The French regulatory framework is based on the historical distinction between telecoms and postal activities on the one hand, and radio and television activities on the other (sectors are still governed by separate legislation and by separate regulators). Amendments in the past 15 years reflect the progress and the convergence of electronic communications, media and technologies, and the liberalisation of the TMT sectors caused by the de facto competition between fixed telephony (a monopoly until 1998) and new technologies of terrestrial, satellite and internet networks. French law also mirrors the EU regulatory framework through the enactment of the three EU Telecoms Packages in 1996, 2002 and 2009, which have been transposed into French law.
The TMT sectors in France have been fully open to competition since 1 January 1998, and are characterised by the interactions of mandatory provisions originating from many sources and involving many actors (regulators, telecoms operators, and local, regional and national authorities). The TMT sectors are key to the French economy, and 2018 was once again an important year in many respects for these sectors' business.
i The regulators
There are four specialist authorities involved in the regulation of technology, media and telecommunications in France:
- ARCEP is an independent government agency that oversees the electronic communications and postal services sector. It ensures the implementation of a universal service, imposes requirements upon operators that exert a significant influence in the context of market analyses, participates in defining the regulatory framework, allocates finite resources (RFs and numbers), imposes sanctions, resolves disputes and delivers authorisations for postal activities.
- The Superior Audiovisual Council (CSA) is the regulatory authority responsible for the audiovisual sector. The CSA sets rules on broadcasting content and allocates frequencies by granting licences to radio and television operators. It also settles disputes that may arise between TV channels and their distributors, and is empowered to impose sanctions on operators in cases of breaches of specific regulations. Law No. 2013-1028 of 15 November 2013 relating to the independence of the French public broadcasting service has amended the legal nature of the CSA, its composition, the status and appointment procedure of its members and their powers.
- The High Authority for the Distribution of Works and the Protection of Copyright on the Internet (HADOPI), which was established in 2009, is in charge of protecting intellectual property rights over works of art and literature on the internet. The upcoming audiovisual reform to be implemented by early 2020 under French law will bring a significant change with the merger of the CSA with the HADOPI, which will be named the Authority of Regulation of Audiovisual and Digital Communication (ARCOM).
- The Data Protection Authority (CNIL) supervises compliance with data protection regulations, and is empowered to issue sanctions that range from warnings to fines up to €20 million or 4 per cent of total global annual turnover of the group of the preceding financial year, whichever is higher.
These authorities may deliver opinions upon request by the government, Parliament or other independent administrative authorities such as the French Competition Authority (FCA), and also renders decisions and opinions that may have a structural impact on these sectors (except for HADOPI). The National Frequencies Agency is also an important agency responsible for managing frequency spectrum and planning its use (see Section IV).
The CSA and ARCEP are the two main regulators of the TMT sectors. Discussions about merging these entities at the time of the convergence or to limit the powers of ARCEP occurred regularly during the past few years, but such merger was finally given up. Instead, it was argued that the two regulators should work in closer cooperation on certain common subjects.
ii Main sources of law
The prevailing regulatory regime in France regarding electronic communications is contained primarily in the Post and Electronic Communications Code (CPCE), and regarding audiovisual communications in Law No. 86-1067 of 30 September 1986 on Freedom to Communicate, as subsequently amended.
The main piece of legislation governing the law applicable to data protection is the GDPR2 and Law No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties (1978 Data Protection Law), as subsequently amended, which supplements or derogates to the GDPR.
Intellectual property rights are governed by the Intellectual Property Code.
iii Regulated activities
Telecoms activities and related authorisations and licences are regulated under the CPCE.
To become a telecoms operator, no specific licences or authorisations are required; the implementation and the operation of public networks and the supply of electronic communication services to the public is free, subject to prior notification to ARCEP (Articles L32-1 and L33-1 of the CPCE). Law No. 2015-990 of 6 August 2015 for the growth, activity and equality of economic opportunities (also known as the Macron Law) grants ARCEP the power to register on its own initiative any actor that infringed the notification obligation to declare itself to ARCEP.3
Conversely, the use of RFs requires a licence granted by ARCEP (Article L42-1 of the CPCE).
Authorisations and licensing in the media sector are regulated under Law No. 86-1067 of 30 September 1986.
Authorisations for private television and radio broadcasting on the hertz-based terrestrial frequencies are granted by the CSA following bid tenders and subject to the conclusion of an agreement with the CSA. The term of authorisations cannot exceed 10 years.4 Broadcasting services that are not subject to the CSA's authorisation – namely, those that are broadcast or distributed through a network that does not use frequencies allocated by the CSA (cable, satellite, ADSL, internet, telephony, etc.) – are nevertheless subject to a standard agreement or a declaration regime.5
iv Ownership and market access restrictions
General regulation of foreign investment
Since the entry into force of Law No. 2004-669 of 9 July 2004, discrimination of non-EU operators is prohibited, and they are subject to the same rights and obligations as EU and national operators.6 According to Article L151-1 et seq. of the French Monetary and Financial Code, when a foreign (EU or non-EU) investment is made in a strategic sector (such as security, public defence, cryptographics or interception of correspondence),7 the investor must submit a formal application dossier to the French Ministry of Economy for prior authorisation. Any transaction concluded without prior authorisation is null and void, and criminal sanctions (imprisonment of up to five years8 and a fine amounting to up to twice the amount of the transaction) are also applicable. A Decree of 14 May 20149 expanded the list of sectors in which foreign investors must seek prior authorisation from the Ministry of Economy. In particular, the Decree has added to the regulated activities referred to in Article R153-2 of the French Monetary and Financial Code activities relating to the integrity, security and continuity of the operation of networks and ECSs.
