11 February 2025

Newsletter February 2025

ARTIFICIAL INTELLIGENCE

AI Act’s application: prohibition of unacceptably risky AI & training in mastering AI

The Artificial Intelligence Act is the first regulation in the world to adopt a risk-based approach.

Coming into force on 1 August 2024, this regulation establishes a structured legislative framework, to be applied progressively over two years.

🔔Its first application will be on 2 February 2025, with the aim of prohibiting the use of AIs that pose an unacceptable risk and requiring employees to be trained to master them.

An AI system is considered to present an unacceptable risk when its use is contrary to the fundamental values of the European Union and fundamental rights.

AI systems at unacceptable risk include:

  • Unconscious manipulation

  • Exploitation of vulnerabilities

  • Social rating

  • Biometric categorisation


The main risk of these systems lies in their ability to identify or deduce the emotions and intentions of individuals from their biometric data, which could lead to discriminatory results. The prohibition therefore aims to protect privacy, human dignity and fundamental freedoms in the face of these intrusive systems.

Entities, whether public or private, that fail to comply with these bans are liable to severe penalties of up to €35 million or 7% of their annual worldwide turnover. However, these sanctions will only take effect from 2 August 2025.

📈 The training obligation 

Since 2 February, Article 4 of the AI Act has required suppliers and deployers of AI systems to train their teams in the deployment and use of artificial intelligence in-house.

🔍What Article 4 says:

‘Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training and the context the AI systems are to be used in, and considering the persons or groups of persons on whom the AI systems are to be used.’

📅 In practical terms, this means that companies must:

  • Ensure compliance with the regulatory framework while fostering innovation.

  • Assess the current AI skills of the employees who will be involved in operating or using these systems.

  • Implement appropriate training to ensure effective and responsible use of these technologies.

This new obligation is part of an overall approach to the AI Act, the first application of which is aimed at banning “unacceptable risk” AI. From next August, the regulatory framework will extend to AI systems classified as “high risk”.


🚀 A key issue for businesses: beyond compliance, training teams makes it possible to adopt an AI that is more transparent, controlled and aligned with ethical and legal imperatives.

FIRSH expert voice: FIRSH, which already uses productivity AI and legal AI tools for its own needs, offers a comprehensive service to legal departments and businesses to implement ‘off-the-shelf’ or ‘custom-created’ AI tools with technical service providers in compliance with current regulations.

FIRSH also provides training for all employees to remind them of the company’s good practices and to raise awareness of IP and data confidentiality.

Don’t hesitate to move up a gear with AI to boost the productivity of your teams and focus on higher added-value tasks.

Find out more 👉 https://www.linkedin.com/feed/update/urn:li:activity:7290731249495678978 and https://www.linkedin.com/feed/update/urn:li:activity:7292466935244439554

DATA

CNIL announces its 2025-2028 strategic plan: 4 key areas for a secure digital society

Over the next four years, CNIL will structure its action around four major areas, responding to the growing challenges of data protection in an increasingly digital society. This ambitious programme includes more controls, coordination with other regulators and a proactive approach to new threats.

1️⃣ Artificial intelligence

Faced with the risks associated with generative AI (deepfakes, disinformation, invasion of privacy), the CNIL will clarify the legal framework, develop its audit capabilities and continue to raise awareness of compliance issues among professionals and the general public.

Coordinated controls with other regulators are also planned.

2️⃣ Protection of minors online

The focus will be on platforms used by young people (social networks, educational applications, video games), with particular attention paid to advertising practices and compliance with consent rules.

The aim is to combat cyberbullying, exposure to inappropriate content and the abusive collection of young people’s personal data, in order to ensure a safer digital environment for children and teenagers.

3️⃣ Cybersecurity

In the face of increasing cyber-attacks, the CNIL will ensure that organisations adopt robust protection measures, and will step up its checks after data breaches to verify that effective corrective measures have been implemented.

Increased coordination with other competent authorities is also on the agenda.

