Search results (1064 cards)

Oct. 19, 2020

Newsletter MAFR - Law, Compliance, Regulation

Full reference: Frison-Roche, M.-A., Conditions for the legality of a platform managed by an American company hosting European health data: French Conseil d'Etat decision, Newsletter MAFR - Law, Compliance, Regulation, 19th of October 2020

Subscribe for free to read the other news of the Newsletter MAFR - Law, Compliance, Regulation

___

 

News Summary: In its ordinance of 13th of October 2020, Conseil national du logiciel libre (called Health Data Hub), the Conseil d'Etat (French Administrative Supreme Court) determined the legal rules governing the possibility of entrusting the management of sensitive data on a platform to a non-European firm, through the specific case of the decree and the contract by which the management of the platform centralizing health data to fight against Covid-19 was given to the Irish subsidiary of an American firm, Microsoft.

The Conseil d'Etat first relied on CJEU case law, especially the decision of 16th of July 2020, called Schrems 2, in the light of which it interpreted both French Law and the contract linking GIP and

The Conseil d'Etat concluded that it was not possible to transfer this data to the United States, that the contract could only be interpreted in this way, and that the modifications to the decree and the contract secured this. But it observed that the risk of American public authorities obtaining the data remained.

Because public order requires the maintenance of this platform and no other technical solution exists for the moment, the Conseil d'Etat maintained the principle of its management by Microsoft until a European operator is found. In the meantime, control will be exercised by the CNIL (French Data Regulator), whose observations have been taken into consideration.

We can retain three lessons from this great decision:

  • There is a perfect continuum between Ex Ante and Ex Post, because through summary proceedings (référé) the Conseil d'Etat succeeded in obtaining an update of the decree, a modification of the contractual clauses by Microsoft and words from the Minister, so that the platform is managed by a European operator as soon as possible. Thus, because this is Compliance Law, the relevant time for the judge is the future.
  • The Conseil d'Etat put the protection of people at the heart of its reasoning, which is consistent with the definition of Compliance Law. It succeeded in solving the dilemma: either protecting people thanks to the person to fight against the virus, or protecting people by preventing the centralization of data and their capture by American public authorities. Through a "political" decision, that is, an action for the future, the Conseil found a provisional solution to protect people against the disease and against the dispossession of their data, requiring that a European solution be found.
  • The Conseil d'Etat emphasized the Court of Justice of the European Union as the alpha and omega of Compliance Law. By interpreting the contract between a GIP (Public Interest Group) and an Irish subsidiary of an American group only with regard to the case law of the Court of Justice of the European Union, the Conseil d'Etat shows that a sovereign Europe of Data can be built, and that courts are at the heart of this.

___________

 

Read the interview given on this Ordinance Health Data Hub

 

To go further on the question of Compliance Law concerning health data protection, read the news of 25th of August 2020: The always in expansion "Right to be Forgotten": a legitimate Oxymore in Compliance Law built on Information. Example of Cancer Survivors Protection

 

June 28, 2019

Breaking news

It is often observed, even theorized, advised and touted, that Compliance is a mechanism by which public authorities internalize political (e.g. environmental) concerns in big companies, which accept them Ex Ante because they rather agree with these "monumental goals" (e.g. saving the planet) and because this shared virtue benefits their reputation. It is observed that this could be the most successful approach in new configurations, such as digital.

But the Compliance mechanism has often been compared to the contractual mechanism, and, like a contract, it is only relevant if both parties are willing. This is technically true, for example, of the Deferred Prosecution, which requires explicit consent. It is also true in the more general sense that the company wants to choose for itself how to structure its organization to achieve the goals politically pursued by the State. Conversely, compliance mechanisms work if the State is willing to accept the economic logic of global private players and/or, where there are possible breaches, not to pursue its investigations and to close the file it has opened, at a more or less high price.

But just say No.

As in contractual matters, the first freedom is negative and depends on the ability to say No.

The State can do it. But the company can do it too.

And Daimler just said No.

___

 

Publicly, including through an article in the Wall Street Journal of June 28, 2019.

The company states in a warning to the market that it is the subject of a requirement from the German Motor Authority (Kraftfahrt-Bundesamt), based on an allegation of fraud through the installation of software aimed at misleading the instruments that measure greenhouse gas emissions from diesel cars.

It is therefore an environmental compliance mechanism that would have been intentionally countered.

On this allegation, the Regulator both warns the company of what it considers to be a fact, i.e. compliance fraud, and attaches to it an immediate measure, namely the removal from circulation of 42,000 vehicles sold or offered by Daimler with such a device.

And the firm answers: "No".

_____

 

This case, which is probably only beginning, since a No ends the Ex Ante dialogue and projects the parties into Ex Post sanction procedures, calls for 6 observations:

 

  • 1. No doubt Daimler, a German car manufacturer, has in mind, faced with this allegation of fraud in calculating the pollution of its diesel cars, what happened to its competitor Volkswagen: namely a multi-billion dollar fine for lack of compliance in a similar situation (so-called dieselgate). The strategic choice then made depends on what the company has learned from experience, benefiting here from a previous case that had a very significant cost. Thus educated, the question is to measure the risk taken in refusing any cooperation, when the company can anticipate that it will still result in such an amount ....