Specific ownership restrictions applicable to the media sector
French regulations provide for media ownership restrictions to preserve media pluralism and competition. In particular, any single individual or legal entity cannot hold, directly or indirectly, more than 49 per cent of the capital or the voting rights of a company that has an authorisation to provide a national terrestrial television service where the average audience for television services (either digital or analogue) exceeds 8 per cent. In addition, any single individual or legal entity that already holds a national terrestrial television service where the average audience for this service exceeds 8 per cent may not, directly or indirectly, hold more than 33 per cent of the capital or voting rights of a company that has an authorisation to provide a local terrestrial television service.10
Regulation of the media sector is currently evolving in reaction to a number of changes in French media ownership. As a consequence, French lawmakers adopted Law No. 2016-1524 of 14 November 2016, which amends the Law of 30 September 1986.11 Its purpose is to ensure freedom, independence and pluralism in media ownership, for example by requiring media outlets to provide yearly information on their capital ownership and governing bodies,12 and reinforcing the powers of the CSA over French media governance with the creation of deontology committees.13
Regarding the radio sector, a single person cannot retain networks whose coverage exceeds 150 million inhabitants or 20 per cent of the aggregated potential audience.14 This regulation will, however, be subject to modification in the future, as it does not take into account local pluralism challenges. In this respect, a report was submitted to Parliament by the CSA in April 2014.15
Further, unless otherwise agreed in international agreements to which France is a party, a foreign national may not acquire shares in a company holding a licence for a radio or television service in France that uses RFs if this acquisition has the effect of raising (directly or indirectly) the share of capital or voting rights owned by foreign nationals to more than 20 per cent.16 Under the same circumstances, such licence cannot be granted to a company in which 20 per cent of the share capital or voting rights is owned (directly or indirectly) by foreign nationals.17 These provisions do not apply to service providers of which at least 80 per cent of the capital or voting rights are held by public radio broadcasters belonging to Council of Europe Member States, and of which at least 20 per cent is owned by one of the public companies mentioned in Article 44 of the Law of 30 September 1986.18 Specific rules restricting cross-media ownership also apply.19
v Transfers of control and assignments
The general French merger control framework applies to the TMT sectors, without prejudice to the above-mentioned ownership restrictions and to specific provisions for the media sector. The merger control rules are enforced by the FCA.20
Regarding the telecoms and post sectors, the FCA must provide ARCEP with any referrals regarding merger control, and ARCEP can issue a non-binding opinion.21
Regarding companies active in the radio or TV sector involved in a Phase II merger control procedure before the FCA, a non-binding opinion from the CSA is necessary.22
Any modification of the capital of companies authorised by the CSA to broadcast TV or radio services on a frequency is subject to the approval of the CSA.23
III TELECOMMUNICATIONS AND INTERNET ACCESS
i Internet and internet protocol regulation
Under the CPCE, ECSs other than voice telephony to the public may be provided freely.24
As regards the ADSL network, and following local loop unbundling, alternative operators must be provided with direct access to the copper pair infrastructure of France Télécom-Orange, the historical operator. Therefore, as with traditional fixed telephony, DSL networks are subject to asymmetrical regulation.
As regards services, internet service providers (ISPs) can operate freely and provide services, but they must file a declaration with ARCEP before commencing operations.25 A failure to comply with this obligation constitutes a criminal offence.26
More generally, ISPs must comply with the provisions of Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy governing e-commerce, encryption and liability of technical service providers, as subsequently amended. Law No. 2004-575 of 21 June 2004 also sets out a liability exemption regime for hosting service providers. They are not subject to a general obligation to monitor the information they transmit or store; nor are they obliged to look for facts or circumstances indicating illicit activity. Nevertheless, when the provider becomes aware that the content stored is obviously illicit, it has the obligation to remove such content or render its access impossible, otherwise it may be held liable for such content. In that respect, the question of the qualification as 'host provider' is still widely debated before French courts.27 The hosting provider's neutrality or passivity criterion with regard to the stored content is a major element in the qualification. The provider will benefit from the liability exemption regime for hosting service providers if its role is limited to a purely technical, neutral and passive service (e.g., structuring and classifying the content made available to the public to facilitate the use of its service). However, if it plays an active role providing it with knowledge or control of such content (e.g., determining or verifying the content published, broadcasted or uploaded), the provider will qualify as a website publisher.28 In this case, it would be fully liable for any unlawful or harmful content published, broadcast or uploaded on its website.
ii Universal service
The EU framework for universal services obligations, which defines universal services as the 'minimum set of services of specified quality to which all end users have access, at an affordable price in the light of specific national conditions, without distorting competition',29 has been implemented by Law No. 96-659 of 26 July 1996 and further strengthened by Law No. 2008-3 of 3 January 2008. Universal service is one of the three components of public service in the telecoms sector in France (the other two being the supply of mandatory services for electronic communications and general interest missions).
Obligations of the operator in charge of universal service are listed in Article L35-1 of the CPCE and fall into two main categories of services:
- telephone services: connection to an affordable public telephone network enabling end users to take charge of voice communications, facsimile communications and data communications at data rates that are sufficient to allow functional internet access and free emergency calls; and
- enquiry and directory services (either in printed or electronic versions).
These services must be rendered under tariff and technical conditions that take into consideration the difficulties faced by some users, such as users with low incomes, and that do not discriminate between users on the ground of their geographical location. Following calls for applications (one per category), the Minister in charge of electronic communications designates the operator or operators in charge of the universal service for a period of three years. France Télécom-Orange was designated as such until 2020.30
Universal service currently only covers telephone provision and not information technologies.
