France: TMT (3rd edition)

The In-House Lawyer Logo

This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in France.

This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/

  1. What is the regulatory regime for technology?

    Electronic communications services are regulated firstly by EU law. The current "Telecoms Package" consists mainly of five directives dating back to 2002: Directives 2002/21/EC on a common regulatory framework for electronic communications networks and services, 2002/19/EC on access to and interconnection of electronic communications networks and associated facilities, 2002/20/EC on the authorisation of electronic communications networks and services, 2002/22/EC on universal service and users’ rights, and Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. These texts were amended in 2009 and have been supplemented by a variety of texts throughout the period to date, notably Regulation 2015/2020 enacting the principle of Net neutrality and laying down measures favoring open internet access.

  2. Are communications networks or services regulated?

    These European rules have just undergone a major reform with the adoption of a “European Code for Electronic Communications” (ECEC), which incorporates and adapts the provisions of the previous directives. The code was published on 17 December 2018 as Directive 2018/1972 and must be transposed by the Member States by 21 December 2020.

    The current Telecoms Package has been enacted into French law in the frame of the Post and Electronic Communications Code (CPCE). Under the CPCE the installation and operation of networks open to the public and the provision of electronic communication services to the public are free. Network operators and service providers (all of which are designated as ‘operators’) must only file a declaration with the national regulatory authority, the Autorité de Régulation des Communications Electroniques et des Postes (ARCEP). Pursuant to such declaration, they must comply with the telecom regulatory regime. As at 31 December 2018, a total of 2,829 operators were declared.

  3. If so, what activities are covered and what licences or authorisations are required?

    The declaration with ARCEP concerns, first, the networks open to the public, defined as consisting of any installation for the transportation, transmission or carriage of electronic communications, including switching and routing equipment. Second, it is also required for the provision of electronic communication services to the public, that is, the provision of electronic communications, defined as the transmission of signals over communications networks. The provision of on-line content or the exercise of editorial responsibility for such content are excluded.

    The scope of the regulated services is illustrated by a decision of the European Court of Justice of 5 June 2019, which determines that the services of Skype do not consist of electronic communications services, except the “Skype Out” functionality which enables users to call fixed and mobile phone numbers. The Court grounds its analysis on the fact that this functionality is delivered against payment by the users and requires Skype to execute interconnection agreements directly with the operators in order to deliver the calls.

    This distinction between transmission services and “Over The Top,” software based services should be narrowed down once the new ECEC code is transposed, since it will cover the services consisting wholly or mainly in the conveyance of signals, internet access services and, also, “interpersonal communications services.” The latter category addresses services enabling interpersonal and interactive exchanges of information between a finite number of persons, regardless whether they connect with publicly assigned numbering resources or not. Practically speaking, this means that Voice over IP and messaging services such as Skype, Whatsapp, Wechat or Facebook Messenger are likely to fall within the scope of regulated services.

    Alongside the declaratory regime, an individual authorization by the ARCEP is required for the use of certain frequency bands, such as those allocated to mobile telephony services (GSM, UMTS), radio local loops, radio-relay systems or satellite networks. In these cases, additional obligations are set out in the operators’ licenses.

    Conversely, a declaration to the ARCEP is still not required for ‘independent networks’ (referring to telecom services exchanged within closed user groups) and for radio installations which use short-range frequencies that are not dedicated to their users (e.g. WiFi, Bluetooth).

  4. Is there any specific regulator for the provisions of communications-related services?

    Communications networks and services are regulated by a national regulatory authority, the ARCEP. The ARCEP’s decisions on the definition of market segments and the remedies to potential lacks of competition are guided by the recommendations of the EU Commission, which also holds a veto power. The agency’s regulations on the terms of use of the different categories of telecom networks and services are homologated by the ministry in charge of electronic communications.

    The ARCEP reports to a commission comprised of members of Parliament (Commission Supérieure du Numérique et des Postes) and is frequently auditioned by the Parliament. Its regulatory decisions are subject to the jurisdiction of France’s highest administrative court, the Conseil d’Etat, and its decisions on individual disputes between operators may be brought before the Paris Court of Appeals.

