Newsletter March 2025
✨ARTIFICIAL INTELLIGENCE✨
➡️CNIL recommendations on the development of innovative and responsible AI in Europe:
On 7 February 2025, the French Data Protection Authority (CNIL) published two new recommendations for the use of AI in a way that respects personal data.
Companies are increasingly using AI systems for human resources, management, surveillance and recruitment. These systems are likely to use individuals’ personal data.
-
Recommendations on the obligations to inform data subjects about data processing in AI systems.
-
Recommendations on respecting and facilitating the exercise of the rights of data subjects.
AI systems that use personal data to train their models are obliged to inform the people concerned. The process of providing information may take the form of individual information (emails or letters sent for initial contact, pre-recorded voice message, online form) or general information (banner on website, public notice board).
Access to information must be transparent and easy, enabling data subjects to make informed decisions about their data.
Additionally, these recommendations reiterate the need for companies to adapt in the context of transparency and data protection for their employees.
It is therefore recommended that they adopt concrete measures such as :
– Mapping the use of AI on the premises
– Providing information, in the interests of transparency, to inform users about the use of their data
– Respect for the exercise of user rights by users.
– Anonymisation of data right from the design stage of AI models
These recommendations are part of a broader framework of AI regulation in Europe aimed at ensuring the ethical and responsible deployment of AI.
FIRSH expert feedback : FIRSH supports its customers in their responsible use of AI. This approach is a win-win situation for companies, employees and users alike. Confidence in AI is acquired in this way.
Find out more 👉 AI and RGPD: the CNIL publishes its new recommendations to support responsible innovation | CNIL
➡️Rapport from the OECD on the challenges facing IP in the face of AI trained on scraped data:
The rise of generative AI is based on the use of massive volumes of data to train ever more powerful models. Yet much of this data is collected via scraping techniques, raising growing concerns about copyright, database protection, trademarks and privacy in particular.
🔍 What is ‘scraping’?
The automated extraction of data from the web and other digital sources using software or scripts. This method is characterised by:
✔️ Automation: rapid retrieval in large quantities with little human intervention.
✔️ Scalability: the ability to extract data from multiple sources simultaneously.
What does this report propose?
– State of play: major issues at the intersection of AI and intellectual property (IP).
– Analysis: of the various scraping techniques, their uses and the players involved.
– Overview: legal and regulatory responses adopted around the world.
– Recommendations: ways of thinking about how to regulate these practices while encouraging technological innovation.
💡 Main issues identified by the OECD:
– Growing legal ambiguity: legislation varies from country to country, making the legal classification of scraping for AI purposes uncertain.
– Increased risk of IP rights infringement: many protected works find their way into training datasets without the consent of the rightful owners.
– Increasing number of disputes: major tech actors are now being sued for using protected data to train their models.
– The need for a regulatory framework and protection tools.
FIRSH expert feedback : To ensure compliance with regulations, FIRSH assists numerous AI actors using scraping in the training model of their tool. Appropriate legal documentation is key in this type of activity.
➡️Publications by the European Commission of two documents accompanying the implementation of the AI Regulation:
The IA Act is the first regulation in the world to regulate artificial intelligence, establishing a uniform legal framework, in particular for the development, marketing, commissioning and use of artificial intelligence systems, while respecting the values of the European Union.
The IA Act applies to all players in the AI system value chain, even if they originate from outside the EU, and as long as the output data generated by the AI is intended to be used on EU territory.
1️⃣ Guidelines on Prohibited AI Practices (provisions which came into force on 2 February 2025):
Certain uses of AI are deemed unacceptable due to their impact on fundamental rights and security, and are therefore prohibited (art. 5 AI Act). These guidelines detail the practices prohibited by the AI Act, including:
❌ Cognitive and behavioural manipulation: AI exploiting psychological vulnerabilities to influence users’ decisions in harmful ways ;
❌ Social rating: the evaluation of citizens by public authorities on the basis of their social behaviour or other irrelevant criteria ;
❌ Real-time biometric recognition in the public space: the use of facial identification tools by law enforcement agencies, with rare strictly regulated exceptions.