ARCEP determines the cost of the universal service and, when it is necessary to finance it in the event that it represents an excessive burden for the operator in charge, ARCEP also determines the amount of the other operators' contributions to the financing of USOs through a sectoral fund. In principle, every operator contributes to the financing, with each contribution being calculated on the basis of the turnover achieved by the operators in their electronic communications activities.31
iii Restrictions on the provision of service
Net neutrality is a growing policy concern in France. From the electronic communications regulator's standpoint, which focuses on the technical and economic conditions of traffic conveyance on the internet, the key question in the debate over net neutrality is how much control internet stakeholders can rightfully exert over the traffic. This implies examining operators' practices on their networks, as well as their relationships with some content and application providers.
The Digital Republic Law32 recently introduced the principle of net neutrality into the national legal framework and grants ARCEP with new investigatory and sanctioning powers to ensure compliance (see also Section VI.i).33 In particular, Arcep is now in charge of implementing net neutrality in accordance with Regulation No. 2015/2120 of 25 November 2015 establishing measures concerning open internet access.34 When Arcep identifies a risk of infringement by an operator, it can require said operator to comply ahead of time. The Digital Republic Law also reinforces the conditions under which the Minister in charge of electronic communications and Arcep can conduct an investigation.35
Since the adoption of the Digital Republic Law, ARCEP has published a courtesy French translation of the guidelines for national regulatory authorities on the implementation of Regulation No. 2015/2120 of 25 November 2015, which the Body of European Regulators for Electronic Communications published on 30 August 2016.36 In June 2018, for a second year, ARCEP also published its annual report on the state of the internet in France,37 which identifies various threats that could undermine the internet's proper functioning and neutrality, and sets out the regulator's actions to contain these threats. This document addresses issues regarding data interconnection, the transition to IPv6,38 the quality of fixed internet access, net neutrality and open platforms. Arcep issued in parallel a report devoted to the ways in which end user devices (mobiles and boxes) influence internet openness.39
As to content, pursuant to the Law of 21 June 2004, ISPs have a purely technical role, and they do not have the general obligation to review the content they transmit or store. Nevertheless, when informed of unlawful information or activity, they must take prompt action to withdraw the relevant content, failing which their civil liability may be sought. Since 2009, HADOPI has been competent to address theft and piracy matters. It intervenes when requested to by regularly constituted bodies for professional defence that are entitled to institute legal proceedings to defend the interests entrusted to them under their statutes (e.g., SACEM), or by the public prosecutor. After several formal notices to an offender, the procedure may result in a €1,500 fine.40
Finally, French e-consumers benefit from consumer law provisions and from specific regulations. In particular, they are protected against certain unsolicited communications via email if their consent has not been obtained prior to the use of their personal data.41 Moreover, consumers must be provided with valid means by which they may effectively request that such unsolicited communications cease.42 In addition, Article L223-1 of the French Consumer Code provides for the implementation of an opposition list on which any consumer can add his or her name so that advertising material may not generally be sent to him or her.43 With regard to phone-based advertising, the Bloctel service has been implemented since 1 June 2016 to prevent unsolicited communications to consumers registered on an opposition list.44 The Bloctel service had over 2 million registered users two months after its launch. All telephone operators also have the obligation to offer their users the possibility to register on an opposition list.45
iv Privacy and data security
The past few years have seen increasing terrorist security threats, resulting in substantial changes in the legal framework regarding security in telecommunications.
Law No. 91-646 of 10 July 1991 concerning the secrecy of electronic communications, now codified in the Internal Security Code, provides that the Prime Minister may exceptionally authorise, for a maximum period of four months (renewable only upon a new decision), the interception of electronic communications in order to collect information relating to the defence of the nation or the safeguarding of elements that are key to France's scientific or economic capacity. In addition, pursuant to Law No. 2015-912 of 24 July 2015 (new Article L851-3 of the Internal Security Code) and only for the purpose of preventing terrorism, the Prime Minister may impose on providers of electronic communication services the obligation to implement an automated data-processing system for a maximum period of two months (renewable only upon a new decision) with the aim of detecting connections likely to reveal a terrorist threat. Article L851-2 of the Internal Security Code as amended by Law No. 2016-987 of 21 July 2016 provides that the administration is authorised, for prevention of terrorism, to collect real time connection data concerning individuals, beforehand identified, likely to be linked to a terrorist threat.46
Further, Law No. 2013-1168 on Military Programming (LPM) introduced a new chapter in the Internal Security Code relating to administrative access to data connection, including real-time geolocation.47 The new regime, which entered into force on 1 January 2015,48 authorises the collection of 'information or documents' from operators as opposed to the collection of simply 'technical data'. In addition, access to data is exclusively administrative, namely without judicial control. Requests for implementing such measures are submitted by designated administrative agents to a 'chosen personality' appointed by the National Commission for the Control of Security Interceptions (CNCIS) upon the proposal of the Prime Minister. CNCIS is in charge of controlling (a posteriori) administrative agents' requests for using geolocation measures in the course of their investigation. The Minister for Internal Security, the Defence Minister and the Finance Minister can also issue direct requests for the implementation of real-time geolocation measures to the Prime Minister who, in this case, will directly grant authorisations.
Law No. 2014-1353 of 13 November 2014, implemented by Decree No. 2015-174 of 13 February 2015, also entitles the administrative authorities to request ISPs to prevent access to websites supporting terrorist ideologies or projects.49 Additionally, laws linked to the state of emergency created extraordinary means of data search and seizure and expanded the provisions of Law No. 2014-1353.