  5. Are they independent of the government control?

    The ARCEP has been considered as an independent government agency (Autorité administrative indépendante) by the French Constitutional Court since its inception in 1996. It is now subject to the Act of 20 January 2017 which defines the rules applicable to all such agencies, such as incompatibilities, conflicts of interests, professional secrecy. Its members may not be revoked during their assignment and may not receive orders or instructions from the government.

    Pursuant to EU rules, national regulatory agencies (NRA) such as the ARCEP must be in possession of all the resources necessary for the performance of their tasks in terms of staffing, expertise, and financial means. In 2018, the ARCEP employed 170 agents and its budget reached 27,30 millions euros.

  6. Are platform providers (social media, content sharing, information search engines) regulated?

    The providers of online public communication services based on the classification or referencing of content, goods or services offered or posted online by third parties, by means of computer algorithms, or of services offering to connect various parties with a view to selling a good, provide a service, exchange or share a content, good or service, are considered “online platform operators” and governed by provisions introduced into the Consumer Code in 2016.

    Pursuant to these provisions, these operators must provide consumers with fair, clear and transparent information on the way their platform work, on any existing contractual or financial relationships that may influence the classification or referencing, and on the rights and obligations of the parties with whom connection is proposed. Besides, platform operators are encouraged to develop self-regulation through the elaboration of codes of conduct. The government officials in charge of competition, consumer affairs and fraud enforcement can investigate and record violations of the Code.

    Furthermore, when platform providers delivering services in France determine the features of the services provided or the goods sold and fix their price, they are subject to certain obligations towards self-employed workers whom they connect with their customers. For example, pursuant to the Labour Code and subject to exceptions, they must cover the insurance contribution covering the risks of accidents at work or the contribution to the vocational training of these workers. They must refrain from sanctioning union membership or strike movements defending professional demands.

    These provisions do not prevent the possibility that such workers be reclassified as employees if their relationship with a platform shows the features of an employment contract. Government bodies such as those in charge of the family allowances fund (URSSAF) ensure that the status of employees is respected and can initiate proceedings to collect the associated contributions, as has been seen in disputes brought against Über.

  7. If so, does the reach of the regulator extend outside your jurisdiction?

    The platform operators fall under the regulations mentioned above solely for their supply of services in France.

  8. Does a telecoms operator need to be domiciled in the country?

    An operator is not required to be domiciled in France (i.e. to create a subsidiary, register a branch, or other) in order to operate a network or provide communications services in the country. For example, a foreign operator may request the allocation of series of numbers from the national numbering plan, or of codes for the routing of electronic communications that do not fall under the Internet addressing system.

    Pursuant to EU directives, each EU Member State must ensure that access to its telecom market is not unduly restricted. The ministry in charge of electronic communications and the ARCEP must nonetheless ensure that equivalence of treatment is respected regarding outbound and inbound traffic with foreign countries, including as concerns the conditions of access to networks abroad.

  9. Are there any restrictions on foreign ownership of telecoms operators?

    Foreign investments in France may be subject to prior approval by the Ministry of Economy when pertaining to sectors which involve the country’s interests in terms of public order, public security or national defense. These interests are defined as including the integrity, security and operating continuity of electronic communications services and networks. Their scope was recently strengthened with regard to activities concerning technical equipment or devices for correspondence interception, remote detection of conversations, cryptology and more generally security provided by information technology products and systems.

    Conversely, pursuant to the CPCE the ARCEP’s missions include laying down the conditions necessary to promote investment and innovation in improved and new generation infrastructure, taking into account the necessity to diversify investment risk “in a manner that respects competition in the market and the principle of non-discrimination”. In this respect, the ECEC purports to define more predictable rules for co-investment in order to promote risk sharing in the deployment of very high capacity networks. This may explain why the possible reinforcement of investment control regulations regarding investments by mobile telecom operators in 5G network equipment is the subject of much debate.

