News

In an economic landscape where corporate value is increasingly derived from intangible assets, intellectual property (IP) litigation is becoming significantly more complex. The increasing judicialization of business, coupled with the technical intricacies of emerging digital challenges (Web3, AI, Data), imposes a requirement for absolute rigor upon legal practitioners. For international lawyers, General Counsels, and decision-makers, relying on standard technical support is no longer sufficient; it has become imperative to collaborate with professionals whose competence is recognized and validated by the highest jurisdictions.

It is in this context that the dual status of Court-Appointed Expert to the Cour de cassation (French Supreme Court – Specialization: Trademarks) and Expert to the Paris Court of Appeal (Specialization: Trademarks, Designs & Models) assumes its full strategic dimension. Beyond the honorific title, it represents a probative methodology and an anticipatory vision of judicial risk that are placed at the service of corporate strategy. This qualification offers reinforced legal certainty, which is essential for preserving the professional liability of legal counsel and ensuring the enforceability of rights holders’ assets.

The status of court-appointed expert: a guarantee of technical excellence and ethics

Inclusion on the lists of judicial experts is not a mere administrative formality. It is the culmination of a drastic selection process, validating indisputable technical competence and absolute moral probity.

Being a Court-Appointed Expert to the Cour de cassation constitutes the highest level of recognition for a legal technician in France. This implies that the highest court in the French judicial order recognizes the expert as an authority in their specialization. Similarly, accreditation by the Paris Court of Appeal, the central jurisdiction handling the vast majority of IP litigation in France, attests to a proven practice in complex cases.

For the lawyer or the final client, collaborating with a Court-Appointed Expert offers three major guarantees, indispensable to the solidity of a file:

1. Independence: The expert is bound to total objectivity, a pledge of credibility when establishing reports or audits.
2. Technical Competence: Mastery of the most specific aspects of the matter (distinctiveness, likelihood of confusion, revocation, materiality of infringement).
3. Ethics: Strict adherence to the guiding principles of the trial, notably the adversarial principle (due process), which permeates their entire practice, even in advisory roles.

You may verify these official registrations via the justice directories:

• Consult the official list of experts to the Paris Court of Appeal (2026)
• Consult the official list of experts to the Cour de cassation (2025)
• Consult the national directory of the National Council of Companies of Justice Experts (CNCEJ)

The added value of the judicial expert in the lifecycle of IP rights

A common misconception is that the Court-Appointed Expert only intervenes once litigation has arisen. On the contrary, it is precisely upstream, in the daily management of portfolios, that the judicial expert’s mindset provides superior legal certainty. Each act is performed with the perspective of its future enforceability before a tribunal.

Audit and availability searches: the judge’s eye before the trial

A standard availability search lists potential obstacles. A search conducted with “the eye of the Court-Appointed Expert” qualifies the risk with the perspective of the magistrate. The expert, accustomed to enlightening tribunals, understands how trial judges appreciate in concreto the similarity of signs or goods and services.

When analyzing your trademark availability searches, we do not merely apply theoretical criteria. We evaluate the probability that a judge would retain a likelihood of confusion, integrating the most recent jurisprudential trends. This allows for the elimination of false positives (theoretical risks that are judicially weak) and the identification of genuine litigation risks, thus protecting the company against future nullity actions.

Filings and procedures: procedural rigor at the service of protection

The solidity of an industrial property title is determined at the moment of its filing. A poorly drafted specification or imprecise classification constitutes a breach into which the opposing party will step during a nullity or revocation action.

The practice of pathological litigation teaches us a contrario how to draft robust wordings. We anticipate arguments of non-use or lack of distinctiveness. This preventive approach is at the heart of our trademark law practice, where each class is weighed to withstand the “fire” of judicial proceedings, guaranteeing maximum enforceability of the title. This is essentially legal engineering designed to preclude future vulnerability.

Management and valuation: credibility in audits (M&A)

In the context of Mergers & Acquisitions (M&A) or fundraising, the valuation of IP assets is critical. The intervention of an Expert appointed to the Cour de cassation to audit a portfolio provides a major “trust signal” to investors and auditors.

The financial valuation of trademarks requires rigorous methodology (relief from royalty method, excess earnings method, etc.) which the judicial expert masters perfectly for regular presentation before the courts. This rigor secures the valuation and strategy and minimizes the risks of liability warranties, thereby protecting the professional liability of the business lawyers managing the transaction.

Surveillance and defense: qualifying infringement with precision

Online brand enforcement often generates significant “noise.” Distinguishing between a minor infringement and a substantiated counterfeiting case requiring immediate action is crucial for cost control and defense strategy.

The Court-Appointed Expert possesses the necessary acuity to detect the constitutive elements of infringement (identical reproduction, imitation, risk of association) and to compile a body of probative evidence. This precise qualification allows for advising on the most adapted gradual response, from the cease-and-desist letter to the seizure (saisie-contrefaçon), avoiding reckless threats that could lead to liability for disparagement.

The synergy between lawyers and IP attorneys in complex litigation

The success of intellectual property litigation often rests on the alliance between the procedural strategy of the lawyer and the technical analysis of the Trademark Attorney (CPI). When a specialized lawyer collaborates with a CPI holding the status of Court-Appointed Expert, they significantly reinforce the probative value of their file.

This technical collaboration materializes at several levels:

• Expert Consultation (Party-Appointed Expertise): Even before the introduction of proceedings, we can draft an independent technical consultation. Although produced at the request of a party, the signature of an Expert appointed to the Cour de cassation confers major technical weight upon the document. This report serves to objectify technical facts and provides the lawyer with robust arguments for their pleadings, which can be pivotal in IP litigation advice.
• Assistance during Saisie-Contrefaçon (Seizure): The preparation of the motion and assistance to the Bailiff during operations require surgical precision to avoid the nullity of the official report. Judicial expertise ensures scrupulous respect for the limits of the court order and the accurate description of material facts.
• Validity Analysis and Counterclaims: In a defense strategy, we assist the lawyer in identifying technical flaws in the opposing party’s patent or trademark (prior art, lack of novelty, descriptiveness) to construct a solid counterclaim for nullity.

This synergy allows for the delivery of a “turnkey” file to the judge, where law and technique articulate perfectly, maximizing the chances of success.

FAQ: The judicial expertise in practice

What is the difference between a Party-Appointed Expert and a Court-Appointed Expert?
The Court-Appointed expert is designated by the judge to enlighten the tribunal on a technical question with total impartiality. The Party-Appointed expert is retained by one of the parties. However, when the party expert also holds accreditation from the Cour de cassation or Court of Appeal, their private consultation benefits from superior moral and technical authority. They remain bound by their ethics and duty of rigor, which confers greater probative force to their analysis than a simple technical note.

How does judicial expertise secure a trademark financial valuation in an M&A context?
The financial valuation of intangible assets is often contested by tax authorities or during shareholder disputes. The judicial expert applies standardized methodologies recognized by the courts. Their valuation report is argued, documented, and justified point by point. In the event of an audit or post-acquisition litigation, this report constitutes a master piece of evidence to justify the transfer price, thus protecting executives and their legal counsel.

Can we retain a Court-Appointed Expert for a private consultation before litigation starts?
Yes, and it is highly recommended. Retaining a Court-Appointed Expert for a pre-litigation consultation allows for an objective assessment of the chances of success of an action (analysis of the materiality of infringement, validity of the title). This enables the lawyer and client to define the best strategy: settle, attack, or withdraw. It is an indispensable risk management tool to avoid long, costly, and uncertain proceedings.

