .jobs, .mobi, .museum, .name, .pro, .tel, .travel and new gTLDs. (1)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">UDRP cases are handled by ICANN-accredited dispute resolution organizations, including the WIPO Arbitration and Mediation Center (based in Geneva, with an office in Singapore), the National Arbitration Forum (United States) and the Asian Domain Name Dispute Resolution Center (ADNDRC) (based in Hong Kong, with offices in China, Korea and Malaysia). (2)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">To be admitted, the rights owner’s complaint must meet three cumulative conditions:</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> i) <i>Identical or confusingly similar</i>: the allegedly fraudulent domain name must be identical or similar to a trademark owned by the rights owner and create confusion in the mind of the public/consumers ;</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ii)<i> Rights or legitimate interests</i>: the registrant of the allegedly fraudulent domain name must have no rights on the domain name and no legitimate interest related to that domain name; and</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> iii) <i>Registered and used in bad faith</i>: the allegedly fraudulent domain name must have been registered and used in bad faith.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The proceedings are quite simple and include the following steps: a complaint is filed by the complainant, a response is sent by the respondent, the case is reviewed by an expert panel, the expert panel renders a decision and the decision is executed.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The case is usually handled over a period of 60 days. The administrative charges are reasonable and are usually between USD1,500 and USD5,000. The administrative charges are paid by the complainant unless the respondent requests a panel of several experts, in which case the cost is split between complainant and respondent. However, under this process, the complainant cannot request damages. A UDRP decision will either order the disputed domain names to be removed, transferred to the complainant (rights owner), or the complaint may be rejected if it doesn’t meet the three cumulative conditions mentioned above.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">In its 2016 annual report, the WIPO claims a 10.5% increase in the number of UDRP cybersquatting cases handled concerning 4,364 domain names, compared to the previous year. (3)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b>2. The Moncler case: an example of a cybersquatting case handled through UDRP</b> (4)</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The Moncler case, held in early 2016, is a good example of cybersquatting and how a rights owner can claim back disputed domain names under the UDRP process.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Moncler, an Italian high end fashion sportswear company owns several trademarks, including the Moncler trademark and several domain names including moncler.com.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Three Chinese individuals had registered fifty domain names including the Moncler trademark (<monclersaleie.com>, <monclersaleireland.com>, <ukmoncleroutlet.com>, <outletmoncleruk2015.com>, <moncleroutletbest.com>, etc.). Most of these domain names led to websites using the same format, wording and pictures from the Moncler official website and selling counterfeit goods. Other domain names led to parking pages offering pay-per-click links, some of which leading to competitors’ websites.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Moncler filed a UDRP complaint with the WIPO Arbitration and Mediation Center to claim back the infringing domain names.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The case was reviewed by the WIPO panel according to the three conditions of the UDRP :</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">- After confirming Moncler’s rights in the Moncler trademark, the panel found that each disputed domain name contained the full Moncler trademark. The panel held, citing a previous case, that “The fact that a domain name wholly incorporates a complainant’s registered mark is sufficient to establish identity or confusing similarity for purposes of the Policy.”</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Most of the disputed domain names also included the word “outlet” which, used with the trademark, was confusingly similar to that trademark.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">- Moncler argued that the respondents had no rights or legitimate interests in respect of the Moncler domain names. The respondents had not been authorized to include the Moncler trademark in the domain names or to make any other use of the trademark, and they were using the domain names to sell counterfeit goods online and to refer to activities in competition with Moncler’s activities.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The panel found that the complainant had established its prima facie case. Without any evidence from the respondent to the contrary, the panel held that the complainant had satisfied the second element of the policy.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">- The third element of the Policy is whether the domain name was registered and used in bad faith. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Moncler argued that the domain names were used in connection with websites offering counterfeit goods for sale, that the domain names were used in connection with PPC websites (parking pages) containing links to Moncler’s competitors and that by registering 50 domain names using the Moncler trademark, the respondents had engaged in a pattern of conduct that also constituted bad faith. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The panel held that the complainant had satisfied the third element of the policy.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Therefore, the Panel decided that the complainant had met the three conditions of the policy and ordered that the disputed domain names be transferred to Moncler.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">The decision was issued on 18 January 2016, less than six weeks after the complaint was filed with the WIPO Arbitration and Mediation Center.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> In conclusion, the UDRP process allows to resolve trademarks vs. domain names disputes within a few weeks and for a lesser cost than a full legal procedure. This process is also often used for international cases, when complainant and respondent are located in different jurisdictions. With a UDRP decision, the complainant may get the disputed domain names removed or transferred, without an exequatur process, which would usually be necessary to get a court decision recognized and enforced in another jurisdiction.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">However, as mentioned above, a UDRP complaint cannot include a claim for damages and the administrative costs are usually borne by the complainant. UDRP decisions are final, with no appeal process. This is the reason why complainants often choose to file legal proceedings in addition to a UDRP process, and claim damages especially if several domain names are involved and if they also have an intellectual property claim (such a the sale of counterfeit goods), an e-reputation claim or a fraud claim. </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> * * * * * * * * * * * </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><span style="font-size: x-small;"><br /><span style="font-family: "trebuchet ms" , sans-serif;"></span><br /><span style="font-family: "trebuchet ms" , sans-serif;">(1) See www.icann.org, Domain Name Dispute Resolution Policies. </span><br /><span style="font-family: "trebuchet ms" , sans-serif;"></span><br /><span style="font-family: "trebuchet ms" , sans-serif;">(2) Country domain names (ccTLDs) disputes can also be filed with the WIPO Arbitration and Mediation Center under their Domain Name Dispute Resolution Service. Not all ccTLDs are concerned though (see http://www.wipo.int/amc/en/domains/cctld/). Also, for .fr domain names, Afnic, the French registrar and country code manager has launched a domain names dispute resolution policy in 2011 called Syreli (https://www.syreli.fr/)</span><br /><span style="font-family: "trebuchet ms" , sans-serif;"></span><br /><span style="font-family: "trebuchet ms" , sans-serif;">(3) Report of the Director General to the 2016 WIPO Assemblies</span><br /><span style="font-family: "trebuchet ms" , sans-serif;"></span><br /><span style="font-family: "trebuchet ms" , sans-serif;">(4) WIPO Arbitration and Mediation Center, Administrative Panel Decision, Moncler S.p.A. v. Yao Tom, Lee Fei & Geriy Wang, Case n°D2015-2244</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Bénédicte DELEPORTE</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Avocat</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Deleporte Wentz Avocat</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">www.dwavocat.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">December 2016</span>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-61680427707392336342016-11-29T17:50:00.000+08:002016-12-04T17:53:22.590+08:00ICANN - The end of the US administration oversight on the internet <div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPX359hkOKOPnUT8qMN2MednyGj1IO33HoRKxv779A1asI_-nUhlPoCKv9KfRxvv8IU7g2jiVgaM4C_wBs9UHNAflXFLXaS_jCjLScHYRmWLLB4vgqSU5JoZcB-4GyNsp2QLRTGjRTE4zN/s1600/Internet.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPX359hkOKOPnUT8qMN2MednyGj1IO33HoRKxv779A1asI_-nUhlPoCKv9KfRxvv8IU7g2jiVgaM4C_wBs9UHNAflXFLXaS_jCjLScHYRmWLLB4vgqSU5JoZcB-4GyNsp2QLRTGjRTE4zN/s200/Internet.jpg" width="200" /></a></div>
<br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: "Trebuchet MS",sans-serif;">The Internet Corporation for Assigned Names and Numbers (ICANN) is a US-based not-for-profit public-benefit corporation which includes participants from all over the world. ICANN’s role has been to manage internet governance and to coordinate the global internet's systems of unique identifiers (allocation and assignment of domain names, internet protocol (IP) addresses and autonomous system numbers) and to facilitate the coordination of the operation and evolution of the Domain Name System (DNS) root name server system. (1)<br /><br />Despite last minute blocking attempts by several US Congressmen, including Texas Senator Ted Cruz, the NTIA contract (National telecommunications and information administration) for the stewardship of ICANN expired on 30 September 2016.<br /><br />From now on, ICANN will be supervised by the private sector represented by the “Global Internet Community”. The new ICANN governance model is based on the integration of stakeholders from a variety of horizons: corporations, professors, technical experts, members of the civil society, government representatives, etc.<br /><br />According to Ed Black, President and CEO of the Computer and Communications Industry, the transition process to ensure long term internet stability and perpetuate an open internet - which has direct repercussions on the US economy and national security, should be carried out to completion. However, for those against such transfer, the end of the NTIA supervision creates a risk to see ICANN be a victim of undue influence or any appropriation by governments, multilateral or intergovernmental organizations, or commercial or non-commercial stakeholders jeopardizing freedom on the internet. <br /><br />ICANN assures that the users will experience no change in their internet use after the transition.<br /><br /> * * * * * * * * * * * * <br /><br /><span style="font-size: x-small;">(1) See the Icann website at <a href="http://www.icann.org/">www.icann.org</a> and the Digital watch website at <a href="http://digitalwatch.giplatform.org/">digitalwatch.giplatform.org</a>, and the page on IANA transition and ICANN accountability</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />December 2016</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-15614910098046129042016-06-21T22:12:00.000+08:002016-06-21T22:12:43.932+08:00New double tax convention between Singapore and France: when does the withholding tax apply to French companies for services performed in Singapore?<div style="text-align: justify;">
