Information technology law

The DPO lawyer

The lawyer can perform the function of Data Protection Officer.
According to Article 37 of the Regulation, the appointment of a DPO is mandatory when a) the processing is carried out by a public authority or a public body, with the exception of courts acting in the exercise of their judicial function;
b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and / or purposes, require regular and systematic monitoring of individuals concerned; or
c) the core activities of the controller or processor consist of large-scale processing of special categories of criminal or sensitive data.
In addition, it is always possible to appoint a Data Protection Officer for prophylaxis.
The added value of a Data Protection Lawyer
The complexity and rapid evolution of the field of data protection and information technology law, require that "compliance" is always "up to date". In addition, a lawyer’s code of ethics guarantees secrecy and prohibits any conflict of interest.

Information technology law

In theory, Internet law does not exist. Indeed, by analogy with the fax, a new means of communication is not supposed to transform the legal relations. In practice, information technologies raise new questions that the legislation has not addressed. On the one hand, the possibilities of communicating create new legal relationships. This is illustrated by blockchains, which can serve as a means of proof or integrate "smart contracts". On the other hand, the web tests the limits of classic legal concepts. For example, the loan between individuals online is clearly distinguished from the loan contract as envisaged by the Civil Code. Finally, particularly complex questions may arise for web designers and web entrepreneurs in terms of competent court and applicable law.

Faq

For a professional site, the mandatory information is as follows: for an individual entrepreneur: name, first name, domicile;for a company: company name, legal form, address of the establishment or head office (and not a simple post office box), amount of share capital;e-mail address and telephone number;for a commercial activity: registration number in the trade and companies register (RCS);for a craft activity: registration number in the trades directory (RM);in the event of commercial activity: individual tax identification number intra-community VAT numberfor a regulated profession: reference to the applicable professional rules and the professional title;name and address of the authority which issued the authorization to practice when this is necessaryname of the director of the publication and contact details of the site host (name, denomination or company name, address and telephone number) for blogs and forums;for a merchant site, general conditions of sale (GTC): price (expressed in euros and including tax), costs and delivery date, method of payment, after-sales service, right of withdrawal, duration of the offer, cost of the remote communication technology;Cnil simplified declaration number, in the case of customer data collection (not compulsory, but recommended).Before placing or reading a cookie, the editors of sites or applications must:inform internet users of the purpose of cookies;obtain their consent;provide Internet users with a way to refuse them.The period of validity of this consent is 13 months maximum. However, some cookies are exempt from the collection of this consent.Failure to comply with one of these obligations can be penalized up to one year's imprisonment, a fine of € 75,000 for individuals and € 375,000 for legal persons.For a personal site, the mandatory information is as follows:name, first name, address and telephone number of the host.In this case, the creator of the site can:- or indicate the legal notices concerning him in addition to those of the host;- or keep his anonymity as soon as he has correctly transmitted the legal notices concerning him to the host.The host will be required to communicate this information, but only in the context of legal proceedings.

The 'normal' images are protected by copyright. They can only be used with the consent of the author.

Images under Creative Commons License: The CC0 license allows the rights holder to waive them as much as possible within the limits of applicable laws, in order to place his work as close as possible to the public domain4. For example, it is not possible in France to waive one's moral rights.

The moral right in question is defined in article L.121-1 of the intellectual property code. Which states: “The author enjoys the right to respect for his name, his quality and his work."

In practice there are sites such as pixabay.com, which provide images under the CCO license. The authors have waived their partrimonial rights, but not their moral rights. Thus, these images are usable, but strictly speaking are not free of rights.

In principle, “The use of the means of cryptology is free. " (L 2004-575 art.30 I)

With regard to the import of means of cryptology , it is necessary to distinguish.

If these means are intended only for authentication and integrity control, the import is free.

Otherwise, the import must be declared to the National Agency for the Security of Information Systems. If this is not done an offense is committed. It seems unlikely to be difficult to ensure that the editors of the Tructypt forks have taken care of the prior declaration to ANSSI. Therefore, downloading these tools constitutes an offense.

In addition, cryptology is also covered by the code of criminal procedure in article 230-1, which provides:

the public prosecutor, the court investigation, the judicial police officer, with the authorization of the public prosecutor or the examining magistrate, or the trial court hearing the case may designate any qualified natural or legal person, in order to carry out the technical operations making it possible to obtain access to this information, its unencrypted version as well as, in the case where a means of cryptology has been used, the secret decryption convention, if this appears necessary.

In short, the judicial authority can ask experts to crack the code (which supposes that this is possible).

More prosaically, the judicial authority can ask the holder of encrypted objects to hand over the key. This in application of article Article 434-15-2 of the penal code, which provides:

Is punished by three years of imprisonment and a 270,000 € fine the fact, for anyone having knowledge of the secret convention of decryption of a means of cryptology likely to have been used to prepare, facilitate or commit a crime or an offense, to refuse to deliver said convention to the judicial authorities or to implement it, on requisitions from these authorities issued in application of Titles II and III of Book I of the Code of Criminal Procedure. If the refusal is opposed while the postponement or the implementation of the convention would have made it possible to avoid the commission of a crime or an offense or to limit the effects thereof, the penalty is increased to five years of imprisonment and a € 450,000 fine.

With regard to intrusion into systems, article 323-1 of the Penal Code provides: The fact of accessing or remaining, fraudulently, in all or part of an automated data processing system is punished by two years' imprisonment and a fine of € 60,000. When this results in either the deletion or modification of data contained in the system, or an alteration in the functioning of this system, the penalty is three years' imprisonment and a fine of € 100,000. When the offenses provided for in the first two paragraphs have been committed against a system for the automatic processing of personal data implemented by the State, the penalty is increased to five years' imprisonment and € 150,000. of fine.

With regard to the import, possession, offer, transfer or making available allowing intrusion, article 323-3-1 of The Penal Code provides: The fact, without a legitimate reason, in particular for research or computer security, to import, hold, offer, transfer or make available an equipment, an instrument, a computer program or any data designed or specially adapted to commit one or more of the offenses provided for in articles 323-1 to 323-3 is punishable by the penalties provided respectively for the offense itself or for the most severely punished offense.

Clearly, unless you have a legitimate reason, being in possession of Kali Linux for example is a offense punished as if there had been an intrusion.

The person responsible for the file is bound by a security obligation: in particular, he must take the necessary measures to guarantee the security of the data he has collected and prevent their disclosure to unauthorized third parties.

Yes, in application of article 1358 of the Civil Code as has been confirmed (CA Paris, 4 Feb. 2016, RG no 14/04663; CA Montpellier, 19 Oct. 2016, RG no 14/08031)