What is the role of the expert during a saisie-contrefaçon?
During a seizure, the Bailiff describes what they see, but they do not always possess the technical competence to identify specific elements of infringement, particularly in complex fields (software, designs). The expert assisting the Bailiff guides them to ensure that the seized evidence corresponds exactly to the judge’s order, thus avoiding out-of-scope seizures that could lead to the nullity of the report.

Why trust Dreyfus Law Firm

Dreyfus Law Firm is not merely a firm of Trademark Attorneys; it is a reference in Intellectual Property and Digital Law.

Founded by Nathalie Dreyfus, Expert to the Cour de cassation and Expert to the Paris Court of Appeal, the firm combines the agility of a dedicated team with the power of a global network. Our transversal approach allows us to accompany lawyers and legal departments across the entire value chain: from filing strategy to aggressive defense of rights on the Internet (Domain names, UDRP, Phishing) and in the physical world.

Choosing Dreyfus means choosing the security of technical expertise recognized by the highest French jurisdictions to protect your most valuable assets and secure your litigation strategies.

Are you a lawyer or General Counsel looking to secure the technical aspect of a complex file?

Contact us for a confidential analysis of your issues.

Dreyfus & Associés is a partner of a global network of lawyers specializing in Intellectual Property.

Introduction

The protection of plant varieties is a major strategic issue for breeders, seed companies, research institutes and investors. Within the European Union, the plant variety right (PVR) provides a harmonised, demanding and highly technical legal framework. Certain mistakes—often made prior to filing—may result in the definitive loss of rights.

It was Regulation (EC) No. 2100/94 of 27 July 1994, known as the Basic Regulation, which established at EU level a specific system for the protection of plant varieties, referred to as the Community Plant Variety Protection system (CPVP).
This system provides for the grant of a single intellectual property title: the Community Plant Variety Right (Community PVR), issued by the Community Plant Variety Office (CPVO), the sole authority competent at EU level for implementing this protection system.

Unlike national plant variety rights, which are granted by national offices and are strictly limited in territorial scope to the State concerned, the Community plant variety right allows, through a single filing, the securing of exclusive rights covering the entire European market.

The purpose of this article is to provide a comprehensive, structured and chronological checklist designed to anticipate risks and to effectively secure an application for plant variety protection within the European Union.

Ensuring, at an early stage, that the variety is eligible for protection

Before taking any steps, it is essential to verify that the variety in question actually meets the conditions for protection under EU law. Above all, the variety must result from a characterised breeding activity, excluding any mere discovery.

Beyond this initial assessment, attention must focus on compliance with the fundamental criteria for protection: novelty, distinctness, uniformity and stability.
• Novelty requires that the variety has not been commercialised, with the breeder’s consent, beyond the authorised time limits prior to filing. Even limited or indirect marketing may be sufficient to destroy novelty.
• Distinctness means that the variety must be clearly distinguishable from any other known variety at the filing date, by at least one relevant and observable characteristic.
• Uniformity requires that the plants constituting the variety show sufficient consistency in the expression of their characteristics, taking into account the mode of reproduction.
• Stability, finally, means that the essential characteristics of the variety remain unchanged after repeated propagation or at the end of each cycle of reproduction.

These criteria are assessed globally as part of the technical examination conducted by the CPVO. The absence of any one of them is sufficient to justify rejection of the application.

In practice, novelty is very often the main point of concern. Any marketing activity, even on a limited scale, occurring prior to filing may lead to an irreversible loss of rights. Field trials, exchanges of plant material or inadequately controlled technical communications are frequently at the origin of subsequent difficulties.

Securing ownership of the plant variety right from the outset

Ownership of rights is a central issue in the plant variety protection procedure. It is essential to identify precisely the breeder in the legal sense, whether a natural person or a legal entity.

Where the variety results from collective work involving employees, industrial partners or research institutes, an in-depth analysis of the contractual relationships is required. Employment contracts, collaboration agreements or research conventions may contain decisive clauses regarding ownership of results. In the absence of prior clarification, the applicant exposes itself to subsequent claims likely to seriously weaken the protection.

Formal requirements for filing

The preparation of the filing dossier should not be treated as a mere administrative formality. It requires the collection of precise and consistent technical information relating to the variety, its origin and its breeding method.

The filing dossier notably includes:
• the full identity of the breeder and, where applicable, its representative,
• the exact botanical designation of the variety,
• the proposed variety denomination, compliant with European rules,
• a detailed technical questionnaire specific to the species concerned.

Particular care must be taken with the variety denomination. This is subject to specific rules, distinct from trademark law, and must allow clear, stable and non-misleading identification of the variety. A poorly chosen denomination may give rise to objections, delay the procedure or result in refusal.

Applications before the CPVO may be filed in several official EU languages; however, English remains the preferred working language.
Representation by a specialised advisor helps to avoid formal irregularities likely to delay the procedure.

Filing the application and conduct of the procedure before the CPVO

Once the application has been filed and the fees paid, a formal examination is carried out before the technical examination phase is opened. This phase involves the designation of a competent examination office for the species concerned, responsible for carrying out the distinctness, uniformity and stability tests.

The choice of this office may have a significant impact on the duration of the procedure and on subsequent technical exchanges. In addition, the timely submission of plant material in accordance with the required conditions is a critical step. Any failure in this respect may result in rejection of the application or a substantial extension of time limits.

The DUS Examination: a lengthy and decisive phase

The DUS examination lies at the heart of the plant variety protection procedure. It is based on in-depth comparative tests, generally spread over several growing cycles.
In practice, this examination is entrusted to an authorised examination office competent for the species concerned, in accordance with Article 55 of the Regulation.

The examination generally involves:
• the supply of compliant plant material,
• trials conducted over one or more growing cycles,
• strict adherence to a timetable, which varies depending on the species and the filing period.

The duration of the examination depends in particular on the growing season applicable to the variety. In practice, the full procedure most often extends over two to three years, or even longer for certain perennial species.

At this stage, objections may be raised if the variety appears insufficiently distinct from existing varieties or if difficulties are identified in terms of uniformity or stability.

This phase requires rigorous technical preparation and anticipation of the examination office’s expectations. An incorrect assessment of the criteria or insufficient documentation may lead to failure, sometimes after several years of proceedings.

Applicants outside the European Union: key regulatory points of attention

Where the applicant is established outside the European Union, additional regulatory constraints must be taken into account at an early stage of the project. The transfer of plant material into the EU may be subject to strict phytosanitary rules, specific customs formalities and, depending on the country of origin and the species concerned, prior authorisations.

Furthermore, certain States apply particular restrictions on the export of biological resources or specific tax regimes likely to affect the circulation of plant material or the structuring of financial flows.
Failure to anticipate these aspects may result in delays, unforeseen costs or even prevent continuation of the procedure. A prior analysis of the applicable regulatory, customs and tax constraints is therefore essential.

Anticipating common errors and international coordination

Among the most frequent errors are:
• premature disclosure of the variety; strict traceability of the first uses of the variety is therefore essential,
• a non-compliant or conflicting denomination, making it necessary to conduct a thorough availability search prior to filing, not only in respect of existing variety denominations but also relevant prior rights,
• poor coordination between national, European and international filings.

The filing of a community plant variety right is only one component of an international protection strategy. It must be coordinated with systems in place in third countries that are members of the International Union for the Protection of New Varieties of Plants (UPOV), which, although based on common principles, present significant national specificities.

Poorly managed timing between initial commercialisation, Community filing and filings in third countries (United States, Latin America, Asia, Africa) may lead to irreversible loss of protection in strategic territories.

Conclusion

Filing a plant variety right in the European Union requires a rigorous approach, combining law, agronomic expertise and economic strategy. A comprehensive legal and administrative checklist is the most effective tool to secure the breeder’s rights and optimise the long-term valorisation of the variety.