<span style="font-family: "Trebuchet MS",sans-serif;">A foreign company providing services - including consulting services, software or web development services, cloud services, etc. to a company based in Singapore (i.e. a Singapore company or a foreign company with a permanent establishment in Singapore) is in principle subject to a withholding tax of 15% in Singapore. (1)<br /><br />This withholding tax applies if the service is performed by the foreign company in Singapore. If the service is performed outside of Singapore, and the resulting work product is then sent to Singapore or made available to a Singapore company, then no withholding tax applies.<br /><br />The withholding tax may be reduced, or even avoided if there is a tax treaty between Singapore and the country of the company providing services. <br /><br />Singapore has signed several such double taxation avoidance conventions with foreign countries, including France.<br /><br />A new convention for the avoidance of double taxation between Singapore and France entered into force on 1st June 2016, replacing the previous convention dated 9 September 1974. (2)<br /><br />For example, for French IT companies providing services to Singapore companies, the application of the double taxation avoidance convention means that, provided that the French service company does not have a permanent establishment in Singapore (as defined in article 5 of the Convention), then the full revenue earned and invoiced by the French service company will be taxed in France and Singapore shall not tax this revenue. The Singapore company paying fees to the French company will not have to apply withholding tax, provided these conditions are met. (3)<br /><br />Singapore is an important trading partner for France and a growing number of French companies choose Singapore, often as a hub and a gateway to the ASEAN market, to develop their activity into Asia. The renewal of this double tax convention between the two countries should be an incentive for bilateral business relationships to further develop and thrive.<br /><br />For any specific questions about tax, withholding tax, VAT or GST, we recommend to consult a tax lawyer.<br /><br /><br /> * * * * * * * * * * * <br /><br /><span style="font-size: x-small;">Note: in this short article, we focus on service companies and withholding tax. However, the Convention encompasses many more tax issues, not addressed here.<br /><br />(1) The applicable rate depends on the service provided and nature of payment. For more details, check the Inland Revenue Authority of Singapore at www.iras.gov.sg<br /><br />(2) Convention between the Government of the Republic of Singapore and the Government of the French Republic for the avoidance of double taxation and the prevention of fiscal evasion with respect to taxes on income, concluded on 15 January 2015 and entered into force on 1st June 2016. The previous convention was concluded on 9 September 1974 and entered into force on 1st August 1975.<br /><br />(3) See article 7 §1 of the Convention (“Business Profits”)</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />June 2016</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-42605837602508095872016-06-10T16:45:00.000+08:002016-06-10T16:45:57.971+08:00New European General Data Protection Regulation (GDPR): the compliance clock is ticking<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF5mWnj-Ewsbk3e5hRtnbgo9S8L-2HTv50yj4q3186QjTKA938R1eA0HY8dUzQPkycdQIlSjZ5sQ9zKJQFgv1sa13PwXG1mJ3ZBKPjXnNWdkm6W9ORorG-jo9i6dhhe1sKdsejELmHY_xd/s1600/Donne%25CC%2581es+perso.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF5mWnj-Ewsbk3e5hRtnbgo9S8L-2HTv50yj4q3186QjTKA938R1eA0HY8dUzQPkycdQIlSjZ5sQ9zKJQFgv1sa13PwXG1mJ3ZBKPjXnNWdkm6W9ORorG-jo9i6dhhe1sKdsejELmHY_xd/s320/Donne%25CC%2581es+perso.jpg" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="font-family: "Trebuchet MS",sans-serif;">After over four years of debates at the European level, the General data protection regulation (GDPR) was finally passed on 27 April 2016. The new regulation will apply in all the European member states in two years, as from 25 May 2018. (1) The compliance countdown is now running for all organisations processing personal data.<br /><br />The GDPR is part on a more global reform of European data protection law - the “data protection package”, which also includes a directive on data transfers for policing and judicial purposes, i.e. personal data processed by the European police and judiciary authorities.<br /><br />The GDPR will repeal Directive 95/46/EC of 24 October 1995 on the protection of personal data. The new text will be the base of our regulation of personal data protection in Europe, with a single set of rules (with a few exceptions).<br /><br />The regulation is based on existing data protection law. The main principles regarding the processing of personal data, such as the principles of lawfulness, fairness and transparency of the data process, the principles of specified and legitimate purpose, of adequacy of the process, of data conservation for a limited duration and of data security are preserved. (art. 5) But because of the technical and behavioural evolutions that have occurred in our society since the 1995 Directive, it was important to adapt and complement the existing principles and implement more homogenous rules within the European Union. This is however a complex text comprised of 173 recitals and 99 articles, when the directive included only 34 articles.<br /><br />We summarise below the main provisions of the GDPR regarding the rights of natural persons, followed by the rights of corporations (as data controllers or processors).<br /><br /><br /><b>1. The rights of natural persons under the GDPR</b><br /><br />Several provisions of the GDPR reinforce the existing rights on the data of natural persons (“data subjects”). We identified the major evolutions as follows:<br /><br /> - The conditions to obtain consent from the data subjects are reinforced (Art. 7): the terms regarding consent must be drafted in clear and explicit language. The data subject must be able to withdraw his consent at any time. The burden of proof of obtaining the data subject’s consent rests on the data controller who must be able to show that the data subject did give his consent to the process.<br /><br /> - The right to be informed is modified toward more transparency and simplification (art. 12, 13 and 14): the information must be concise, clear, intelligible and easily accessible. It must be drafted in clear and legible terms, especially when targeting children.<br /><br /> - The GDPR confirms the “digital right to be forgotten” (or right to erasure) as defined by the European court of justice (ECJ) in the Google Spain decision of 13 May 2014. (art. 17) The data subject can request the controller to erase his personal data without undue delay. Data erasure is however subject to certain conditions -including regarding the right to information, and is not automatic. These conditions and limitations to the right to be forgotten have been further defined since 2014 by subsequent case law.<br /><br /> - Data portability is a new right for the data subjects. (art. 20) Except in certain situations, data subjects can request the controller to recover or to transfer their collected data to a new data controller (e.g. transfer to a similar service proposed by a competitor). To prevent blocking or circumventing this obligation, the controller must transfer the data in a structured, commonly used, machine-readable format.<br /><br /> - Finally, the GDPR includes the principle of specific data protection rules for children below 16 years of age. (art 8) Children are intensive users of internet services (social networks, chat, SMS, MMS) but are not necessarily aware of the concept of personal data and of how their data can be used by third parties. The GDPR identifies children as a distinct category of data subjects and recognises the need to provide specific protection to their data. The 38th recital provides that children must receive specific protection from organisations using their personal data for marketing purposes or user profile set ups. For online services targeting children (i.e. children below 16, or 13 in certain member states), the processing of children data will be subject to the consent or authorisation of the person having parental authority. The controller must implement “reasonable” means, taking into account available technology, to ensure the effectiveness of such parental consent.<br /><br /><b><br />2. The rights of data controllers and processors under the GDPR</b><br /><br />Regarding the rights of the controllers and processors (corporations and any organisation processing personal data), we note a tendency toward simplification of formalities, but also toward more stringent obligations. Also, the level of the financial penalties was raised substantially. The major evolutions are as follows:<br /><br /> - Automated process and profiling techniques - which are used increasingly with big data projects for example, will be regulated. (art. 22) Such process will be authorised under certain conditions and provided the data subject has given his consent.<br /><br /> - According to the accountability principle, the controller must implement clear and accessible internal rules to guarantee and demonstrate compliance with the regulation on process inventory, security, and if applicable, compliance with the preliminary formalities and with the appointment of a data protection officer. (art. 5 and 24)<br /><br /> - During the development of new products or services, the controller must include personal data protection by default in the definition of the processing means and within the data process (“privacy by design” principle). (art. 5 and 25) <br /><br /> - The GDPR creates a new “joint controllers” concept (art. 26), to take into account the technical evolutions, especially with cloud computing services under which the entity collecting the data no longer controls the technical data process. Two data controllers may then co-exist, i.e. the entity collecting and using the data, and the entity which determines the technical means of the data process (often the hosting service provider or the cloud service provider, as a subcontractor of the data collector/controller). In case of joint liability, the joint controllers must define the respective scopes of their liability in performing their obligations, especially concerning the data subjects. The liability of the subcontractor is now acknowledged at the same level as its client’s.<br /><br /> - The GDPR withdrew the preliminary filing obligation for new data processing (art. 30) except for data transfers outside of the European Union which are subject to a specific regime. In return, the controller must (i) either keep an internal record of processing activities listing the data process implemented, (ii) or consult the supervisory authority prior to launching a new data process if such process requires an impact assessment and includes specific risks.<br /><br /> - The GDRP imposes stronger data protection security rules. Security breaches must be notified by all controllers, regardless of their main activity. (art. 5 and 32 to 34) For example in France, this notification duty is currently limited to communications operators and to “vitally important operators” (OIV) i.e. operators of critical infrastructures or services. <br /><br /> - A data protection officer (DPO) must be appointed in all companies where the core activities of the controller or processor consist of processing data which require monitoring of data subjects on a “large scale” or processing of specific categories of data on a “large scale”. (art. 37, 38 and 39) The data protection officer (which in France will replace the current “correspondant informatique et libertés” - CIL) must be a competent law and personal data protection professional. This person may be employed by that organisation or be a third party consultant.<br /><br /> - The rules regarding data transfers outside of the European Union won’t change substantially. (art. 44 to 50) As a principle, all data transfers outside of the EU remain prohibited. This prohibition may be waived for transfers to a third country offering an adequate level of protection, as defined by the European Commission and for transfers to companies in third countries, provided one of the available contractual tools has been implemented between the exporting controller and the importing processor (EU model contractual clauses, Binding corporate rules (BCRs) or code of conduct). It is still unclear whether existing adequacy decisions will be upheld for all third countries currently listed. Since the GDPR includes new and more stringent provisions, the Commission may decide to reassess whether these countries are still providing an adequate level of protection under the new Regulation.