SOLOCAL_Registration Document_2017

2 RISK FACTORS

2.5 Regulations

The LCEN Act also states that hosting providers are not subject to a general obligation to monitor the information they transmit or store, nor a general obligation to investigate the facts or circumstances surrounding illegal activity. However, the judicial authorities may order targeted and temporary monitoring in individual cases. Furthermore, within the context of their identification obligations, hosting providers are required to retain all the information required to identify the person who created any content of the services they host in order to be able to provide this information to the legal authorities upon request (LCEN Act, Article 6, paragraph II).

The LCEN Act also strengthens consumer protection, in particular through provisions regarding the obligation to provide the exact identification of the vendor and by establishing principles guaranteeing the validity of online contracts.

The Hamon Act of 17 March 2014 transposed into French law Directive 2011/83/EU of 25 October 2011 on consumer rights and strengthened the requirements for distance selling – pre-contractual information, the withdrawal period and the period required for online contracts to become valid – in favour of consumers.

The Law for a Digital Republic dated 7 October 2016 has strengthened the information obligations incumbent on digital platforms that operate a search engine, a marketplace, a comparison service for goods and services or a social network, or that are dedicated to the collaborative economy. Several decrees have been issued to clarify stakeholder obligations regarding loyalty and online notices.

Decree No. 2017-159 dated 9 February 2017 strengthens the transparency rules from the Sapin Act of 29 January 1993 by specifying the information to be provided to advertisers in the context of digital advertising. This decree came into effect on 1 January 2018.
2.5.1.2 PROTECTION OF PERSONAL DATA

The European Framework Directive 95/46/EC of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, defines the legal framework necessary to protect individuals’ rights and freedoms. This framework directive was supplemented by a European Sectoral Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-privacy directive), replacing Directive 97/66/EC of 15 December 1997. This Directive has itself been amended by Directive 2009/136/EC dated 25 November 2009.

Finally, a draft European regulation on e-Privacy was proposed by the European Commission on 10 January 2017, the text of which must be approved by the Member States and the European Parliament. This draft regulation envisages, in particular, reviewing the default settings for third-party cookies in browsers, as well as changing the presence of natural persons in telephone directories to opt in for fixed-line numbers.

On 27 April 2016, a new European regulation on the protection of individuals with regard to the processing of personal data and the free movement of personal data (RGPD) was passed, and Directive 95/46/EC was repealed. Although it does not challenge the fundamental principles of the protection of privacy, this text profoundly revises the obligations to which companies are subject, in particular by moving from a logic of a priori control by personal data protection authorities to a principle of “accountability”. This law significantly strengthens people’s rights:

• businesses will have to obtain, except in limited circumstances, the consent of the persons concerned for profiling processes;
• the right to be forgotten is reinforced and anyone may request the deletion of their personal data by any company or organisation that has no legitimate reason to keep it. In addition, the response time in the event of individuals exercising their rights has greatly decreased: one month instead of two;
• businesses will be required to notify the CNIL and their customers of personal data breaches in a very short time;
• when personal data is processed outside Europe, users will be entitled to contact the data protection authority in their country, even when their data is processed by a company based outside the European Union if this company collects their data to market goods and services or for behavioural marketing purposes;
• the new rules will give national data protection authorities the powers they need to ensure stricter compliance with European Union laws. Financial penalties will be increased, with fines of up to €20 million or 4% of the Company’s global revenues.

The goals of this set of directives were:

• to harmonise European law on personal data;
• to facilitate their circulation (provided that the country to which the personal data is being transferred offers an appropriate level of protection); and
• to protect individuals’ privacy and freedoms.

One of the main impacts of the RGPD for the Group is the transformation of practices related to the processing of personal data: the obligation to work with a “Privacy by design” approach is being integrated into the Group’s strategic projects.
The Group is particularly sensitive to the protection of the personal data it processes: a Data Protection Correspondent has been in place since 2011 and, consequently, several obligations of the RGPD will not be new for the Group, for example the obligation to keep a register of treatments. However, compliance with the new European legislative framework is necessary. To this end, an RGPD compliance programme was launched in July 2017 at the initiative of the Group’s Data Protection Correspondent. A Steering Committee and working groups have been created. In this context, various actions have already been carried out, for example: mapping of processing, training of employees, creation of new processes, acquisition of a tool to document the Group’s compliance (treatment register, data breach registry, impact studies, exercise of people’s rights). The target is to set up a robust quality approach within the Group in order to make the protection of privacy a competitive argument (obtaining certifications/labels).

The CNIL can perform online checks and can thus quickly and remotely observe and act on security breaches on the Internet. It can also easily check the compliance of the legally required information provided on online forms and the rules that govern Internet user consent. This new power applies to “data that is freely accessible or made accessible” online and of course does not allow the CNIL to override security measures to penetrate an information system.
