Newsletter n°2 (February 2024)
✨ ARTIFICIAL INTELLIGENCE ✨
➡️ Adoption of the European Regulation on Artificial Intelligence
Adopted on February 2, 2024, the European Regulation on Artificial Intelligence aims to provide a framework for the development of AI. This is groundbreaking legislation at global level to regulate artificial intelligence.
This regulation provides the first legal definition of artificial intelligence: an artificial intelligence system is software developed using one or more of the following techniques: (i) machine learning approaches (ii) logic and knowledge-based approaches (iii) statistical approaches, Bayesian estimation, search and optimization methods.
In particular, this regulation prohibits the following artificial intelligence practices if they can cause physical or psychological harm:
- AI systems using techniques to manipulate human behavior in order to circumvent free will;
- AI systems exploiting possible vulnerabilities due to an individual’s age or disability;
- AI systems designed to evaluate or rank the trustworthiness of people based on their social behavior or personal characteristics, and social rating based on social behavior or personal characteristics;
- emotion recognition in the workplace and educational establishments;
- real-time remote biometric identification systems in publicly accessible areas for law enforcement purposes, with the exception of certain cases (crime investigation, prevention of a specific, substantial and imminent threat to the life or security of persons or prevention of a terrorist attack, etc.).
In particular, citizens will have the right to (i) lodge complaints about AI systems, but also to (ii) receive explanations about decisions based on high-risk AI systems that affect their rights.
Failure to comply with the rules could result in fines ranging, depending on the size of the company and the infringement, from €7.5M or 1.5% of turnover to €35M or 7% of worldwide turnover.
Firsh tip: it is recommended that companies using AI conduct an audit relating to the use that they themselves, but above all their employees, would make of AI as part of their activity / work. Firsh supports companies in developing their AI strategy governance, provides awareness training for employees and teams, and drafts charters for the use of AI.
(Proposal for a) REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL laying down harmonized rules on artificial intelligence
✨ NEW TECHNOLOGIES ✨
➡️ Digital Services Act comes into force
The Digital Services Act (DSA) is a European regulation dated October 19, 2022, which aims to reduce the distribution of illegal content and establish greater transparency between online platforms and their users.
In force since August 25, 2023 for online platforms and search engines with more than 45 million users in the European Union, it now applies to all online platforms and intermediaries offering their services (goods, content or services) on the European market since February 17, 2024.
This regulation introduces new obligations for online platforms, which will be required to:
- inform their users of any significant changes to their general terms and conditions;
- formulate general terms and conditions in a simple, intelligible, easily accessible and unambiguous manner, with the information provided including the remedies and redress mechanisms available to the user;
- provide transparency reports on their internal complaints handling systems and content moderation activities;
- suspend, for a reasonable period and after warning, the provision of their services to users who frequently disseminate manifestly illicit content;
- take appropriate and proportionate measures to guarantee a high level of protection for the privacy, safety and security of minors.
Nota Bene: small businesses (fewer than 50 employees and annual turnover or annual balance sheet total < €10M) and micro-businesses (fewer than 10 employees and annual turnover or annual balance sheet total < €2M) are exempt from the application of certain measures.
In the event of a breach of the DSA, a fine of up to 6% of annual worldwide turnover in the previous financial year may be imposed on the platform. In the event of serious and repeated breaches by a platform, a temporary restriction of access to the service may be applied.
Lastly, Member States may also impose a penalty payment on very large platforms alone, of up to 5% of the platform’s average daily worldwide revenues or turnover over the previous financial year, per day of penalty payment, from the date specified in the decision in question.
Firsh tip: companies are advised to take stock of their obligations under the new regulations, and to set up internal processes to ensure compliance. Firsh is currently preparing this inventory for a streaming platform.
REGULATION (EU) 2022/2065 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act)
✨ PERSONAL DATA ✨
➡️ Data breach at two third-party payment operators
The CNIL is investigating the data breach that affected operators Viamedis and Almerys in order to determine, in particular, whether the security measures implemented prior to the incident and in response to it were appropriate with regard to the obligations of the GDPR.
The authority was informed by operators Viamedis and Almerys, which manage third-party payments for complementary healthcare providers, of the computer attack they suffered at the end of January.
This attack, which affected over 33 million people, resulted in the leakage of certain categories of personal data of policyholders and their families (civil status, date of birth, social security number, name of health insurer, policy cover).
Since then, it has been up to the complementary health insurance companies using the Viamedis and Almerys service providers to inform individually and directly all the people concerned by the breach.
Although contact data has not been affected by the breach, it is possible that the data that has been breached is linked to other information from previous data leaks. It is therefore up to policyholders to be vigilant about the solicitations they receive, and to monitor their account movements.
Firsh tip: companies and individuals are advised to be vigilant about solicitations and messages they may receive, to avoid identity theft and phishing (email bombs).
Data breach by two third-party payment operators: CNIL opens investigation and reminds policyholders of precautions to take
➡️ CNIL fines PAP 100,000 euros
On January 31, 2024, the French Data Protection Authority (CNIL) imposed a 100,000 euro fine on PAP, publisher of the pap.fr (De Particulier à Particulier) website, notably for failing to comply with its obligations in terms of data retention periods and security.
PAP had set a data retention period of 10 years for certain customer accounts using the website’s paid services, without this period being justified by the provisions of the French Consumer Code. It had also defined a 5-year retention period for data relating to users of the website’s free services, but failed to apply this, as it retained data for longer periods.
PAP informed individuals by means of a privacy policy that was incomplete and imprecise with regard to the GDPR (Article 13). A contract concluded between the company and a subcontractor did not include the provisions required by the GDPR (Article 28).