<br /><br /> - Companies that operate in several member states will designate a supervisory authority as the lead competent authority, for cross-border processing and to handle complaints. (art. 56) This lead supervisory authority shall be the authority of the seat of the main establishment, construed as the place where the main decisions regarding the data process purpose, conditions and means are made.<br /><br /> - The GDPR includes the possibility for the supervisory authorities to impose more stringent sanctions. (art. 83) Depending on the type of infringement, the supervisory authorities can impose administrative fines up to 10 million euros or 2% of the total worldwide turnover of the company during the preceding financial year, whichever is higher, or up to 20 million euros or 4% of the total worldwide turnover of the company during the preceding financial year.<br /><br />Finally, the GDPR will apply not only within the European Union, but will also produce extra-territorial effects. (art. 3 and 27) The GDPR will apply:<br /> - to controllers located within the European Union, whether or not the data process is performed in the EU, and <br /> - to the data of EU citizens and residents processed by a controller or a processor (subcontractor) located outside the EU, if the products or services target the European market. Certain non-European companies may then have to comply with the GDPR. <br /><br /><br />Businesses should use this two-year transition period to work on their legal and operational compliance with the GDPR. This compliance exercise should include a legal review of their existing commercial terms and conditions and privacy policies applicable to their products and services, and a review of their internal corporate privacy policies. Certain types of data process will also require technical and/or operational review and upgrade (such as collecting the proof of consent by the data subject, especially for the processing of children’s data). <br /><br /><br /> * * * * * * * * * * * *<br /><br /><br /><span style="font-size: x-small;">(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General data protection regulation)</span><br /><br />Bénédicte DELEPORTE – Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />June 2016</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-88305886822767402742016-04-20T14:29:00.000+08:002016-04-20T14:41:24.449+08:00Legal requirements applicable to importing or exporting encryption software and equipment in/from France<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFnKke4u3rD4sYkVz-Tk4EQgNUsuMbGgvo-BGG4m39CvwXwz-3U95OVrgxPSeSwczTUNZwRusNue3CpPpWkYLRYQ_bIl5YFrbWpEGxhp9rtDnMtIET1OoEAfmQqGE15VHxgRxDWPQT0sS/s1600/encryption-image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaFnKke4u3rD4sYkVz-Tk4EQgNUsuMbGgvo-BGG4m39CvwXwz-3U95OVrgxPSeSwczTUNZwRusNue3CpPpWkYLRYQ_bIl5YFrbWpEGxhp9rtDnMtIET1OoEAfmQqGE15VHxgRxDWPQT0sS/s320/encryption-image.png" width="320" /></a></span></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Cryptography is part of our daily digital life: from online communication, through e-commerce, to online banking. Encryption ensures secure data transfers and storage, with data confidentiality, authentication requirements and data integrity. However, data encryption is used in very diverse situations, whether for civil or for military purposes, for legal but also for illegal purposes.<br /><br />In France, although the Digital Economy Act (“Loi pour la confiance dans l’économie numérique”, aka “LCEN”) of 21 June 2004 introduced more flexibility for the use and supply of means of cryptography, importing or exporting encryption software or services in or from France remains regulated. (1)<br /><br />The law distinguishes between the use and provision (including transfer, import and export) of means of cryptography and the provision of cryptography services. Means of cryptography are usually classified a dual use encryption products, i.e. technologies which can be used for both civil and military purposes. The provision of means of cryptography and of cryptography services remains regulated, even if certain areas are now exempted from any form of declaration or authorisation.<br /><br /><br /><b>1. The provision of means of cryptography</b><br /><br />The law defines “<u>means of cryptography</u>” as follows: “a means of cryptography (moyen de cryptologie) includes any hardware or software designed or modified to alter data, whether information or signals, through secret conventions (keys or encryption algorithms) or to proceed to the reverse operation with or without a secret convention. The main purpose of such means of cryptography is to safeguard the security of data storage or of data transmission to ensure its confidentiality, authentication or integrity check.” (art 29 of the Digital Economy Act)<br /><br />The law states the general principle of freedom to <u>use</u> means of cryptography. <br /><br />The law distinguishes between:<br /> - the provision of means of cryptography <u>ensuring exclusively</u> functions of authentication and integrity checks. Such means may be provided without restriction, including if the means of cryptography are exported to or imported from an EU member state or to/from third countries; and<br /> - the provision of means of cryptography <u>not ensuring exclusively</u> functions of authentication and integrity checks (including means ensuring data confidentiality). The provision of such means and their import is subject to a prior declaration to, or authorisation from ANSSI (Agence nationale de la sécurité des systèmes d’information - the government agency in charge of cybersecurity). <br /><br />Declarations are acknowledged within one month from submission to ANSSI, and within four months for requests for authorisation. These timeframes may be extended if the submitted file is incomplete or if ANSSI has additional questions on the filing.<br /><br />Declarations of means of cryptography are also valid for the intermediaries of the supplier (party having filed the declaration), i.e. the distributors of the means of cryptography. A single declaration is therefore sufficient and can be used by the supplier’s distributors.<br /><br />The provision and export of means of cryptography not ensuring exclusively functions of authentication and integrity checks is subject to an authorisation from ANSSI filed by the supplier of the means of cryptography and to an export license from SBDU (Service des Biens Double Usage) filed by the party exporting the means of cryptography. (2)<br /><br />Authorisations are granted for a maximum term of five years, at the end of which, a new request must be filed.<br /><br />Certain categories of means of cryptography may be exempted from prior declaration if their technical characteristics or conditions of use are such that their provision, transfer from a member state or import doesn’t challenge the interests of national defense or of the internal and external security of the State. These categories are identified by decree. They include the provision of equipment to the public, the provision of broadcasting or television equipment, mobile radio communication, mobile telephone equipment which cryptographic coding or encryption is not accessible by the user. The provision of cryptography services not consisting in delivering electronic certificates is also unrestricted. (3)<br /><br />The Prime Minister can prohibit the release and distribution of a supplier which does not comply with the requirements listed under article 30 of the Digital Economy Act (i.e. prior declaration or request for authorisation). Such prohibition would also include the distributors of the means of cryptography and the equipment used with the means of cryptography.<br /><br />Suppliers not complying with the prior declaration or request for authorisation requirements may incur criminal penalties, including a maximum fine of €15,000 and one year imprisonment.<br /><br />Exporting a means of cryptography without the required authorisation is subject to a maximum fine of €30,000 and two years imprisonment.<br /><br /><b><br />2. The provision of cryptography services</b><br /><br />The law defines “<u>cryptography services</u>” as follows: “a cryptography service (prestation de cryptologie) includes any process used to implement a means of cryptography, on behalf of a third party.” (art 29 of the Digital Economy Act)<br /><br />The provision of cryptography services must be declared to ANSSI. The exemptions to such declaration are similar to the exemptions for means of cryptography (see above).<br /><br />The entities providing cryptography services are subject to a duty of professional secrecy (“secret professionnel”). Professional secrecy is defined in article 226-13 of the French criminal code, which provides that “the disclosure of secret information by a person who is entrusted either because of his status or his profession, because of a function or a temporary mission, is subject to one year imprisonment and a maximum fine of €15,000.”<br /><br />These entities are fully liable for damages caused to the entity or person on behalf of whom they manage the secret conventions in case of breach of the integrity, confidentiality or availability of the encrypted data.<br /><br />The entities providing electronic certificates are liable for the damages caused to the persons who relied on the certificates presented as “qualified” (art. 33 of the Digital Economy Act). These entities must contract an insurance policy sufficient to cover the risks related to their activity.<br /><br />Pursuant to article 31 of the French Digital Economy Act, the provision of cryptography services for confidentiality purposes without the required prior declaration is subject to two years imprisonment and a maximum fine of €30,000.<br /><br /><br />Importing or exporting encryption software or services in/from France remains a complex matter. The supplier must first check whether the means or service is exempted or subject to a regulatory prior declaration or authorisation from ANSSI, then take into account the delays in obtaining a declaration certificate or an authorisation to distribute the software or application, or to provide a cryptography service. Suppliers or importers who breach these legal requirements may incur severe criminal charges. <br /><br /> * * * * * * * * * * * * <br /><span style="font-size: x-small;"><br />(1) Loi n°2004-575 pour la confiance dans l’économie numérique, 21 June 2004 - LCEN (French Digital Economy Act). The provisions regarding cryptography are enacted under articles 29 et seq.<br /><br />(2) The supplier filing a declaration or requesting an authorisation must submit a file to ANSSI. The format and content of the file are listed in an administrative ruling (Arrêté) dated 29 January 2015<br /><br />(3) Decree No 2007-663 dated 2 May 2007</span><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />April 2016</span>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-80438533727860245662016-03-22T21:38:00.000+08:002016-04-20T17:51:30.508+08:00Personal data transfers from the EU to the US: a new Privacy Shield to replace the Safe Harbor principles<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3YOt4Uxscnoeu3Soks_FwBVwwFDNRigXT761lp75ecC-DRT4BreIfrhxQP1T-XKJUny7KM6euncbXVAelfA2ti9lgl662m7t27mGNVvJFawAVj4eHudrsDM-pLhVSy_zmPYjiIVBlk9Rv/s1600/Privacy-Shield.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3YOt4Uxscnoeu3Soks_FwBVwwFDNRigXT761lp75ecC-DRT4BreIfrhxQP1T-XKJUny7KM6euncbXVAelfA2ti9lgl662m7t27mGNVvJFawAVj4eHudrsDM-pLhVSy_zmPYjiIVBlk9Rv/s320/Privacy-Shield.jpg" width="320" /></a></span></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">The 1995 European directive on personal data protection allows companies to transfer personal data between Member States without restrictions. (1) However personal data transfers outside of the European Union are prohibited, except to a limited number of countries providing an adequate level of protection (such as EEA Member States and countries ensuring an adequate level of protection subject to a decision from the European Commission). The Safe Harbor principles provided the legal framework for data transfers to the US.