Dreyfus & Associés is in partnership with a global network of lawyers specialising in Intellectual Property.

Nathalie Dreyfus with the assistance of the entire Dreyfus team

Q&A

1.What is a Community plant variety right (CPVR)?
A Community plant variety right is a unitary intellectual property title granted by the Community Plant Variety Office (CPVO). It confers on its holder an exclusive right to exploit a new, distinct, uniform and stable plant variety throughout the entire territory of the European Union.

2.What is the difference between a national plant variety right and a Community plant variety right?
A national plant variety right has effect only within the territory of the State that granted it. By contrast, a Community plant variety right provides uniform protection in all EU Member States through a single filing, making it the preferred option for breeders targeting the European market as a whole.

3.What do the DUS tests carried out as part of the procedure involve?
DUS tests are designed to verify that the variety is distinct, uniform and stable. They are conducted by authorised examination offices and focus on specific technical characteristics. These tests may extend over several growing cycles and represent the longest and most technical stage of the CPVR procedure.

4.When should an application for plant variety protection be filed?
Ideally, before any commercialisation or public disclosure likely to affect the novelty of the variety.

5.Can a variety be protected both by a plant variety right and a trademark?
Yes, but these protections serve different purposes. The variety denomination is subject to specific rules and must not be confused with a commercial trademark.

6.How long does the plant variety protection procedure take?
The duration varies depending on the species, but the DUS examination generally extends over several years.

7.What happens in the event of an error regarding ownership of rights?
An ownership error may lead to claims, disputes or, in some cases, invalidation of the plant variety right.

8.Can an applicant outside the EU apply for a European plant variety right?
Yes, but the applicant must anticipate the phytosanitary, customs and regulatory rules applicable to the export of plant material into the European Union.

This publication is intended to provide general guidance to the public and to highlight certain issues. It is not intended to apply to specific situations nor to constitute legal advice.

Introduction

As the next round of new generic top-level domain (gTLD) applications approaches in 2026, the Registry Service Provider (RSP) Evaluation Program introduced by ICANN is redefining the technical and legal foundations of the domain name ecosystem.

This program marks a structural shift in how registry operators are assessed, certified, and integrated into the global DNS infrastructure. For trademark owners, intellectual property professionals, registries, understanding this framework is now a strategic imperative.

Understanding the registry service provider evaluation program

A new model for technical qualification

The RSP Evaluation Program introduces a decoupled assessment model, separating technical validation from individual gTLD applications.

Under the former framework, each applicant had to demonstrate independently its operational capabilities. This approach generated:

• Redundant technical audits
• Increased compliance costs
• Extended review timelines
• Inconsistent quality benchmarks

The RSP model replaces this with a centralized pre-qualification mechanism, whereby providers are evaluated once and recognized across multiple applications.

Core services covered by the RSP framework

Certified RSPs must demonstrate robust capacity in:

• Domain Name System (DNS) operations
• DNSSEC key management and cryptographic security
• Registry data publication and RDAP compliance
• Registry system continuity and disaster recovery
• Escrow and data integrity mechanisms

These functions are no longer treated as ancillary. They now constitute the technical backbone of gTLD governance.

Evaluation phases and operational framework

Pre-evaluation phase (2024–2025)

The initial pre-evaluation phase enabled early applicants to undergo technical assessment ahead of the main round.

Its objectives included:

• Establishing a pool of vetted operators
• Enhancing transparency for applicants
• Facilitating early contractual negotiations

Successful candidates are listed publicly, creating a reference market for future applicants.

Concurrent evaluation phase (From 2026)

A second evaluation window will operate alongside the 2026 gTLD application round.

This phase targets:

• New entrants
• Late technical providers
• Applicants developing in-house registry systems

Testing infrastructure: OT&E and RST v2.0

ICANN’s Operational Test and Evaluation (OT&E) and Registry System Testing (RST) v2.0 environments are mandatory validation platforms established to verify that a registry operator or RSP provider is genuinely capable of managing a top-level domain in a reliable, secure, and continuous manner.

They assess:

• Load resilience
• Incident response capacity
• Data recovery procedures
• System interoperability

This reinforces operational reliability at the root of DNS governance.

Legal and technical implications for stakeholders

Technical reliability as a legal safeguard

From an IP enforcement perspective, registry stability directly conditions the effectiveness of:

• Uniform Domain-Name Dispute-Resolution Policy (UDRP)
• Uniform Rapid Suspension (URS)
• Trademark Clearinghouse mechanisms (TMCH)
• Sunrise and Claims services

Without a qualified RSP, these instruments lose practical effectiveness.

Impact on enforcement and dispute resolution

Procedures administered in coordination with institutions such as the WIPO depend on accurate registry data and operational continuity.

A certified RSP ensures:

• Reliable registrant identification
• Traceable abuse reporting
• Preservation of evidentiary records

These elements are decisive in litigation and administrative proceedings.

Strategic opportunities for trademark owners and rights holders

Cost rationalization and budget predictability

The pre-certification model significantly reduces:

• Technical audit expenses
• Legal contingency reserves
• Emergency remediation costs

Applicants can reallocate resources toward:

• Trademark architecture
• Defensive registration programs
• Digital compliance policies

Enhancing .trademark governance models

For corporate applicants pursuing .trademark strategies, RSP certification enables:

• Centralized trademark ecosystems
• Controlled distribution channels
• Unified cybersecurity governance
• Integrated compliance frameworks

Practical recommendations for 2026 applicants

We recommend that applicants integrate RSP considerations into early strategic planning.

Key action points

• Identify pre-evaluated RSPs at least 18 months in advance
• Integrate RSP timelines into trademark filing strategies
• Conduct legal audits of registry agreements
• Align DNS governance with trademark protection policies
• Establish internal oversight committees

Internal and external resource integration

Applicants should coordinate:

• Legal teams
• IT governance units
• Cybersecurity departments
• External IP counsel
• Registry operators

This transversal approach reduces operational fragmentation.

Conclusion

The Registry Service Provider Evaluation Program represents a structural evolution in DNS governance. It transforms technical qualification into a strategic legal instrument and places infrastructure reliability at the center of trademark protection.

For domain name stakeholders, this program is no longer optional. It is a prerequisite for sustainable digital positioning.

The Registry Service Provider Evaluation Program must now be understood as a cornerstone of modern domain name strategy.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

1. Does RSP certification guarantee application approval?
No. It only validates technical capacity. Legal, financial, and policy reviews remain applicable.

2. How long does RSP evaluation usually take?
Between 6 and 12 months, depending on system complexity and remediation requirements.

3. Should trademark owners prioritize pre-evaluated providers?
Yes. Early engagement reduces regulatory and operational uncertainty.

4. What are the main legal risks of using a non-certified provider?
Application rejection, enforcement failures, compliance breaches, and reputational damage.

5. When should applicants begin RSP negotiations?
Ideally 24 months before the application window.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.

Introduction

Over the past few years, the double proxy has established itself as one of the most formidable technical mechanisms used by professional cybersquatters. Behind an apparent technical sophistication hides a very concrete legal reality: an organized opacity, intended to slow down the identification of those responsible, to neutralize in practice the actions of withdrawal and to amplify infringements of trademarks, domain names and corporate reputation.

In a context of growing organized crime, the double proxy is no longer a simple tool for anonymization. It now allows the deployment of industrial phishing, employment fraud, digital counterfeiting or identity theft campaigns, designed to resist traditional legal reaction mechanisms.