  10. Are there any regulations covering interconnection between operators?

    Interconnection between operators is a right and a duty and is regulated in various manners under the CPCE. In particular, operators of networks open to the public must accept interconnection with their peers, unless their refusal is duly motivated. The ARCEP may control any interconnection agreement as well as any agreement for the sharing of a radio network and may, in certain cases, impose specific requirements on the parties, in an ‘objective, transparent, non-discriminatory and proportionate manner’ to make sure they interconnect their networks and make their services interoperable.

    Similar duties apply to infrastructure managers such as highway operators and local authorities, as well as to those who set up or manage optical fibre broadband lines to end users.

  11. If so are these different for operators with market power?

    Indeed, the operators which enjoy a position equivalent to a dominant position (in terms of anti-trust law) on sub-segments of the telecom market are listed by the ARCEP as ‘operators with significant market power’ (SMP) and may be subject to specific obligations in terms, for instance, of transparency, non-discrimination, accounting separation of their activities, access to their network elements and associated facilities (e.g., buildings, cables, wiring, antennae, etc…). The ARCEP may also impose price control. In all cases the agency must fulfill this mission in accordance with the EU Commission's guidelines on market analysis and the assessment of significant market power.

    Nevertheless, other categories of operators which are not necessarily SMPs may also be subject to specific obligations. For instance, those which control access to end-users are required to ensure proper access to the services provided on other networks.

  12. What are the principal consumer protection regulations that apply specifically to telecoms services?

    In addition to the overall provisions of the Consumer code, an operator is subject to specific requirements concerning, in particular, real time information to the consumers on its offering and tariffs, on the consequences of unlawful use of its services by customers (e.g. in respect of copyright infringement), on the ways to protect individual security and personal data, on number portability, etc.. The same code requires the insertion in consumer agreements of certain provisions such as on indemnification in case of failure to maintain the proposed quality of service, and limits the possibility to require a minimum term of service.

    In addition, the CPCE poses the principle of correspondence secrecy and defines the rules concerning storage and access to consumers’ personal data. One year is in principle the maximum period to keep traffic data.

    The entry into force of the ECEC will trigger the enactment of new protections such as a cap on international calls within the EU, the duty to facilitate the comparison of the offers of the different service providers and to provide free of charge at least one independent comparison tool, to enable consumers to easily change their service provider whilst keeping the same phone number, to ensure more accurate caller location in emergency situations when calling the European emergency number 112, to name a few. The concept of universal service will be revamped with, for instance, the duty to provide for available adequate broadband internet access at an affordable price.

  13. What legal protections are offered in relation to the creators of computer software?

    Software programs are legally protected by copyright under the Intellectual Property Code (CPI), provided they are original. According to case law, ‘original’ means that the way a program is written reflects the author’s personality or personal efforts. Copyright grants the software publisher the exclusive right to authorize the use, copying and initial distribution of its program for a period of 70 years from the year of publication.

    This legal protection applies to source code and object code regardless of the kind, form of expression, merit or purpose of the program. Copyright may also apply to preparatory design materials (e.g. specifications), graphical user interfaces or embedded multimedia elements, or even to the title of the program. However, the software medium (e.g. CD Rom), the ideas and concepts embodied into the software and, more generally, its functionality, are not protected by copyright.

    Patent protection cannot apply to computer software programs “per se,” but only insofar as they are used within patentable inventions (i.e. may cause a "technical effect"). Filing a piece of software with a software registrar is still useful, however, because this will provide evidence of the date of its creation and sustain the demonstration of its originality on that date.

    Alongside these provisions, confidentiality remains the best protection for the program’s source code, all the more since the transposition in 2018 of the EU directive of 8 June 2016 on the protection of undisclosed know-how and commercial information (trade secrets). Trade secrets are now protected under the law whenever their legitimate holder can show it has taken reasonable protective measures to preserve their secrecy.