4️⃣ Mobile applications and digital identity

CNIL will continue to monitor mobile applications, updating its recommendations and ensuring their compliance.

It will also support the development of privacy-friendly digital identity services, in cooperation with regulatory control authorities and European bodies, particularly in the context of the European Digital Identity Wallet (eIDAS regulation).

Find out more 👉 https://www.cnil.fr/sites/cnil/files/2025-01/plan_strategique_cnil_2025-2028.pdf

Cybersecurity & Finance: the EU steps up its game with DORA

In 2021, 28% of European SMEs were the victims of a cyber-attack, a figure that is even more alarming in certain countries such as Greece (41%) and Portugal (48%) (source: Eurobarometer).


These attacks are not limited to small businesses: since 2014, major financial institutions have suffered cyber-attacks with far-reaching consequences, impacting their image, public confidence and sometimes even their business.


In response to the growing threats, the European Union has adopted DORA (Digital Operational Resilience Act), a regulation aimed at strengthening cybersecurity and the resilience of financial services.

Adopted in November 2022, this text requires companies in the sector to strengthen their digital resilience by:

  • Assessing their level of preparedness in the face of cyber attacks and IT failures

  • Identifying the risks and the acceptable levels of disruption for users

  • Implementing penetration tests and backup and recovery plans

  • Ensuring rapid recovery of systems after an incident to limit the impact

  • Analysing each incident and implementing corrective actions

  • Notifying the competent authorities using standardised reporting templates

🔍 Who is impacted by DORA?

The regulation applies to a wide range of actors in the financial sector, including:

  • Banks and credit institutions

  • Payment institutions

  • Investment companies

  • Crypto-asset service providers

  • Insurance companies

  • Third-party providers of critical IT services

💰 Penalties for non-compliance:

DORA leaves it to the Member States and competent authorities to determine the applicable sanctions.

📜 These may include financial penalties, compliance injunctions, or even business restrictions for financial entities that do not comply with their obligations (Article 50.4 c).

Third-party providers playing a key role in the digital security of financial services are also in DORA’s sights.

Article 30 of DORA establishes a specific supervisory framework for providers of critical IT services (cloud, hosting services, network management, etc.). These providers must comply with strict requirements in terms of risk management, security and transparency.

Companies will also have to map their third-party providers and include contractual clauses guaranteeing their compliance with DORA, in anticipation of any checks by the authorities.

The competent authorities will be able to demand detailed reports on their operational resilience, carry out documentary or on-site inspections, restrict certain services in the event of proven non-compliance and even impose corrective measures in the event of non-compliance. These sanctions can go as far as daily penalty payments representing 1% of worldwide turnover, for a maximum period of six months (Article 35).

📅 DORA has been in force in all EU Member States since 17 January 2025.

FIRSH expert voice: Regulations are becoming increasingly complex. In order to carry out a project to bring IT service contracts into line with the DORA regulations, it is particularly important to identify the providers concerned, to determine the methods for assessing the risks associated with the services provided and to draft the appropriate contractual clauses.

It is up to you to comply with the NIS 1/NIS 2/DORA regulations, not least to ensure the long-term viability of your business in the face of cyber risks that are increasing with AI.

Find out more 👉 https://www.linkedin.com/feed/update/urn:li:activity:7293561641764311040

GDPR and rail transport: unnecessary data collection?

The CJEU recalls a fundamental principle of the GDPR, data minimisation: a company may only collect information that is strictly necessary for the purpose of the processing.

In this case, the mention of a person’s title, which implies a presumed gender identity, is not essential data for the purchase of a train ticket.

Companies must therefore justify the need for each item of data collected and ensure that their processing complies with the requirements of the GDPR, or risk being penalised. The CJEU also points out that commercial practices must evolve towards greater inclusiveness, in particular by opting for less intrusive alternatives, such as the use of neutral forms of address.

Beyond the rail sector, this decision could set a precedent for other areas where the collection of personal data is imposed without any real justification. It thus strengthens the protection of individuals’ fundamental rights in the face of potentially discriminatory data processing, and encourages companies to adopt policies that are more respectful of privacy.

