Friday, 29 June 2012

Cloud Computing: The French Data Protection Authority Publishes Its Recommendations


In 2011, the French data protection authority, the CNIL, launched a public consultation on cloud computing.

Using these contributions, on 25 June 2012, the CNIL published recommendations for French companies that want to use cloud services.

As the CNIL explains, many cloud-computing services are available on the market:  infrastructure hosting (IaaS – Infrastructure as a Service), supplying of development platforms (PaaS - Platform as a Service) or online software (SaaS – Software as a Service). These services are proposed in public clouds (service shared between many clients), private clouds (cloud dedicated to one client) or hybrid clouds (combination of both models, public and private).

In order to comply with personal data protection law, businesses have to deal with matters such as security, applicable law, transfers of personal data, guarantees given by the service providers, etc.

As the CNIL points out, the service providers usually have standardised contracts and it is difficult for businesses, especially for small and medium-size companies, to negotiate clauses relating to security, liability, etc.

In the recommendations, the CNIL gives clear explanations in order to help businesses comply with the French personal data law, and provides ready-made clauses to cover most types of situations, which can be inserted in the contracts entered into with the service and hosting providers.


Read the CNIL's presentation (in English): The CNIL's presentation


Read the CNIL's recommendations (in French): The CNIL's recommendations

Friday, 22 June 2012

French e-Commerce Is Growing Fast


French e-commerce is continuing its rapid growth, says the Federation of e-commerce and distance selling (Fevad), in a report published on 10 May 2012 on the sales through Internet during the first quarter of 2012 (Report).

Internet sales continued to grow during the first quarter of 2012, as they did during 2011: 24% during one year.

In total, the amount of sales on the Internet in France is valued at €11 billion during this period, and transactions have grown by 30% on the same period.

The number of commercial websites has also increased by 22% during the first quarter, with 104,100 sites (18,800 more than last year).


Read the report: Fevad Report

Tuesday, 12 June 2012

eBay: The French Courts Do Not Have Jurisdiction If a Website Is Not In French

Court of Appeal of Paris, 22 May 2012, Würburg Holding / eBay, www.legalis.net 

Following a ruling of 20 September 2011 of the French Supreme Court annulling a previous judgement, the Court of Appeal of Paris had to decide whether the French courts have jurisdiction for trademark infringement cases when a website is not in French.


In its judgement, the Supreme Court had ruled that the fact that a website can be accessed from France is not sufficient to consider that the French Courts have jurisdiction in a case of trademark infringement, the case in question concerning the trademark "Marithé et François Girbaud". One of the criteria is the place where the prejudice is suffered, but it is necessary to verify whether the adverts are actually aimed at the French public.

The Court of Appeal of Paris, in its judgement of 22 May 2012 ruled that the adverts on the site ebay.com are not aimed at the French public, and that the French courts therefore do not have jurisdiction, since:

- access to the website ebay.com was through Google, because the site that is proposed to the French public is ebay.fr;
- the adverts were in English, as was the procedure for ordering the products.




Read the judgement: Judgement of 22 May 2012

Monday, 11 June 2012

The Obligation to Notify the Breach of Personal Data


Article 34 prime of the 1978 French Act on personal data protection implements the obligation to notify the breach of personal data provided by the directive 2002/58/EC ("Telecom pack"). The Decree 2012-436 of 30 March 2012 specifies the application measures.

In a note dated 28 May 2012, the French data protection authority CNIL explains how this new obligation is to be understood and applied (CNIL's note).

The service providers concerned by this obligation are the providers of electronic communication services to the public, which have to be declared to the French Telecommunications and Post Regulator ARCEP (article L33-1 paragraph 1 of the French Postal and Electronic Communications Code).

A breach of personal data has to be notified when personal data is destroyed, lost, altered, disclosed or accessed without authorisation. Such a breach can be either accidental or unlawful.

The CNIL gives a few examples of what would constitute a breach of personal data:
- intrusion into the customer database of an Internet service or access provider (ISP),
- intrusion into the online shop of a mobile operator, resulting in the disclosure of the credit card numbers of clients who ordered a new phone as part of their subscription,
- a confidential e-mail sent to the client of an ISP, and forwarded to other persons by mistake.

The following breaches would not constitute a breach under article 34 prime of the 1978 Act:
- a breach that does not concern the personal data processed by the ISP such as a virus attacking the PCs of the ISP clients in order to collect personal data,
- a breach that does not concern the provision of electronic communication services, such as a breach of the ISP's human resources data.

In the event of a breach of personal data, the CNIL has to be notified systematically forthwith. The notification has to (1) describe the nature and consequences of the breach, (2) the measures that have been taken in order to remedy the breach, (3) the persons that can be contacted in order to obtain additional information, and (4), if possible, an estimation of the number of people likely to be concerned by the breach.

Whenever the violation is likely to breach personal data security or the privacy of a subscriber, the ISP also has to notify the party affected. Such notification will however not be necessary if the CNIL considers that the service provider has implemented appropriate protection measures to ensure that the personal data is undecipherable by unauthorised individuals.

In case of violation, the service provider will have to draw up and keep an inventory that will contain, in particular: what has happened, the consequences of what has happened, and the measures implemented in order to remedy the breaches.


Read the CNIL's note: CNIL's note