Understanding the double proxy: a cascade opacity mechanism

The double proxy is based on the successive interposition of several distinct technical intermediaries between the end user and the server effectively controlled by the attacker. In practice, the disputed domain name points to a first proxy, often operated by a CDN or reverse proxy provider, which then redirects to a second intermediary before reaching the final infrastructure.

These actors generally present themselves as mere technical providers and claim, in practice, the benefit of the hosting providers’ liability regime, subject to the legal qualification of their actual functions.. The objective is clear: to sever both the legal and technical link between the unlawful content and its true operator. Each layer acts as an additional screen, making the identification of the true hostng provider and the data controller particularly complex.

Fragmentation of responsibilities and enforcement actions

Unlike a simple proxy, the double proxy is based on a voluntary segmentation of technical and legal roles, which fragments the chain of responsibility and complicates any swift and coordinated action.

In practice, the chain of intermediation follows a well-established pattern. The registrar identifies a technical point of contact and refers to a CDN provider, whose official mission is to optimize the availability and performance of content. This provider then redirects to an intermediate hosting service, which is not necessarily the actual site operator. Finally, this host relies on a hidden origin server, sometimes located outside the European Union.

Each actor then presents himself as a passive intermediary and shifts responsibility to the next link in the chain. This cascading architecture exploits the grey areas of technical intermediaries’ liability law: without formally neutralizing notice-and-takedown mechanisms, it largely deprives them of  effectiveness by diluting the actual knowledge of unlawful content and the capacity for immediate action.

Why the double proxy has become the cybersquatter’s ultimate weapon

The first effect of the double proxy is a systemic neutralization, in practice, of takedown procedures. Each service provider invokes their status as an intermediary, requires local court orders or redirects the complainant to another actor in the chain. A withdrawal request, although well-founded, then turns into a fragmented procedural journey, incompatible with the urgency of ongoing fraud.

The second effect is an accelerator of large-scale fraudulent campaigns. The dual proxy allows for near-instant infrastructure recycling: when a website is suspended, content is replicated elsewhere, the domain name redirected, and the proxy chain reconfigured in minutes.

Finally, this architecture leads to a dilution of legal responsibilities. Each intermediary invokes its local compliance, or lack of actual knowledge, complicating the demonstration of bad faith, which is central to cybersquatting and domain name disputes.

Impact on rights holders

The double proxy weakens the effectiveness of trademark rights and extrajudicial mechanisms. UDRP-type procedures or blocking actions carried out with registrars lose effectiveness when fraudulent content remains accessible despite the suspension or blocking of the disputed domain name.

Each additional day during which a fraudulent website remains online generates immediate economic and reputational damage, marked by a loss of customer trust and an increased risk of personal data being misappropriated.

From an evidentiary standpoint, the double proxy greatly complicates evidence gathering. The rotation of IP addresses, limited log retention and the deliberate instability of intermediation chains make the identification of the real operator particularly challenging.

What solutions are available against double proxying?

Faced with the double proxy, the effectiveness of the response relies on a multi-level legal approach. This combines coordinated notifications with the registrars, CDN providers and hosting providers, legally qualified formal notices and, where justified , targeted extrajudicial or judicial actions. The objective is to identify, within the technical chain, the actors with a concrete capacity for intervention and to avoid the dilution of responsibilities.

Anticipation through technical evidence is decisive. The precise documentation of proxy chains, time-stamped captures of redirects, dynamic DNS analysis and rapid conservation of technical elements make it possible to establish the actual role of each intermediary and to contest usefully the classification as a purely passive intermediary.

In this respect, recent case law confirms the relevance of this approach. In a judgment of October 2^nd, 2025 (RG n° 24/10705) relating to a streaming fraud case, the Paris Judicial Court admitted that an infrastructure provider could be held liable as an indirect host provider, when the latter is duly notified of the illegal content and this qualification remains proportionate to its technical functions and its capacity to act.

Conclusion

The double proxy is today one of the most sophisticated and destabilizing tools of modern cybersquatting. Its impact goes well beyond technical considerations: it undermines the effectiveness of rights, the speed of remedies and user protection.

within response to this weapon, only a global strategy, combining legal expertise, technical mastery and anticipatory evidence gathering, can restore a balanced enforcement framework.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

Q&A

1. Is the use of double proxying illegal?

No. The use of a proxy, including multiple, is legally neutral in itself. It is not the technology that is unlawful, but its use. On the other hand, when double proxy is used to conceal manifestly unlawful activities, it constitutes a strong indicator of bad faith in the overall legal analysis.

2. Can an intermediary be forced to keep their logs?

In principle, not without judicial intervention. Data retention obligations are strictly regulated. On the other hand, rapid precautionary measures may be requested in order to avoid the automatic deletion of essential technical data.

3. Does the use of non-EU servers prevent any legal action?

No, but it complicates enforcement. It often requires combined actions (administrative, judicial) and more frequent reliance on international assistance or actors located upstream in the technical chain.

4. Are automated detection tools effective against double proxy?

They are useful but insufficient alone. They must be combined with legal and technical analysis, capable to interpret redirections, infrastructure structures and weak signals.

5. Is a website protected by a CDN necessarily suspicious?

No. CDNs are widely used for legitimate purposes. It is the combined use of several layers of proxy, associated with unlawful content, that may become problematic.

6. Are the hosting providers always able to act quickly?

Not necessarily. Some intermediaries have only partial control over the infrastructure and must themselves turn to other providers before they can intervene.

The purpose of this publication is to provide general guidance to the public and to highlight certain issues. It is not intended to apply to particular situations or to constitute legal advice.

Introduction

The Data Protection Act (Loi Informatique et Libertés), of January 6, 1978, has since then evolved to meet the new challenges posed by digital technologies and the management of personal data.

The successive reforms, particularly with the implementation of the General Data Protection Regulation (GDPR), the EU Directive 2016/680’s transposal, and recent amendments, have allowed the law to adapt to contemporary issues.

This article explores the major changes to this legislation and analyzes their impact on personal data protection in France.

The origin and evolution of the data protection Act

The Data Protection Act was initially adopted in 1978 to protect citizens’ privacy in the context of personal data management. This law established the Commission Nationale Informatique & Libertés (CNIL), French independent administrative authority, to ensure that data processing practices comply with the law’s fundamental principles. The original law aimed to regulate the collection and processing of personal data by both public and private sectors and has been amended twice:

• In 2004, with the introduction of new provisions to strengthen data protection, notably through the transposal of the European Directive 95/46/EC, which implemented adjustments to the law.

• In 2016, with the adoption of the General Data Protection Regulation (GDPR) in May, which came into effect in 2018, marking a significant evolution in both French and European legislation.

Major changes brought by the GDPR

The GDPR had a significant impact on the Data Protection Act by strengthening personal data protection and harmonizing rules at the European level. While it is not directly a modification of French law, its application forced national legislation to integrate its core principles.

The GDPR has enabled to guarantee :
• The right to clear and accessible information when collecting data.
• The right to access, rectify, and erase (right to be forgotten).
• Data portability from one service to another.

The GDPR also expanded the CNIL’s powers in terms of enforcement, allowing fines up to 4% of a company’s global turnover for non-compliance. The CNIL now plays a more proactive role in monitoring corporate compliance.

Relationship between national law and the GDPR

The Data Protection Act continues to play a complementary role to the GDPR on issues where the European regulation allows for national discretion.

For example:
• The processing of health data, offense-related data, or journalistic data.
• Criminal law files, governed by specific rules derived from the European directive introduced alongside the GDPR.

These provisions allow the legal framework to adapt to areas where security and protection concerns are particularly high.

The evolution of the Data Protection Act remains dynamic, with regular amendments, notably decrees published since 2018, specifying the operational modalities of the new rules.