In the context of the terrorism threat, the French legislator has amended the Criminal Proceedings Code to tackle organised crimes such as terrorism acts.50 Law No. 2016-731 of 3 June 201651 allows police officers, with the authorisation and under the control of a judge, to access, remotely and without consent, the correspondences stored in electronic communications available through identification.52 Police officers can also be authorised, by a judge and under his or her control, to use a technical disposal, such as an international mobile subscriber identity-catcher, to collect technical connection data to identify terminal equipment or users' subscription numbers as well as data regarding the location of the terminal equipment used.53 This Law also extended some existing investigating powers to all organised crimes, such as the real-time collection of computer data without consent, in the context of both preliminary investigations and investigations of flagrancy.54
In addition to the general rules applicable to the protection of personal data laid down in the 1978 Data Protection Law, the CPCE provides specific rules pursuant to which operators must delete or preserve the anonymity of any traffic data relating to a communication as soon as it is complete.55 Exceptions are provided, however, in particular for the prevention of terrorism and in the pursuit of criminal offences.
Unauthorised access to automated data-processing systems is prohibited by Articles 323-1 to 323-7 of the French Penal Code. In addition, with regard to cyberattacks, Law No. 2011-267 on Performance Guidance for the Police and Security Services (LOPPSI 2) introduced a new offence of online identity theft in Article 226-4-1 of the French Penal Code and empowers police officers, upon judicial authorisation and only for a limited period, to install software in order to observe, collect, record, save and transmit all the content displayed on a computer's screen. This helps with the detection of infringements, the collection of evidence and the search for criminals by facilitating the creation of police files and by organising their coordination. Cybersecurity threats are dealt by the National Agency for the Security of Information Systems (ANSSI), a branch of the Secretariat-General for Defence and National Security created in 2009.56
In terms of personal data protection, obligations were reinforced with the entry into application of the GDPR.57 The CNIL published in 2018 a new guide on the security of personal data, recalling basic precautions to be implemented systematically and providing risk management methodologies.58 Morevover, LOPPSI 2 increases the instances where authorities may set up, transfer and record images on public roads, premises or facilities open to the public in order to protect the rights and freedom of individuals,59 and recognises that the CNIL has jurisdiction over the control of video protection systems.60
With regard to the detection of cyberattacks, Law No. 2018-607 of 13 July 201861 created Article L33-14 of the CPCE that involves operators in the detection of cyberattacks. Pursuant to this article, electronic communications operators are entitled to use technical markers such as IP addresses to detect or prevent any potential threat that may affect the security of information systems of their subscribers. In this case, operators shall inform the ANSSI without delay.
With regard to the protection of children online, Article 45 of the 1978 Data Protection Law requires that clear information be provided to minors, using terms that are adapted to their age. Adequate vigilance and warning systems shall also be implemented (e.g., awareness messages, age gates with reliable controls, possibility of parental supervision, etc.). Regarding consent, specific rules apply in France. The age of a child's consent in relation to the offer of information society services is 15 years old (whereas it is, by default, 16 years old under Article 8 of the GDPR). Children under 15 years old may only give their consent after being duly authorised to do so by the holder of parental rights. The lawfulness of the processing activity, therefore, requires a double consent: that of the minor as well as that of the holder of parental rights.62
v The implementation of the Network and Information Security Directive
With regard to cybersecurity, the Network and Information Security Directive (NISD)63 has been implemented into French law by Law No. 2018-133 of 26 February 2018 and Decree No. 2018-384 of 23 May 2018. This framework imposes an obligation in terms of security of network and information systems on two categories of entities: (1) the operators of essential services (OESs) and (2) digital service providers (DSPs).
The categories of services considered as essential services are listed in the appendix of Decree No. 2018-384 (e.g., payment services, insurance, services involving preventive medicine, diagnosis and healthcare, selling of electricity and gas). The Prime Minister can designate operators as an OES if they provide at least one of the services listed.64 The operator is notified of the Prime Minister's intent to designate it as an OES and can formulate observations.65 The first designations are expected in November 2018.
DSPs are providers of cloud, online marketplace and search engine services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.66
Nevertheless, the French implementing law excludes from its scope certain types of entities already subject to information system security regulations, such as operators for their activities related to the operation of ECNs or the provision of ECSs and providers of trust services for electronic transactions subject to Article 19 of Regulation 910/2014 dated 23 July 2014.67
Both OESs and DSPs shall appoint a representative in charge of the contact with the ANSSI.68 For DSPs, this representative acts in the name of the provider for compliance with its obligations set forth of the NSID framework.69 DSPs shall keep an updated list of all networks and information systems necessary for the provision of their services within the European Union.70
As regards security measures that should be implemented, OESs shall comply with security measures defined by the Prime Minister in a specific regulation (which has not been adopted to date).71 DSPs shall ensure, based on the state of art, a level of security for all networks and information systems necessary for the provision of their services within the European Union appropriate to the existing risks.72 DSPs shall refer to Article 2 of the Commission Implementing Regulation of 30 January 2018 for the security measures that should be implemented.73 Documents attesting to this implementation should be made available to the ANSSI in case of control.74
Both OESs and DSPs shall report to the ANSSI, without delay, after becoming aware of any incident affecting networks and information systems that has or is likely to have a significant impact on the continuity of services.75
IV SPECTRUM POLICY
The management of the entire French RF spectrum is entrusted to a state agency, the National Frequencies Agency. It apportions the available radio spectrum, the allocation of which is administered by governmental administrations (e.g., those of civil aviation, defence, space, the interior) and independent authorities (ARCEP and the CSA) (see Section II).
