Further to the French Digital Republic Law of October 7, 2016, Dreyfus presents a trilogy of articles on three major aspects of the law.
As soon as the online consultation on the Digital Republic Law began in September 2015, the right to data portability was at the heart of debates. The participants displayed a keen interest and the votes on the article were positive (out of 796 votes, 704 were in favour of the article).
The provisions of the Digital Republic Law on the recovery and portability of data will not enter into force until May 2018, together with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The Act therefore inserted a new subsection 4 in Section 3 of Chapter IV of Book II of the French Consumer Code entitled “Data Recovery and Portability”. According to the new article L. 224-42-1 of the French Consumer Code, “The consumer has at all times a right of recovery of all his data.”
A right to data recovery in accordance with European Union law
So as not to be in conflict with its future provisions, the drafting and coming into force of the Digital Republic Law followed the new European Regulation on the protection of personal data.
The new Article L. 224-4-2 provides that the recovery of personal data introduced by the Law for a digital Republic is in conformity with the provisions of Article 20 of the Regulation of April 27, 2016.
However, there is a difference between the Digital Republic Law and the Regulation: while the latter speaks of data portability, the Digital Republic Law only mentions data recovery, regardless of what the title of the new subdivision 4 implies.
Difference between data portability and data recovery
As the name suggests, recovery allows for the retrieval of one’s data from an online provider of communication services to the public, in an open and easily reusable way. Thus, the data possessed by this provider shall not be lost when unsubscribing from its services.
Portability, however, not only makes it possible to retrieve data from the provider but also to transfer data to another. This can be initiated by the owner of the files himself, or if technically feasible, directly between the operators. Its scope is therefore larger than mere data retrieval.
The difference between data portability in the Regulation and data recovery in the Act is that the former covers only personal data and not “all files uploaded by the consumer”, contrary to the Digital Republic Law. The aim is therefore to target data processors in the Regulation and to target online providers of communication services to the public through the Law.
The choice between portability and recovery therefore becomes clearer: personal data is sensitive data and it is normal for a person to make use of this information. “All the files uploaded by the consumer”, however, makes the question to be asked a little more complex. It is understandable that the legislator did not wish to impose portability on the providers: this would have required considerable technical efforts and very high costs in terms of compliance. Nothing, however, prevents the user from subsequently transmitting files to another provider, even if technically possible.
What data is involved in the recovery according to the Digital Republic Law?
The legislator sought to go further than personal data under the Regulation. The aim of these provisions is indeed to facilitate the access of new providers, in particular young innovative startups, to markets very often closed or at the very least dominated by oligopolies. The choice was made to lower the barriers to changes of service providers and to promote competition among different digital service providers. Thus, the choice was made to include, for example, online bank statements, order history on an electronic sales site or the content of music preferences progressively posted on an online streaming site.
The Act therefore provides that recovery must be a free-of-charge service for all providers of online communication services to the public. It therefore covers:
- “all the files uploaded by the consumer”;
- “all the data resulting from the use of the user account of the consumer and viewable online by him, other than those that were subject to significant enhancements by the provider”;
- and “other data related to the consumer’s user account that meets the following requirements: a) these data enable the change of service provider or allow access to other services; b) data identification takes into account the economic importance of services involved, the intense competition between providers, the usefulness to the consumer, the frequency and the financial issues in the use of those services.”
The data involved in the recovery is therefore significant and the criteria provided by the law allow for a wide scope of retrievable data. It includes files uploaded by the consumer, data available online on the consumer’s user account, other data associated with the account as well as that of economic importance, useful for the consumer, that bear financial issues, etc.
However, there is one significant exception: data “that were subject to significant enhancements by the provider” are not in the scope of the recovery. This involves making a distinction between raw data and significantly enriched data. The latter are those that concern services offered by the platform; data transmitted by the consumer that have been modified, enhanced using algorithms created by the service provider. The contribution of this algorithm cannot therefore be retrieved by the consumer while recovering the data.
Furthermore, it is only information visible to the public and not that of the “back office” that is concerned.
What are the new obligations on online communication service providers?
They must set up this data recovery feature and offer it free of charge.
The service provider must take all necessary measures, in terms of interface programming and transmission of the information necessary for the change of provider. The consumer must be able to retrieve all of his/her data or files through a single request made to the provider.
The data must be recovered using an open standard, easily reusable and exploitable by an automated processing system. However, when this is impossible, the provider must clearly and transparently inform the consumer. Otherwise, where appropriate, the provider informs the consumer of the alternative methods of such data recovery and specifies the technical characteristics of the recovery file format, in particular its open and interoperable character.
A decree is expected to specify the list of the types of enrichments deemed to be insignificant that cannot give rise to a recovery refusal to the consumer. In case of a dispute, the burden of proving the alleged insignificant enrichment will be that of the professional.
To this extent, the new Article L. 224-42-4 of the French Consumer Code specifies that these provisions do not apply to providers of an online public communication service whose number of user accounts subject to an active connection during the last six months is less than a threshold number defined by decree.
What do these new provisions bring about?
The ability to retrieve data from an online communication service was highly anticipated by Internet users. For some, this is even the corollary of the recognition of the right to the free disposal of personal data.
The challenge here was to balance the needs of consumers with business economic needs. The aim was not to disadvantage young innovative companies struggling to find a place among the giants within the markets concerned.
Time will tell us whether this objective is achieved and the impact of these provisions. We will have to wait until May 25, 2018 to notice the first visible effects, when the European Regulation and these provisions on data portability and recovery will come into force.