New obligations for businesses

The Data Protection Act, as amended by the GDPR, now imposes additional obligations on businesses regarding the management of personal data:

• Appointment of a Data Protection Officer (DPO):
Certain businesses must appoint a DPO to ensure that data processing practices comply with the legislation.

• Explicit and Documented Consent:

Businesses must obtain explicit consent from users before collecting their data, and this consent must be documented and easily accessible.

• Privacy Impact Assessment (PIA):

Businesses must conduct PIAs when data processing presents a high risk to individuals’ rights and freedoms, especially in the case of automated processing.

Challenges of data protection in the digital Age

1) The rise of Big Data and AI

The massive processing of data (Big Data) and the growing use of artificial intelligence (AI) in personal data processing pose new challenges. Businesses must now justify the necessity of collecting data and can no longer rely on a lax approach.

2) The risks of data breaches

Despite efforts to strengthen security, data breaches remain frequent. Companies must not only take preventive measures but also be prepared to notify competent authorities and affected individuals in case of a data breach.

3) International Data Transfers
The transfer of data outside the European Union is strictly regulated. Businesses must implement appropriate mechanisms, such as standard contractual clauses or comply with adequacy regulations (e.g., the Privacy Shield for transfers to the United States), to ensure the security of personal data.

Conclusion

The Data Protection Act, as amended by the GDPR, represents a strengthened legal framework for personal data protection, particularly in the context of rapid technological advancements. Businesses must comply with these new rules, not only to avoid penalties but also to ensure the trust of their users.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of specialized intellectual property lawyers.

Nathalie Dreyfus with the support of the entire Dreyfus team.

Q&A

1.How does the GDPR affect companies that process sensitive data?
Companies that process sensitive data must implement enhanced security measures and obtain explicit consent from the individuals concerned. They must also conduct a Data Protection Impact Assessment (DPIA) to assess the risks associated with these processing activities.

2.Which companies must appoint a DPO?
Companies that process personal data on a large scale or sensitive data must appoint a Data Protection Officer (DPO). It is also mandatory for public organizations and those involved in regular monitoring of individuals.

3.What are the risks for companies in case of non-compliance?
In case of non-compliance, companies risk financial penalties of up to 4% of their global turnover or €20 million, depending on the severity of the violation. They may also face legal action and damage to their reputation.

4.How can companies ensure the security of personal data?
Companies must implement technical and organizational security measures, such as data encryption, strict access controls, and continuous training for employees on security best practices.

5.What is a Data Protection Impact Assessment (DPIA)?
A Data Protection Impact Assessment (DPIA) allows companies to analyze the risks to data protection before launching processing activities that may affect individuals’ privacy. It is mandatory for high-risk processing, particularly in cases of large-scale surveillance.

6.Is user consent always necessary for the processing of their data?
Explicit consent is required when data is processed based on this consent. However, in certain cases (e.g., for contract execution or legal obligations), other legal bases, such as legitimate interest, can be used without the need for prior consent.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.

Introduction

ICANN (Internet Corporation for Assigned Names and Numbers) established the system of national top-level domains, known as ccTLDs (country code Top-Level Domains), the management of which is entrusted to each country. Specific rules govern the registration and use of these extensions, depending on local legal and regulatory requirements.

Choosing an appropriate ccTLD makes it possible to clearly indicate to search engines and users the intended target audience, thereby strengthening the relevance of content at a national or regional level. As such, the ccTLD constitutes an essential legal, technical, and strategic lever for any company developing an online activity, whether domestic or international.

Definition: what is a ccTLD?

A ccTLD (Country Code Top-Level Domain) is a domain name extension composed of two letters, assigned to a State or territory on the basis of the international ISO 3166-1 standard.

Each ccTLD corresponds to a clearly identified geographical area, for example .fr for France, .de for Germany, .it for Italy, .es for Spain, or .cn for China.

In addition, certain territories have been assigned specific codes under the ISO standard, in particular overseas territories, in order to reflect their particular geographical situation. Accordingly, alongside the French .fr extension, there are also .gf (French Guiana), .mq (Martinique), .re (Réunion), .nc (New Caledonia), .yt (Mayotte), and .gp (Guadeloupe).

Certain exceptions also exist. The United Kingdom, for instance, does not use the standard ISO code .gb, but rather the ccTLD .uk. Likewise, although the European Union is not a State, the ccTLD .eu is widely used by institutions and organisations in order to strengthen their visibility and identification at the European level.

The role of governance authorities

From an institutional perspective, the allocation of all ccTLDs is coordinated by ICANN. However, the management and registration of national domain names are carried out by the respective national registries, commonly referred to as NICs (Network Information Centers).

In France, for example, the .fr extension is administered by AFNIC (Association française pour le nommage Internet en coopération), which sets specific rules relating to eligibility, dispute resolution mechanisms, and the protection of prior rights.

Accordingly, a ccTLD is not merely a technical extension. It is the expression of national digital sovereignty, governed by specific rules that are often firmly rooted in local law.

What are the conditions for registering a ccTLD?

Each ccTLD is subject to its own registration rules, which are often stricter than those applicable to generic top-level domains (gTLDs) such as .com, .net, or .org. Certain extensions require a local presence, a national registration, or the appointment of a legal representative within the relevant territory.

By way of example, the registration of a .fr domain name is limited to holders established within the European Union, as well as in Iceland, Liechtenstein, Norway, or Switzerland.

Registration conditions vary depending on the policy adopted by the relevant registry. For more information about the eligibility rules for the .fr extension, please refer to our previously published article.

Similarly, the Canadian ccTLD .ca is strictly reserved for companies and individuals having their registered office or residence in Canada.

As a result, ccTLDs are not subject to a uniform regime.

What are the advantages of ccTLDs for businesses?

A lever of credibility and local trust

A ccTLD sends a strong signal of geographical proximity to users. It enhances trust, improves the clarity of the offer, and reinforces commercial credibility, particularly in markets where local presence is decisive. For many consumers, a national extension is naturally associated with a company established locally and subject to the applicable national law.

A strategic advantage for search engine optimisation

From an SEO perspective, a ccTLD clearly indicates the geographical target to search engines. It improves rankings for local searches and enables the implementation of a more precise international SEO strategy than reliance on a generic domain name alone.

A tool for protecting trademarks and digital assets

ccTLDs play a key role in the fight against cybersquatting, phishing, and other fraudulent uses. The defensive registration of strategic country-code extensions helps reduce the risk of trademark infringement, traffic diversion, and online impersonation, while facilitating recovery actions based on local law.

Conclusion

The ccTLD (Country Code Top-Level Domain) has become a structuring tool at the heart of corporate digital strategies. Far beyond a simple geographical extension, it serves as a vector of credibility, a lever for local visibility, and an essential legal instrument for protecting trademarks and online intangible assets.

The firm Dreyfus & Associés works in partnership with a global network of intellectual property lawyers.

Nathalie Dreyfus with the support of the entire Dreyfus firm team

Q&A

Does registering a domain name under a ccTLD automatically protect a trademark?
No, but it is an effective tool for preventing and combating online infringements.

Are all ccTLD extensions subject to the same registration requirements?
No. There is no uniform regime applicable to ccTLDs. Registration requirements vary depending on the policy of the relevant registry. Some extensions are open without specific conditions, while others require a local presence, national incorporation, or the appointment of a local representative.

Can a ccTLD be used as an indicator of territorial targeting in a dispute?
Yes. Courts and IP offices frequently take the national extension into account when assessing the intended audience, particularly in cases involving trademark infringement or unfair competition.

Can a ccTLD domain name be deleted if the eligibility requirements are no longer met?
Yes. Many registries provide for the suspension or deletion of a domain name if the holder no longer satisfies the required criteria, in particular where local presence is lost.