  14. Do you recognise specific intellectual property rights in respect of data/databases?

    Pursuant to EU directive 96/9/EC of 11 March 1996, a database may be subject to both copyright, which may benefit its author in respect of his original selection or arrangement of the contents of the database, and to a specific, sui generis right that will inure to its ‘producer’ for a period of 15 years, irrespective of the originality of the database.

    Under the CPI, the ‘producer’ of a database is defined as the person who initiated the investments in the database and assumed the associated risks, when the investment in the obtaining, verification or presentation of the contents is substantial from a financial, material or human standpoint. Due to this sui generis database right, the effort made in developing a database that is a compilation of information or commonplace data, such as a telephone directory or football match listing, may still be protected despite its lack of originality. This protection enables the producer to prohibit extraction or re-utilization of the whole contents or of a substantial part thereof.

    Nevertheless, under the above rules, only the database is protected, not data per se: data is indeed considered as information. In principle, information should circulate freely. Legally speaking, exceptions occur where data has been made confidential or is secret or where it is regulated as personal data.

  15. What key protections exist for personal data?

    The General Data Protection Regulation 2016/679 issued by the EU Parliament and Council on 27 April 2016 (RGPD) replaced the existing legislation on 25 May 2018, leaving only a residual room for implementing legislation at the national level.

    Under the GDPR, personal data may be collected and further processed only under certain conditions, such as when the concerned person (‘data subject’) has consented; when it is necessary for the performance of a contract to which the data subject is a party, or to comply with a legal obligation imposed on the data controller; where it is necessary to safeguard an individual’s vital interests or for the performance by the data controller of its public interest mission or official authority; or where there is a ‘legitimate reason’ for the processing, provided this does not harm the data subject's fundamental rights and freedoms.

    The ‘data controller’ (i.e. the person who determines the purposes and means of the data processing) must comply with other key protections such that the personal data is processed lawfully, fairly and in a transparent manner; it is collected for specified, explicit and legitimate purposes and is subsequently processed in accordance with these purposes; it is collected only in as far as it is adequate, relevant, and non-excessive in view of the purposes for which it is collected (‘data minimisation’); it is accurate and, when necessary, kept up to date; it is not retained for longer than necessary in light of the purposes for which it is processed. Most importantly, the data controller must implement appropriate organizational and technical measures to ensure the security and confidentiality of the personal data, both against unauthorized or unlawful processing and against accidental loss, destruction or damage.

    More stringent rules are provided for in respect of sensitive data, defined as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, and data concerning health, sex life or sexual orientation.

    Data subjects are granted certain specific rights that include the right to access their personal data and to request correction, deletion and/or portability of such data.

    Individuals residing in France may file claims with the national regulatory authority, the Commission Nationale de l’Informatique et des Libertés (CNIL). Due to the notoriety of the RGPD, the number of such claims rose by 32% in 2018.

  16. Are there restrictions on the transfer of personal data overseas?

    The transfer of personal data out of the territory of the European Union is permitted only if the destination country provides a level of protection that is considered as “adequate” by the EU Commission, that is, equivalent to the protection afforded within the EU, or if the controller or processor has provided appropriate safeguards so that data subjects may still be able to enforce their rights when their data is exported.

    It should be emphasized that accessing remotely to data from any location abroad, irrespective of where data is stored, is considered as a transfer to that location and, therefore, requires compliance with the GDPR.

    In the absence of an EU decision recognizing the country of destination as adequate, the appropriate safeguards which the data controller or data processor in the third country must provide may consist of a joint commitment, with the data exporter, to comply with the standard data protection clauses adopted or approved by the EU Commission for this purpose; the data importer’s commitment to binding corporate rules applied within the group of companies to which it belongs, if the data exporter is an affiliate of the same group; a legally binding and enforceable instrument, if the parties are government bodies; adherence to a code of conduct approved by the CNIL and entailing binding and enforceable commitments; or compliance with an approved certification mechanism.