🔍 What are the key points?

The CJEU considers that the obligation imposed by SNCF Connect to fill in one’s title (‘Mr’ or ‘Mrs’) when purchasing a train ticket online violates the GDPR’s data minimisation principle.

How should this ruling be applied?

If you collect your customers’ title (form of address), whether as part of an online sale or commercial prospecting by email, ask yourself the right questions:

– Is this information really necessary?

– Is there a less intrusive alternative? Rather than imposing a binary choice, opt for inclusive and neutral forms of politeness, suitable for all your customers.

FIRSH expert voice: Firsh will help you to comply with the regulations on personal data in a practical and pragmatic way. The documentation that Firsh has designed is simple, clear, practical and easy to use, and FIRSH remains on the hotline to ensure implementation and any updates.

Read the full judgment 👉 CJEU, 9 January 2025, C-394/23

Netflix has been fined €4,750,000 for failing to comply with its obligation to provide information and the right of access.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP) has fined Netflix €4.75 million for failing to comply with its obligation to provide information and users’ right of access, following complaints lodged by NOYB.

Relying on the guidelines of the European Data Protection Board (EDPB), the AP recalled that the GDPR requires data controllers to provide clear, comprehensive and accessible information to all data subjects.

⚖️ Breaches identified:

  • Data recipients: Netflix should have mentioned the precise names of the entities receiving the advertising data, and not just their categories. Netflix has since corrected this point by adding a link to a detailed list.

  • Purposes and data processed: Netflix did not make it sufficiently clear what data was used for personalising content, analysing target groups and preventing fraud. The AP insists on the need to explicitly link each piece of data to its purpose.

  • Retention periods: The platform indicated a vague period (‘as required or permitted by law’), whereas it had more precise information that should have been included in its privacy policy.

  • Transfers outside the EEA: Netflix did not specify the destination countries for transferred data or the applicable guarantees, nor did it mention users’ rights in the event of a transfer outside the European Economic Area.

💡 Legal implications:

In light of the GDPR, this decision strengthens the transparency obligation of major digital platforms. It reminds us that all information relating to the processing of personal data must be communicated in a clear, precise and accessible manner, thereby guaranteeing the full exercise of the rights of the data subjects. Netflix is thus obliged to adopt exemplary communication practices to avoid any violation of users’ rights, confirming that compliance with the GDPR is non-negotiable for digital actors.

FIRSH expert voice: Firsh will help you to comply with the regulations on personal data in a practical and pragmatic way. The documentation that Firsh has designed is simple, clear, practical and easy to use, and FIRSH remains on the hotline to ensure implementation and any updates.

Read the full judgment 👉 https://www.autoriteitpersoonsgegevens.nl/actueel/boete-netflix-voor-niet-goed-informeren-klanten

INTELLECTUAL PROPERTY

Trademark

On 21 October 2024, INPI declared inadmissible a former franchisee’s application for revocation of the LADY CONCEPT trademark for lack of genuine use. This application was deemed to constitute an abuse of rights, arising more from a desire to harm than from a genuine dispute over the use of the trademark.

🔍 What should be noted?

Although an interest in bringing an action for revocation before INPI is not required, this does not rule out the possibility of abuse of rights.

An action for revocation can be diverted from its legitimate objective if it is initiated with malicious intent.

In this case, the plaintiff, a former franchisee, had itself exploited the trade mark for five years prior to the application, thereby demonstrating that the application did not stem from a genuine dispute over the use of the trade mark.

⚖️ Legal implications:

This decision marks a step forward in the fight against abusive trademark litigation, by strictly regulating the use of revocation actions. INPI is thus affirming its ability to dismiss a manifestly abusive application, preventing it from being misused as a means of contractual retaliation. It also points out that the right to bring a revocation action is not absolute: a franchisee cannot challenge a trademark that it has itself exploited in an opportunistic or malicious manner.

