Subscribe to regular updates:
A close-up of France's regulatory approach to data governance, content moderation, competition and more.
This is the eighth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Maria Buza
16 May 2023
France, the European Union's second-largest economy, boasts over 40 million e-consumers. Online purchases comprised EUR 103.4 billion in 2019, an 11.6% year-on-year increase. Still, France is considered one of the OECD countries whose business productivity can gain the most from the adoption of digital technologies. Hence, the digital transition is at the core of France's EUR 100 billion recovery plan and EUR 54 billion investment plan until 2030.
But what do France's domestic digital policies stand for? The eighth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and France-specific points of emphasis.
In data governance, France has introduced cybersecurity audit requirements, scrutinized data transfers to the United States and enforced rules on cookies and consent requirements.
In content moderation, new policies cover hate speech, parental control and minor protection and two new authorities are charged with enforcement.
In competition policy, France is implementing the Digital Markets Act, inquiring into the cloud sector and investigating large technology companies.
France's points of emphasis include cloud computing, the taxation of the digital economy and cryptocurrencies.
Written by Tommaso Giardini and Maria Buza. Edited by Johannes Fritz.
Discover the details of France's approach below and stay informed on our dedicated page: https://digitalpolicyalert.org/countries/france
Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription
Data protection policy developments
As a member of the European Union, the General Data Protection Regulation (GDPR) applies in France. The French National Commission on Informatics and Liberty (CNIL) rigorously enforces the GDPR (see below) and has published compliance guidance for providers of mobile applications, application programming interfaces and digital payments, among others. CNIL further focused on cookies, publishing guidelines on cookie walls and revising its guidelines on consent requirements for online cookies. In January 2023, CNIL announced a unit on artificial intelligence to study the functioning of AI algorithms and identify privacy risks.
Besides data protection, the amended French Code of Consumers will introduce a cybersecurity audit requirement in October 2023. Operators of "online platforms” must be audited by licensed auditors and present the results to consumers in a “comprehensible format”.
Data transfer/localisation developments
CNIL leads efforts to implement the invalidation of the EU-US Privacy Shield. The agency promptly issued a methodology for data controllers to define an action plan and conduct risk assessments on data transfers outside the EU. In 2022, CNIL ordered French websites to stop using Google Analytics due to the lack of sufficient additional safeguards that would prevent US intelligence services from accessing transferred data. Subsequently, CNIL published guidelines on preventing data transfers through Google Analytics, noting that contractual clauses and IP address processing criteria alteration are insufficient to justify data transfers to the US.
In May 2023, CNIL ordered facial recognition company Clearview AI to pay EUR 5.2 million for not complying with a previous order to cease processing data of users in France and respond to data subject requests. In October 2022, CNIL fined Clearview EUR 20 million for collecting data without an appropriate legal basis and failing to respond to data access and erasure requests.
In December 2022, CNIL fined Apple EUR 8 million for saving advertising identifiers in its App Store without user consent and complicating the deactivation of targeting. On the same day, CNIL fined gaming developer VOODOO EUR 3 million for monitoring users without consent.
Content moderation developments
In March 2023, the National Assembly passed a bill regulating online social networking services. Platforms of all sizes that enable users to connect, communicate, and share content must only allow users over 15 to use their services or obtain explicit parental consent to register younger users. Since September 2022, manufacturers of devices enabling access to content which may be harmful to minors, as well as operating system providers, must enable parental control and cannot commercially use the personal data of minors collected in device activation.
In 2022, the government and several digital platforms signed a Charter and launched a Laboratory on online minor protection. In April 2021, the government implemented a law limiting the commercial exploitation of online images of children under 16. Video-sharing platforms can only distribute such images with approval from the legal representative and must enable users to report images that undermine children's dignity or moral or physical integrity. Since 2021, platforms that display pornographic content must take measures to limit minors' access. Platforms must implement technical measures beyond requiring a self-declaration by users on being over 18. In case of non-compliance, authorities can issue notices and then restrict access.
Since 2022, online platforms with over 10 million users must document and inform authorities of content removal decisions. Platforms must further designate “human and technological resources” to detect and process complaints on illegal content, including a human contact point. Since 2020, the hate speech law requires websites to simplify their content flagging process. Originally, the law required user-content, communication and search platforms to remove “manifestly illegal” content within 24 hours of notification by users. For terrorist content and child sexual abuse material flagged by authorities, all websites were subjected to a one-hour takedown deadline. The constitutional court, however, ruled the takedown requirements and the corresponding fines (up to 4% of global turnover) to be unconstitutional due to concerns regarding free speech and proportionality.
Since 2021, France has established two new agencies. ARCOM, the Audiovisual and Digital Communication Regulatory Authority, was created by merging previous agencies to centralise the fight against online piracy, disinformation and hatred, and to concentrate minor protection efforts. ARCOM has investigative powers, can publicly blacklist infringing sites and can block mirror sites. Viginum, the Vigilance and Protection against Foreign Digital Interference Service, monitors foreign digital threats that interfere with national interests, including citizen information during elections.
In March 2022, ARCOM initiated court proceedings to block access to five pornography websites for failing to comply with the age verification requirement.
