As part of a procedure initiated for anti-competitive behaviors, the European Commission has three times requested, between the 13th of March and the 11th of November 2019, from Facebook the communication of information, reitarated in a decision in May 2020.
Facebook contests it alleging that the requested documents would contain sensitive personal information that a transmission to the Commission would make accessible to a too broad number of observers, while "the documents requested under the contested decision were identified on the basis of wideranging search terms, (...) there is strong likelihood that many of those documents will not be necessary for the purposes of the Commission’s investigation".
The contestation therefore evokes the violation of the principles of necessity and proportionality but also of due process because these probatory elements are collected without any protection and used afterwards. Moreover, Facebook invokes what would be the violation of a right to the respect of personal data of its employees whose the emails are transferred.
The court reminds that the office of the judge is here constraint by the condition of emergency to adopt a temporary measure, acceptable by the way only if there is an imminent and irreversible damage. It underlines that public authorities benefit of a presumption of legality when they act and can obtain and use personal data since this is necessary to their function of public interest. Many allegations of Facebook are rejected as being hypothetical.
But the Court analyzes the integrality of the evoked principles with regards with the very concrete case. But, crossing these principles and rights in question, the Court estimates that the European Commission did not respect the principle of necessity and proportionality concerning employees' very sensitive data, these demands broadening the circle of information without necessity and in a disproportionate way, since the information is very sensitive (like employees' health, political opinions of third parties, etc.).
It is therefore appropriate to distinguish among the mass of required documents, for which the same guarantee must be given in a technique of communication than in a technic of inspection, those which are transferable without additional precaution and those which must be subject to an "alternative procedure" because of their nature of very sensitive personal data.
This "alternative procedure" will take the shape of an examination of documents considered by Facebook as very sensitive and that it will communicate on a separate electronic support, by European Commission's agents, that we cannot a priori suspect to hijack law. This examination will take place in a "virtual data room" with Facebook's attorneys. In case of disagreement between Facebook and the investigators, the dispute could be solved by the director of information, communication and medias of the Directorate-General for Competition of the European Commission.
___
We can draw three lessons from this ordinance:
This decision shows that Procedural Law and Compliance Law are not opposed. Some often say that Compliance guarantees the efficacy and that Procedure guarantees fundamental rights, the protection of the one must result in the diminution of the guarantee of the other. It is false. As this decision shows it, through the key notion of sensitive personal data protection (heart of Compliance Law) and the care for procedure (equivalence between communication and inspection procedures; contradictory organization of the examination of sensitive personal data), we see once again that two branches of Law express the same care, have the same objective: protecting people.
The judge is able to immediately find an operational solution, proposing "an alternative procedure" axed around the principle of contradictory and conciliating Commision's and Facebook's interests has shown that it was able to bring alternative solutions to the one it suspends the execution, appropriate solution to the situation and which equilibrate the interest of both parties.
The best Ex Ante is the one which anticipate the Ex Post by the pre-constitution of evidence. Thus the firm must be able to prove later the concern that it had for human rights, here of employees, to not being exposed to sanctioning pubic authorities. This Ex Ante probatory culture is required not only from firms but also from public authorities which also have to give justification of their action.
On 22nd of September 2017, Transport of London (TFL), London Transport Regulator, refused to renew the licence, granted on 31st of May 2012 for 5 years, authorizing Uber to transport people because of criminal offenses committed by Uber's drivers. On 26th of June 2018, The Westminster Court prolonged Uber's licence for 15 months under the condition that the platform prevent the reproachable behaviors of its drivers. After these 15 months, the TFL refused once again to prolonge Uber's licence because of the persistence of aggressions against passengers. Uber, once again, contest this decision before the Westminster Court.
In a decision of 28th of September 2020, the Court observes that during the 15 months, the platform implemented many measures to prevent aggressions, that the level of maturity of these measures has improved over time and that the number of offenses was reduced over the period (passing from 55 in 2018 to 4 in 2020). The Court estimated the the implementation of this actions is sufficient to grant a new licence to Uber.
We can learn three lessons from this decision:
The Compliance obligation is not a result obligation but a mean obligation, which means that it is not reasonable to expect from a crucial operator (Uber, for instance) that it prevent every cases of agression but that it is salient to judge it on the effort it deploys to try to be closer to this ideal situation. Moreover, the crucial operator must be proactive, that is going away from the figure of passive subject of Law who apply measures enacted by the regulator in terms of fighting against aggressions to be an actor of the research of the best way to fight abusive behaviors, internalizing this "monumental goal.
The judge appreciates the violation committed by those whose the firm is responsible "in context", that is evaluates the concrete situation in a reasonable way.
It is the judge who decides in last resort and like the crucial operator, it must be reasonable.
The media sector is organized on an equilibrium between the principle of competition and other concerns like information pluralism. Generally, competition Law by making market accessible to many competitors ensures information pluralism. But, this is not the case if an operator get an excessive market power, running risk not only for competition but also for information pluralism. It is the reason why the Italian legal system forbids the constitution of an operator gathering more than 40% of the total income generated by the media sector or more than 10% of the total income generated by the Italian communication sector.
In 2016, Vivendi, a French media group, got more than 28% of the Mediaset Group's actions and around 30% of its voting right. The Italian communication regulation authority sized by Mediaset demands in 2017 to Vivendi to ends its participations in the group Mediaset. Vivendi contested this decision before the regional administrative court which referred to the Court of Justice of the European Union in order to know if freedom of establishment can legitimately be discarded in favor of information pluralism in this concrete case. The Court of Justice answered, in a decision of 3rd of September 2020, that the restriction of the freedom of establishment can in principle be justified by a general interest objective such as information pluralism protection but that in this concrete case, this is not justified because the fact that a firm is committed in the transmission of contents does not necessarily give it the power to control the production of such contents.
We can learn three lessons form this case:
The Court precises that even if the principle is the freedom of establishment, it is possible to discard it to protect information pluralism protection under the condition that the concerned member State do not use this legitimate power to create a political monopoly, the burden of proof falling on the person attacking national legislation and not on the Member State.
The Court distinguishes transmission of contents and production of contents and explains that if the State rejects this decision, the burden falling to it to prove the concrete links between these two activities.
This case shows that the power to share the respective places of the "principle" and of the "exception" always comes back to the judges.
The "right to be forgotten" is an invention of the Court of Justice of the European Union during the case Google Spain in 2014. It implies that digital firms block the access to personal data of someone who asks it. This "right to be forgotten", which permits to impose secret to third parties has largely been generalized by GDPR in 2016. This new fundamental subjective right is a very political and European right. United-States which, on the contrary of Europe, did not experience nazism, links the "right to be forgotten" to the protection of consumer, conception which especially leads California Consumer Privacy Act adopted in 2018 to link this right to a situation of absence of necessity of this data for the firm which obtained it.
In Europe, this willingness to protect directly the person increases the scope of such a subjective right. Thus, in France and in Luxembourg, since 2020, a cancer survivor can thus ask that such an information is not accessible among his or her health data, especially for insurance companies which use them in their risk calculus to set premium amount. Netherlands will do the same in 2021 to fight against discrimination between banks' and insurances' clients.
The "monumental goal" is therefore not so much here the protection of individual freedoms as the protection of the vulnerable person, which is bye the way the keystone of a Compliance Law, concealing sometimes prohibition to circulate information (as here) and sometimes obligation to circulate information (in other cases, where the alert must be given) depending on whether vulnerable people are protected either by one or by the other.
The ‘Autorité des Marchés Financiers’ (French Financial Markets Authority) published a guidebook on the information to be provided in listed securities’ registration documents.
In Congo (Brazzaville), following the dissolution of the {Direction Générale de l’Administration Centrale des Postes et Télécommunications} (DGACPT — General Direction of the Central Administration of Posts and Telecommunications), two bodies have been implemented: the “Direction Générale des Postes et Télécommunications” (General Direction of Posts and Telecommunications), and the “Agence de Régulation des Postes et des Communications Electroniques” (ARPCE – Congolese Postal and Telecommunications Regulatory Agency).
FRENCH
Loi n° 11-2009 du 25 novembre 2009 portant création de l’agence de régulation des postes et des communications électroniques (Arpce)
Au Congo, après la dissolution de la Direction Générale de l'Administration Centrale des Postes et Télécommunications (DGACPT), deux organismes ont été mis en place : la Direction Générale des Postes et Télécommunications et l’« Agence de régulation des postes et des communications électroniques» (ARPCE), créé par la loi du 25 novembre 2009.
GERMAN
Kongolesisches Gesetz Nr. 11-2009 vom 25. November 2009 bezüglich auf der Durchführung der Agence de Régulation des Postes et des Communications Electroniques (ARPCE, Post- und elektronische Kommunikationsregulierungsagentur).
Nach der Auflösung der Direction Générale de l'Administration Centrale des Postes et Télécommunications (DGACPT - Hauptführung der Post- und Telekommunikationszentralverwaltung), wurden zwei Behörde eingefürht: die Direction Générale des Postes et Télécommunications (Hauptführung für Post- und Telekommunikationsdienst) und die Agence de Régulation des Postes et des Communications Electroniques (ARPCE, Post- und elektronische Kommunikationsregulierungsagentur).
SPANISH
Ley n° 11-2009 del 25 de noviembre del 2009 sobre la creación de la “Agence de Régulation des Postes et des Communications Electroniques” (ARPCE- una agencia de reglación de servicios postales y telecomunicaciones del Congo).
En Congo (Brazzaville), después de la disolución de la Direction Générale de l’Administration Centrale des Postes et Télécommunications (DGACPT —la Dirección General de la Administración Central de servicios postales y telecomunicaciones del Congo), dos cuerpos han sido introducidos : la “Dirección Générale des Postes et Télécommunications” (la Direccion General de Servicios Postales y Telecomunicaciones) y la “Agence de Régulation des Postes et des Communications Electroniques” (ARPCE– la agencia de regulación de servicios postales y telecomunicaciones del Congo).
After the publication of the 21 January 2010 Ordinance implementing the Autorité de contrôle prudentiel (ACP - Prudential Control Authority), two decrees published on 3 March 2010 complete this legislation and define the institutional and budgetary workings of the new Authority.
Two Ministerial Orders of 5 March 2010 and a Ministerial Order of 8 March 2010 nominate the members of the Autorité de Contrôle Prudentiel (Prudential Control Authority), created by the Ordinance of 21 January 2010. Besides the Presidency, which will be exercised by Christian Noyer, governor of the Banque de France, the composition reveals the prevalence of banking regulators, which is a pragmatic consequence of the fact that insurers propose products equivalent in risk to those proposed by banks.
The implementation of a common repertory of information on Social Security tax payments provides the opportunity to gather real-time information on a vast majority of taxpayers, but is highly criticized for its possible violation of privacy rights.