    Once such safeguards are in place, the concerned data may be transferred outside the EU without the need for an individual authorization, provided that enforceable data subject rights and effective legal remedies for data subjects remain available. As an alternative safeguard, the data exporter and data importer may agree on their own terms and conditions (rather than the EU standard clauses), but then the data transfer will be subject to prior authorization by the competent national regulatory authority.

    It should be noted that a data transfer required from the data importer by a judgment or an administrative decision issued in the third country will only be recognised or enforceable under EU law if it is based on an international agreement, such as a mutual legal assistance treaty. In light of applicable sanctions, such requirement may work as a deterrent to providing personal data to foreign governments acting outside the control of a judge (such as under a proposal for a deferred prosecution agreement in the US).

  17. What is the maximum fine that can be applied for breach of data protection laws?

    Under the GDPR, the maximum amount that may be imposed by the CNIL amounts to 20 million euros or 4% of the data controller’s global turnover, whichever is greater. However, this only concerns certain types of breaches, such as non-compliance with the rights conferred on data subjects. The GDPR provides for graduated sanctions regarding other types of breaches.

  18. What additional protections have been implemented, over and above the GDPR requirements?

    The adaptation of French law to the new European framework was carried out in several stages. The national texts now consist of an order of 12 December 2018 and of a new implementing decree dated 29 May 2019. These texts complement the RGPD where room is left for implementation at State level: for example, in respect of the processing of health data or data relating to offenses; the setting at 15 years of the age limit for minors' consent to using online services; the provisions relating to digital death; etc. Finally, State law retains full competence for all "repressive" files, whether in the criminal area or in the field of intelligence and State security.

  19. Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?

    Most, if not all, cloud-based services involve the processing and/or transfer of personal data within the meaning of the RGPD. Consequently, the clients of such services should be considered as ‘data controllers’ and must assume full responsibility to comply with the associated obligations from the beginning to the end of the processing (including those described in Questions 9 and 10), despite any belief that delegating their IT activities to cloud service providers should exempt them therefrom.

    When qualifying as ‘data processors,’ cloud service providers must comply with a series of specific obligations also set forth in the RGPD, including, in particular: to process data only in accordance with documented instructions from their clients; to take all measures required to ensure a level of security appropriate to the risks incurred by the data and data subjects; and to provide information as necessary (including through audits) to demonstrate that they comply with their obligations.

    Where the cloud service provider plays a role in defining the ways and means and, possibly, the purposes of the data processing, the provider may appear to be jointly liable with its client towards the persons concerned (‘data subjects’). This is why the RGPD requires ‘data controllers’ and ‘data processors’ (or ‘joint data controllers’) to specifically define, in their agreements, the allocation of their obligations and responsibilities regarding personal data processing.

    In order to help clarify such situations, efforts are being made to nurture the development of codes of conduct (such as by software end user groups), standards (for instance, “SecNumCloud,” a set of reference requirements initiated by a government agency, ANSSI), as well as certifications.

    Aside from general texts, sector-specific regulations may apply, such as in regard to the national health data system (SNDS) destined to health professionals and organizations (Act n°2016-41 of 26 January 2016), or to the outsourcing of IT activities through cloud based services (for example, guidelines issued by the CNIL or, in the bank and insurance sector, the Autorité de Contrôle Prudentiel et de Résolution (ACPR).

    From another perspective, cloud-based services are addressed through regulations aiming at the security of information systems and data, both on the supply and demand side. Thus, since the transposition in 2018 of directive 2016/1148 of 6 July 2016 (NIS - network and information security), cloud services providers must identify the risks that threaten the security of the networks and information systems and must take the necessary and proportionate measures to monitor them, in order to reduce their impact to a minimum and to guarantee the continuity of their services. They must declare to the national information systems security agency (ANSSI) all significant incidents affecting networks and information systems necessary for the provision of their services in the European Union.