Competition policy developments
The French government, as evidenced in the Roadmap for 2023-2024 of the competition authority (Autorité de la concurrence), is focused on the implementation of the European Union's Digital Markets Act (DMA) rather than additional domestic policies. The DMA imposes rules for “gatekeepers” and requires competition authorities to inform the European Commission of all their acquisitions, without thresholds. The French competition authority plans to closely monitor digital platforms' obligations in online advertising and, more broadly, the role of data.
The competition authority's inquiries reveal France's upcoming points of focus. Since 2022, the competition authority is conducting an ex-officio inquiry into cloud computing. Particularly, the inquiry focuses on the public or hybrid cloud and on the Infrastucture-as-a-Service and Platform-as-a-Service business models.
With the stated goal of increasing competition between brick-and-mortar and online vendors, France will mandate a minimum fee on book deliveries from October 2023. Shipping charges on new books must include a fee of EUR 3 for all orders of a value below EUR 35.
One focus of the French competition authority is the online advertising market. In May 2023, it issued interim measures against Meta/Facebook following complaints of denying access to independent advertising verification services. Within two months, Meta must publish objective, transparent, non-discriminatory, and proportionate criteria for entering into "viewability" and "brand safety" partnerships. In June 2021, the competition authority fined Google EUR 220 million for abusing its dominant position in the online advertising market. Google discriminated against competitors in favour of its own services in algorithmic auctions for online advertising. In addition to the fine, Google's commitments to end the special treatment of its own services and improve interoperability with other advertisement providers become legally binding. In the same year, Google was ordered to pay EUR 1.27 million in damages to Oxone, a directory enquiry service provider, for abusing its dominant position in search advertising.
Besides online advertising, the French competition authority investigates Google and Apple for dominant app store positions. A joint probe alleges that the app store providers impose tariffs on French start-ups, collect their data and subject them to unilaterally modifiable contracts. The investigation is currently litigated in courts that do not provide public, official sources. In March 2022, Google was reportedly fined EUR 2 million for abusive trade practices against software developers on the Google Play store and required to update contractual clauses. In December 2022, Apple was reportedly fined EUR 1 million for maintaining a "significant imbalance" with developers, including unilateral changes to the Developer Program License Agreement. The court did not, however, take into account charges regarding the app store payment system exclusivity, due to both lack of evidence and upcoming rules to rebalance app store providers' relationship with developers in the DMA.
In an investigation into the retail sector, in October 2022, a court dropped one of the main charges related to Apple product price-fixing and reduced the competition authority's fines on Apple (from EUR 1.1 billion to EUR 371.6 million) and its two wholesalers in France, Ingram Micro (from EUR 62.9 million to EUR 19.5 million) and Tech Data (from EUR 76.1 million to EUR 24.9 million). The competition authority originally found anti-competitive behaviour in the distribution and retail network, since Apple required authorised resellers to align prices with those charged by Apple in its own store and website.
The competition authority is further investigating Apple's App Tracking Transparency feature for self-preferencing. The feature, motivated by protecting user privacy, requires apps and websites that are not owned by Apple to ask for iPhone holders' explicit consent to receive access to Apple's Identifier for Advertisers. In March 2021, the French competition authority rejected a request for interim measures but continued investigating the matter. Reportedly, the authority is currently preparing a formal “statement of objections”.
Further points of emphasis
In 2021, France announced a National Cloud Strategy to support "technological sovereignty" which includes support for local cloud computing projects, increased government digitalisation and a trust label. Two investment programmes pledge direct financial support to domestic projects with a strong value-added for the French technology sector. The government pursues a “ cloud at the centre” approach in digitising governmental projects. Digital administration services are to be hosted on cloud infrastructure provided either by the government or by private providers that meet strict security criteria. To host projects involving personal or corporate data, cloud services must be certified with the new ”trusted cloud” label. The label is awarded to services of high technical and legal security, based on the “SecNumCloud” certificate of the French cybersecurity agency (ANSSI). The strategy references two related initiatives to achieve technological sovereignty in Europe: GAIA-X, the European data infrastructure created by the French and German governments, and the “Next Generation Cloud Infrastructure and Services”.
In 2019, France adopted a 3% Digital Services Tax on revenue generated from either digital intermediation services that enable direct user interaction (marketplaces and networking services) or targeted digital advertising services. The DST applies to companies exceeding annual revenue thresholds of EUR 750 million (global) and EUR 25 million (local). The DST prompted an investigation by the United States Trade Representative into the DST’s potential discrimination, inconsistency with international taxation principles and burden on US commerce, leading to the announced but then deferred tariffs on French products. In 2021, the US reached a political agreement with France and other European countries in view of negotiations on the OECD/G20 Inclusive Framework. France agreed to withdraw the DST upon entry into force of Pillar 1 of the Inclusive Framework, while the US agreed to defer its tariffs.
Since 2022, France imposes value-added-tax (VAT) on the gig economy, namely ride-sharing and the delivery of goods (including food) by motorbike, scooter and bicycle. Digital platforms that facilitate such services must register and pay VAT of up to 0.5%. The tax rate is determined on a yearly basis by decree and is currently 0.46%.
In March 2023, the president signed a law harmonising French and EU policy, including stricter licensing rules for crypto firms. The law adapts the domestic requirements to obtain a license as digital asset provider from the financial regulator (autorité des marchés financiers) to the upcoming EU Regulation on Markets in Crypto Assets (MiCA). Providers must uphold requirements regarding anti-money laundering, fund segregation, cybersecurity and reporting, including risk and conflicts of interest. In 2022, France granted Binance a license to operate.