Find out more 👉 https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act
2️⃣ Compendium of AI mastery practices, resulting from a survey of AI Pact signatory organisations:
This compendium aims to encourage good practice and exchange between suppliers and deployers of AI systems; and contributes to the implementation of Article 4 of the AI Regulation.
It will be updated regularly.
Find out more 👉 https://digital-strategy.ec.europa.eu/en/library/living-repository-foster-learning-and-exchange-ai-literacy
✨DATA ✨
➡️ CNIL’s expansive interpretation of the concept of ‘personal data’:
On 15 March 2019, the CNIL received a complaint against the company Qwant which developed, a search browser launched in 2013, which anonymises the data collected before transmitting it to Microsoft. The complaint concerned the classification of the data transmitted: was it really anonymous?
Two investigations revealed that the data transmitted to Microsoft was essentially technical, enabling :
– The display of contextual advertising linked to user searches.
– Counting the number of ad displays.
🔍 Following in-depth technical analysis, the CNIL concluded that the data transmitted was not anonymous but only pseudonymous. Qwant had not mentioned in its privacy policy the advertising purpose of this transmission, nor the legal basis for the processing, which led the CNIL to issue a reminder to the search operator of its legal obligations.
🚨 This case highlights the importance of transparency and legal compliance in the processing of personal data. Data, if it relates to a person, fulfils one of the essential criteria for qualification as ‘personal data’. In particular, its processing enables that person to be treated differently, for example by displaying targeted advertising.
Find out more 👉 QWANT: CNIL considers that the search browser processes personal data and reminds it of its legal obligations | CNIL
➡️CNIL fines for healthcare professionals in 2024 and Regulation modifying the health data ecosystem:
In 2024, the CNIL handed down 84 fines totalling €55.2 million. Among them, the healthcare sector was particularly under the spotlight, with sanctions targeting both individual healthcare professionals and more structured organisations.
💡 Sanctions targeting a variety of breaches
The grounds for sanctions ranged from failure to secure data to failure to respect patients’ rights to access their medical records. Some striking examples:
✅ Liberal professionals: several dental surgeons, doctors and a speech therapist have been fined between €2,000 and €5,000 for breaches of the RGPD and failure to cooperate with the CNIL.
✅ Establishments and businesses: a clinic and a training organisation were fined €15,000 for failures to cooperate and ensure data security.
✅ Major failings: a medical software publisher was fined €800,000 for failing to obtain CNIL authorisation for a health data warehouse.
The RGPD applies to everyone! Whether you’re a sole practitioner or a large healthcare group, compliance with the RGPD is essential.
📌 Good practices to adopt:
– Secure patient data 🔐
– Respect people’s rights (access, erasure, information) 📄
– Manage relations with subcontractors 📑
– Anticipate the CNIL’s expectations, particularly on AI in healthcare, the key topic of its 2025-2028 Strategic Plan.
In other news, on 11 February 2025 the European Parliament and the Council of the EU adopted a regulation on the European Health Data Space.
This will have an impact on all the players in the chain:
➡️Patients who will be granted new rights over their data,
➡️ Healthcare professionals, who will be able to obtain and share more information about their patients,
➡️ Those involved in electronic medical records, whose products will be subject to a new regulatory framework,
➡️ Those holding health data (public bodies and private companies) will be required to provide access to the data they hold. This obligation carries heavy fines of up to €20 million or 4% of turnover. It should be noted that IP rights and business secrets will not always be able to stand in the way of access.
FIRSH expert feedback : FIRSH is keeping a specific close look at the regulations in the pipeline. The use of AI in healthcare is necessary to advance medicine, combat medical deserts and increase access to preventive medicine. A well-trained AI can detect cancers before the human eye, even those of an expert in the field for 40 years… FIRSH is proud to support clients who have developed predictive AI.