    On the side of customers and pursuant to the same texts, the entities that may be declared as offering essential services to the functioning of society or the economy and whose continuity could be seriously affected by incidents affecting the networks and information systems they use must also define appropriate measures to prevent such incidents or to limit their impact, in order to ensure the continuity of the essential services they provide.

    Pursuant to the National Defense Code, further steps may be required from the entities which operate establishments or use installations and works, the unavailability of which could significantly reduce the war or economic potential, security or survivability of the nation. In particular, these Operators of Vital Importance (OIV) must declare the critical information systems (SIIV) they operate.

  20. Are there specific requirements for the validity of an electronic signature?

    According to the Civil Code provisions that implement EU legislation governing this matter (latterly, EU regulation 910/2014 of 23 July 2014.), an electronic signature is considered as a ‘signature,’ that is, as effectively identifying the author of an act and showing his consent, only when it results from a reliable identification process that guarantees its connection with the act. “Qualified” electronic signatures are deemed by statute to offer such reliability and, consequently, to have the same legal effects as a handwritten signature, because they fulfil certain requirements that are set out in regulations.

    These requirements include the use of a qualified certificate which must be delivered to the signatory in person, as well as other requirements that, in practice, are seldom fully satisfied. Accordingly, so called ‘electronic signatures’ in current use on the market may most often not be considered as ‘qualified electronic signatures’ under the law. This means that, when challenged before the courts, their users will have to demonstrate their probative value.

  21. In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?

    According to the Labor Code (Art. L.1224-1), which implements EU directive 2001/23/EC of 12 March 2001 on safeguarding employees’ rights in the event of transfers of undertakings, businesses or parts thereof, an automatic transfer of all employment contracts may occur in the event of a change in the employer’s legal situation, in particular as a result of a sale or merger of an undertaking, provided the outsourced activities constitute an “autonomous economic entity” as defined by case law, i.e., an organised group of persons and assets that will be able to continue business to reach a specific goal.

    As regards assets, an automatic transfer may take place in the context of a company merger, a corporate split, or the contribution of a whole business branch that involves a transfer of all associated assets and liabilities. Agreements personally inherent to the co-contracting party (“intuitu personae”) may not follow the transfer, however, if such other party does not grant its consent thereto.

  22. If a software program which purports to be a form of A.I. malfunctions, who is liable?

    Currently, the general principle is that a person shall be considered as liable not only for damages he/she causes through his/her own act, but also for those caused by items under his/her custody (Civil Code, Art.1242). To further develop this liability principle and following EU legislation, a strict liability regime was enacted in 1998, which applies to the producer of a product in regard to damages caused by a defect to his product. This liability applies irrespective of whether or not the producer is bound to the victim by contract (French Civil Code, Art.1245 et seq.). Strict liability makes things easier for the victim, who may sue the manufacturer, a supplier of individual parts or, ultimately, the reseller of the product. The victim must only prove the lack of security of the item.

    The scope of application of this principle may decrease as items that are prompted by Artificial Intelligence deviate from their owner’s custody. Furthermore, this might address situations where AI is embedded or associated to pieces of equipment or hardware, but less so in respect to a software program on its own, insofar as this is not (yet) considered as a ‘product.’ The main other option that seems to emerge would be to recognize the legal personality of robots. However, this approach might only shift the problem, since legal personality means patrimony and this would then require finding ways to endow this patrimony with assets and not just liabilities.

    In this context, the European Parliament adopted a resolution on 12 February 2019 in favour of developing an EU industry policy and of implementing governance measures concerning Artificial Intelligence. The Parliament proposes, among other steps, to define a legal framework, based on the notion of ethics and applicable as from the conception of the application. The Parliament considers that "any comprehensive AI law or regulation should be carefully considered, as sectoral regulation may provide for policies that are sufficiently general, but also refined to a level that is significant for the industrial sector".