<br /><br />In its ruling dated 6 October 2015, the Court of Justice of the European Union (CJEU) decided to cancel the Safe Harbor privacy principles. (2) Since July 2000, European companies working with US companies adhering to Safe Harbor could transfer personal data legally to the United States. Such data transfers occur between companies belonging to a multinational group located on both sides of the Atlantic, or between a European client company and a service company located in the US (e.g. a US hosting company, a cloud service company or a company providing any types of data management services). With the cancellation of Safe Harbor, personal data can no longer be transferred legally from the EU to the US under these privacy principles.<br /><br />The European Commission and the United States have been negotiating to set up a new privacy framework to better protect personal data transfers of the European citizens to the United States. The goal of the Commission was to reach an agreement on a “2.0 Safe Harbor” before the end of January 2016. (3) An agreement was reached at the beginning of February 2016 and on 29 February, the text of the EU-US Privacy Shield was released.<br /><br />We describe below the main principles applicable to the new Privacy Shield framework and recall the other legal “tools” available for European companies which have to transfer personal data to the United States.<br /><br /><br /><b>1. The main principles of the EU-US Privacy Shield framework</b><br /><br />The text of the new EU-US Privacy Shield framework regarding personal data transfers between the European Member States and the United States was published on 29 February 2016. (4)<br /><br />The purpose of the Privacy Shield framework is to provide protection principles for the personal data of the European citizens transferred to the United States, equivalent to the principles applicable within the European Union. More specifically, with the Privacy Shield, the authorities wanted to fix the issues identified with the Safe Harbor principles and put an end to the mass surveillance practice developed by the US National Security Authority (NSA), disclosed by Edward Snowden in 2013. <br /><br />The Privacy Shield principles include the following rights which are similar to the rights issued form the EU privacy regulation: <br /> - a) <i>notice</i> to the data subject regarding the data processed by the organization, details about the data processed and how to contact the company with enquiries and complaints; <br /> - b) <i>choice</i> to opt out if the data is to be disclosed to a third party or used for a purpose which is different from the original purpose when the data was collected. Sensitive data process is subject to an opt in consent from the data subject; <br /> - c) <i>accountability</i> for onward transfers to a third party; <br /> - d) <i>security</i> of the data process against loss, misuse, unauthorized access, disclosure, alteration and destruction; <br /> - e) <i>data integrity</i> and purpose limitation. As in the EU, personal data collected must be limited to data relevant for the purpose of the processing being carried out; <br /> - f) <i>access</i> by the data subjects to their personal data to ensure that they can correct, amend or delete their data; <br /> - g) <i>recourse</i>, enforcement and liability mechanisms for individuals affected by non-compliance with the Privacy Shield.<br /><br />The main provisions of the Privacy Shield framework, which differ from the Safe Harbor principles, can be summarized as follows:<br /><br />- Companies will adhere to the Privacy Shield through self-certification. These organizations will be subject to strict compliance obligations. The US Department of Commerce will monitor and verify compliance by the companies which have registered. Companies adhering to the Privacy Shield principles must publicly declare their commitment to comply with the Privacy Shield, disclose their privacy policies (which must be in line with the Privacy Shield principles), and implement the Privacy Shield.<br /><br />- Access to personal data by the US authorities will be regulated and only allowed for specific purposes, including law enforcement and national security. General access to data is prohibited.<br /><br />- Several legal redress mechanisms are included in the new arrangement. Such legal recourse rights will be available to European as well as US citizens. One of the issues raised with Safe Harbor was that the European citizens had not legal recourse in the US if a US company using their data and adhering to Safe Harbor did not comply with its legal obligations. From now on, European citizens will have the option among several legal recourse mechanisms in case of personal data misuse:<br /> (i) <i>Mediation</i>: a mediation service through an Ombudsperson mechanism, independent from the US security services, will be set up within the US Department of State;<br /> (ii) <i>Complaints to the US data processor</i>: individuals will be able to send a claim to the US companies adhering to the Privacy Shield for problems regarding their personal data. Companies will have to respond to such claims within 45 days;<br /> (iii) <i>Claims to the national supervisory authority</i>: individuals will be able to send a claim to their national supervisory authority (such as the ICO in the UK or CNIL in France). Each national data supervisory authority will communicate with the Department of Commerce and the Federal Trade Commission (FTC) so that the claims are actually processed and settled;<br /> (iv) <i>Alternative dispute resolution</i>: an out-of-court settlement mechanism will be available, free of charge;<br /> (v) <i>Arbitration</i>: an arbitration mechanism will be available as a last resort by a Privacy Shield panel.<br /><br />US companies may also choose to comply with the advice and guidelines issued by the national supervisory authorities. Companies processing human resources data will however have to comply with such guidelines. <br /><br />The Department of Commerce will maintain an updated list of current companies adhering to the Privacy Shield and a list of companies which have left the Privacy Shield arrangement.<br /><br />- Finally, the Privacy Shield framework includes an annual joint review mechanism between the European Commission and the US Department of Commerce, and national surveillance experts working with the US and European data protection authorities. The purpose of this annual reassessment exercise will be to check the effectiveness of the Privacy Shield and the actual compliance regarding access to personal data for law and order and national security purposes. <br /><br />The main differences between Safe Harbor and the new Privacy Shield principles are the rights of recourse by the European citizens who feel that their personal data has been misused, a strong commitment by the US authorities regarding supervision and enforcement, and a joint annual review process between the EU and US authorities.<br /><br />However, this new privacy framework is not yet in effect. The European Commission must issue its adequacy decision on the new EU-U.S. the new Privacy Shield, pursuant to article 31 of the 1995 directive on the protection of personal data. The adequacy decision means that the safeguards provided when personal data are transferred under the Privacy Shield are equivalent to data protection standards in the EU. Indeed, absent such adequacy decision, European companies cannot yet transfer personal data to US companies unless an alternative contract is in place. The legal adequacy assessment of the EU-US Privacy Shield will be conducted by the article 29 working party (art. 29 WP - representatives of the national data protection authorities of the Member States).<br /><br />Meanwhile, European companies that must transfer personal data to the United States may still use the other existing legal tools available for transborder data transfers.<br /><br /><br /><b>2. The other legal “tools” available to transfer personal data to the US</b><br /><br />Until the Privacy Shield adequacy decision of the European Commission is released, the European companies which must transfer data to the United States must implement alternative legal tools. (5)<br /><br />As experienced with the October 2015 CJEU ruling cancelling Safe Harbor, and with the new annual joint review mechanism of the Privacy Shield, companies adhering to such privacy frameworks are no longer assured of a stable long-term privacy protection environment for their transborder data transfers. The existing legal options are strong and stable alternatives to the Privacy Shield.<br /><br />Three options are available : the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs).<br /><br />The <i>EU Standard contractual clauses</i> (SCC) are relatively easy to implement subject to identifying the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended by the parties, the document will have to be approved by a national data protection authority.<br /><br />The <i>ad hoc contractual option</i>, is a contract drafted by the parties and adapted to the data process under consideration. This may be the best option. An ad hoc contract is indeed more flexible and adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from a national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).<br /><br />Lastly, the <i>Binding Corporate Rules</i> (BCRs) option can only be used within a multinational group of companies. BCRs are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted and approved by a national authority prior to being rolled out within the group of affiliated companies. However, once the BCRs are approved and rolled out, this system is then a stable option.<br /><br /><br />As a reminder, penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. This includes data transferred to the United States under the Safe Harbor principles, which are no longer valid.<br /><br /> * * * * * * * * * * * * <br /><br /><span style="font-size: x-small;">(1) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data <br /><br />(2) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner<br /><br />(3) European Commission - Press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case” : and see our article “Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU”, published on this blog in December 2015<br /><br />(4) European Commission - Press release dated 29 February 2016 “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents the EU-U.S. Privacy Shield”<br /><br />(5) The decision concluding the Umbrella agreement including the Privacy Shield should be adopted by the European Council after obtaining the consent of the European Parliament.</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />March 2016</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-85771236182651859282015-12-16T16:33:00.000+08:002016-04-20T17:52:20.297+08:00Software license audits challenged in French court<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCduJoBg_gq7ZiQ6BadA2HKAWnrCNnarAjCXsIsEKW3Q3JKQ9YKJur-V_QoDTDmEMzROKriG6JaOuXEkPOVwo7HzDefNsmmTYfYs9MbfdSqjTPp-IsClZI9jJngiBw7bUY6aK6cPu-anel/s1600/audit-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCduJoBg_gq7ZiQ6BadA2HKAWnrCNnarAjCXsIsEKW3Q3JKQ9YKJur-V_QoDTDmEMzROKriG6JaOuXEkPOVwo7HzDefNsmmTYfYs9MbfdSqjTPp-IsClZI9jJngiBw7bUY6aK6cPu-anel/s320/audit-1.png" width="320" /></a></div>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Software vendors (licensors) have increased the number of software license audits over the past few years to chase intellectual property infringement through illegal use of software. Infringing users (licensees) are required to pay additional licensing fees or else they will be sued. Even if the user is duly licensed to use the software, only limited rights are granted by the licensors. The purpose of license audits is to ensure that the licensee complies with the rights granted by contract.<br /><br />However, licensees tend to challenge software license audits more often. Their claims are often legitimate: increased complexity of the license agreements, difficulty for the licensees to keep track of the licensing rights actually used, or even bad faith by certain vendors who would threat to launch an audit to pressurize the client at the time of contract renewal.<br /><br />The amounts at stake are usually quite high for both parties, vendors and licensees. <br /><br />Two recent French cases, both involving Oracle Corporation, illustrate the tension between vendors and licensees, especially at the time of renewing - or not - the existing licenses. (1) These cases raise the issue of the purpose, scope and limitations of a software license audit, and of the legal grounds on which a case may be brought when challenging the non-compliance between the rights granted and actual software use.