Find out more👉Les sanctions prononcées par la CNIL | CNIL et https://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=OJ:L_202500327
✨ INTELLECTUAL PROPERTY ✨
➡️ Copyright: Is Birkenstock fashionable and copyrighted?
On 20 February 2025, the German Federal Court of Justice (BGH) ruled that Birkenstock sandals cannot be considered as ‘works of art’ protected by copyright.
According to the Court, a work must reflect a freedom of artistic creation that goes beyond mere technical or functional requirements in order to benefit from this protection.
⚖️ Legal implications:
✅ Distinction between functional design and work of art: A design, however iconic, does not automatically become a protected work.
✅ A threshold of creativity required: Copyright protection presupposes a sufficient degree of originality, which Birkenstock has not demonstrated.
🔍 To be continued: The BGH recently referred a case to the ECJ (I ZR 96/22 USM Haller) to clarify the level of requirements for the protection of design works. The European Court could question this strict approach and favour broader protection for utilitarian works.
🥐 This outcome under French law?
While there are differences between German and French law, they are based on similar principles when it comes to protecting works of design. In France, as in Germany, designers must demonstrate a sufficient degree of originality and creativity to benefit from copyright. Otherwise, they can turn to other legal mechanisms, such as design protection, to secure their creations.
FIRSH expert feedback : Necessary legal alternatives: Trademarks, designs and unfair competition remain key levers for protecting a design.
Read the full judgment (in German) 👉 https://juris.bundesgerichtshof.de/cgi-bin/rechtsprechung/document.py?Gericht=bgh&Art=en&nr=140774&pos=0&anz=1
➡️Copyright : Copyright on an Amélie Poulain as Zorro?
On 19 December 2024, the Paris Court of First Instance handed down a long-awaited decision in the case between UGC Images and the co-writers of the film ‘Le Fabuleux Destin d’Amélie Poulain’ and ME Group France. At issue? The use of a character strongly reminiscent of the film’s heroine in an advertising campaign.
⚖️ Legal issues:
The Court dismissed the infringement claim, ruling that the Amélie Poulain character was not sufficiently original to be protected by copyright. This decision is a reminder that not all fictional characters automatically benefit from legal protection.
On the other hand, ME Group France was found guilty of parasitism. By adopting the character’s visual codes (young brunette woman, dark eyes, dark outfit, presence in a photo booth) and openly claiming inspiration, it sought to capitalise on the film’s notoriety.
ME Group France will have to pay €25,000 in damages and remove the offending advert.
🔍 What should we remember?
✔ A fictional character only benefits from copyright protection if it is sufficiently original.
✔ Even in the absence of infringement, economic parasitism can be sanctioned.
✔ The use of a famous cinematographic universe in a marketing strategy must be supervised to avoid any abusive exploitation.
A decision that serves as a reminder of the importance of intellectual property in the creation and exploitation of iconic works.
Read the full judgment 👉 TJ Paris, 19 décembre 2024, n°22/13834
➡️Copyright : IA and Copyright: the place of the artist!
On 30 January 2025, the US Copyright Office (USCO) recognised for the first time the protection of an AI-generated image. The Invoke platform convinced the USCO of the decisive role of human intervention in the creative process, paving the way for protection under copyright.
🔍 What should we remember?
- Human intervention: Although the image was generated by AI, the use of the ‘inpainting’ tool and the selection, organisation and coordination work of Kent Keirsey, CEO of Invoke, demonstrated sufficient creative control.
- Creative process: 35 prompts were required to modify the initial image, and the choice of elements was under human control.
- Extended protection: Protection applies to the composition as a whole, not to individual elements.
⚖️ Legal implications:
✅ Case-by-case assessment: Each AI-generated work will be examined according to the degree of human involvement.