Are dispute resolution procedures identical for all ccTLDs?
No. Each ccTLD applies its own mechanisms, which may be based on the UDRP, local alternative dispute resolution procedures, or national courts.

Introduction

In December 2009, the new Montenegrin regulation applicable to .me domain names entered into force, entitled Regulation on Procedures for the Registration and Use of Domain Names under the National .ME Domain. This regulation paved the way for the introduction of an arbitration mechanism in addition to theUDRP (Uniform Domain-Name Dispute Resolution Policy), which had until then been the preferred means of resolving disputes relating to this extension.

This arbitration mechanism represents a structural development in the domain name dispute resolution framework, as it now makes it possible to address more complex situations that go beyond the strict scope of cybersquatting, and to integrate contractual, commercial, or strategic issues closely linked to contemporary domain name use.

The legal and institutional framework of the .me domain

From its launch in 2007, the .me extension enjoyed immediate and unparalleled success. Although formally attached to Montenegro, it quickly established itself as an extension with a clear international vocation, with more than 320,000 domain names registered within just a few months, an unprecedented pace for a ccTLD and a clear indication of its attractiveness to economic players and trademark owners worldwide.

The .me is a ccTLD operated in accordance with international standards, while remaining subject to Montenegrin law. This hybrid nature explains the early integration of the UDRP and the gradual opening to complementary national mechanisms.

The UDRP procedure as applied to .me domain names

The UDRP and arbitration are not mutually exclusive. They serve distinct yet complementary purposes, offering rights holders a broader strategic range. While the UDRP is often described as a form of arbitration, it is in fact a specific extrajudicial administrative procedure.

The UDRP is characterized by a deliberately narrow scope, limited to situations of manifest abuse, based on strictly defined criteria, and leading exclusively to technical remedies, namely the transfer or cancellation of the disputed domain name. It does not produce res judicata effects, as state courts remain competent in all circumstances. The procedure remains particularly well suited to cases of clear bad faith, but it shows its limits when confronted with complex contractual or commercial disputes.

For further information on the UDRP framework, readers are invited to consult our previously published guide.

The arbitration procedure applicable to .me domain names

The Montenegrin regulation governing .me domain names provides for the implementation of an autonomous arbitration mechanism, distinct from the UDRP procedure. The coexistence of these two dispute resolution avenues requires prior strategic reflection, based on the nature of the dispute, the economic interests at stake, and the legal effect sought.

Fully falling within the scope of arbitration law, this mechanism is based on the existence of an arbitration agreement, whether express or implied. It is distinguished by its ability to address complex disputes involving contractual, commercial, or competitive elements, whereas the UDRP remains confined to cases of abusive registration and use of domain names, in particular cybersquatting. The procedure allows for in-depth examination, extensive administration of evidence, and results in an arbitral award capable of recognition and enforcement at the international level, notably under the New York Convention.

For trademark owners, arbitration therefore constitutes a complementary tool with significant strategic value. It offers a more flexible and structured dispute resolution framework when the domain name forms part of an existing business relationship, while ensuring a comprehensive assessment of the dispute and a decision with enhanced legal force.

Conclusion

The introduction of arbitration for .me domain names, alongside the UDRP procedure in Montenegro, significantly strengthens the enforcement tools available to rights holders. It allows the legal response to be tailored to the increasing complexity of domain name uses.

Dreyfus & Associés law firm assists its clients in designing bespoke strategies that integrate all available mechanisms for resolving digital disputes.

Dreyfus & Associés works in partnership with a global network of specialized intellectual property lawyers.

Nathalie Dreyfus, with the support of the entire Dreyfus team.

Q&A

1. Does arbitration allow remedies other than the transfer or cancellation of the domain name ?

Yes. Unlike the UDRP, arbitration may, depending on the applicable framework, address broader claims, such as contractual obligations, corrective measures, or future commitments between the parties.

2. Is arbitration riskier for a trademark owner than the UDRP procedure ?

Arbitration is not riskier, but it is more demanding. It requires thorough legal preparation, strong factual arguments, and a clear strategic vision, whereas the UDRP is based on strict and limited criteria.

3. Can one freely choose between the UDRP procedure and arbitration for a .me dispute ?

Yes, in most cases. The choice depends on the nature of the dispute, the objectives pursued, and the respondent’s profile. Prior analysis is essential to avoid an inappropriate or ineffective procedure.

4. Is arbitration confidential, unlike the UDRP procedure ?

Yes. Confidentiality is one of the major advantages of arbitration, particularly valued by companies seeking to avoid public exposure of sensitive or strategic disputes.

5. Is arbitration suitable for disputes involving international groups ?

Absolutely. Arbitration offers procedural, linguistic, and legal flexibility, making it particularly well suited to international groups operating across multiple markets and facing cross-border issues.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice. 

Introduction

The receipt of fraudulent invoices has become one of the most recurrent and costly risks for intellectual property rights holders. The scheme is now well known : fraudsters exploit public data from official registers, reproduce visual codes and institutional language, and then request payments for services that are either non-existent or devoid of any legal value. Beyond the financial loss, these practices undermine trust in the intellectual property ecosystem and compel companies to adopt genuine risk governance mechanisms.

When invoicing becomes a tool for fraud : heightened vigilance for intellectual property rights holders

A fraudulent invoice is a payment request designed to resemble an official communication, referring to a trademark filing, a publication, an opposition period, or a renewal. It frequently proposes registration in so-called “private registers” presented as mandatory, even though they have no official status whatsoever.

The fraud relies on ambiguity between official fees and optional services lacking any legal relevance, while insinuating that failure to pay could jeopardize rights. Intellectual property offices, including the EUIPO, publish warnings and examples of misleading communications on their websites, identifying companies involved in such scams.

By way of example, in 2023 a series of fraudulent emails was reported. These messages originated from email accounts using domain names closely resembling those of the EUIPO. Such phishing emails falsely claimed to come from the Office’s Deputy Executive Director and requested payment of an alleged registration fee to a foreign bank account that in no way belonged to the Office.

This constitutes identity theft fraud, evidenced in particular by a fake registration certificate imitating the name, acronym, and logo of the Office.

The vulnerability of rights holders

The exposure of rights holders begins as soon as an application is published and continues through to renewal. Publication acts as a trigger, as it makes visible the applicant’s identity, the filing date, and the procedural status. A second critical phase arises during opposition periods, when internal organizations may hesitate as to the appropriate steps to take in response to earlier rights holders. Finally, the approach of renewal deadlines offers fertile ground for fraudsters, especially when teams receive purported “final reminders” even before the office has issued any official communication. The risk is heightened when intellectual property management is spread across several subsidiaries or brands, and when payment processes prioritize speed over verification.

Identifying warning signs

The most reliable method is to verify structural elements rather than debating the tone or style of the message. Authenticity depends on the identity of the sender, the payment channel, and the beneficiary bank account. Where an office provides a secure online portal, legitimate payments and notifications should be checked primarily through that channel, not through unsolicited emails.

Fraudsters typically use domain names very close to official ones, with minor typographical variations, and attach documents imitating certificates or decisions. Within companies, the decisive reflex is procedural : no payment relating to intellectual property should be approved without verification of the file in the official portal or internal records, and without formal confirmation of the beneficiary’s legitimacy.

The accelerating effect of artificial intelligence (AI)

Generative AI increases both credibility and scalability. It facilitates multilingual drafting of messages with a convincing legal tone, removes obvious errors, and enables mass personalization based on public data. It also allows optimization of timing : by observing corporate processing habits, fraudsters can target periods when the likelihood of payment is highest. Observations by European authorities and anti-fraud cooperation bodies describe a structured phenomenon, fueled by significant gains reinvested in tools, front entities, and international logistics. The practical consequence is clear : awareness alone is no longer sufficient, and security increasingly depends on robust internal controls.