 

  • 2. In addition, we again find the difficulty of distinguishing Ex Ante from Ex Post. Indeed, saying No will involve for the company the cost of a confrontation with the Regulator, then with the peripheral jurisdictions or review courts. But in Germany, the Government itself, regarding a bank threatened with compliance proceedings and almost summoned by the US regulator to pay "of its own free will" a settlement fine, felt that this was not normal, because it must be judges who punish, after an adversarial procedure with due process and after the facts are established.

 

  • 3. However, this is only an allegation, made of probable assertions, which legally allows prosecution to continue but does not allow conviction. The confusion between the burden of proof, which presupposes the obligation to prove the facts before being able to sanction, and the burden of allegation, which only requires articulating plausibility before being able to prosecute, is very damaging, particularly if we are committed to the principles of Repressive Law, such as the presumption of innocence and due process. The distinction between these two burdens is at the heart of the evidentiary system in Compliance Law. Because Compliance Law always seeks more efficiency, it tends to move from the first to the second, to give the Regulator more power, since businesses are so powerful ....

 

  • 4. But the first question then arises: what is the nature, not so much of the future measure to be feared, namely a sanction that could be taken later against Daimler if the breach is proven, or that will not be applied to the firm if the breach is not established, but of the measure immediately taken, namely the return of 42,000 vehicles?

 

  • This may seem like an Ex Ante measure. Indeed, Compliance assumes non-polluting cars. The Regulator may have indications that these cars are polluting and that the manufacturer has not made the necessary arrangements for them to be less polluting (Compliance), or has even organized matters so that this failure is not detected (Compliance fraud).

 

  • This allegation suggests that there is a risk that these cars pollute. They must immediately be removed from circulation for the sake of the quality of the environment. Here and now. The question of sanctions will arise afterwards, with its procedural apparatus of guarantees for the company being pursued. But look at the situation from the company's side: having to withdraw 42,000 vehicles from the market is great damage, and what is often called in Repressive Law a "security measure", taken while the evidence has not yet been gathered, could deserve requalification as a sanction. Case law is both abundant and nuanced on this issue of qualification.

 

  • 5. So for the company, withdrawing these cars means admitting that it is guilty and increasing its own punishment. And in this game, viewed in "cost-benefit" terms, the company might as well immediately assert to the market that this regulatory requirement is unfounded in Law, that the alleged facts are not accurate, and that the judges will decide all this. It is not at all sure whether these statements by the company are true or false, but before a Tribunal no one takes them to be true prima facie; they are only allegations.
  • And before a Court, a Regulator has to bear a burden of proof in so far as it has to defend the order it has issued and to prove the breach it asserts exists, which justifies the use it made of its powers. The fact that it exercises its power in the general interest and impartially does not diminish this burden of proof.

 

  • 6. By saying "No", Daimler wants to return to this classic Law, often set aside by Compliance Law: a classic Law based on the burden of proof, means of proof, and the prohibition of punitive measures, except in the case of imminent and very serious future damage, before a behavior can be sanctioned following a sanction procedure.
  • Admittedly, one would be tempted to draw an analogy with the current situation of Boeing, whose aircraft are grounded by the Regulator because it considers that they do not meet safety conditions, which the aircraft manufacturer denies: an Ex Ante measure that resembles the withdrawal from the market constituted by the car recall requested here.
  • But the analogy fails on two points. Firstly, flight activity is a regulated activity that can only be carried out with the Ex Ante authorization of several Regulators, which is not the case for offering cars for sale or driving them. This is where Regulatory Law and Compliance Law, which often come together, diverge. Secondly, the mere possibility that planes may not be safe is enough, as a precaution, to prohibit them from flying. Here (regarding the cars and the measurement of their pollution), it is not the safety of persons that is at stake, and probably not even the overall goal of the environment, but fraud with respect to the obligation to obey Compliance. Why force the withdrawal of 42,000 vehicles, if not to punish? In an exemplary way, to remind everyone in advance what it costs not to obey Compliance? And there, the company says: "I want a judge".

 

​______

 

Updated: July 2, 2012 (Initial publication: June 23, 2012)

Breaking news

The "Confederación Empresarios del Juego COFAR" (the Spanish Confederation of the Game) organized a symposium on 20 June in Barcelona, at which European regulators spoke, including those of France, Spain, Italy and Portugal. The chairmen of the national regulatory authorities first emphasized their concern for common standards for a European market of online games, including what could become an identified domain name referring to European players. In addition, the conference showed their desire for a stronger opening of a European market of online games. This too would be achieved through domain names.

Updated: Jan. 5, 2012 (Initial publication: Jan. 3, 2012)

Doctrine

Naive reflections on the future of public service