✅ Precedent created: This decision paves the way for the protection of hybrid works created with AI.
✅ Human intervention becomes key: USCO requires human control over the selection, arrangement and modification of AI-generated elements. Where do we draw the line between human contribution and automatic generation?
Please note:
- The case of Jason Allen, whose AI-generated image was denied copyright protection in the absence of human intervention, is currently under appeal. This decision could clarify the conditions for granting copyright protection to creations resulting from AI and human collaboration.
- In 2019, computer scientist Stephen Thaler created an AI system, Creativity Machine, which autonomously generated the work entitled ‘A recent Entrance to Paradise’. Thaler applied to the USCO for copyright protection of the work.
After the USCO rejected the application on the grounds of lack of human intervention in the creation of the work, Thaler appealed.
On 18 March 2025, the US District Court of Appeals of Columbia Circuit rejected copyright protection for a work generated autonomously by the AI, Creativity Machine.
This decision is a reminder that human authorship is a fundamental requirement of the Copyright Act. To qualify for copyright protection, the creation must first and foremost be created by a human being, who must have an intention, and therefore not be a machine!
🥐 And in France?
This decision reopens the debate on the protection of AI-assisted works and could influence the way French courts interpret the originality of these works.
Several questions arise:
🔹 What threshold of human creativity must be reached to claim copyright?
🔹 Is it acceptable for a 100% human work to be considered banal, while an AI-assisted creation could be protected?
Read the full judgment 👉 https://publicrecords.copyright.gov/detailed-record/37990563
✨ NEWS ‘ FIRSH ’ ✨
Firsh, which celebrates its 2nd anniversary this month, is expanding once again by welcoming Samuel Brami as an associate.
Member of the Paris Bar since January 2024, Samuel Brami specialises in intellectual property, media, new technologies and personal data law, as well as commercial law.
With a wealth of experience in IP and media law, he will be joining the team to strengthen its focus on AI, media & entertainment projects.
Find out more about Firsh’s contributions to the advancement of law and innovation:
➡️ On 18 March, Claire Poirson, our partner, led a training session on Artificial Intelligence Law at Side Quest – formations.
On the agenda:
– IA Act: Understanding the new obligations and the timetable for application
– Intellectual property: Who owns the rights to works generated by AI?
– RGPD & AI: How to reconcile data protection and generative AI?
– Lawyers’ ethics & AI: Guaranteeing professional secrecy in the face of new tools
➡️ As part of its innovation laboratory, FIRSH has published its first White Paper! This marks the official launch of FIRSH LAB, which is publishing its first study on a high-stakes social issue: deepfakes (hypertrucages generated by artificial intelligence). Addressing one of the major issues facing society in the future, this White Paper required more than 6 months of in-depth work and an in-depth study of the technical, sociological, economic and legal aspects of deepfakes, involving numerous French and international experts in artificial intelligence. The legal thinking that emerges is based on a detailed analysis of legislation, legal doctrine and court rulings. The White Paper provides legal and practical recommendations for public authorities, businesses and anyone interested in the subject.
Please contact us at the following e-mail address to receive a copy of the White Paper 👉 contact@FIRSH.LAW
➡️ In March, Firsh assisted its clients with the following projects:
- Initiation of the implementation of an AI in a group of production and audiovisual companies, as well as training to make the best use of this new tool.
- Arbitration pleading before the Paris Chamber of Commerce and Industry in a case of unfair termination of a software distribution contract.
- Pleading before the Toulouse Court of Appeal in connection with the liquidation of a fine for non-recalled products.
- Negotiation of a settlement agreement in an IT solution implementation dispute.
- Negotiation of an outsourced HR commercial agreement for a major on-sales platform operator.
📢 To follow us on LinkedIn and receive our newsletter, click here : https://www.linkedin.com/company/firshlaw/ .
📢 There is no direct collection of your personal data and therefore no emailing from Firsh!