Several security flaws exposed data to the risk of computer attacks and leaks (insufficient robustness of passwords, unencrypted storage of passwords in particular).
Firsh tip: it is advisable for companies to take stock of the personal data they process, and to circumscribe this storage according to precise internal security and archiving procedures.
Deliberation SAN-2024-002 of January 31, 2024
➡️ CNIL publishes two factsheets on encryption and data security
Having received numerous questions about the use of cloud services, particularly in view of the complexity of the offerings available, the CNIL has recently published two initial factsheets to enlighten organizations consuming these services on the use of encryption and security and performance tools.
Firstly, the CNIL offers a detailed analysis of the different types of encryption applied to a cloud service.
Secondly, the CNIL presents the various security products needed to secure a cloud service. In doing so, it makes a clear distinction between security functionalities and performance functionalities, which are often marketed together. Lastly, the CNIL suggests a number of points to watch out for when using these different products.
Firsh tip: companies are advised to take stock of the security measures they have put in place, check their security policy and the procedure in place in the event of a data breach (resilience and communication plan).
CNIL’s fact sheets to be read again on (i) tools for securing web applications in the cloud and (ii) encryption practices in the public cloud
✨ INTELLECTUAL PROPERTY ✨
➡️ Trademark: lapse due to degeneration
An application for revocation of the figurative trademark CITY STADE, registered on July 1, 2013 to designate “transportable metal constructions, i.e. constructions for the practice of sports; complete steel structure clad in wood or metal allowing the practice of various sports (tennis, basketball, soccer)”, was filed on February 24, 2021 on the basis of Article 58, § 1, sub b) of Regulation (EU) 2017/1001 on the European Union trade mark in that the mark had allegedly become the usual designation in the trade of the goods for which it had been registered and, in particular, to designate generically multi-sports constructions, structures or fields intended for the practice of basketball, soccer and other sports.
The EU Court affirms that the conditions of Article 58(1)(b) of Regulation (EU) 2017/1001 of June 14, 2017 are cumulative. Thus, revocation on grounds of degeneration is pronounced if evidence is provided that (i) the sign has become the designation customary in the trade for the goods for which the trademark was registered on the one hand, and (ii) if this degeneration is due to the action and/or inaction of its proprietor on the other hand.
Firstly, use of the trademark must have become so widespread that the sign constituting it tends to designate the category, kind or nature of the goods and services covered by the registration, and no longer the goods or services originating specifically from a particular enterprise; the trademark then no longer fulfils its distinctive function.
Secondly, the degeneration of a trademark depends to a certain extent on the activity, but above all on the inactivity, of the trademark owner, through his/her lack of vigilance and passivity in defending his/her trademark and using the sign constituting the trademark as a generic term (absence or delay in initiating pre-litigation proceedings, for example, to stop certain uses).
Firsh tip: companies are advised to exploit their trademarks seriously and to implement a defense strategy to avoid potential degeneration of their brand.
General Court of the EU, February 7, 2024, Sports et loisirs (Casal sport) v EUIPO, case T-220/23
✨ IMAGE RIGHTS – PROTECTING OUR CHILDREN’S RIGHTS ✨
➡️ Legislation adopted to ensure respect for children’s image rights
This new law, adopted on February 19, aims to ensure that parents respect children’s right to their image on social networks.
This new legislation could strengthen the protection of minors on the Internet with regard to the activities of influencers, whose children have become assets for triggering partnership operations.
The Civil Code is amended to:
- introduce the notion of privacy into the definition of parental authority, enshrining parents’ obligation to ensure respect for their child’s private life;
- allow the family court to prohibit a parent from publishing or broadcasting any image of his or her child without the consent of the other parent;
- stipulate that “parents shall jointly protect their minor child’s right to an image” and that “parents shall involve the child in the exercise of his or her right to an image, in accordance with his or her age and degree of maturity”, as required by the 1989 International Convention on the Rights of the Child.
In addition, a forced partial delegation of parental authority has been created in the event of dissemination of the child’s image seriously undermining his or her dignity or moral integrity.
Lastly, the CNIL now has the power to refer a case to the interim relief judge to request any measure to safeguard a child’s rights in the event of failure to comply with or respond to a request for the deletion of personal data (amended article 21 of the French Data Protection Act).
Firsh tip: Firsh regularly assists companies that use child models, and contracts are drawn up scrupulously.
Law no. 2024-120 of February 19, 2024 to guarantee respect for children’s image rights
✨ « FIRSH » NEWS ✨
Find out more about Firsh’s contributions to the advancement of law and innovation:
- Claire Poirson’s contribution to the White Paper “the insurability of blockchain and cryptoasset-related activities (myths and realities)” edited by BDJ, LSN Assurances, NEOTech and Diot-Siaci. You can view the white paper in detail by clicking on the link: https://lnkd.in/eX224HfX
In February, Firsh assisted clients with the following projects:
- Infringement by imitation of copyright and parasitism acts in the context of plagiarism of sketches between humorists
- Pleadings before the Bordeaux Court of Appeal in a summary infringement seizure
- Further confirmation of the renown of the TESLA trademark, thanks to the firm, by decision of the INPI in the context of a trademark opposition (public decision)
- Negotiation of a framework agreement for intellectual design services in the field of luxury cosmetics and perfumes
- Strategy for bypassing a trademark registration to deal with prior trademarks
- Review of the cookies policy and cookies banner of an international group operating in the fashion and leather goods sector in France
- Submission to a tender to respond to an AI governance strategy for a logistics and transport group
- Pre-litigation in the context of an alleged partial breach of established commercial relationship.
📢 To follow us on LinkedIn and receive our newsletter, click here: https://www.linkedin.com/company/firshlaw/.
📢 There is no direct collection of your personal data and therefore no emailing from FIRSH!