Best practices in combating fraud

When faced with a suspicious request, the appropriate response is not simply to delete the fraudulent email. Internally, legal teams and the person responsible for intellectual property must be informed to verify whether an official fee is genuinely due, and accounting departments should be alerted to block payment execution.

If a payment has already been made, the bank should be contacted immediately to explore cancellation or recovery options, as speed is often decisive. Externally, reporting is not incidental: it feeds investigations, enables offices to issue alerts, and contributes to dismantling fraudulent campaigns. From an evidentiary standpoint, it is essential to preserve the message in its original form in order to retain headers and technical data, as simple forwarding may erase useful information.

Conclusion

Fraudulent invoices exploit the transparency of official registers, which calls for a structured response : validation procedures, secure channels, training, and an internal culture in which urgency never overrides verification.

Dreyfus & Associés law firm assists its clients in implementing preventive measures, managing incidents, liaising with offices and authorities, and analyzing phishing and identity theft components when they overlap.

Dreyfus & Associés works in partnership with a global network of lawyers specialised in intellectual property.

Nathalie Dreyfus, with the support of the entire Dreyfus firm team.

Q&A

1. What types of fraudulent invoices most commonly circulate in the field of intellectual property ?
The most common involve registrations in private registers with no legal value, fake renewal or opposition notices, and purportedly mandatory service offers. Some directly imitate communications from offices or advisors to create confusion as to the official nature of the request.
2. At which key stages in the life of an intellectual property right is the risk of fraud highest ?
The risk is particularly high at the time of publication, during opposition periods, and as renewal deadlines approach. These stages make information public and create time pressure conducive to unchecked payments.
3. How can a legitimate request be distinguished from an attempted fraud ?
Any payment request must be verified through the offices’ official secure channels; unsolicited, urgent emails or those featuring unusual bank accounts should raise immediate concern.
4. How can an effective internal validation process for intellectual property payments be organized ?
All payments should be validated by the legal function or the person responsible for the portfolio, based on official portals or pre-verified banking references. No payment should be made solely on the basis of an unsolicited or purportedly urgent email.
5. Should an attempted fraud be reported even if no payment has been made ?
Yes. Reporting helps fuel investigations, warn other users, and strengthen the effectiveness of collective anti-fraud mechanisms.

This publication is intended to provide general guidance and to highlight certain issues. It is not intended to apply to specific circumstances or to constitute legal advice.

Introduction

Artificial intelligence (AI) is rapidly spreading within companies. Task automation, decision-support tools, content generation and the optimisation of internal processes are becoming increasingly common, often driven by employees themselves in a context where AI tools are widely accessible.

This rapid adoption may create the illusion of freedom of use. In reality, the use of AI in the workplace is subject to a dense and now clearly structured legal framework, resulting from the combined application of labour law, the General Data Protection Regulation (GDPR), collective bargaining agreements (CBAs) and, more recently, the European regulation on artificial intelligence (the AI Act).

AI is therefore neither a neutral tool nor a purely technical instrument. It cannot be freely used in the workplace whenever it affects work organisation, employees’ rights or the processing of data.

The general legal framework governing the use of AI in companies: a multi-level approach

The use of AI in the workplace is governed by an intricate set of national and European rules, which fully apply whenever an algorithmic tool influences work organisation, decision-making processes or the processing of personal data.

The AI Act: a new pillar, but not a standalone one

Regulation (EU) 2024/1689 on artificial intelligence (the AI Act), adopted in June 2024, is the first European legal framework specifically dedicated to AI. It introduces a risk-based approach to AI systems.

In particular, AI systems are classified as high-risk when they are used for:

• recruitment and candidate selection,
• employee evaluation or scoring,
• performance management,
• monitoring or control of professional behaviour.

The Regulation already imposes, for certain provisions, key obligations on employers, including:

• the prohibition of certain AI practices considered incompatible with fundamental rights;
• the obligation to ensure appropriate training for persons using AI systems in a professional context.

However, practical experience shows that the AI Act cannot be considered in isolation. It forms part of a pre-existing legal framework that continues to produce its full effects.

The GDPR: the central legal foundation of AI in the workplace

In almost all cases, AI used in companies involves the processing of personal data. The GDPR therefore constitutes the unavoidable legal entry point.

As a general rule, the employer remains the data controller, even where the AI tool is provided by a third-party service provider. In this capacity, the employer must in particular:

• define a specific, explicit and legitimate purpose;
• identify a valid legal basis;
• comply with the principles of data minimisation, proportionality and security;
• provide clear and transparent information to employees.

The French Data Protection Authority (CNIL) regularly recalls that algorithmic systems cannot escape the fundamental requirements for the protection of individuals’ rights.

The GDPR also strictly regulates decisions based solely on automated processing that produce legal or similarly significant effects. In practice, human intervention remains mandatory, particularly in recruitment, evaluation or disciplinary processes.

Labour law and collective bargaining agreements: a decisive social framework

Beyond European regulations, labour law and collective bargaining agreements (CBAs) play a central role in governing the use of AI in companies.

From a legal perspective, AI is treated as a new workplace technology. As such, its introduction triggers, in many sectors, specific obligations to inform and consult employee representative bodies.

Collective bargaining agreements frequently regulate:

• the introduction of new technologies affecting work organisation or working conditions;
• employee monitoring, surveillance or evaluation systems;
• measures likely to have an impact on employment, skills or management methods.

As a result, an AI project may comply with the GDPR and the AI Act while still being legally weakened if it fails to comply with applicable collective bargaining obligations. This level of regulation remains too often underestimated by companies.

What obligations do employers face when using AI in the workplace?

Employers may use AI to organise work, improve performance or secure internal processes, provided that they respect a fundamental principle: decision-making responsibility remains human.

AI may assist, inform or automate certain tasks, but it can never replace the employer’s responsibility, whether towards employees or supervisory authorities.

The growing use of generative AI tools also raises a specific risk: the unintentional disclosure of personal or confidential data through prompts. Such data may be processed outside the European Union or reused for model training purposes.

Employers must therefore:

• strictly regulate authorised uses;
• train employees on legal and compliance risks;
• select service providers offering strong guarantees in terms of confidentiality and security.

AI deployer or AI provider: a particularly fragile legal boundary

One of the key structural contributions of the AI Act lies in the distinction between AI deployers and AI providers.

At first glance, the distinction appears straightforward:

• the provider designs or places an AI system on the market;
• the deployer uses that system in the course of its professional activity.

In practice, the AI Act adopts a functional approach. An employer may be classified as a provider when it goes beyond a passive use of the tool, in particular when it:

• trains or retrains a model using its own internal data;
• modifies operating parameters;
• integrates the AI system into an internal decision-making process;
• combines several tools to create a proprietary algorithmic solution.

These situations are common in HR, compliance or performance-management projects and result in enhanced obligations in terms of governance, documentation and risk management.

What measures should companies take to properly govern the use of AI?

To secure the use of AI in the workplace, companies must implement clear legal and organisational governance, including in particular:

• an internal AI use policy or charter;
• precise rules governing data and prompt management;
• training programmes addressing legal and compliance risks;
• robust contractual oversight of AI service providers.

Such an approach significantly reduces litigation risks, strengthens regulatory compliance and fosters trust with employees.

Conclusion

Artificial intelligence is a powerful tool, but it cannot be used freely or without control in the workplace. Its use directly engages the employer’s liability and requires legal mastery that is as rigorous as technical expertise.

