Enhanced consumer protection on the internet
Consumer protection on the Internet has been improved following the entry into force of Ordinance n°2011-1012 of August 24, 2011 on electronic communications adopted further to the Law n°2011-302 of March 22, 2011 transposing two EC Directives on electronic communications.
The main effect of the Ordinance is to strengthen the protection of consumers who use electronic communication services by reinforcing their right to information and privacy.
Improved consumers’ information
When entering into a contract with a user, providers of electronic communication services, including in particular Internet service providers, must provide specific information, the list of which has been considerably extended by Ordinance of August 24, 2011 (the “Ordinance”).
The information to be mandatorily provided includes, but is not limited, to:
- Termination fees as well as numbers and other identifiers portability fees, the proposed methods of payment and associated terms and conditions; ?
- The possibility to turn to an mediator as a means of amicable dispute resolution (any and all providers of electronic communication services must now appoint an impartial and competent mediator to whom its clients can turn to if a dispute arises in connection with the terms of their contract or performance thereof);
- The procedures put in place by the service provider to measure and shape traffic so as to avoid filling or overfilling a network link, and information on how those procedures could impact service quality;
- the after-sale support services available, as well as the means of contacting these services; ?
- any restrictions imposed on the access to and use of the services, as well as any restrictions on terminal equipment supplied; ?
- the subscriber’s options as to whether or not to include his/her personal data in a directory as well as the concerned data; ?
- Any minimum use or duration required to benefit from promotional terms; ?
- the type of actions that may be taken by the service provider in reaction to security or integrity incidents or threats and vulnerabilities.
The Ordinance also specifies that this information must be communicated by the service provider “in a clear, comprehensive and easily accessible form”, kept up-to-date and made available to consumers in its points of sale and by telephone or electronic means in real time and at a reasonable cost.
In addition, the service provider must be able to provide, at consumer’s request, information on:
- products and services aimed at disabled consumers;
- the legal consequences associated with the use of electronic communication services to engage into unlawful activities or to disseminate harmful content, in particular when it may prejudice respect for the rights and freedoms of others, including infringements of copyrights and related rights;
- the means of protection against risks to personal security, privacy and personal data when using electronic communication services.
Lastly, Article L121-84 of the French Consumer Code stipulates that any contemplated change to the contractual terms and conditions governing the supply of electronic communication services must henceforth be transmitted to the consumer “in writing, or on any other durable media available to him/her”.
If the service providers do not fulfill these information obligations, the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (French Directorate General for Competition, Consumer Affairs, and Repression of Fraud) has the power to require the service providers to comply therewith or to annul any unlawful clauses.
Better informed, consumers should now be better positioned to compare the quality of the services offered by the various competing providers of electronic communication services.
Regulation of electronic advertising and prospecting/marketing
The Ordinance also imposes that any advertising communications sent by emails must mention an address or electronic means that effectively enable the addressee to send a request that such communications cease (Article L.121-15-1 of the French Consumer Code).
In addition, the ban on direct prospecting/marketing is henceforth extended and now applies to all automated calling or communication systems in respect of individuals, subscribers or users who have not given their prior consent to receive direct prospecting/marketing messages through such systems (Article L.34-5 of the French Posts and Electronic Communications Code). The lawmakers thus targeted any new technological forms of direct prospecting/marketing automated systems.
These new provisions are welcome but one can doubt of their actual efficiency insofar as only complaints lodged by consumers before competent authorities are likely to ensure the effective enforcement thereof.
Enhanced protection of privacy and personal data
Regulation on “cookies”
The Ordinance strengthens the regulation applicable to “cookies” by modifying Article 32 of the Law of January 6, 1978 on Data Processing, Data Files and Individual Liberties.
Cookies notably allow to track surfers’ browsing habits and to exploit such information in order to subsequently provide surfers with web pages that better match their expectations.
The installation of “cookies” is henceforth only authorized if the subscriber or user, after having been duly informed, has given his/her consent to such installation.
Yet, the user’s consent is not required when:
- the sole purpose of the cookies is to permit or facilitate communication by electronic means;
- the cookies are strictly necessary to provide an online communication service expressly requested by the user.
Protection of personal data
The Ordinance strengthens the obligations imposed on providers of electronic communication services that process personal data and stipulates that the service provider must inform the Commission nationale de l’informatique et des libertés (French Data Protection Authority or “CNIL”) of any personal data breach (alteration, destruction, loss, disclosure or non-authorized access) without delay. Failing to inform the CNIL is punishable by up to five years of imprisonment and a 300,000 Euros fine (Article 226-17-1 of the French Criminal Code).
In addition, the Ordinance specifies that if the breach is likely to impact subscribers’ personal data or privacy, the service provider also must inform the potentially affected individuals without delay.
The relevance of this last provision can be questioned insofar as any personal data breach is, by nature, likely to impact the concerned person’s personal data or privacy…
It can be assumed that the breach shall not be considered as prejudicial if the service provider has immediately taken measures to obliterate the effects of the breach. This seems to be confirmed by the following provisions of the Ordinance according to which the service provider is not required to inform affected individuals if the CNIL determines that appropriate protective measures have been implemented to render the data in question inaccessible or indecipherable by unauthorized individuals.
We can, however, regret the fact that the assessment of whether appropriate measures have been taken is necessarily subjective.
Lastly, the Ordinance stipulates that providers of electronic communication services are henceforth required to maintain – and to make available to the CNIL – a log of all data security breaches they have experienced, including a description of each breach, its impact, and the measures implemented to remediate the situation.