ii Flexible spectrum use
The trend towards greater flexibility in spectrum use is facilitated in France by the ability of operators to trade frequency licences, as introduced by Law No. 2004-669 of 9 July 2004.78
The general terms of spectrum licence trading are defined by Decree No. 2006-1016 of 11 August 2006, and the list of frequency bands the licences of which could be traded are laid down by a Ministerial Order of 11 August 2006. A frequency database that provides information regarding the terms for spectrum trading in the different frequency brands open in the secondary market is publicly accessible. A spectrum licence holder may transfer all of its rights and obligations to a third party for the entire remainder of the licence (full transfer) or only a portion of its rights and obligations contained in the licence (e.g., geographical region or frequencies). The transfer of frequency licences is subject either to the prior approval of ARCEP79 or to notification to ARCEP, which may refuse the assignment under certain circumstances.80 Another option available for operators is spectrum leasing, whereby the licence holder makes frequencies fully or partially available for a third party to operate. Unlike in a sale, the original licence holder remains entirely responsible for complying with the obligations attached to the frequency licence. All frequency-leasing operations require the prior approval of ARCEP.
iii Broadband and next-generation mobile spectrum use
Spectrum in the 800MHz and 2.6GHz bands was allocated for the deployment of the ultra-high-speed 4G mobile network: in that respect, licences for the 2.6GHz frequency were awarded to Bouygues Telecom, Free Mobile, Orange France and SFR in September 2011,81 and in December 2011, licences for the 800MHz were awarded to the same operators except Free Mobile,82 which has instead been granted roaming rights in priority roll-out areas. New spectrum in the 700 and 800MHz bands was transferred in December 2015 to promote better network capacities in areas with low population density, but the transfer will only be made effective from October 2017 to June 2019. The French government launched a call for applications, to be sent before 2 October 2018, in order to reassign the 900MHz, 1,800MHz and 2.1GHz bands, whose authorisations will expire between 2021 and 2024.83 As a result of an agreement reached between ARCEP, the French government and operators on 14 January 2018, the reassignment procedure will take into account operators' stated commitments to improve voice and data coverage in all territories, making regional development targets a priority.
On 16 June 2017, ARCEP had authorised Bouygues Telecom and SFR to deploy 4G networks in the 2.1GHz band, historically used by French mobile operators' 3G networks, to improve 4G speeds.84
Additionally, under ARCEP supervision, 5G deployment is being prepared, with network coverage estimated to begin in 2020. The European Union's public–private partnership between the European Commission and telecom industries, the 5G-PPP, which was launched on 1 July 2015, provides a framework for national 5G development. On 30 September 2015, ARCEP gave Orange authorisation to conduct initial tests for 5G in the city of Belfort until the end of 2016. The authorisation delivered to Orange tests three formerly unused spectrum ranges, namely the 3,600–3,800MHz, 10,500–10,625MHz and 17,300–17,425MHz frequencies.85 ARCEP recently published a synopsis of the responses to its public consultation on 'New frequencies for superfast access in the regions, for businesses, 5G and innovation' launched on 6 January 2017.86 Following this consultation, ARCEP now seeks to prepare 5G deployment in the 26GHz and 1.5GHz bands.87 On 16 July 2018, the French government officially launched its 5G roadmap.88 Three main goals have been announced: (1) launching of several 5G pilot programmes in various regions; (2) allocation of new 5G frequencies and ensuring a commercial rollout in at least one major city by 2020; and (3) provision of 5G coverage for main transport routes by 2025. Additionally, four main working areas have been identified: (1) free-up and attribute RFs for the 5G network; (2) foster the development of new industrial uses; (3) accompany the deployment of 5G infrastructures; and (4) ensure transparency and dialogue on 5G deployments and the exposure of the public.
On 15 July 2019, ARCEP launched a public consultation in connection with its draft procedure for awarding licences to use frequencies in the 3,490–3,800MHz band.89 The contributions to this public consultation will enable ARCEP to finalise the procedure and the terms of allocation. The aim is to allocate frequencies in the autumn of 2019.
iv Spectrum auctions and fees
Spectrum auctions in the case of scarce resources
Pursuant to Article L42-2 of the CPCE, when scarce resources such as RF are at stake, ARCEP may decide to limit the number of licences, either through a call for applications or by auction. The government sets the terms and conditions governing these licensing selection procedures, and until now such proceedings have always been in the form of calls for applications.
Pursuant to Articles R20-31 to R20-44 of the CPCE, licensed operators contribute to the financing of the universal services.
Media are, in particular, subject to certain content requirements and restrictions.
i Content requirements
At least 60 per cent of the audiovisual works and films broadcast by licensed television broadcasters must have been produced in the EU, and 40 per cent must have been produced originally in French.90
Private radio broadcasters must, in principle, dedicate at least 40 per cent of their musical programmes to French music.91
In addition, pursuant to Law No. 2014-873 of 4 August 2014 for genuine equality between women and men, audiovisual programmes have the duty to ensure fair representation of both women and men. Furthermore, audiovisual programmes and radio broadcasters must combat sexism by broadcasting specific programmes in this respect.92
Law No. 2018-1202 of 22 December 201893 with regard to 'fake news' suggests several measures to limit the impact of false information on the public election process. For instance, Article 11 of the Law provides that certain operators of online platforms – in the context of public elections – should implement measures to combat the broadcasting of false information likely to trouble public order or alter polls' reliability. They should implement easily accessible and visible systems that will allow users to report such false information, including when they are financed by third parties.
Advertising is particularly regulated in television broadcasting.94 In particular, advertising must not disrupt the integrity of a film or programme, and there must be at least 20 minutes between two advertising slots. Films may not be interrupted by advertising that lasts more than six minutes.
Rules governing advertisements are stricter on public channels. In particular, since 2009, advertising is banned on public service broadcasting channels from 8pm to 6am. This prohibition does not, however, concern general-interest messages, generic advertising (for the consumption of fruits, dairy products, etc.) or sponsorships, which may continue to be broadcast.
In addition, some products are prohibited from being advertised, such as alcoholic beverages above a certain level of alcohol or tobacco products.
