Month: February 2015

It’s a fact: data hacking and computer fraud are constantly evolving. The increased number of attacks linked to cyber terrorism has been making headlines these past few years. In some instances, such attacks have had disastrous consequences for the targeted companies, from both a financial and reputation perspective.

For example, in May 2014 eBay had personal data from over 233 million clients stolen. More recently, over two million items of personal data belonging to the subscribers of the national broadcaster TF1 were hacked.

Cyber-threats are capable of silently and efficiently infecting systems on an extremely large scale, without distinction as to the branch of activity, the size of the company or its location.

However, the French data protection act (the “Act”) requires that companies which process personal data “ensure the security of the data and in particular prevent them from being distorted, damaged or accessed by unauthorized third parties” (cf. article 34) or they could face sanctions of up to 5 years in prison and a 300.000 euros fine (1.500.000 euros for companies). This sanction can be further increased by damages payable to the victims of such leaks, which may thus be the subject of class action suits, now authorized in France. These attacks are all the more problematic given that insurance companies are increasingly refusing to cover cyber-attack risks in their civil liability coverage.

Faced with the ingenuity of the hackers and the fact that security measures become obsolete even before they are implemented, how can companies respect the obligations relating to data protection and avoid the sanctions?

The Act requires data controllers to take all “necessary measures”; accordingly, they must implement all adapted technical and organizational measures in order to guarantee the security, the integrity, and the confidentiality of the data. Data controllers will be exonerated from any liability to the extent that they have properly implemented such measures.

Unfortunately, there are no lists of which technical measures should be put in place in general or in respect of any particular data. In any event, in light of the rapidity with which the technology is evolving, such a list would soon be irrelevant.

As a result, in order to avoid sanctions, the data controller will have to:

  • Always keep up to date with the new technology and the technical measures that can counter cyber attacks;
  • Implement these technical measures if they are adapted to the processing in question;
  • Follow the CNIL recommendations regarding security;
  • Raise awareness at all levels throughout the company with respect to issues linked to the protection of personal data (56% of French companies that suffered attacks revealed that they were perpetrated by someone in-house); and
  • Manage employees while still respecting their right to privacy.

It is also important to underline the fact that the data controller could still be held liable for the pirating of data managed by a subcontractor (data processor), such as a hosting service provider. Accordingly, it is of the utmost importance to contractually require that every subcontractor implement strict security measures (but in any event, no less stringent than those internally implemented by the data controller).

Since the vast majority of subcontractors are based abroad or use adhesion contracts, this process can prove to be difficult, but it remains absolutely necessary.


Questions relating to the applicable law and identifying the correct defendant are particularly complex when the dispute concerns the Internet, and in particular when dealing with data protection issues.

Consider the following hypothesis: a data controller (website publisher, ISP, search engine, etc.) is located on foreign soil, but has a subsidiary in France that is potentially liable for the failure to respect data privacy rights of a French Internet user.

The French Internet user who intends to bring an action against the data controller must ask himself the following questions:

  • Is French law applicable to rule on the liability of the data controller?
  • Which entity must the French Internet user sue? Can he hold the French subsidiary liable for the violation of the data privacy rights he suffered?

These questions were answered very recently by the courts of Paris, in two summary judgments rendered on September 16th, and December 19th of 2014, relating to the search engine giant Google. In both cases, individuals, invoking their right to be forgotten, asked Google to remove certain hyperlinks.

1/ Regarding the Applicable Law

It should first be noted that article 5 of the French Data Protection Act (dated January 6th, 1978) provides:

« The processing of personal data is subject to this act when:

The data controller is deemed to be established on French territory. The data controller who carries out his activity on French territory within an establishment, whatever its legal form, is considered established on French territory ».

Accordingly, pursuant to this Article, the establishment on French soil by a data controller renders French law applicable.

What of Google?

It is first important to note that the processing of personal data via Google’s search engine is directed and controlled by Google, Inc., based in the United States. The American giant only uses its subsidiaries (including its French subsidiary) to promote, facilitate, and carry out the sales of its online advertising products and services in the country in which the subsidiary is established. Such a subsidiary does not perform any processing of personal data.

However, the Paris civil court of first instance held that, notwithstanding that Google France does not perform any data processing, it qualifies as an establishment under article 5-1 of the French Data Protection Act because its activities, which relate to the sale of advertising space, are inextricably linked to those of Google Inc., which operates the search engine.

French law is consequently applicable in respect of the data processing performed by Google.

2/ Which entity to sue?

Now that we have resolved the question of applicable law, it remains to be determined against which company legal action should be taken. In this respect, the above-mentioned summary judgments of the Paris civil court of first instance are in complete opposition.

In its summary judgment dated September 16th, 2014, the Court held that the plaintiff’s claims against Google France were admissible and ordered the company to remove several links to content deemed defamatory.

The Court advanced arguments previously formulated by the ECJ in its noteworthy decision dated May 13th, 2014, that established the right to be forgotten, and in particular noted that:

  1. Although Google Inc. is in fact the operator of the search engine, Google France, its wholly-owned subsidiary, which sells advertising space connected to the U.S. search engine, finances Google Inc. through such activities.
  2. The “activities of the operator of the search engine and those of its establishment located in the Member State are inextricably linked”.

On the other hand, surprisingly, in its most recent summary judgment, dated December 19th, 2014, the Paris court held that the right to be forgotten could only be exercised against Google, Inc. given that Google France does not exploit, whether directly or indirectly, the search engine, and does not qualify as the data controller.

As a result, the question of which entity to sue, that seemed to have been resolved by the ECJ, remains unclear. Until such time as there is established case law on the matter, any plaintiff who wishes to invoke the right to be forgotten by removing links to defamatory content, would be prudent to sue both Google France and Google, Inc.

The current legal uncertainty is problematic for any potential plaintiff who will be compelled to sue Google, Inc. and will thus be faced with long and expensive court proceedings. Further, in the event of legal action, the plaintiff will have to endure the damaging articles published online for a longer period of time.


Press agencies, publishers, and photographers’ unions signed on July 15th, 2014 a code of good professional practices aiming at setting a framework for the compensation of photographers when their images are published in the news, and at regulating the exploitation of photographs. In the event that these rules are not respected, the code provides for damages to the benefit of photographers, coupled with a decrease or a cut in financial aid for the press.

The goal of this code of good practices is to attempt to reset the economic balance in the relations between publishers and photographers (and/or their agencies), since the situation of the latter has been consistently deteriorating.

The key points of the code are the following:

  • Photographic credits. It will be possible to ask the publisher, in the event of a total lack of credit, for damages at least equal to the license fee for the photograph in question. That amount is reduced to 50% of such license fee in the event of an incomplete or erroneous credit. Furthermore, use of the credit “all rights reserved” must be limited to the sole situation in which the photographer or the agency does not wish for their name to be public, or when the author of the photograph cannot be identified, despite real research efforts on the part of the publisher. If the photograph comes from a third party but does not bear the name of its author, the publisher shall at least mention its source. If the “all rights reserved” credit remains even after having identified the photographer, it will be possible to ask the publisher for damages.
  • Compensation of photographers and agencies.
  • Assignment of rights.
  • The rules regarding the shared responsibility between publishers on the one hand, and agencies and photographers on the other hand, in the event of claims arising from the publication of the photograph. In this respect, the code provides that the people involved in the creation, distribution, or publication of the photograph, can only be found liable in the limited cases provided for by the law. For instance, publishers can be held liable when they write the caption of a photograph themselves, or disregard the meaning of the one that is given to them when they use the photograph in an article that has no relation with what it represents, or when using the photograph would lead the viewer to believe that the person photographed is the one the article it is attached to is about. On the other hand, agencies and photographers can be held liable when they do not have certain authorizations (from the photographer for the agencies, from persons or owners of objects for photographers), when they do not provide captions, or provide an erroneous one.
  • The implementation of a common standard for the definition and the transmission of metadata, or the affixing of digital protection measures on the photographs in order to prevent or limit their download and re-exploitation without authorization. This common standard shall be the subject of a specific agreement between the parties, to be entered into within twelve months of the signature of the code.

However, despite the apparent goodwill of the code, it has been widely criticized and numerous journalists’ unions like the SNJ (National Union of Journalists), the SNJ-CGT, the CFDT Journalistes, the SNJ-FO, and certain photographers’ organizations like the UPP (Union of Professional Photographers) have refused to sign it.

According to them, the code “does not provide any solution to the catastrophic social situation of an agonizing profession and will, on the contrary, ensure the durability of practices that cut the input of editorial photography to the news”.

The future of these negotiations should thus be followed closely.


You can find this code here.



Last October 21st, the ECJ expanded its case law regarding the online sharing of content previously released on the Internet by extending it to embedding, effectively rendering such case law consistent with previous decisions regarding hyperlinks.

In the Svensson decision dated February 13th, 2014 (C-466/12), the ECJ ruled that the practice of broadcasting a hyperlink without the author’s authorization does not constitute an infringement of author’s rights when such initial content had been previously published without restrictions. According to the Court, the new publication made via hyperlink does not constitute either a communication via different technical means, or a communication to a new public. The premise of the Court’s ruling was that, in each instance, the entirety of Internet users were freely able to access such content and accordingly there was no basis for an infringement claim.

In BestWater, the Court applied the same reasoning to embedding, a technique that consists of inserting in the frame of a web page, an element originating from another website. This technique is widely used and enables Internet users to access content from another website without having to leave the original website they came to visit.

BestWater, a German company, noticed that videos which it originally published on the video platform YouTube, were copied via embedding onto the websites of its competitors, and therefore asked the German courts to order that these videos be taken down.

After opposite decisions rendered by the trial court and court of appeals, the German Supreme Court, the Bundesgerichtshof, decided to refer the case to the ECJ for its determination as to whether, according to article 3 of the 2001/29 Directive, embedding content without the rights holders’ permission qualified as a “communication to the public” and therefore an infringement of the author’s rights.

The judges of the ECJ unequivocally answered no to that question, explaining that in order for there to be a “communication to the public” according to the directive, the content needs to be:

  • communicated via a “specific technical mode, different from those previously employed”, or
  • communicated to a “new public i.e. a public that has not already been targeted by the rights holders when they authorized the initial communication to the public of their work”.

However, in BestWater, the embedding technique used to communicate the work was not a different technique and the targeted public was not new given that the same content was already available to the Internet users on another website with the authorization of the rights holders.

The Court added that, in authorizing the publication of the relevant content via the video platform YouTube, the rights holders had already targeted the entire Internet community of users. Given the rights holders’ decision not to avail themselves of a wide array of means to privatize content on the Internet, the public must accordingly be deemed as all Internet users, and not only the visitors of the website.

The Court concluded that embedding content does not constitute a “communication to the public” and therefore an infringement upon the author’s rights if such content was originally published on the Internet with no restrictions.

It is worth noting that although embedding does not constitute public performance, the ECJ acknowledges that it allows for the bypass of provisions relating to reproduction rights.

The ECJ’s ruling is consistent with the decision rendered in 2012 by the 7th Circuit in Flava Works Inc. v. Gunter, wherein Judge Posner held that embedding does not constitute copyright infringement as the embedding by the website myVidster was solely a connector between the server that hosts the video, and the computer of the website user. Accordingly, such embedding does not constitute copyright infringement given the absence of any form of copying or distribution of copies of protected works.