<br /><br /><br /><b>1. Purpose, scope and limitations of a software license audit</b><br /><br />Software is protected by intellectual property law. (2) The author, or software publisher, enjoys exclusive rights over his/its work and is free to decide how to distribute it, including the scope of the rights granted and the licensing fees charged.<br /><br />The rights granted to the licensees are provided in the software license agreement. The scope of the rights granted is different depending on the vendors. The licensing rights can be limited according to the type or number of terminals, or servers, number of named users or of CPUs, user volume, etc. Limitations can also be territorial, per location, facility, country or region.<br /><br />Each vendor is also free to set its own fee system: through the payment of a one-time licensing fee, through a recurring subscription assessed according to the number of terminals or user volume, or through fees evolving with the software (upgrades), etc.<br /><br />To ensure that the software is used in accordance with the rights granted, software vendors usually include software license audit clauses in their contracts.<br /><br />However, one of the fundamental principles of civil law is that contracts must be performed in good faith (art. 1134 of the French civil code). Under this principle, software audits must not be carried out for a purpose other than the original objective or be used as a threat against the licensee at the time of renewing the contract, in order to put financial and operational pressure on the licensee or to overreach and access licensee’s proprietary confidential data.<br /><br />Both examples were raised in the cases examined here.<br /><br /><i>- The Oracle vs. Carrefour judgment of 12 June 2014 (Summary judgment)</i><br />In this first case, Oracle sued Carrefour after the latter had resisted Oracle’s request to run its data collection scripts on Carrefour’s systems during the software audit process.<br /><br />Two Carrefour affiliates, Carrefour SA and Carrefour Organisation et Systèmes Groupe had entered into a framework license agreement to use the Oracle Database Management software. On 27 January 2012, after the agreement had expired, Oracle France notified Carrefour its decision to conduct a software license audit to check the compliance of the software used with the rights granted under the license agreement. The notification included a request to run scripts allowing to assess the number of licenses used and to check the documents provided by Carrefour regarding the use of the software.<br /><br />Carrefour didn’t resist the audit but refused the process imposed by Oracle, i.e. to run Oracle’s auditing tools. Carrefour considered that the scripts used by Oracle gave them access to Carrefour confidential information, which was unnecessary for the purpose of the audit and which imposed a security risk on its IT systems. <br /><br />In a summary judgment rendered on 12 June 2014, the Civil court of Nanterre (Tribunal de grande instance de Nanterre) held that Oracle could not compel Carrefour to run Oracle’s scripts to collect data for the audit since this process was not imposed by the agreement nor by law.<br /><br />The judges held that Oracle did however justify a legitimate reason to be granted an expert assessment to establish evidence of potential contractual breaches and intellectual property violations by the defendants. On the other hand, Carrefour was not compelled to run Oracle’s data collection scripts, but the judges confirmed that Oracle could use all necessary data collected during the expert assessment to check Carrefour’s compliance of the use of the software programs with the licenses granted.<br /><i><br />- The Oracle vs. AFPA decision of 6 November 2014</i><br />In a second case opposing Oracle to the AFPA (Adult professional training association) before the Civil court of Paris (Tribunal de grande instance de Paris), the AFPA claimed that Oracle had overreached its software auditing right to put pressure on them at the time of their license renewal with the intent to limit competition and to abuse its right to bring legal action against the AFPA if they didn’t renew the licenses.<br /><br />The AFPA claimed that Oracle was using their audit right abusively “by distorting its purpose” to put pressure on the AFPA to deter them to migrate to a competitor’s software at the time of the license renewal. This method allegedly resulted in limiting competition (per art. L.420-2 of the commercial code) on the SGF and RDBMS solutions markets.<br /><br />The judges were not convinced by the AFPA’s claim regarding an abuse of dominant position by Oracle, as they considered that in this case, Oracle’s dominant position on the RDBMS market was not ascertained.<br /><br />Regarding the abuse to bring legal action, the judges recalled that engaging legal proceedings is a right. If this right is used abusively, then the claimants must prove that a fault was committed, under article 1382 of the civil code (fault, damages and causality between the fault and the damages suffered).<br /><br />However, although Oracle threatened the AFPA to launch an audit at the time of license renewal, in the present case, the AFPA didn’t demonstrate having suffered specific damages, other than the cost incurred in this legal procedure. <br /><br /><br /><b>2. Characterizing an alleged non-compliance to the license: intellectual property infringement or contractual breach?</b><br /><br />The case opposing Oracle to the AFPA raised a second interesting legal issue regarding the characterization of the dispute over the alleged non-compliance to the software license.<br /><br /><i>- The facts</i><br />Oracle distributes an ERP solution called Oracle E-Business Suite, comprising over 70 software application programs dedicated to enterprise management and clustered into “suites” (“Financials” for accounting and finance software, “Procurement” for purchasing management and suppliers).<br /><br />Unlike most enterprise software, the E-Business Suite licensing system doesn’t work with activation keys used to manage licenses (blocking and unblocking access to the software, managing the license term, etc.), but instead is delivered on a CD which includes all the programs. The client or its service consultant is then responsible for the installation of the licensed programs on the client’s systems.<br /><br />Following an RFP launched in September 2001, the AFPA executed an agreement with Sopra Group (an Oracle distributor and consulting company) for the provision of the Oracle E-Business Suite - Finance, for an initial group of 475 users.<br /><br />In July 2008, Oracle France notified the AFPA its decision to carry out a software audit. The audit was actually conducted in May/June 2009, when the AFPA launched a new RFP to roll out the Procurement solution. According to the audit results, the AFPA was using 885 Purchasing software licenses. This software program was part of the Procurement suite, which was not included in the license granted.<br /><br />After failing to settle the matter amicably, Oracle decided to bring an action against the AFPA on the grounds of counterfeiting based on the unauthorized use of the Purchasing software suite. To this effect, Oracle claimed the AFPA (and Sopra Group, under the contractual indemnification terms) to pay 3,920,550 euros as lump sum indemnification for the unauthorized copy and use of the Purchasing software for 885 named users, plus 9,487,731 euros as indemnification for the unauthorized use of the technical support services and Purchasing software upgrades, i.e. a total of 13,408,281 euros.<br /><br />The defendants claimed that Oracle knew that the Purchasing software suite was part of the solution proposed by Sopra to the AFPA under the contract, the solution having been approved with the purchase order issued by Oracle. Indeed, Sopra had invoiced the AFPA for the installation, use and support services for the Purchasing program. The AFPA also claimed that they had been using Purchasing in good faith since the beginning of the contract term and that they had committed no breach.<br /><br /><i>- Disagreement over the legal qualification of the audit conclusions</i><br />In this case, the parties’ claims were based on conflicting legal characterizations resulting in distinct legal consequences: intellectual property infringement vs. breach of contract<br /><br />Oracle claimed that since the AFPA wasn’t authorized to use the software under dispute, they were infringing (counterfeiting) Oracle’s intellectual property rights. Counterfeiting is a continuing offense, not subject to prescription, and the counterfeiter cannot claim good faith.<br /><br />Contrary to Oracle, the AFPA claimed that this was a contractual issue. According to the AFPA, the Purchasing suite was included in Oracle’s licensed software programs. If not, the AFPA claimed that they had performed the contract in good faith since the software programs had been installed by Sopra. Contractual claims are prescribed after 5 years (art. 2224 of the French civil code). Indemnification is governed by the rules regarding contract performance set forth in the Civil code.<br /><i><br />- The Court decision</i><br />To characterize the dispute, the judges recalled that the only existing issue between the parties was whether the license included the Purchasing suite. Oracle never claimed that the AFPA had used counterfeit software or rolled out software not supplied by Sopra, or that the number of licenses did not correspond to the number of users. The judges therefore held that the dispute was only focusing on the scope and performance of the contract and not on a counterfeiting issue. Therefore, the 5 year statute of limitation and contractual indemnification rules applicable to the damage suffered as outlined in the French civil code are applicable.<br /><br />Regarding the performance of the contract, Oracle had delivered four CDs, including one containing the Oracle Applications/E Business Suite II i solution, with the Financial and Purchasing suites. Oracle’s position was that although the Purchasing software was on the CD, it was not included in the license.<br /><br />Based on the documents disclosed during the proceedings, the judges held that Oracle maintained doubt and confusion on what was really included in the software solution licensed: either the Purchasing software program wasn’t included in the scope of the AFPA license, and then it shouldn’t have been delivered to them, or it was included in the license since it was actually delivered in execution of the purchase order. <br /><br />The judges decided that the AFPA used the Purchasing software suite without fault since this program had been included in the CDs prepared by Oracle. Oracle must have always understood and admitted that the license included the use of that software suite.<br /><br />As a consequence of this legal characterization, the judges held that the AFPA didn’t infringe Oracle’s intellectual property rights since the software was presumably included within the contractual scope of the license. The judges therefore decided that Oracle’s claims against the AFPA were prescribed and Oracle’s claims of 13,408,281 euros were unfounded. In addition, Oracle had to pay procedural fees to the AFPA and to Sopra amounting to 100,000 euros (art. 700 of the procedural code). This decision is pending appeal.<br /><br /><br /> Based on this case law, software license audits are indeed legitimate tools for vendors to check that the licenses are performed within the contractual boundaries. However, audits should not be used outside and beyond their original purpose. As shown with these two cases, given the amounts claimed by the vendors, users no longer hesitate to challenge such practice, claiming bad faith or abuse from the vendors (although such claims much be proved legally). Another potentially valid claim could be the complexity of certain types of licensing rights which can be extremely difficult for licensees to manage effectively.<br /><br />Although these cases didn’t raise the issue of license complexities, but were brought essentially because of misunderstandings and communication issues between the parties, we recommend that software vendors ensure that licensing rights are set forth in clear terms and that licensees can easily keep track of the rights used.