A new decree, Decree No. 2017-159 dated 9 February 2017, extended the media owners' transparency requirements in order to protect advertisers of digital advertisement. According to Article 2 of the Decree, the media owners have to provide advertisers with the date and place of diffusion of the advertisements; the global price of the advertising campaign; and the unitary price charged for each advertising space.
VI THE YEAR IN REVIEW
i The 'blockchain' legal framework
On 9 December 2017, the French government published Ordinance No. 2017-1674 relating to the use of the blockchain technology for the record of the issuance and assignment of certain securities.
Pursuant to Article L211-3 of the French Monetary and Financial Code, securities must be recorded in an account (compte-titres) kept by the issuer of the titles or an intermediary. As of 1 July 2018, blockchain technology should be accepted as a parallel form of records for all transactions involving securities that are not listed, provided that the issuer of the securities formally accepts the use of such technology.
The Decree of 24 December 2018 sets out the conditions applicable to this mechanism.95
The distributed ledgers used to register securities are required to comply with the four following technical conditions: (1) they must be 'conceived and implemented' in a manner that preserves the integrity of the information recorded; (2) they must allow 'directly or indirectly' the identification of the owners of the securities: it must be possible to determine the nature and quantity of the securities held through the distributed ledger; (3) they must set out a business continuity plan including an external data recording system; and (4) the owners of the securities registered on the distributed ledger must be able to access statements of transactions.
After the adoption of a specific tax regime for crypto-assets (flat tax and exemption of crypto-to-crypto transactions) in the Budget Act for 2019 and the clarification of the accounting treatment of crypto-assets and initial coin offerings (ICOs) by the French Accounting Rules Authority (ANC),96 another significant milestone has been reached with the entry into force of the Law Pacte in 24 May 2019, which establishes a framework for fundraising via the issuance of virtual tokens (ICOs) and digital assets services providers.97
ii The overhaul of the data protection law
Since then, the 1978 Data Protection Law was redrafted by Ordinance No. 2018-1125 dated 12 December 2018 for better readability and to ensure the coherence of the French legislation with EU legislation on data protection. It entered into force on 1 June 2019, together with a new implementing Decree No. 2019-536 dated 29 May 2019.
iii The first GDPR sanctions
On 21 January 2019 the CNIL imposed a €50 million fine on Google LLC for breach of its transparency and information obligations and lack of legal basis for the processing of targeted advertising.100
This €50 million fine is the first fine imposed by the CNIL under the GDPR and seems intended to be exemplary. It is the highest ever imposed by the CNIL. The CNIL stated that a €50 million fine was appropriate on the grounds that (1) the breached GDPR obligations were fundamental and central provisions of the GDPR (Articles 6, 12 and 13); (2) a significant number of data subjects was concerned; (3) the alleged infringements were continuous (and continuing) breaches of the GDPR; and (4) the significance of targeted advertising revenues to Google's economic model.
On 28 May 2019, 13 June 2019 and 18 July 2019, the CNIL imposed three other fines under the GDPR regime, mainly for failure of the infringers to implement technical and organisational measures to ensure security and confidentiality of personal data (article 32 of the GDPR).101
iv The CNIL's new guidance on cookies
On 4 July 2019, the CNIL published new guidance on cookies providing general requirements for obtaining valid consent to the placement of cookies and other tracking devices.102
According to the guidance, organisations shall not place cookies or process personal data obtained through them unless users have previously positively accepted the placement in a free, specific, informed and unambiguous manner, in line with the definition and conditions of Articles 4(11) and 7 of the GDPR. As a result, the guidance repeals the CNIL's 2013 guidance, pursuant to which users who continued browsing a website after being informed of cookie placement were deemed to have given consent.
The guidance also details conditions under which certain audience management cookies may be exempted from the opt-in consent requirement.
The CNIL announced that the guidance will be followed by supplemental guidance, which will specify the practical arrangements for obtaining valid consent, including by industry sectors.
v The implementation of Article 15 of the Copyright Directive under French law
The Copyright Directive 2019/790 came into force on 7 June 2019. The Directive is part of a wider strategy to reform the laws relating to digital marketing, e-commerce and telecommunications, to bring the EU into the digital age and achieve greater harmonisation of the laws governing these areas. Member States have until 7 June 2021 to transpose the Directive into national law.103
France recently became the first Member State to transpose Article 15 of the Copyright Directive by the Law of 24 July 2019, creating a neighbouring right to the benefit of press publishers and news agencies for the online reproduction and representation of their publications by an online communication service provider.104 The Law will enter into force as from 24 October 2019 but will not apply to press publications published for the first time before the entry into force of the Copyright Directive on 6 June 2019.
It introduces new provisions under the French Intellectual Property by implementing an obligation to obtain an authorisation from publishers of online news services or news agencies before any reproduction or communication to the public of all or part of their press publications in a digital form by an online communication service provider. These rights will expire two years after the press publication is published, a term calculated from 1 January of the year following the date on which that press publication is published.
Press publishers and news agencies shall be granted compensation by online communication service providers using all or part of a press publication based on the exploitation revenues of any kind, direct or indirect, of the said communication service provider and if not possible on a flat-rate basis. Furthermore, the Law went beyond the provision of the Directive by specifying that such compensation shall take into account quantitative and qualitative elements such as 'human, material and financial investments made by publishers and news agencies', as well as 'the contribution of press publications to political and general information and the importance of the use of press publications by an online communication service to the public'.
Finally, the Law has duly included the exceptions to such neighbouring right that relate to: hypertext links, the use of isolated words and the use of 'very short extracts' of a press publication and outlines that the use of isolated words or very short extracts may not impact the effectiveness of the new neighbouring right and that this effectiveness is 'notably affected when the use of very short extracts replaces the press publication itself or exempts the reader from referring to it'.