This case law therefore gives trade mark owners leverage to protect themselves against unfounded attacks aimed at weakening their rights after a commercial dispute.

FIRSH expert voice: Trademarks are intangible assets that are essential to the value of a company. Firsh assists you in administrative disputes before the trade mark offices and in legal disputes concerning trade marks, in order to defend your rights and create this asset.

Read the full decision 👉 Application for total revocation No. 0903217 of 29/11/2023: BOPI 2024-01 of 05/01/2024

➡️ Copyright: the ECJ puts an end to the reciprocity rule in copyright law for works of applied art

Knud Bugge BV and Vitra Collections AG, which own the copyright in a model of furniture designed by a Danish designer, accuse Kwantum Nederland BV, a Dutch retailer, of having marketed a copy of the design.

The work in question, a piece of furniture with an original design, is protected by copyright in the European Union. However, Kwantum invoked Article 2(7) of the Berne Convention to challenge the protection, on the grounds that the work originated in a non-EEA country.

The question put to the ECJ was whether a Member State could refuse copyright protection on this basis.

⚖️ Legal implications:

Directive 2001/29 and the EU Charter of Fundamental Rights prevent Member States from applying material protection conditional on reciprocity.

This decision follows on from the RAAP v PPI judgment (ECJ, 8 Sept 2020) on non-discrimination in copyright matters.

It has a direct impact on the European harmonisation of copyright and the recognition of the rights of foreign authors.

Member States can no longer limit copyright protection for works of applied art according to the work’s country of origin. This decision promotes a more uniform application of copyright in Europe and strengthens the primacy of EU law over the international commitments of Member States.

🔍 What should be noted?

The ECJ neutralises the reciprocity rule laid down in Article 2(7) of the Berne Convention for works of applied art originating in a non-EEA country, where their author is a national of a country linked to the European Union.

FIRSH expert voice: Europe protects its creators!

Read the full judgment 👉 ECJ, 24 October 2024, C-227/23, Kwantum Nederland BV v Knud Bugge BV/Vitra Collections AG

FIRSH NEWS

Find out more about Firsh’s contributions to the advancement of law and innovation:

➡️ Our founding partner, Claire Poirson, shed some legal light on online scams, a fast-growing phenomenon, on La Matinale de TF1, one of the major French TV channels.

Watch a replay of the program 👉 https://www.tf1.fr/tf1/bonjour-la-matinale-tf1/videos/bonjour-la-matinale-de-tf1-du-5-fevrier-2025-41800583.html

➡️ As part of its innovation laboratory, FIRSH has published its first White Paper! It marks the official launch of FIRSH LAB, whose first study addresses a high-stakes social issue: deepfakes generated by artificial intelligence. After a documented study of the technical aspects and a legal analysis of the applicable texts, legal scholarship and court decisions, this White Paper gives legal and practical recommendations to public authorities, to companies and to individuals. It represents more than 6 months of research, legal analysis, drafting, corrections, reflection and rich interviews with French and foreign experts in artificial intelligence, both technical and legal, to understand a major social issue with multiple stakes and to provide concrete solutions for all players in society, from schools to public authorities.

To receive your copy of the White Paper, please contact us at 👉 contact@FIRSH.LAW

➡️ In January, Firsh assisted its customers with the following projects:

– Implementation of legal AI tools within an audiovisual production company

– Analysis of the intellectual property rights of an interior design firm in the context of the reproduction of their creations for two hotels and three restaurants

– Negotiation of a settlement agreement putting an end to the infringing use of a trademark

🔔 Upcoming seminar, sign up:

Artificial Intelligence Law

Tuesday 18 March, 9am to 12pm: Claire Poirson trains lawyers on the law of artificial intelligence

€250 excl. VAT – new seminar. Details of this module are here.

📢 To follow us on LinkedIn and receive our newsletter, click here: https://www.linkedin.com/company/firshlaw/.

📢 There is no direct collection of your personal data and therefore no emailing from Firsh!