A clear strategy, combined with appropriate internal rules, is essential to reconcile innovation, performance and legal certainty. Governing AI in the workplace requires a comprehensive approach, integrating the GDPR, labour law, collective bargaining agreements, intellectual property law and the European regulation on artificial intelligence.

Dreyfus & Associés works in partnership with a global network of lawyers specialised in Intellectual Property.
Nathalie Dreyfus with the support of the entire Dreyfus firm team

FAQ

1. Is the employer responsible for decisions made by an AI system?
Yes. The employer remains fully responsible for decisions taken within the company, even where such decisions are assisted or prepared by an AI system. AI may serve as a decision-support tool, but it can never replace human responsibility, in particular in matters relating to recruitment, employee evaluation or disciplinary measures.

2. Does the AI Act replace the GDPR and labour law?
No. The AI Act does not replace either the GDPR or labour law. It supplements an existing legal framework. A single AI tool may be subject simultaneously to the AI Act, the GDPR, labour law rules and collective bargaining agreements, which requires a combined reading and a comprehensive compliance approach.

3. Can an employee refuse to use an AI tool imposed by the employer?
In principle, employees are required to comply with the employer’s instructions issued under its managerial authority. However, a refusal may be legitimate if the AI tool has not been properly disclosed to employees, if it infringes their fundamental rights, or if it has not been subject to the mandatory consultation of employee representatives. A lack of training or use contrary to data protection rules may also undermine the legitimacy of the tool.

4. What happens if an employee uses an unauthorised AI tool in the course of their work?
The use of an unauthorised AI tool may constitute a breach of professional obligations, particularly with regard to confidentiality and data security. However, any disciplinary measure requires that the applicable rules have been clearly defined, communicated to employees and remain proportionate. In the absence of an internal policy or AI charter, the employer’s disciplinary leeway is reduced.

5. Can an employee claim intellectual property rights over content generated with the assistance of AI?
Yes, but only in very limited circumstances. An employee may claim intellectual property rights over AI-assisted content only where their human contribution is creative, decisive and identifiable. In the absence of a personal intellectual contribution (creative choices, structuring, or substantial modification of the content), the output generated by AI is not protected by copyright. Furthermore, where the content is created in the course of the employee’s duties, the exploitation rights generally belong to the employer or are contractually governed.

This publication is intended to provide general guidance to the public and to highlight certain issues. It is not intended to apply to specific situations nor to constitute legal advice.

Introduction

This issue is central for companies facing alleged infringements of their trademarks, patents, designs and models, or copyrights. In a context of intensified competition and rapid circulation of information, the temptation to act quickly, sometimes too quickly, is strong. Recent case law, however, firmly reiterates that the enforcement of intellectual property rights is subject to strict limits, particularly when exercised outside judicial proceedings and when it involves third parties.

Enforcing intellectual property rights without a court decision: an accepted but regulated principle

Extrajudicial action as a legitimate tool for rights protection

French law does not systematically require a prior court decision to enforce intellectual property rights.
In practice, numerous mechanisms allow for a swift response to an alleged infringement, including the sending of a cease-and-desist letter, notice-and-takedown requests addressed to online platforms, removal procedures involving technical intermediaries, or customs actions.

These measures pursue a clear economic objective: to promptly bring an allegedly unlawful practice to an end, limit damage to the value of the right, and preserve the right holder’s competitive position.

Freedom of action subject to loyalty and caution

This freedom, however, is neither absolute nor discretionary.

Case law requires that any extrajudicial action be based on a solid factual foundation, conducted with restraint, and comply with the principle of fair dealing in commercial relations. Failing this, the enforcement of rights may amount to a civil fault engaging the author’s liability.

Legal limits to the extrajudicial enforcement of intellectual property rights

The principle: prohibition of discrediting a competitor

On the basis of Article 1240 of the French Civil Code, disparagement is established whenever a company disseminates information to third parties that is likely to discredit a competitor’s products, services, or activities.

Case law is consistent: the tone used or the absence of malicious intent is irrelevant where the information disseminated has not been judicially established.

The boundary between legitimate information and abusive action

Directly informing the alleged infringer of the existence of prior rights and requesting the cessation of the disputed acts is generally accepted.

By contrast, alerting third parties—such as distributors, customers, or commercial partners—to an alleged infringement places the action in a zone of significant legal risk.

Allegations of infringement and abusive actions: key lessons from recent case law

Clear confirmation by the Court of Cassation

In a decision dated October 15, 2025 (No. 24-11.150), the Court of Cassation firmly reiterated that notifying third parties of an alleged infringement, in the absence of a court decision, constitutes an act of disparagement.

In this case, a company holding copyright in wooden wind chimes had been authorised to carry out a copyright seizure (“saisie-contrefaçon”) against a competing company and its subcontractor. Following this seizure, it sent cease-and-desist letters to several distributors of the targeted competitors, requesting that they cease marketing the allegedly infringing products.

The competing companies, considering that they had been unfairly implicated while no infringement had yet been legally established, brought an action for disparagement against the copyright holder.

At first instance, the lower courts considered that the wording of the letters sent to the resellers was measured and did not, as such, constitute disparagement. However, the Court of Cassation overturned the appellate decision, holding that “in the absence of a court decision recognising the existence of copyright infringement, the mere fact of informing third parties of a possible infringement of such rights constitutes disparagement of the products alleged to be infringing.”

Principles derived from case law

The Court thus reaffirmed three key principles governing any extrajudicial intellectual property enforcement strategy:

• The defence of rights does not justify everything: invoking an intellectual property right does not confer any entitlement to publicly disseminate unproven accusations.
• Pre-litigation communications must remain targeted: they must be strictly limited to the person suspected of infringement and must not extend to economic third parties.
• Good faith is irrelevant: even if measured, cautious and devoid of animosity, the dissemination of an unadjudicated allegation of infringement constitutes a civil fault.

Best practices for protecting rights without incurring liability

Structuring a legally secure extrajudicial action

An effective strategy is based on a graduated sequence of actions that complies with judicial requirements:

• Objectively assess the risk: evaluate the strength of the asserted rights and the reality of the alleged infringement.
• Limit exchanges to the alleged infringer: any cease-and-desist letter must be addressed exclusively to the presumed author of the acts.
• Adopt factual and proportionate wording: avoid definitive characterisations of “infringement” until recognised by a court.
• Preserve evidence: bailiff reports, seizures, and technical or comparative analyses should precede any communication.

When turning to the courts becomes essential

Where the economic risk is high or the infringement spreads through a distribution network, promptly seising a court often becomes the only secure course of action.

A judicial decision offers a dual benefit: it legitimises subsequent communications and protects the right holder against any allegation of disparagement.

Conclusion

Can intellectual property rights be enforced without a court decision? Yes, but only subject to strict limits. Case law reiterates that the defence of rights cannot justify communications liable to harm a competitor’s reputation in the absence of prior judicial recognition.

In this context, a controlled, legally framed and proportionate strategy remains essential. Anticipation and support from specialists help secure rights enforcement while preserving fair competition.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

1. Is legal risk limited to litigation exposure?
No. It also includes reputational, commercial and sometimes structural risks for the company.

2. Is extrajudicial action always less risky than court proceedings?
No. If poorly handled, it may expose its author to civil liability that can be more costly than initially contemplated litigation.

3. Does good faith protect against an action for disparagement?
No. Case law considers good faith to be irrelevant.

4. Is a seizure for infringement sufficient to communicate with third parties?
No. It is an evidentiary tool, not a judicial recognition of infringement.

5. Can freedom of expression be relied upon?
It is limited by the principles of loyalty and protection against disparagement.

This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice.