In November 2023, the administrative courts of Nice, Lille, and Caen issued rulings that provide an opportunity to revisit the GDPR compliance requirements for augmented cameras in public spaces. This article serves as a guide for publishers in this emerging technology sector, emphasizing the legal considerations necessary for compliance.

Augmented cameras represent a significant technological advancement. They integrate video capture with additional sensors like motion detectors and infrared for enhanced capabilities. These cameras, equipped with advanced processing units (either integrated or cloud-based), run sophisticated algorithms for real-time video analysis. They support various user interfaces, including mobile apps and web platforms, facilitating easy access to video streams, alerts, and system interaction. The technology’s analytical prowess enables object and individual tracking, facial recognition, and license plate identification, presenting a wide range of applications.

Understanding Augmented Cameras: Legal Considerations

Three key legal areas require attention from augmented camera publishers:

  1. GDPR Compliance in Personal Data Processing: augmented cameras, due to their advanced capabilities, must adhere to GDPR standards when processing personal data;
  2. Data and System Security: ensuring robust security measures is critical for protecting the data and systems involved;
  3. Intellectual Property Protection: safeguarding the proprietary technology and software against infringement.

GDPR Compliance Framework for Augmented Cameras

Currently, no specific law governs the use of augmented cameras, except for the temporary framework under Article 10 of the 2024 Olympic and Paralympic Games Act. Generally, the implementation of these cameras in public spaces is governed by the Code de la Sécurité Intérieure (CSI), which covers all video-protection systems.

Legal Requirements:

Duties of Augmented Camera Publishers: Advising Clients

Publishers must assist clients in evaluating the legitimacy, legal basis, proportionality, and necessary technical and organizational measures for deploying augmented cameras. This includes determining the necessity of a data protection impact assessment.

Modular Software vs. Separate Applications:

  • Facial Recognition Concerns: Legal challenges arise particularly with facial recognition features. Recent court rulings indicate that owning software does not inherently lead to individual identification unless specific features are activated.
  • Prudent Approach: Publishers should install only essential features for clients to minimize non-compliance risks.

Minimizing Liability:

  • Recent rulings, such as the Court of Caen’s decision, emphasize the importance of data deletion in cases of illegal collection. This highlights the publisher’s reputational risk.
  • Publishers should seek compliance validation from data controllers before deployment to limit liability and protect their reputation.

Our IT Contracts, Data & Compliance Department is ready to assist.

For inquiries, please feel free to reach out.

In the realm of IT service provision, accurately defining the scope of a contract is crucial for determining liability. The Paris Commercial Court, in its decision dated October 4, 2023, underlined the significance of precisely delineating the services included and excluded in such contracts.

Case Study: Ambiguity in Scope in Web Contracts

The case in question involved a company that hired an IT service provider to migrate its e-commerce website. The migration encountered significant issues, resulting in damage to a website module, data corruption, and adverse effects on the site’s natural search rankings.

The client alleged that the service provider failed to meet its contractual obligations. However, the court found that the contract did not explicitly cover certain technical aspects like “front-end slowness” or “Search Engine Optimization (SEO).” The court concluded that the service provider was not at fault as these services were either declined by the customer or not specifically included in the contract.

This case underscores the potential pitfalls in web contract drafting, particularly the lack of specificity about excluded services.

The Need for Aligning Customer Expectations with Contractual Terms

Customers may expect enhancements or services that are not typically included in standard contracts. Because these additional services require specific technical interventions, they are often not part of a standard migration contract, and this discrepancy can lead to customer dissatisfaction and frustration.

Therefore, it is imperative to align the contract with the customer’s understanding and needs. This involves transparent communication, in line with article 1112-1 of the French Civil Code. Clear definition of exclusions and realistic customer expectations within the web contract is essential.

For comprehensive clarity, contracts should explicitly list all services that are not included but are available from the service provider.

Benefits of This Contractual Approach

This method of contract drafting aims to:

  1. Inform the customer adequately about the service provider’s liability limits.
  2. Shield the service provider from unwarranted breach of duty accusations.
  3. Prevent conflicts arising from miscommunication or unmet expectations.
  4. Foster trust and transparency between the involved parties.
  5. Clarify additional services and pricing, thereby highlighting the service provider’s expertise.

In conclusion, effective contractual drafting in IT services, particularly regarding scope and exclusions, is paramount for both customer satisfaction and provider protection.

Our IT Contracts, Data & Compliance Department is ready to assist.

For inquiries, please feel free to reach out.

The French National Commission on Informatics and Liberty (CNIL) has recently undertaken significant enforcement actions against two major corporations, highlighting the importance of compliance with personal data processing regulations.

In its landmark ruling (Deliberation SAN-2023-021, December 27, 2023), the CNIL identified several violations by AMAZON FRANCE LOGISTIQUE, a subsidiary managing the extensive warehouse operations of the Amazon group in France. The company was fined 32 million euros, primarily for breaches related to employee privacy monitoring.

The CNIL recognized Amazon’s need for efficiency in e-commerce order processing. However, it found the company’s practice of long-term storage of, and extensive access to, warehouse employees’ scanner data to be excessive. According to the CNIL, periodic data feedback, either in real time or weekly, would be adequate. Amazon’s current practice contravenes the data minimization principle set out in Article 5(1)(c) of the General Data Protection Regulation (GDPR). Additionally, using such data for employee evaluation and training was deemed to overstep the minimization principle.

Furthermore, Amazon’s collection of data like scanner inactivity times or scanning speeds was seen as a violation of the lawfulness principle. Such practices could unduly pressure employees to justify their activities, making it excessively intrusive. Amazon also fell short in its duty to inform employees about its privacy policies, breaching its obligations for transparency and information dissemination.

The CNIL also found lapses in Amazon’s handling of its video surveillance systems. These systems were not adequately communicated to employees and visitors, nor were they sufficiently secured.

In a separate action (Deliberation SAN-2023-024, December 29, 2023), the CNIL imposed a 10 million euro fine on YAHOO EMEA LIMITED. An inspection in October 2020 revealed that Yahoo.com’s website, despite displaying a cookie consent banner, placed approximately twenty advertising cookies on users’ devices regardless of consent. This practice contravenes Article 82 of the French Data Protection Act, which requires explicit consent for such cookies.

Additionally, Yahoo was penalized for its method of dissuading users from withdrawing consent on the YahooMail service. Users attempting to withdraw consent were warned of losing access to the service and their mailboxes. The CNIL emphasized that service access linked to cookie usage must not penalize users for withholding consent.

Our IT Contracts, Data & Compliance department is equipped to assist in managing personal data effectively and compliantly within your business operations.

For further inquiries or assistance, please feel free to contact us.

The fear alone of data misuse does not suffice to demonstrate the inadequacy of a data controller’s protective measures under Articles 24 and 32 of the GDPR.

Judges must assess these measures in a detailed and case-specific manner, considering the risks of the processing involved and evaluating if the measures’ nature, scope, and implementation align with these risks. This approach directly reflects Article 32’s criteria under the GDPR.

Significantly, the Court offers insightful guidance on how national courts should evaluate damage claims under Article 82 of the GDPR.

Article 82, still underutilized, allows direct action against controllers for “any person who suffers material or non-material damage due to a GDPR violation,” ensuring full compensation for losses incurred.

In such cases, particularly concerning data breaches, the responsibility falls on the data controller to prove their security measures’ adequacy. A breach resulting from unauthorized disclosure, such as a cyberattack, does not automatically absolve the controller. They must demonstrate that the damage-causing event is not attributable to them.

The Court clarifies that expert evidence is not always necessary or sufficient for this purpose; national courts retain discretion in evaluating the controller’s proof.

However, the judgment’s key aspect lies in the Court’s final stance. Traditionally, damage claims require the claimant to show actual harm suffered. As ruled on May 4, 2023, this harm need not reach a specific severity level.

Consequently, the Court determines that mere apprehension over potential misuse of personal data post-GDPR breach can constitute compensable non-material damage. This decision draws on Recital 146 of the Regulation, advocating a broad interpretation of “damage.”

National courts must validate claimed damages based on the specific case and affected individual.

This ruling should ease such damage compensations, clarifying the admissibility of these claims.

This serves as both a reminder and an expansion of the potential dual penalties facing data controllers for negligence. Data breaches can lead to supervisory authority fines and compensation claims in civil courts.

Our IT Contracts, Data & Compliance Department is ready to assist with managing personal data in your business operations.

For inquiries, please feel free to reach out.

In this three-part series, the IP/IT team at Cloix Mendès-Gil delves into the Digital Services Act (DSA), exploring its objectives, impacted entities, and resulting obligations. Previously, we examined the Regulation’s general framework, affected parties, and associated penalties. This installment discusses intermediary service providers’ obligations and liability under the DSA.

1. Scope of the DSA Regarding Intermediary Service Providers

The DSA, enacted on October 19, 2022, targets intermediary service providers, a concept derived from Directive 2000/31/EC on electronic commerce. The Act categorizes these providers as follows:

  • Simple Transport Services: Involves transmitting information over a communication network or providing network access, typically performed by Internet Service Providers (ISPs).
  • Hosting Services: Entails storing information upon a service recipient’s request, including traditional data and IT hosting providers (such as Microsoft Azure, Amazon Web Services, OVH), content-sharing platforms (like YouTube, social networks), and online cloud services (Dropbox, iCloud, Mega, etc.).
  • Caching Services: Refers to the temporary and intermediate storage of information for efficient transmission upon request. This process involves a subset of data storage for quick access by website visitors.

2. Liability of Intermediaries for Content Transmission

Under the DSA, intermediaries provide the necessary technical infrastructure for information transmission or online publication. Similar to France’s law on digital economy confidence, intermediaries are not liable for transmitting information on behalf of clients or users, provided they adhere to specific conditions:

  • Simple Transport Services must not originate, select recipients, or alter the transmitted information.
  • Hosting Services should not be aware of illicit content and must act promptly to remove or restrict access upon awareness.
  • Caching Services are required not to alter cached information, adhere to access conditions, comply with industry standards, and promptly address removal requests or legal orders.

In all scenarios, judicial or administrative authorities can demand providers to halt or prevent violations via their services. Notably, the DSA does not mandate general content monitoring, aligning with the 2001 e-commerce directive. However, the DSA introduces a “Good Samaritan” clause, maintaining reduced liability for proactive content regulation efforts.

3. General Common Obligations

The DSA mandates service providers to establish easily accessible contact points for users/customers and authorities. Providers must promptly inform authorities of actions taken in response to injunctions and notify affected users, detailing injunction reasons and available remedies.

Providers outside the EU must appoint a legal representative for DSA services. The DSA also demands annual reports on moderation activities from each provider, exempting micro and small enterprises.

4. Revisions to Terms and Conditions

The DSA necessitates significant updates to service providers’ terms and conditions, including:

  • Moderation tools and procedures
  • User content and information restrictions
  • Moderation algorithms and human review processes
  • Internal complaint handling

Additionally, terms and conditions must be clear, simple, intelligible, and accessible. Services predominantly used by minors must ensure terms are comprehensible to this demographic.

The next article will cover additional obligations for hosting providers, content-sharing platforms, and B2C marketplaces.

For assistance with digital space legislation compliance, please contact the IT Contracts, Data & Compliance department.

For further inquiries, please feel free to reach out.

We are delighted to announce that four attorneys from our firm have been honored in the latest 2024 edition of Best Lawyers®, solidifying our leadership in various legal domains:

This recognition is a significant honor, reflecting their esteemed status among peers. The selection for this prestigious list is based on over 440,000 confidential peer reviews from more than 5,000 legal professionals in France.

This accolade underscores our firm’s unwavering dedication and commitment to delivering top-tier legal services.

We extend our heartfelt gratitude to all who played a role in this achievement, including our colleagues who supported our lawyers in the voting process. We remain committed to upholding the excellence that this recognition represents.

The Security Assurance Plan (SAP) is crucial in demonstrating to prospects that data management and access are secure, in line with established standards.

The SAP outlines the technical and organizational security measures implemented by a service provider to safeguard outsourced services. Typically presented during the pre-sales phase, it helps inform the customer’s decision-making process.

The absence of a SAP, or a poorly constructed one, signals potential security lapses to IT and procurement departments. Thus, it’s vital to consider the content of this document well in advance.

Having a ready SAP not only builds confidence at the crucial pre-sales stage but also offers a competitive edge. Prompt presentation of the SAP, or even proactively sharing it, can significantly influence negotiations.

However, drafting this document requires a delicate balance. It should provide enough information to reassure the customer without compromising your infrastructure’s security by revealing too much.

Crafting a Security Assurance Plan: balancing disclosure and confidentiality

The challenge in creating a SAP lies in finding a balance between reassuring information and maintaining confidentiality to avoid security risks.

Start by gathering existing information on the security measures in place. These typically include technical measures (like AES-256 encryption) and organizational measures (such as authorization policies). For online services, consider data flow security measures like HTTPS.

Once you’ve assessed the current security measures, decide which to include in the SAP and which to keep confidential. The level of detail in the SAP should be carefully considered, as there’s no one-size-fits-all list of security measures to include. This decision varies based on the service provider’s scope and the strategic nature of the digital services offered.

Achieving the right balance requires an in-depth understanding of the services provided and experience in negotiating outsourcing contracts.

A well-crafted SAP provides a strategic advantage, positioning the service provider favorably against competitors.

From the customer’s perspective, the SAP can be annexed to the contract, allowing for termination at the service provider’s expense if the promised measures are not implemented.

The SAP should always be shared within a confidential framework, particularly in the pre-sales phase, to protect sensitive information.

Our IT Contracts, Data, and Compliance Department offers expert guidance in creating tailored security assurance plans. We ensure strategic information remains confidential while helping you expand your business.

For further assistance, please feel free to contact us.

In partnership with Abilways, the Cloix Mendès-Gil law firm offers certified contract management training targeting professionals in this evolving field.

Aligned with this training, the firm presents its third article in the “Avoiding IT Project Failure” series. After addressing project management through negotiations and legal tools, we now turn to contract management, a critical component for any project’s success.

Effective contract management is vital in preventing failures in IT integration projects. It minimizes legal and financial risks while ensuring successful project delivery[1].

This process covers the entire lifecycle of a contract, from its inception through to completion, including the negotiation phase.

Contract management rests on four pillars: administration, relationship management, claims management, and performance evaluation.

This article delves into how each pillar can help circumvent failures in IT integration projects.

1. Administrative contract management

The contract serves as the legal backbone for mutual obligations. It’s the primary reference for project implementation[2].

However, contracts can face issues like lengthiness, ambiguity, and non-exhaustiveness, especially as projects evolve.

A lengthy contract might lead to overlooked conditions during execution. Ambiguities may not be evident without legal expertise and could surface as problems during project progression. The non-exhaustiveness of contracts can become apparent post-signing or upon encountering issues.

Hence, establishing an administrative contract management system is crucial. This responsibility typically falls to the contract manager, who ensures clarity in roles and responsibilities, thereby mitigating risks and preventing project failure.

2. Managing relationships with parties involved

The contract manager plays a pivotal role in facilitating communication between parties, promoting transparency in general communication, change management, and negotiation.

2.1. Transparent communication

Open communication about risks and problems is crucial, especially in IT integration projects, to foresee and manage them appropriately.

2.2. Change communication

Careful and transparent communication is necessary when proposing changes, as they can destabilize project control. Common communication errors in change management, as identified by John Kotter[3], include underestimating the need for urgency, communicating an unclear vision, and failing to manage obstacles[4].

2.3. Negotiating commercial levers

Using contractual obligations as commercial levers can solidify the relationship between parties and prevent project failure.

3. Complaints management

Addressing customer complaints effectively is vital. The contract manager collaborates with management teams to provide appropriate responses, referencing the contract and proposing remedial solutions.

4. Performance assessment

Approaches to examining human error range from focusing on individual actions to recognizing the systemic factors described by James Reason[5]. Performance evaluation is crucial for identifying mistakes and updating project management processes to prevent failures.

For example, during the design phase, misunderstandings of customer requirements can lead to unsuitable developments. The evaluation phase should establish processes to identify divergences and avoid inappropriate developments, with agile methods like Scrum being effective solutions.

This approach enables the contract manager to keep IT projects on track and prevent failures.

Upcoming in our series on avoiding IT project failure:

  • #4 Project methodology for customer collaboration: Agile method.
  • #5 Tools for litigation avoidance.
  • #6 Litigation conduct.
  • #7 Types of expertise.

For any inquiries, please contact us.

[1] G. Leveau, “Practice of Contract Management,” Gualino, 2019, 3rd edition.

[2] Detailed legal framework available at Legifrance.

[3] J.P. Kotter, “Leading Change,” Harvard Business Review Press, 2012, Chapter: “The Change Problem and its Solution.”

[4] Kotter identifies eight common errors in change management in this work. We will focus on the six most relevant to IT project management.

[5] J. Reason, “Human Error: Models and Management,” BMJ, Vol. 320, No. 7237, March 2000, pp. 768-770.

[6] The contract manager’s role includes creating a project event repository for the company. They develop numerous tools for monitoring and controlling project execution in accordance with the contract, documenting events and their resolutions, listing risks, evaluating commercial levers, and proposing solutions to issues.

This article, the second in a series on avoiding IT project failures, delves into the legal frameworks crucial for IT contract [1] execution, such as specifications, quality assurance plans (QAP), and delay penalties.

Often, operational staff may perceive these legal tools as a means for clients to exert undue pressure on service providers. However, such a perspective can overlook the collaborative essence vital to IT project success. Moreover, the actual contract in play often differs from the original concept [2].

We advocate for the strategic use of legal tools to foresee and adapt to potential disruptions in fulfilling obligations, rather than rigidly binding parties.

Some argue that flexible performance clauses invite chaos and undermine project success. We believe this view is outdated. Transparency and acknowledging project realities should guide such initiatives.

Reframing these tools allows clients to tailor projects to their specific contexts, armed with mechanisms to preempt failure. This approach often transcends the limitations of inflexible contracts.

Here, we present practical tools that balance the client’s need for rigidity with the service provider’s preference for flexibility, focusing on three fundamental IT project aspects: needs, timelines, and costs [3].

1. Best practices and legal tools for evolving customer needs

Challenges arise when customers believe they have fully articulated their needs, only to find the final product misaligned with their expectations. Conversely, service providers might perceive customer dissatisfaction despite diligent work.

This disconnect can derail IT projects. Often, a few months into the project, it’s discovered that customer needs were inadequately expressed. This could be seen as a fault of the service provider[4] or an oversight by the customer[5]. In either case, unclear goals can lead to endless project revisions.

Tools to anticipate these risks include:

  • Specifications: Crucial for avoiding surprises at system acceptance. For projects exceeding 1,500 man-days, additional documentation is essential.
  • Documentation and Process Documentation: Specific documents, such as existing management rules, are necessary alongside specifications.
  • User Involvement: Users should participate in all project phases, from pre-sales to acceptance, ensuring their needs are accurately represented and validated[7].

2. Legal tools for flexible timelines

While project timelines are inherently tied to scope and budget, a rigid timetable can be counterproductive. A transparent yet adaptable schedule, subject to changes in original parameters, is more practical.

For setting realistic timelines, a collaborative discussion between parties is essential. The schedule must account for both parties’ corporate cultures and constraints, detailed in appendices like a PERT chart[11].

3. Legal tools for budget flexibility

Project scoping is crucial for accurate cost estimation. We recommend:

  • A Scoping Phase: This allows for a budget discussion post-scoping, with an option for parties to withdraw if no agreement is reached.
  • Capped Fee Structure: This structure prompts discussion and includes an uncertainty index for justified cost adjustments[13].
  • Transparent Cost Determination: Collaboratively determine costs with the customer, detailing the methods used in the contract.

4. Preparing a quality assurance plan (QAP)

The QAP is central to project management, outlining:

  • Project committees and their roles.
  • Documentation management.
  • Change management.
  • Roles and responsibilities (RACI).
  • Monitoring indicators.
  • Project phase definitions and deliverable acceptance.

It’s a contract in itself and should be drafted with legal oversight for clear, transparent project management.

Conclusion

Balancing rigidity with flexibility in IT projects is crucial. This balance hinges on collaboration and transparency between the customer and service provider. Both parties must engage actively in the project, sharing fundamental information for informed decision-making.

These tools—requirements documents, change management processes, adaptable schedules, and collaboratively defined equations for deadlines or budgets—are essential for legal certainty.

Upcoming in our series on avoiding IT project failure:

  • #3 Contract management strategies.
  • #4 Agile methodology for customer collaboration.
  • #5 Tools for litigation avoidance.
  • #6 Litigation conduct.
  • #7 Types of expertise.

For any inquiries, please contact us.

[1] By ‘contract’, we refer to the comprehensive agreement including its often numerous annexes in IT contracts, encompassing Quality Assurance Plans (QAP), Security Assurance Plans (SAP), and Pricing.

[2] Le Tourneau, Philippe. “Digital Contracts: IT and Electronic.” Eleventh Revised and Expanded Edition, updated to June 26, 2020. Dalloz Reference. Paris: Dalloz, 2020, §116.21, p. 144.

[3] Insights derived from A. Durand’s work, “Mastering IT Project Management,” Dunod, Paris, 2004.

[4] Grenoble, June 4, 2015, Case No. 11/01817.

[5] Paris, July 8, 1981, M. Claude B. vs. SARL Kienzle Informatique.

[6] This refers to a scenario without a service for redefining business processes, which in such cases would require new discussions between the provider and client to modify existing procedures. Existing processes might still be necessary, albeit to a lesser extent.

[7] It is important to consider all interfaces and migration within this framework if it is an integration project.

[8] This also applies to needs, which can be constrained by budget and duration. However, we believe that defining needs in a specification document before the initial contact with a provider means it should originate from the determination of timelines and budgets. Needs might be limited after this initial contact, but overly ambitious specifications are relatively rare.

[9] Refer to A. Durand’s book, op. cit, p. 91, for more details.

[10] Costly, yet still a service.

[11] Program Evaluation and Review Technique.

[12] As mentioned above, a specification document alone is insufficient. Subsequent choices must be made by the client based on the specifics of the software or website they desire.

[13] This could be based on the anticipated volume of needs, current workload, etc.

The illusion of anonymity on social networks, especially when it comes to offensive content, was dispelled by a summary order from the Paris Judicial Court on August 11, 2023.

In this case, Ms. X became the target of online abuse, receiving recurring degrading messages, indicative of cyber-harassment as defined under article 222-3-2-2 of the French Penal Code. Seeking justice, Ms. X aimed to identify the message authors for potential legal action, necessitating access to their identifying data from LinkedIn, mandated to retain such information under article R. 10-13 of the French Post and Electronic Communications Code.

After an initial rejection from the Paris Court of First Instance, an interlocutory action was brought to obtain the identities of the accounts involved. LinkedIn, prioritizing user data protection, challenged the request with various legal arguments:

  • Jurisdiction of the Paris Judicial Court: LinkedIn disputed the Court’s jurisdiction, given the online nature of the messages. However, the messages clearly targeted the French audience, being published on the French version of LinkedIn and accessible throughout France. Therefore, the Paris Judicial Court was deemed competent under article 46 of the Code of Civil Procedure.
  • Evidence of Offending Remarks: LinkedIn questioned the evidence’s validity, despite a bailiff’s report confirming the messages’ authenticity.
  • Utility of the Data: LinkedIn argued that the data would be useless for subsequent legal actions, predicting failure and contradicting article 145 of the Code of Civil Procedure. Yet, the judge recognized the messages as ‘malicious’, supported by evidence of their impact on Ms. X’s health.
  • Host Status: LinkedIn denied being legally obliged to retain user identification data, challenging its status as a host. However, the legal definition of ‘host’ applies to platforms like LinkedIn.

LinkedIn’s key argument involved differentiating ‘electronic communication’ from ‘private correspondence’, with jurisprudence and the Court’s interpretation seeming to support data access for judicial purposes, especially in proven cyberstalking cases.

Despite LinkedIn’s defense, the Court ordered the information to be released. This outcome underscores LinkedIn’s assertive strategy in user data protection. Despite obvious violations of its community policy and guidelines emphasizing respect among members, LinkedIn remains cautious in granting data access. Confronted with Ms. X’s demand, the platform vigorously deployed its legal arsenal in response, yet this stance raises questions about its effectiveness and balance.

This stance by LinkedIn, arguably overprotective of user data confidentiality, seems to extend beyond its role as a mere hosting company. This approach could inadvertently encourage inappropriate behavior by some users.

This case underscores the need for social networks to develop balanced procedures for handling legitimate requests while safeguarding user privacy. LinkedIn’s legal defense, skewed against the victim, highlights the challenge of balancing individual rights and responsibility for online misconduct.

Our IT Contracts, Data, and Compliance Department supports platforms and social networks with contract and legal analysis. For inquiries, feel free to contact us.