    On its side, the European Commission adopted in April 2019 a coordinated plan drawn up with the Member States to promote the development and use of AI in Europe. This initiative includes the works of an independent expert group on Artificial Intelligence which published ethics guidelines in April 2019. These guidelines place emphasis on the need for a human-centric approach to AI, in particular accountability and the need for mechanisms to ensure adequate redress when unfair negative impacts occur. The EU Commission declared that as a next step it aims to build an international consensus on AI ethics guidelines.

  23. What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?

    a) obligations as to the maintenance of cybersecurity; and

    Key legal provisions in respect of cybersecurity include in particular:

    • Article 32 et seq. of the GDPR which require the data controller and the data processor to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk incurred by the personal data they process, and to notify breaches to the supervisory authority (the CNIL), except those unlikely to result in a risk to the rights and freedoms of natural persons;
    • the Military Programming Act of 18 December 2013, pursuant to which the State must rule on certain obligations such as the prohibition of certain systems connected to the internet; encourage the implementation of detection systems by certified providers; audit the security level of critical information systems; and, in the event of a major crisis, impose the necessary measures on Operators of Vital Importance (OIV);
    • EU directive 2016/1148 of 6 July 2016 and the Act no.2018-133 of 26 February 2018 which provide for, amongst other measures, a high common level of security of networks and information systems between member States, including through standardization; for security and notification requirements on operators of ‘essential services’ as well as on digital service providers; for the creation of a computer security incident response team network (see Question 13);
    • the European Cybersecurity Act adopted on 7 June 2019 reinforces the missions of ENISA, the European Cybersecurity Agency, to coordinate and develop cybersecurity policies throughout the Union, and sets up a European cybersecurity certification framework.

    b) the criminality of hacking/DDOS attacks?

    The Act no.88-19 of 5 January 1988 on software fraud creates various offenses such as fraudulent access or continued presence within all or part of an automatic data processing system and covers the criminality of hacking and DDOS attacks. This act was amended recently in order, in particular, to increase the quantum of applicable penalties.

  24. What technology development will create the most legal change in your jurisdiction?

    The blockchain is probably the development that generates the most substantial legal change, in France like elsewhere. As this technology relies on a chronological transactions database that is both distributed and encrypted, it ensures the integrity of the identification of the author of a legal act as well as the apparently flawless traceability of the origin and subsequent stages of a transaction.

    While countries are competing to attract Initial Coin Offerings (ICOs) with crypto-currencies based on this technology, this type of transaction challenges lawmakers because it potentially by-passes the rules applicable to public tenders on stock markets, enables start-ups and businesses to raise funds beyond government agencies’ control, and offers anonymity despite anti-money laundering regulations. Similar challenges will be posed by the blockchain in other areas of the law such as with regard to financial transactions, land registration, royalty collection societies, the issuance of bonds, etc..

  25. Which current legal provision/regime creates the greatest impediment to economic development/ commerce?

    The French tax regime appears to be cumbersome for many projects, due to its complexity and tax impact. As an example, while efforts are being made to foster the development of Initial Coin Offerings in France, the tax regime applicable to such type of transactions appears not to be fully settled. Should a token be considered as a share or an interest in future revenues, it might then be subject to income taxes, which would act as a deterrent compared with other countries.

  26. Do you believe your legal system specifically encourages or hinders digital services?

    Digital services are ruled in essence by EU legislation, which has largely shaped French consumer law over the last twenty years or so. Therefore, national specificities will less be found in the legal system than in the economy.

    However, France has become an ardent proponent of digital administration, in particular through simplifying and transferring procedures for the internet (for instance, with public procurement platforms and digital invoicing mechanisms) and through disseminating an increasing volume of open data (www.data.gouv.fr).

  27. To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?

    French authorities have for many years understood the importance of setting up mechanisms to foster pilot projects as well as large-scale experiments in the area of Artificial Intelligence (for instance, ‘France is AI,’ ScanR, etc.), but also the necessity to develop a regulatory framework that will protect consumers and citizens at large. Many initiatives show that the legal system will be adapted as much as necessary to the problems posed by AI - perhaps even faster than in-country developments of the AI itself.