1 Myria Saarinen and Jean-Luc Juhan are partners at Latham & Watkins. This chapter was written with contributions from associates Lea Margono and Camille Dorval.
2 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
3 Article L33-1 I of the CPCE.
4 See Articles 28 to 32 of the Law of 30 September 1986, which determine the CSA's allocation procedures.
5 Articles 33 to 34-5 of the Law of 30 September 1986.
6 Article L33-1 III of the CPCE.
7 Article R153-2 of the French Monetary and Financial Code.
8 Article L165-1 of the French Monetary and Financial Code.
9 Decree No. 2014-479 of 14 May 2014.
10 Articles 39-I and 39-III of the Law of 30 September 1986.
11 Law No. 2016-1524 of 14 November 2016 strengthening media freedom, independence and pluralism.
12 Article 19 of the Law No. 2016-1524 of 14 November 2016.
13 Article 11 of the Law No. 2016-1524 of 14 November 2016.
14 Article 41 of the Law of 30 September 1986.
16 Article 40 of the Law of 30 September 1986.
17 Article 14 of the Law of 14 November 2016.
18 Article 40 of the Law of 30 September 1986.
19 Article 41-1 to 41-2-1 of the Law of 30 September 1986.
20 For recent examples of mergers in the TMT sectors, see, e.g., FCA, Decision No. 17-DCC-76 of 13 June 2017, in which the FCA ruled on the acquisition of Group News Participations by SFR Group.
21 Article L36-10 of the CPCE.
22 Article 41-4 of the Law of 30 September 1986.
23 Article 42-3 of the Law of 30 September 1986.
24 Article L32-1 of the CPCE.
25 Article L33-1 of the CPCE.
26 Article L39 of the CPCE.
27 This issue now seems resolved regarding video-sharing sites: see, for instance, the judgment of the French Supreme Court (Cass., Civ. 1ère, 17 February 2011, No. 09-67896, Joyeux Noël) in which the Supreme Court recognised a simple hosting status for Dailymotion. The Supreme Court ruled that host websites did not have to control a priori the content they host but need to ensure the content is not accessible once it has been reported as illegal (Cass., Civ. 1ère, 12 July 2012, No. 11-15165 and No. 11-15188, Google and Auféminin.com). This issue is still to be debated with respect to online marketplaces such as eBay from which it follows that French courts, which are favouring a very factual analysis of the role of the services provider, will give significant importance to judges' discretion. In that respect, see Cass., Com,. 3 May 2012, No. 11-10.507, Christian Dior Couture, No. 11-10.505, Louis Vuitton Malletier and No. 11-10.508, Parfums Christian Dior, in which the Supreme Court confirmed an earlier decision of the Paris Court of Appeals that did not consider eBay as a 'host provider', and therefore refused to apply the liability-exemption regime. See, in contrast, Brocanteurs v. eBay, Paris Court of Appeals, Pôle 5, ch 1, 4 April 2012, No. 10-00.878, in which second-hand and antique dealers accused eBay of encouraging illegal practices by providing individuals with the means to compete unfairly against professionals, and in which the Paris Court of Appeals considered eBay as a host provider able to benefit from the liability-exemption regime. The Court of Appeals based its decision on the fact that eBay had no knowledge or control of the adverts stored on its site. If the seller was asked to provide certain information, it was for the purpose of ensuring a more secure relationship between its users. The issue is also debated in the context of online forums. The Supreme Court ruled on 3 November 2015 that publishing directors are responsible for 'personal contribution spaces' from the moment they become aware of their content and must be held criminally liable for failing to take down defamatory comments (Cass., Crim., 3 November 2015, No. 13-82645).
28 See Judgment of the High Court of Paris, 4 December 2015, Goyard St-Honoré v. LBC France.
29 Article 1(2) of Directive No. 2002/22/EC.
30 See Ministerial Order of 27 November 2017 designating Orange (JORF No. 0282 of 3 December 2017).
31 Article L35-3 of the CPCE.
32 Law No. 2016-1321 of 7 October 2016 for a Digital Republic.
33 Articles 40 to 47 of Digital Republic Law.
34 Article 40 of Digital Republic Law.
35 Article 43 of Digital Republic Law.
37 2017 report: 'The state of internet in France', ARCEP report, May 2017 (available at ARCEP https://www.arcep.fr/uploads/tx_gspublication/State-Of-Internet-in-France-2017_may2017.pdf). 2018 report: 'The state of internet in France', ARCEP report, June 2018 (available at ARCEP https://www.arcep.fr/uploads/tx_gspublication/rapport-etat-internet-2018_conf050618.pdf).
38 IPv6 is the most recent version of the Internet Protocol, the communications protocol that provides an identification and location system for computers on networks and routes traffic across the internet. IPv6 has been developed to deal with the issue of IPv4 address exhaustion, and is intended to replace IPv4.
39 'End-user devices – Analysis of their influence on Internet Openness', ARCEP report, 30 May 2017 (available at https://www.arcep.fr/uploads/tx_gspublication/study-end-user-devices-internet-openness-may2017.pdf).
40 See Articles L331-25, L336-3 and R335-5 of the Intellectual Property Code.
41 See Article L34-5 of the CPCE.
42 See Article L34-5 of the CPCE.
44 See Ministerial Order of 25 February 2016 designating SA Opposetel (JORF No. 0050 of 28 February 2016).
45 The red list service ensures that contact information will not be mentioned on user lists. The orange list service ensures that contact information will not be communicated to corporate entities with the goal of advertisement. The contact information remains available on universal directories made available to the public.