<br /><br /><br /> * * * * * * * * * * * <br /><br /><span style="font-size: x-small;">(1) Nanterre civil court of first instance (Tribunal de grande instance de Nanterre), summary judgment, 12 June 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Carrefour, Carrefour Organisation et Systèmes Groupe ; Paris civil court of first instance (Tribunal de grande instance de Paris) 6 November 2014, Oracle Corp., Oracle International Corp., Oracle France vs. Association Nationale pour la Formation Professionnelle des Adultes (AFPA) & Sopra Group<br /><br />(2) Article L.112-2 of the Intellectual property code</span></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br /> </span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;">Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />December 2015</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-55546558225799878402015-12-11T17:38:00.000+08:002016-04-20T17:53:05.556+08:00Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixfhsOWlBJUzrVuEvtMfTOrjFRHWb3WHVjFY_-PW-8cqtdhkBkGsZArbr8q4vJFmo8LJUl3V_4gN5vMxf51OGgmnQ5HUOBKKHafsGH4y3t8p-SBcGBSqrxiD8ehcGydIAVjyf8lS-XomI0/s1600/Safe-Harbor.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="124" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixfhsOWlBJUzrVuEvtMfTOrjFRHWb3WHVjFY_-PW-8cqtdhkBkGsZArbr8q4vJFmo8LJUl3V_4gN5vMxf51OGgmnQ5HUOBKKHafsGH4y3t8p-SBcGBSqrxiD8ehcGydIAVjyf8lS-XomI0/s320/Safe-Harbor.jpg" width="320" /></a></span></div>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">In a landmark decision on 6 October 2015, the Court of Justice of the European Union (CJEU) held that the Safe Harbor principles, in effect between the EU and the US since 2000, were invalid. All European companies working with US commercial organizations adhering to Safe Harbor must reassess the conditions under which they are transferring personal data to these entities. (1)<br /><br />The purpose of this article is to review the main rules governing cross-border personal data transfers and to provide a few answers and solutions following this landmark decision. <br /><br /><br /><b>1. Personal data transfers outside of the European Union and the cancellation of the Safe Harbor principles</b><br /><br />Although the 1995 Data Protection Directive lifted all restrictions to cross-border personal data transfers within the EU, transfers outside of the Union remain prohibited in principle, except in limited cases. (2) <br /><br /> <b>1.1 Rules governing personal data transfers outside of the European Union</b><br /><br />With the globalization of the economy, and even more so with the digital economy, most companies transfer data to third countries, either to their headquarters or affiliates, to subcontractors, or to service providers. While personal data transfers outside of the European Union are prohibited, there are however a few exceptions to this principle. The following cross-border personal data transfers are allowed: <br /><br /> - data transfers to a country acknowledged by the European Commission as providing a sufficient, or “adequate” level of protection. Only a handful of countries outside of the EU are deemed to have enacted laws providing a level of protection equivalent to those in effect in Europe; (3)<br /> - data transfers between two entities (exporting and importing data) having signed the EU Standard contractual clauses (SCC) adopted by the European Commission. This contractual solution is applicable either between two data controllers or between a data controller and a subcontractor;<br /> - data transfers between two or more affiliates within a multinational corporation, subject to that multinational corporation having implemented Binding Corporate Rules (BCRs), applicable among all the affiliates and approved by one of the national data protection authorities (“national supervisory authorities”) such as the CNIL in France or the ICO in the UK;<br /> - data transferred in exceptional situations, if the data subject has given his consent to such transfer;<br /> - and until the 6 October 2015 decision, data transfers to the United States, subject to the importing company adhering to Safe Harbor.<br /><br />The Safe Harbor principles include a set of personal data protection rules, negotiated between the US authorities (US Commerce Department) and the European Commission in 2000, and approved by a Commission decision dated 26 July 2000. (4) <br /><br />The Safe Harbor principles include rules concerning the protection of personal data, designed after the principles of the 1995 Data Protection Directive. The Safe Harbor framework only applies to those US companies that have voluntarily declared to adhere to the principles. The US Federal Trade Commission (FTC) is in charge of administering the Safe Harbor principles including publishing the list of companies adhering to the system.<br /><br />However, the Safe Harbor principles were declared invalid by the European Court of Justice on October 6. <br /><b><br /> 1.2 The Schrems decision</b><br /><br />In its decision issued on 6 October 2015, the Court of Justice of the European Union invalidated the Safe Harbor framework, deciding that a national supervisory authority could suspend personal data transfers from the EU to the United States.<br /><br />The case concerns an Austrian citizen, Maximillian Schrems, a Facebook user since 2008.<br /><br />The data provided by European Facebook users are stored by its subsidiary, located in Ireland, prior to some of it then being transferred to the United States. Mr Schrems lodged a claim before the Irish Data Protection Commissioner, considering that following Edward Snowden’s disclosure regarding the activities of the US intelligence services (including the NSA and the FBI), the United States didn’t properly protect the personal data provided by the European citizens and residents against surveillance activities. The Irish data protection authority dismissed the claim, arguing that in its 26 July 2000 decision, the European Commission had considered that the United States provided an adequate level of protection of personal data transferred under the Safe Harbor framework.<br /><br />Mr Schrems then brought an action before the High Court of Ireland which decided to refer two questions to the CJEU for a preliminary ruling. The Irish judges wanted to know if the 2000 European Commission decision prevented the national data protection authorities from investigating when a data subject claims that a non-EU country doesn’t provide an adequate level of protection to the personal data transferred. Is the plaintif irrevocably bound by the European Commission decision, without any possible legal recourse?<br /><br />In its 6 October 2015 decision, the CJEU decided that the European Commission should have assessed whether the United States did provide adequate protection, through their legislation or through their international commitments, and at least, “<i>a level of protection that is essentially equivalent to that guaranteed within the European Union by virtue of the European directive, read in the light of the Charter of Fundamental Rights of the European Union</i>.”<br /><br />The Court noticed that the US authorities practiced massive and indiscriminate surveillance over the data transferred without granting effective legal protection to the data subjects.<br /><br />US companies are subject to US mandatory laws and regulations which supersede the Safe Harbor principles. According to the Court, the European Commission didn’t research whether the United States did provide an adequate level of protection to personal data, and the US authorities through their massive surveillance program overreached their power to circumvent the privacy principles. The Court decided that the 2000 Commission decision was therefore invalid.<br /><br />According to the CJEU, even though the European Commission did acknowledge that the United States granted adequate protection to personal data, the national data protection authorities must be able to control whether data transfers of a data subject to a non-EU country comply with the requirements of the 1995 Data Protection Directive.<br /><br />The Court concluded that if a national data protection authority had doubts about the adequacy decision of the Commission, that authority must be able to bring an action before the national courts so that they may then send the case to the European Court of Justice. The 2000 decision of the European Commission cannot prevent data subjects and the national data protection authorities from such legal recourse.<br /><br /><br /><b>2. The consequences of the Schrems case: legal insecurity requiring action</b><br /><br />Personal data transfers to the United States made under the Safe Harbor principles are therefore no longer valid. This implies that data transfers which were previously valid are no longer legal, but also that it is no longer possible to initiate new personal data transfers under the Safe Harbor principles. <br /><br /> <b> 2.1 Consequences of the Schrems case</b><br /><br />- <u>The article 29 working party (art. 29 WP)</u>: the French data authority (CNIL) is currently reviewing, together with its colleagues of the art. 29 WP (representatives of the national data protection authorities of the Member States), the legal and operational consequences of the CJEU decision.<br /><br />In the meantime, the art. 29 WP has requested the national data protection authorities to implement a solution to overcome the current legal insecurity caused by the CJEU decision. In a declaration made on 15 October, the art. 29 WP invited the European institutions to initiate discussions with their American counterparts to find a new system allowing the transfer of personal data in compliance with the European fundamental rights, such decision to be reached by 31 January 2016. (5)<br /><br />If the parties fail to reach an agreement by this deadline, the national data protection authorities may then “launch any action necessary, including coordinated punitive actions.”<br /><br />- <u>The national supervisory authorities</u>: further to the CJEU decision, several national authorities have already taken “preventative” measures.<br /><br />The data protection authorities from the German Länder and the national German supervisory authority have announced that they would no longer authorize new data transfers to the United States, including under the EU Standard contractual clauses or BCR schemes.<br /><br />The Spanish data protection authority (Agencia Española de Protección de Datos - AEPD) announced that they would send a message to the entities that had declared transferring personal data under the Safe Harbor principles, enquiring about the alternative solutions that they plan to implement.<br /><br />The Schrems decision has also spread beyond the boundaries of the European Union, including for those non-EU countries providing an adequate level of protection, regarding their data transfers to the US.<br /><br />The Israeli data protection authority (Israeli Law, Information and Technology Agency - ILITA) has decided to suspend personal data transfers to the United States.<br /><br />And the Swiss authority announced that as long as a new agreement with the US government hadn’t been reached, the “U.S.-Swiss Safe Harbor Framework” would no longer be considered as legal basis for transfers of personal data to the US in compliance with the Swiss law on data protection.<br /><br />Other third countries are also reconsidering the conditions of cross-border data transfers to the United States and other countries.<br /><br />- <u>The EU Commission</u>: on 6 November 2015, the Commission issued guidance on transatlantic data transfers which will remain effective until a new system is implemented.<br /><br />The Commission analyzed the repercussions of the Schrems case and proposed alternatives to transfer personal data legally to the United States (including the EU Standard contractual clauses or BCR). (6)<br /><br />- <u>Toward Safe Harbor 2.0?</u>: the EU Commission had already decided to review the Safe Harbor framework following disclosure by Edward Snowden in 2013 on the surveillance program of the NSA since the American security laws came into effect after the 9/11 terrorist attacks. In November 2013, the Commission issued 13 recommendations to improve the then current Safe Harbor rules.<br /><br />Since the Schrems decision of 6 October 2015, the EU Commission has been accelerating negotiations with its US counterparts to set up a new framework improving the legal protection for transfers of European personal data to the United States. The goal is to reach a new framework agreement by the end of January 2016.<br /><b><br /> 2.2 Data transfers during the interim period</b><br /><br />The cancellation of the Safe Harbor principles creates uncertainty for companies that were transferring data cross-border under the Safe Harbor framework. <br /><br />Can organizations transferring personal data to the United States pursue their operations without switching to a new legal framework until new Safe Harbor rules are issued by the EU Commission? Should they plan for the longer term and implement alternative solutions?<br /><br />Should all data transfers to the United States be suspended, or should they be confined to Europe, or transferred to a country providing an adequate level of protection?<br /><br />For data transferred under a cloud computing service agreement, what should the client do if the US service provider refuses to amend the transfer terms?<br /><br />The three months deadline to reach agreement on a new Safe Harbor framework may seem “aggressive” and nothing warrants that this deadline will be met by the authorities.<br /><br />Until the authorities and institutions find a solution and a new 2.0 Safe Harbor framework comes to life, corporations must find legal and technical solutions to limit legal risks and circumvent transfer restrictions. Penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. <br /><br />- <u>Legal and technical compliance audits</u>: as a first step, entities exporting personal data to be processed in the United States should conduct a legal and technical audit of current data transfers as well as a risk analysis. The data processes, types of data transferred and legal regime under which the data are transferred must be clearly identified and characterized. Once a map of the data transfers has been set up, the impacts of the cancellation of Safe Harbor will be assessed on a case by case basis, with a short and a medium term evaluation.<br /><br />- <u>Compliance solutions</u>: further to the compliance audit, alternative compliance solutions may have to be adopted. Three options can be considered : the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs) within a multinational group of companies.<br /><br />The <i>EU Standard contractual clauses </i>(SCC) may appear as the easier short term option. It is however necessary to identify the types of Standard clauses that are relevant to the data processes, and have them executed “as is” by each party. Should any of the clauses be amended, the document will have to be approved by a national data protection authority.<br /><br />Unless an agreement is reached with its US service providers to operate under the EU Standard contractual clauses, the European client entity may have no other solution than terminating the current agreement with its American service provider and select an alternative European provider, or a company located in a country providing an adequate level of protection.<br /><br />The <i>ad hoc contractual option</i>, i.e. a contract drafted by the parties and adapted to the data process under consideration could be the best option. An ad hoc contract is indeed more flexible and adapted that the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from the national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).<br /><br /><i>Binding Corporate Rules</i> (BCRs) can only be used within a multinational group of companies and are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted, then get approval from a national authority prior to being rolled out within the group of affiliated companies. <br /><br />The benefit of these alternative solutions to Safe Harbor is their stability and the fact that they can remain the preferred solution after a new Safe Harbor framework is launched. If the authorities reach an agreement on a 2.0 Safe Harbor framework, the Schrems decision recalls that in case of alleged breach of their legal obligations, data subjects have a legal recourse against US companies adhering to the Safe Harbor principles.<br /><br /> * * * * * * * * * * * * <br /><br /><br /><span style="font-size: x-small;">(1) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner<br /><br />(2) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data<br /><br />(3) The countries providing an adequate level of protection, and to which personal data may be transferred without additional formalities or authorizations are: Argentina, Canada, Iceland, Israel, Liechtenstein, Norway, New Zealand, Switzerland, Uruguay<br /><br />(4) EU Commission Decision 2000/520 dated 26 July 2000<br /><br />(5) Brussels 15 October 2015 : “Statement of the Article 29 Working Party”.<br /><br />(6) EU Commission press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />December 2015</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-84432760360038084332015-10-12T18:31:00.001+08:002023-11-22T02:26:12.636+08:00Drone use regulation: legal perspectives from France and Singapore<div><div><div class="separator" style="clear: both; text-align: center;">
<br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmzkj6QdSX8nf4n_8UvBmTf-ZuwTrYzQEz_4NZak7lSwyy-Zd7vVZJvzxSLrGQIo3G_88FZdFGEocrf6W_KfBtPL5KANmiLtboyUBnOxwW04HG5K4gbLCIcDgD_n7vbOweip_Mq4reC9geWeULcuSU2Ektslijg_EISGHAMbuSB0iQPxBQ5MV-CvsfuGg/s1280/drone-3702464_1280.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="848" data-original-width="1280" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrmzkj6QdSX8nf4n_8UvBmTf-ZuwTrYzQEz_4NZak7lSwyy-Zd7vVZJvzxSLrGQIo3G_88FZdFGEocrf6W_KfBtPL5KANmiLtboyUBnOxwW04HG5K4gbLCIcDgD_n7vbOweip_Mq4reC9geWeULcuSU2Ektslijg_EISGHAMbuSB0iQPxBQ5MV-CvsfuGg/s320/drone-3702464_1280.png" width="320" /></a><span face=""trebuchet ms" , sans-serif"> </span></div><div class="separator" style="clear: both; text-align: justify;"><span face=""trebuchet ms" , sans-serif">In January 2014, an 18 year-old used a drone (or unmanned aircraft system - UAS) equipped with a GoPro camera to fly over and record a video of the city of Nancy, in eastern France. He then posted his video on the internet. The video received more than 400,000 views! Unfortunately, this young man didn’t realize that the use of a drone with a camera over a populated area is regulated in France.</span></div><span face=""trebuchet ms" , sans-serif"><br /></span></div><div style="text-align: justify;"><div style="text-align: justify;"><span face=""trebuchet ms" , sans-serif">The video was identified by the authorities, who contacted the young man. The regional department of civil aviation (Direction régionale de l’aviation civile - DRAC) notified the rules applicable to the use of a UAS and required him to get all necessary authorizations. The young man was then subpoenaed before the criminal court for endangering third parties’ lives.(1)</span><br /><br /><span face=""trebuchet ms" , sans-serif">A few weeks before in the US, Amazon had announced its drone delivery project, engaging a battle on flight regulation and safety with the Federal Aviation Administration (FAA).(2)</span><br /><br /><span face=""trebuchet ms" , sans-serif">Earlier this month in Singapore, SingPost announced the first 2km test flight using an unmanned aircraft to deliver mail and a small parcel to an identified recipient.(3) </span><br /><br /><span face=""trebuchet ms" , sans-serif">Although the drone market is developing fast not only in Europe, but in many other regions in the world, there are still few drone-specific laws regulating their use and the level of skills requested to operate these aircrafts. Issues with public safety and privacy are also surfacing with the increasing use of drones. France was the first country to issue a regulatory framework for the use of civilian drones in 2012. Singapore enacted its own drones regulation in May this year.</span><br /><br /><span face=""trebuchet ms" , sans-serif">In this article, we review the issues of public safety and privacy, followed by the French and new Singapore UAS regulations.</span><br /><br /><br /><span face=""trebuchet ms" , sans-serif"><b>1. The development of drone use: public safety and privacy concerns</b></span><br /><br /><span face=""trebuchet ms" , sans-serif">Drones are commonly defined as aircrafts without on-board pilots that are operated by remote control or with a smartphone.</span><br /><br /><span face=""trebuchet ms" , sans-serif">There are many types of drones, from lightweight devices of a few hundred grams with limited flight radius and battery life, usually used for recreational activities, to larger, professional, aircrafts which can weigh up to a few hundred kilos and are able to fly long distances at high altitudes (several hundred meters). </span><br /><br /><span face=""trebuchet ms" , sans-serif">Drones can be equipped with photo or video cameras, temperature or air sensors, or be used to launch pesticides or other types of loads.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Unmanned aircrafts have been used for many years for a wide variety of purposes, including for public safety (surveillance of demonstrations in public areas, firefighting, securing areas after industrial accidents - such as the Fukushima nuclear disaster -, monitoring infrastructures and buildings, filming or for recreational purposes). New uses are also emerging, such as parcel or medication delivery in emergency situations or to remote areas, or simply to cut costs.</span><br /><br /><span face=""trebuchet ms" , sans-serif">The use of civil drones has soared in recent years, with a whole new market open to consumers. However, their use raises a number of legal issues in areas such as public safety and privacy.</span><br /><br /><span face=""trebuchet ms" , sans-serif"> - <i>Public safety</i> : uncontrolled use of drones can interfere with other categories of aircrafts, such as ultralights, helicopters and airplanes at take-off and landing. No actual accidents have been reported so far, but several drones have been reported flying around airports, in restricted areas, in the past months.</span><br /><br /><span face=""trebuchet ms" , sans-serif">A drone flying over a crowded area may crash down and injure people in the public. And one cannot ignore the possibility of using drones for illegal or terrorist activities. In 2014, drones were detected flying over nuclear plants and military facilities in France and over the presidential Elysée palace in Paris. In January 2015, a drone landed on the lawn in front of the White House in Washington DC.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Although these areas are no-flight zones, the operators are seldom identified and it is hard to know whether these incidents were merely provocative, or test cases for future attacks.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Patrick Ky, Executive director of the European Aviation Safety Agency (AESA) has expressed concerns regarding the use of drones in Europe and the increasing number of incidents. After collating the comments of a public consultation closed a few days ago, AESA should publish a “technical opinion” by the end of 2015. This document should then be used as preliminary work for a future regulation of drones under 25kgs (currently, AESA is only comptent for aircrafts above 150kgs).(4)</span><br /><br /><span face=""trebuchet ms" , sans-serif"> - <i>Privacy</i> : drones can be used to invade one’s privacy if equipped with high performance cameras or video recorders, challenging the right to privacy and personal data protection. </span><br /><br /><span face=""trebuchet ms" , sans-serif">Right to privacy</span><br /><span face=""trebuchet ms" , sans-serif">French law has a strict regulation regarding the right to privacy, whether one is an “anonymous” person or a celebrity. In theory, the publication of photographs taken with a photo camera placed on a drone is subject to the prior consent of the person concerned. However, consent is usually impossible to collect when using a drone.</span><br /><br /><span face=""trebuchet ms" , sans-serif">The right to privacy is waived when people are in a public setting (e.g. attending a concert, a tennis or a football game) and when the photograph or the video doesn’t focus on a single person, but is a global photograph of the public, is not degrading and is within the scope of the right to inform the public. Unless these general principles are applied, the person appearing on a photograph or a video made via a drone may sue the aircraft operator (or the company employing the operator) for violating his/her right to privacy. </span><br /><br /><span face=""trebuchet ms" , sans-serif">So far, Singapore has no laws regulating the use of drones invading people’s personal spaces (such as a drone video-recording a person in his/her garden or at a private party without that person’s knowledge).</span><br /><br /><span face=""trebuchet ms" , sans-serif">Personal data regulation</span><br /><span face=""trebuchet ms" , sans-serif">The act of taking a photograph or a video of a given person is deemed personal data collection under French and European personal data regulation. Under French law, personal data treatments, i.e. the collection of data relating to a natural person, who is either identified or identifiable, must be filed with the French data commission (“Commission de l’informatique et des libertés” or CNIL). Such data treatment is subject to the French data protection law (Loi informatique et libertés).(5)</span><br /><br /><span face=""trebuchet ms" , sans-serif">Drone use was unforeseen when the French data protection law was first enacted in 1978, and again with the European directive of 1995. Applying these legal requirements to the use of drones is therefore quite problematic. However, the European data protection authorities are starting to tackle this issue: the French CNIL has been working on the issue of drones and privacy since 2012 and last June the European G29 working group issued a list of recommendations on this topic.(6)</span><br /><br /><span face=""trebuchet ms" , sans-serif">The recent Singapore Personal Data Protection Act doesn’t provide any drone-specific provisions either.(7) The Personal Data Protection Act requires the subject’s consent before taking photographs or a video for commercial use. However, this applies to private space only and not public space. </span><br /><br /><span face=""trebuchet ms" , sans-serif">The use of drones for civil purposes is not prohibited but is beginning to be regulated.</span><br /><br /><br /><span face=""trebuchet ms" , sans-serif"><b>2. French law and the use of civil drones in the airspace</b></span><br /><br /><span face=""trebuchet ms" , sans-serif">France was the first country to issue specific regulation for the use of unmanned aircrafts. Two administrative orders (“arrêtés”) were published on 11 April 2012 relating respectively to the design, use and capacity required to operate such devices, and to the use of the airspace by unmanned aircrafts.(8)</span><br /><br /><span face=""trebuchet ms" , sans-serif">These two complementary texts have a common purpose: to guarantee public safety. They classify unmanned aircrafts in different categories, define the types of authorized activities, and provide rules regarding the use of the airspace based on the different purposes for operating unmanned aircrafts.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Although these rules don’t solve all the legal issues raised by the use of drones, they provide a useful framework for the companies designing and distributing new aircraft models and for users to operate the drones within the legal boundaries.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Civil drones are classified (categories A to G) according to weight, type of propulsion, limitations, and types of activities contemplated. The resulting obligations depend upon the proposed use of the drone: speed, altitude (in-sight flights or out-of-sight flights), zones flown over and purpose.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Only category A aircrafts, i.e. drones weighing less than 25kgs, with a single propulsion system, without a camera and only flying in-sight are exempted from the airworthiness document and are therefore authorized to fly without any restrictions regarding the capacity of their operator.</span><br /><br /><span face=""trebuchet ms" , sans-serif">All other unmanned aircraft categories are subject to a preliminary authorization issued by the Minister in charge of civil aviation, and to the following requirements: the installation of specific devices to allow the operator to monitor the altitude of the aircraft and a fail-crash system for forced landing, a minimum skill level of the operator and the possession of specific documents (user and maintenance manuals, airworthiness document, etc.).</span><br /><br /><span face=""trebuchet ms" , sans-serif">Finally, the operator of an unmanned aircraft is responsible for implementing all necessary safety procedures to ensure third party safety and for complying with all applicable regulations.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Using a drone outside of these legal boundaries is subject to criminal penalties set forth in the French Code of transport, the Code of civil aviation and the Criminal code. For example, using an unmanned aircraft without the required airworthiness documents or with expired documents, or if the drone does not comply with the technical airworthiness document or with the general safety rules is subject to one year prison term and/or a fine of €75,000.(9)</span><br /><br /><br /><span face=""trebuchet ms" , sans-serif"><b>3. The new Singapore Unmanned Aircraft Act </b></span><br /><br /><span face=""trebuchet ms" , sans-serif">Drones are also becoming very popular in Singapore and the same concerns regarding public safety and privacy are being raised. Several incidents involving drones were reported in the past 12 months, including drones crashing on the MRT (metro) tracks and drones seen flying over prohibited or restricted zones.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Singapore enacted the Unmanned Aircraft (Public Safety and Security) Act 2015 in May, with an aim to clarify the rules regarding drone use. The unmanned aircraft act amended the existing Air Navigation and Public Order Acts.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Permits are required for drones used for professional or commercial purposes, usually equipped with a photo or a video camera, as well as for drones weighing more than 7kgs and drones to be flown over sensitive or restricted areas (“protected areas”). </span><br /><br /><span face=""trebuchet ms" , sans-serif">Unmanned aircrafts used for recreational or private purposes and weighing less than 7kgs are exempted.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Two types of permits, an operator permit and an activity permit, are required for operating drones weighing more than 7kgs, for any purpose (private or professional), and for operating drones for commercial purposes regardless of the weight. An activity permit is required to operate an unmanned aircraft in a restricted area, or within 5kms of a military base.</span><br /><br /><span face=""trebuchet ms" , sans-serif">A list of security-sensitive areas (special outdoors events, certain public facilities and government buildings, the Istana Presidential palace, military bases, etc.) is to be published.</span><br /><br /><span face=""trebuchet ms" , sans-serif">Permits are issued by the Civil Aviation Authority of Singapore (CAAS).</span><br /><br /><span face=""trebuchet ms" , sans-serif">Using a drone illegally in Singapore is subject to a fine of S$20,000 and/or one year prison term. However, if the drone carries dangerous materials (such as weapons or hazardous chemicals), the operator or the owner is subject to a fine of S$100,000 and/or five years prison term.</span><br /></div><br /></div><span face=""trebuchet ms" , sans-serif"><br /></span></div><div style="text-align: justify;"><span face=""trebuchet ms" , sans-serif"> Despite the growing interest of both the public and businesses in using drones for recreational purposes but also for more and more diverse commercial purposes, such as short distance delivery, there is no European or international concerted approach on drone use regulation (and on the related issues of privacy and personal data protection). A number of countries (including the United States and Japan) are beginning to regulate the use of drones, limiting or prohibiting their use. We may see a first effort at producing regional rules with the latest position of the European Aviation Safety Agency on this matter, and increased pressure from the commercial airline pilots.</span><br /></div><div><span face=""trebuchet ms" , sans-serif"><br /> * * * * * * * * * * * * <br /><span style="font-size: x-small;"><br />(1) “Poursuivi en justice pour avoir filmé Nancy avec un drone”, published on 13 February 2014 in le Figaro (http://etudiant.lefigaro.fr) <br /><br />(2) “Amazon unveils futuristic plan: Delivery by drone”, published on 1st December 2013 on cbsnews.com <br /><br />(3) “Mail sent to Pulau Ubin by drone in world-first SingPost trial”, published on 8 October 2015 on Channel NewsAsia (www.channelnewsasia.com)<br /><br />(4) “Les drones volent n'importe où, n'importe comment en Europe" (AESA), published on 9 October 2015 in La Tribune (www.latribune.fr)<br /><br />(5) French data protection law n°78-17 of 6 January 1978 referred to as “Loi informatique et libertés”. The law was amended in 2004 when the 1995 European directive on personal data protection was transposed into French law. The national data protection laws will be replaced by the future European data protection regulation, which should become effective by the end of 2015 and enforceable within 2 years thereafter.<br /><br />(6) Article 29 Data Protection Working Party, Opinion 01/2015 on Privacy and Data Protection Issues relating to the Utilisation of Drones, 16 June 2015 (WP 231).<br /><br />(7) Singapore Personal Data Protection Act (2012) ; see also the Personal Data Protection Commission of Singapore website, at www.pdpc.gov.sg <br /><br />(8) Administrative order of 11 April 2012 regarding the use of the airspace by unmanned aircrafts (“Arrêté relatif à l’utilisation de l’espace aérien par les aéronefs qui circulent sans personne à bord”) ; Administrative order of 11 April 2012 regarding the design of unmanned aircrafts, to the conditions of their use and to the required capacities of their operators (“Arrêté du 11 avril 2012 relatif à la conception des aéronefs civils qui circulent sans aucune personne à bord, aux conditions de leur emploi et sur les capacités requises des personnes qui les utilisent”) ; Articles R.133-1-2 and D.131-1 to D.133-10 of the French Code of civil aviation.<br /><br />(9) Article L.6232-4 of the French Code of transport.</span><br /><br /><br />Bénédicte DELEPORTE<br />Avocat<br /><br />Deleporte Wentz Avocat<br />www.dwavocat.com<br /><br />October 2015</span></div>Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0tag:blogger.com,1999:blog-4214103099584320673.post-39921909082904724162015-06-16T09:29:00.000+08:002015-12-16T16:34:18.925+08:00Deleporte Wentz Avocat opens an office in Singapore <h3 class="post-title entry-title" itemprop="name">
<span style="font-family: "arial" , "helvetica" , sans-serif;"></span>
</h3>
<div class="post-header">
</div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;">Deleporte Wentz Avocat, founded in Paris in 2007, is a boutique law firm focused on technology law - software, internet, e-commerce, data privacy, digital media, </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">intellectual </span>property. We advise companies on their IT projects, from startups to multinational corporations, in French and European laws through our network of independent firms located across Europe. </span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br />This expansion towards South-East Asia gives us the opportunity to help our clients developing in this region, but also to advise Asian companies to extend their business activities in France and Europe.</span></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;">Singapore, a city-state of 5.5 million people, located at the Southern tip of the Malay peninsula, is the economic hub of South-East Asia and ASEAN, and a premier financial, business and technology center.</span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br />Singapore is also a perfect hub for companies wishing to extend their business activities across the region, toward very dynamic countries such as Indonesia, Malaysia, Thailand, Vietnam or the Philippines.</span></div>
<div style="text-align: justify;">
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Deleporte Wentz Avocat is therefore developing a network with local law firms in these countries to advise our clients in local law (especially company and business law).</span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div style="text-align: justify;">
<span style="font-family: "trebuchet ms" , sans-serif;"><br />For any questions or pending IT projects, don't hesitate to contact us.</span></div>
Deleporte Wentz Avocathttp://www.blogger.com/profile/00946396283039984690noreply@blogger.com0