46 Initially, this article provided that the collection could be authorised against the individual's relatives. However, the Constitutional Council, in decision No. 2017-648 QPC of 4 August 2017, censored this provision because it infringes the balance between public security and right to privacy.
47 New Article L246-1 et seq. of the Internal Security Code introduced by Article 20 of the LPM.
48 Article 20 IV of the LPM.
49 See Article 6-1 of Law No. 2004-575 of 21 June 2004 on Confidence in the Digital Economy as introduced by Article 12 of Law No. 2014-1353 of 13 November 2014 reinforcing regulations relating to the fight against terrorism.
50 However, the Constitutional Council established boundaries in the fight against terrorism regarding infringements of the freedom of communication. In Decision No. 2016-611 QPC of 10 February 2017, the Council considered as unconstitutional Article 421-2-5-2 of the French Criminal Code introduced by Law No. 2016-731 of 3 June 2016, which punishes any person who frequently accesses online public communication services conveying messages, images or representations that directly encourage the commission of terrorist acts or defend these acts when this service has the purpose of showing images or representations of these acts that consist of voluntary harm to life.
51 Law No. 2016-731 of 3 June 2016 reinforcing the fight against organised crime and terrorism and their funding, and improving the efficiency and the protection of guarantees of criminal proceedings.
52 Articles 706-95-1 to 706-95-3 of the French Criminal Proceedings Code added by Article 2 of Law No. 2016-731 of 3 June 2016.
53 Articles 706-95-4 to 706-95-10 of the French Criminal Proceedings Code added by Article 3 of Law No. 2016-731 of 3 June 2016.
54 Article 706-102-1 of the French Criminal Proceedings Code amended by Article 5 of the Law No. 2016-731 of 3 June 2016.
55 See Articles L34-1 and D98-5 of the CPCE.
56 See Decree No. 2009-834 of 7 July 2009 as modified by Decree No. 2011-170 of 11 February 2011.
57 See Article 32 of the GDPR.
59 See Article L. 251-2 of the French Internal Security Code.
60 See Article L. 253-2 and L. 253-3 of the French Internal Security Code.
61 Law No. 2018-607 of 13 July 2018, Military Planning Law 2019–2025 (LPM).
62 Article 45 of the 1978 Data Protection Law.
63 Directive No. 2016/1148 of 6 July 2016.
64 Article 3 of Decree No. 2018-384 dated 23 May 2018.
65 Article 3 of Decree No. 2018-384 dated 23 May 2018.
66 Article 10 of Law No. 2018-133 of 26 February 2018.
67 Article 2 of Law No. 2018-133 of 26 February 2018.
68 Articles 5 and 16 of Decree No. 2018-384 dated 23 May 2018.
69 Article 16 of Decree No. 2018-384 dated 23 May 2018.
70 Article 17 of Decree No. 2018-384 dated 23 May 2018.
71 Article 10 of Decree No. 2018-384 dated 23 May 2018.
72 Article 12 of Law No. 2018-133 of 26 February 2018.
73 Article 18 of Decree No. 2018-384 dated 23 May 2018.
74 Article 19 of Decree No. 2018-384 dated 23 May 2018.
75 Articles 7 and 13 of Law No. 2018-133; Articles 11, 12, 20 and 21 of Decree No. 2018-384 dated 23 May 2018.
76 Article 9 of Law No. 2018-133 of 26 February 2018.
77 Article 15 of Law No. 2018-133 of 26 February 2018.
78 Article L42-3 of the CPCE.
79 Article R20-44-9-2 of the CPCE.
81 ARCEP, Decision No. 2011-1080 of 22 September 2011.
82 ARCEP, Decision No. 2011-1510 of 22 December 2011.
83 See ARCEP press release of 2 August 2018.
84 ARCEP, Decisions No. 2017-0734 (Bouygues Telecom) and No. 2017-0735 (SFR) of 13 June 2017.
85 See ARCEP press release of 30 September 2015.
86 See ARCEP press release of 22 June 2017.
87 See ARCEP press release of 30 July 2018.
89 See ARCEP Draft Decision of 15 July 2019 proposing the procedure for awarding the 3,490–3,800MHz band in Metropolitan France.
90 Articles 7 and 13 of Decree No. 90-66 of 17 January 1990.
91 Article 28 2°-bis of the Law of 30 September 1986.
92 Article 56 of the Law of 4 August 2014.
93 Law No. 2018-1202 of 22 December 2018 regarding the fight against the manipulation of information.
94 Decree No. 92-280 of 27 March 1992.
95 Decree No. 2018-1226 of 24 December 2018.
96 See Ruling of the ANC of 10 December 2018 modifying the Ruling of 5 June 2014.
97 Law No. 2019-486 of 22 May 2019 on Business Growth and Transformation known as the Law Pacte.
98 Law No. 2018-493 of 20 June 2018 on the protection of personal data.
99 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
100 CNIL Decision No. SAN - 2019-001 of 21 January 2019 imposing a pecuniary sanction against GOOGLE LLC.
101 CNIL decision No. SAN - 2019-005 of 28 May 2019 imposing a financial penalty on SERGIC; CNIL decision No. SAN-2019-006 of 13 June 2019 imposing a financial penalty on UNIONTRAD COMPANY; CNIL decision No. SAN - 2019-007 of 18 July 2019 imposing a financial penalty on ACTIVE ASSURANCES.
102 CNIL decision No. 2019-093 of 4 July 2019 adopting guidelines on the application of Article 82 of the amended law dated 6 January 1978 to the reading or writing operations in a user's terminal (in particular cookies and other tracking devices) (corrigendum).
103 Directive 2019/790 of 17 April 2019 on copyright and related rights in the Digital Single Market.
104 Law No. 2019-775 of 24 July 2019