FRED obtains an infringement ruling over the unlawful reproduction of some of its jewellery

On 18 June 2025, Fred Paris obtained (Paris Judicial Court [TJ Paris], 18 June 2025, RG No. 23/10855) a ruling against a jewellery designer who was marketing a range of jewellery reproducing the essential characteristics of the Force 10 GM bracelet and of its Community design. We are not aware of any appeal having been lodged.

 

The dispute is between a famous jeweller and a jewellery designer

The famous French jewellery and watchmaking house counts among its creations two jewellery ranges named “Force 10” and “Chance Infinie”. The house holds EU design No. 000772819-0001, filed in 2007, which represents the well-known buckle in the shape of a stylised shackle found on the creations of the Force 10 range.

The defendant is a jewellery designer who was selling, on her website and at local markets, pieces that, according to Fred Paris, reproduced the essential characteristics of its products.

After sending a formal notice, Fred Paris therefore sued the jewellery designer for copyright infringement, design infringement and unfair competition.

 

Acts of infringement and unfair competition were alleged

Fred Paris alleged that the designer had infringed its copyright by reproducing the essential characteristics that make up the originality of the products at issue. As regards the EU design, the company considered that the disputed jewellery took up the essential characteristics of the brand's products, so that it created the same overall visual impression, which amounted to acts of infringement.

The designer acknowledged the similarity between the pieces but argued that the range had become commonplace, since many similar pieces of jewellery were being sold by third parties. In her defence, she argued that the average buyer is not aware of the similarity between the disputed products and those of Fred Paris.

 

The court upheld all of the allegations

On copyright infringement

After acknowledging that Fred Paris, which has publicly marketed its range since at least 2008, holds the rights it claims, the judges establish the originality of the jewellery making up the range.

They find that the disputed jewellery reproduces, as the claimant alleged, the essential characteristics of its own.

According to the judges, the acts of infringement are therefore established, “regardless of the existence of other websites offering similar jewellery […], good faith being irrelevant”, particularly in a context where the designer had received a formal notice from Fred Paris.

 

On infringement of the Community design

Likewise, the court recognises that the essential characteristics of the design are reproduced in the designer's jewellery, which produces the same overall impression on the informed user.

On unfair competition and parasitism

The likelihood of confusion or association in the mind of the public, created by the range effect of the defendant's jewellery, is recognised. This applies in particular to the “Chance Infinie” range, which had not been registered as a design.

Parasitism results from the defendant's intention to follow in the wake of Fred Paris in order to benefit from its investments and from the reputation of its jewellery.

 

The compensation awarded remains modest

The jewellery designer is ordered to compensate the harm suffered by Fred Paris in respect of the infringement, assessed at 3,000 euros, and in respect of parasitism and unfair competition, at 1,000 euros. The modest level of these amounts results in particular from the fact that, according to the court, Fred Paris had not proved negative economic consequences; that the profits made were limited; and that it was not proved that the acts complained of had extended over time. The harm compensated is therefore limited to the investment savings made and to the moral harm resulting from the trivialisation of the claimant's jewellery.

The defendant is also ordered to pay 3,000 euros to Fred Paris under Article 700 of the Code of Civil Procedure.

This decision illustrates the dual protection of jewellery creations (and of all works of applied art) by copyright and by design law, as well as by the general law of civil liability between competitors.

It may prompt rights holders who are considering bringing proceedings to weigh the costs of the proceedings, the potentially very modest prospects of compensation, and any wish to make such rulings a matter of principle.

Legal 500: the IT-Data-Digital team pens the TMT chapter for September 2025

Emilie de Vaucresson, Amanda Dubarry, and Hanna-Marie Borten-Guary contribute to the TMT chapter of the 9th edition of the Legal 500 guide. The legal landscape surrounding technology, media, and telecommunications is constantly evolving, marked in particular by increasingly numerous and complex European regulations.

 

In this context, Emilie de Vaucresson, Amanda Dubarry, and Hanna-Marie Borten-Guary offer a comprehensive overview of the regulations applicable to key issues, including:

 

🔹 Intellectual Property: software protection and copyright
🔹 Digital Transactions: SaaS, licensing, and technology contracts
🔹 Telecommunications: sector-specific regulation and authorizations
🔹 Artificial Intelligence: generative AI and new compliance obligations
… and much more.

👉 Discover their full analysis here.

 

 

Blaise Deltombe for Le Parisien: September 2025

Blaise Deltombe comments in Le Parisien on the evolution of the right to paid leave in case of sick leave.

 

⚖️ The Court of Cassation confirms that paid leave can be carried over in the event of sick leave, and accompanies this decision with a statement expressing the hope that this ruling will set a precedent. This is likely a first step before it is codified in the Labor Code, which would guarantee the inviolability of the new rule.

 

This new rule results from the European Commission’s requirement, which put France on notice to comply with European law on this point last June.

 

This development is a major step forward in better protecting employees’ rights, but it also raises questions about the impact on companies and social security.

 

Read the full article by clicking here: https://www.leparisien.fr/economie/en-arret-maladie-pendant-vos-conges-payes-vous-avez-desormais-le-droit-de-les-reporter-10-09-2025-WWVMGAF4FVBQBKJQ7V5JKWC6A4.php

Newsletter: first half of 2025

A dynamic semester for the Joffe & Associés Team!

 

The past six months have been marked by a steady pace of milestones and achievements: the appointment of a new partner, the arrival of fresh talent, recognitions in leading rankings, media features, expert analyses, industry conferences, sporting challenges, social commitments, and interactions with students. It has been a period of sustained activity on all fronts.

 

Behind every initiative stands a committed and dynamic team, attentive to the needs of its clients as well as the broader issues shaping society.

 

This newsletter looks back at the highlights of the semester and reflects what truly sets us apart: the strength of our collective.

 

We hope you enjoy reading it!

 

Read the full newsletter here: Joffe & Associés : Newsletter – First Half of 2025.

SICKNESS DURING HOLIDAYS: EUROPE FORCES FRANCE TO REVIEW ITS LAW

According to the CJEU, annual paid leave is intended for rest, while sick leave is for healing. One cannot therefore replace the other.

 

However, the French Labor Code ignores this situation and case law considers that “if an employee falls ill during their leave, their sick leave is not taken into account. The days of leave cannot be carried over and are lost.”

 

In view of this gap, the European Commission launched an infringement procedure against France on 18th June 2025. A letter of formal notice has been sent urging France to comply with Directive 2003/88/EC on working time in order to guarantee the effectiveness of the right to annual leave. France has two months to comply, or risk a referral to the CJEU and a possible sanction. The legislator will therefore have to adapt the Labour Code.

 

Some lawyers and trade unions in favour of the change see this as an important social step forward in order to guarantee employees a real right to rest, even in the event of illness occurring during the holidays, while sick leave and paid leave pursue two different purposes. Many countries provide for this right to deferral: in Belgium, provided that the employee informs their employer immediately, provides a medical certificate, and reschedules the days later; in Italy, Spain or Switzerland where the right to deferral is strictly regulated with the requirement of rigorous medical proof and without allowing extended holidays.

 

However, many criticisms have been raised against this system, with critics fearing a generalization of sick leave during holidays and opportunistic behavior to artificially extend vacations.

 

The abuse of sick leave is already a worrying reality in France. The Health Insurance has noted an explosion of false work stoppages in recent years. 42 million euros of sick leave fraud were detected in 2024, a figure 2.4 times higher than in 2023. In addition, out of 230,000 sick leaves verified by medical advisors, one in three was unjustified and was suspended.

 

In order to effectively combat these abuses, the Health Insurance has made available, and then made mandatory from July 2025, a new standardized form for notice of sick leave that is difficult to falsify and more secure (special paper, holographic label, magnetic ink, identification of the prescriber, etc.).

 

Strengthening the control of sick leave is certainly a reasonable counterpart to the evolution of French law required by the European Commission, to avoid abuses and preserve the credibility of the system. Confidence requires maintaining the balance between individual rights and the prevention of abuse. It is on this condition that this reform can be fully accepted and effective.

Aymeric Dégremont for Option Droit et Affaires

📢 Aymeric Dégremont from Joffe & Associés comments in Option Droit & Affaires on the rebounding SME acquisition market… but negotiations remain tense.

 

Despite the recovery in acquisitions of companies valued up to 50 million euros, the complexity of negotiations is still a major issue. Discussions frequently stumble over demanding legal clauses, such as earn-outs and representations and warranties (R&W), which are true sticking points between buyers and sellers.

 

🔍 Pre-acquisition audits have also been significantly strengthened: every financial, legal, social, IT, and compliance aspect is now thoroughly scrutinized.

👉 The result: longer processes, sometimes discouraging for sellers.

 

Aymeric Dégremont points out that “earn-out clauses used to focus on validating forecasts, confirming order books, or renewing contracts, but now they respond to the succession of shocks that have led to the macroeconomic instability we are experiencing.”

 

He adds that “North American buyers pay almost systematic attention to themes that their European or French counterparts detail less, such as compliance, cybersecurity, and GDPR.”

 

👉 In summary: the demands of the SME M&A market are increasing, and vigilance is more crucial than ever for successful transactions.

DPO Newsletter: March 2025

Click here to download our newsletter.

 

IN BRIEF:

 

  • SANCTIONS – 2024 review of the sanctions and corrective measures pronounced by the CNIL and sanction of a company for the excessive surveillance of its employees.
  • ARTIFICIAL INTELLIGENCE – Clarification of the definition of AI systems by the European Commission and new recommendations from the CNIL to support responsible AI.
  • ANONYMIZATION/PSEUDONYMIZATION – A search engine called to order by the CNIL and publication of guidelines by the European Data Protection Board.
  • RIGHT OF ACCESS – European coordinated action identifies gaps in the implementation of the right of access.
  • TRANSFER OUTSIDE THE EUROPEAN UNION – Publication of the CNIL guide on impact assessments of data transfers.

 

I. SANCTIONS TO REMEMBER

 

a. 2024 report on the CNIL’s sanctions

 

In 2024, the Commission Nationale de l’Informatique et des Libertés (“CNIL”) (France) issued 87 sanctions, including 69 under the simplified procedure (here). This significant increase compared to 2023 (42 sanctions) and 2022 (21 sanctions) can be explained by the increasingly frequent use of the simplified procedure (almost three times more than in 2023).

 

As part of its ordinary procedure, the CNIL has sanctioned companies in particular for:

  • Commercial prospecting: in particular for the failure to collect prior consent from individuals before sending commercial communications.
  • Health data processing: in particular with regard to anonymisation (e.g. clarification of the qualification of data processed in health data warehouses).

 

As part of its simplified procedure, the CNIL has sanctioned (i) the failure to cooperate with the CNIL, (ii) the failure to comply with the exercise of rights, (iii) the failure to minimise data, (iv) the breach relating to the security of personal data, and (v) the breach of the regulations relating to cookies.

 

b. Excessive surveillance of employees: €40,000 fine for a company in the real estate sector

 

The CNIL, by deliberation SAN-2024-021 of December 19, 2024 (here), imposed a fine of €40,000 on a company in the real estate sector for having set up excessive surveillance of its employees, by means of software for monitoring working time and employee performance and a continuous video surveillance system set up in employees’ work and break areas. The CNIL has identified several shortcomings, in particular:

 

Failures and details:

  • Excessive surveillance: (i) the continuous recording of images and sounds of employees is contrary to the principle of data minimization (Article 5 of the GDPR); and (ii) there is no legal basis for implementing endpoint monitoring software (Article 6 of the GDPR).
  • Lack of information: oral information on the implementation of the monitoring software does not meet the conditions of accessibility over time and, in the absence of a written record of it, its completeness is not established (Articles 12 and 13 of the GDPR).
  • Lack of security measures: the CNIL recalls the reinforced requirement for individualized access to administrator accounts, which have very extensive rights over personal data – here, several employees shared the same access to data from the surveillance software (Article 32 of the GDPR).
  • Lack of impact assessment (DPIA): the systematic monitoring of employees at their workstations required the formalization of a DPIA (Article 35 of the GDPR).

 

II. TOWARDS RESPONSIBLE AI

 

a. Prohibited practices in artificial intelligence: the new guidelines of the European Commission

 

On 6 February 2025, the European Commission adopted guidelines on the definition of artificial intelligence (“AI”) systems to help stakeholders identify whether a software system falls under AI. It should be noted that these guidelines do not address general-purpose AI models. The Commission has identified and clarified the 7 elements that make up the definition of ‘AI system’, introduced in Article 3(1) of Regulation (EU) 2024/1689 on AI:

 

Definition in the AI Act, with the Commission’s clarifications:

  • “Machine-based system”: AI systems must be computationally driven and based on machine operations.
  • “that is designed to operate at varying levels of autonomy”: the deductive capacity of systems is key to ensuring their autonomy: an AI system must operate with a certain reasonable degree of independence of action (which excludes systems requiring full manual human involvement and intervention).
  • “and that may exhibit adaptiveness after deployment”: the condition of the system’s self-learning capacity is optional and non-decisive.
  • “and that, for explicit or implicit objectives”: explicit (encoded) or implicit (inferred from behavior or assumptions) objectives are internal and refer to the goals and results of the tasks to be performed. They are part of a broader notion of the “purpose” of the AI system, which corresponds to the context in which it is designed and how it must be operated.
  • “infers, from the input it receives, how to generate outputs”: this notion refers to the building phase of the AI system, and is therefore broader than just the phase of use of the system. The Commission distinguishes between AI systems and other forms of software that have only a limited capacity to analyse patterns and autonomously adjust their output.
  • “such as predictions, content, recommendations, or decisions”: AI systems are distinguished by their ability to generate nuanced results, leveraging complex models or expertly defined rules. The Commission details each of the terms of the definition.
  • “that can influence physical or virtual environments”: AI systems are not passive but actively impact the environments in which they are deployed.

 

 

b. The CNIL’s new recommendations for responsible AI

 

On February 7, 2025, the CNIL published new recommendations to support the development of responsible AI, in compliance with the GDPR (here). These relate both to the information of individuals and to the exercise of their rights:

 

  • Information: the data controller must inform individuals when their personal data is used to train an AI model. This information can be adapted according to the risks to people and operational constraints and can therefore sometimes be limited to general information (when people cannot be contacted individually) and/or global information (when many sources are used, for example by indicating only categories of sources).
  • Rights of individuals: the CNIL invites stakeholders to take into account the protection of privacy from the design stage of the model (e.g. anonymization strategy, non-disclosure of confidential data). The implementation of rights in the context of AI models can be difficult and a refusal to exercise rights can sometimes be justified. When these rights must be guaranteed, the CNIL will take into account the reasonable solutions available and may adjust the conditions of delay.

 

III. ANONYMIZATION AND PSEUDONYMIZATION UNDER DEBATE

 

a. The new EDPS Guidelines on pseudonymisation

 

On 16 January 2025, the European Data Protection Board (EDPB) adopted new guidelines 01/2025 on pseudonymisation, which are subject to public consultation until 14 March 2025.

 

Pseudonymisation means that personal data can no longer be attributed to a data subject without additional information (Article 4(5) GDPR). Pseudonymised data remains personal data because there is a risk of re-identification of the data subjects.

 

The EDPB states that pseudonymisation can (i) facilitate the use of the legal basis of legitimate interest, provided that all other requirements of the GDPR are met, (ii) ensure compatibility with the original purpose in the context of further processing, and (iii) help organisations comply with obligations relating to the principles of the GDPR, protection by design and by default, and security.

 

The EDPB is also analysing a set of robust technical measures to prevent unauthorised re-identification. Recommended techniques include hashing with a secret key or salt, separation of information for attribution, and strict access control.
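The keyed-hashing and separation measures mentioned above, as an added Python example (not taken from the EDPB guidelines or from this newsletter): it compares an unkeyed SHA-256 pseudonym with an HMAC-SHA256 pseudonym and checks which of them a recipient holding only a list of candidate e-mail addresses can link back to a person. The choice of HMAC-SHA256, the field names and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def normalise(identifier: str) -> bytes:
    """Canonical form, so the same person always maps to the same pseudonym."""
    return identifier.strip().lower().encode("utf-8")


def unkeyed_pseudonym(identifier: str) -> str:
    """Weak variant: anyone can recompute this from a guessed identifier."""
    return hashlib.sha256(normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed variant: recomputing the pseudonym requires the secret key."""
    return hmac.new(key, normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records, make_pseudonym, id_field="email"):
    """Split records into a releasable dataset and an attribution table.

    The attribution table (and the key, if any) is the "additional
    information": it stays with the controller, under separate access
    control, and is never shipped with the released dataset.
    """
    released, attribution = [], {}
    for record in records:
        pseudonym = make_pseudonym(record[id_field])
        attribution[pseudonym] = normalise(record[id_field]).decode("utf-8")
        row = {k: v for k, v in record.items() if k != id_field}
        row["pseudonym"] = pseudonym
        released.append(row)
    return released, attribution


def relinkable(released, candidates, make_pseudonym):
    """Risk check: pseudonyms that can be matched to a candidate identifier
    by a party able to compute make_pseudonym."""
    guesses = {make_pseudonym(c): c for c in candidates}
    return {
        row["pseudonym"]: guesses[row["pseudonym"]]
        for row in released
        if row["pseudonym"] in guesses
    }


# Constructed sample data (not real people). Two rows belong to the same person.
RECORDS = [
    {"email": "alice@example.com", "plan": "premium"},
    {"email": "bob@example.com", "plan": "basic"},
    {"email": "carol@example.com", "plan": "basic"},
    {"email": " Alice@Example.com", "plan": "premium"},
]

# Identifiers a recipient might already hold, e.g. from its own customer list.
CANDIDATES = ["alice@example.com", "bob@example.com", "dave@example.com"]


def demo():
    key = secrets.token_bytes(32)  # held only by the controller

    def with_key(identifier):
        return keyed_pseudonym(identifier, key)

    weak_released, _ = pseudonymise(RECORDS, unkeyed_pseudonym)
    strong_released, _ = pseudonymise(RECORDS, with_key)

    # Recipient without the key: can only recompute the unkeyed hash.
    recipient_vs_weak = relinkable(weak_released, CANDIDATES, unkeyed_pseudonym)
    recipient_vs_strong = relinkable(strong_released, CANDIDATES, unkeyed_pseudonym)
    # Controller with the key: attribution is still possible when authorised.
    controller_vs_strong = relinkable(strong_released, CANDIDATES, with_key)

    return len(recipient_vs_weak), len(recipient_vs_strong), len(controller_vs_strong)


if __name__ == "__main__":
    print(demo())
```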

 

It should be noted that these guidelines are to be read in the light of Case C-413/23 pending before the Court of Justice of the European Union between the European Data Protection Supervisor and the Single Resolution Board (SRB). In this case, pseudonymised data was transferred by the SRB to Deloitte for the purposes of an analysis mission. In his Opinion of 6 February 2025, the Advocate General asks the Court to rule on whether the recipient of pseudonymised data who does not have reasonable means to re-identify the data subjects could be considered not to be processing personal data insofar as the risk of identification is ‘non-existent or insignificant’.

 

IV. SPOTLIGHT ON THE RIGHT OF ACCESS

 

The CNIL and the European Data Protection Supervisor participated in a coordinated action of the European Data Protection Board in order to evaluate the implementation of the right of access to personal data.

 

During 2024, the CNIL inspected public and private bodies, chosen on the basis of complaints received, and issued several reminders of legal obligations. It notes that the organizational measures implemented by these organizations to process right-of-access requests are sometimes insufficient or unsatisfactory. Organizations should (i) provide information about the processing, (ii) include a copy of the data processed, and (iii) not systematically exclude certain processing or categories of personal data from their responses.

 

The EDPS has monitored the processing of requests for the right of access by the EU institutions, bodies, offices and agencies and has highlighted in his report of 16 January 2025: (i) the low volume of requests, (ii) the decentralisation of the management of requests, (iii) the fact that it is difficult to distinguish between access requests and other types of requests, (iv) the excessive processing of data caused by the verification of the identity of applicants, (v) the difficulty of reconciling the protection of rights and freedoms and respect for the right of access of individuals. Controllers and processors are invited by the EDPS to refer to Guideline 01/2022 on the right of access of data subjects.

 

V. IMPACT ANALYSIS OF DATA TRANSFERS

 

On January 31, 2025, the CNIL published the final version of its guide on the Impact Assessment of Data Transfers (AITD) (here) to help data exporters assess the level of protection in destination countries located outside the European Economic Area and the need to put in place additional safeguards. This analysis is necessary when the transfer is based on a tool under Article 46 of the GDPR (standard contractual clauses, binding corporate rules, etc.), that is, when the destination country does not benefit from an adequacy decision and the transfer is not carried out on the basis of a derogation under Article 49 of the GDPR.

 

The guide proposes a six-step methodology:

  • Identify the data concerned and the actors involved;
  • Choose the appropriate transfer tool;
  • Analyze risks related to the laws and practices of the third country;
  • Determine and apply additional measures (e.g. encryption or anonymization);
  • Implement these additional measures;
  • Reassess the compliance of the transfer at appropriate intervals.

 

This publication follows a public consultation that allowed the CNIL to adapt its guide to the practical realities of companies, and to modify it in order to take into account the latest opinions of the European Data Protection Board.

 

DPO Newsletter: February 2025

🚨 DPO Newsletter: What You Need to Know! 🔒

 

 

🔥 Our latest issue is out, covering key decisions, upcoming regulations, and major trends to watch:

 

 

In this edition:

🚫 Record-breaking fines – Orange (€50M), Meta (€251M), and OpenAI (€15M) hit with major sanctions.
📉 Data Transfers outside the EU – The CJEU condemns the European Commission for illegal data transfers to the U.S.
📢 GDPR Certification for Processors – The CNIL opens a public consultation. Be ready for what’s next!
⚠️ Deceptive Cookie Banners – Time’s up for several website publishers ordered to comply.
🤖 Responsible AI – The EDPB sets the tone for AI development within GDPR rules.
📊 2025-2028 Strategic Focus – CNIL’s roadmap to secure the digital future.

 

 

👉 Stay sharp and anticipate the impact on your business!

 

 

Should you have any questions, do not hesitate to contact us: contact@joffeassocies.com

 

 

DPO Newsletter: October 2024

🚨 New DPO Newsletter Alert! 🚨

Our latest issue is out, covering key GDPR updates and regulatory changes. 🏛️📜

Highlights:
📈 CNIL’s rise in simplified sanctions: 28 cases in 9 months
🏥 €800,000 fine for health data breach by CEGEDIM SANTE
🧑‍⚖️ CJEU rulings on GDPR enforcement
📜 EDPB guidelines on cookies, legitimate interest, and subcontracting

 

DPO NEWSLETTER: AN UPDATE FROM THE IT-DATA TEAM

Download the newsletter here

 

1) CNIL SANCTION: COMPANY SAF LOGISTICS FINED 200,000 EUROS

On 18 September 2023, the Commission Nationale de l’Informatique et des Libertés (CNIL) fined the Chinese air freight company SAF LOGISTICS €200,000 and published the penalty on its website.

The severity of this penalty is justified by the seriousness of the breaches committed by the company:

 

  • Failure to comply with the principle of minimisation (article 5-1 c of the GDPR): the data controller must only collect data that is necessary for the purpose of the processing. In this case, the company was collecting personal data on members of its employees’ families (identity, contact details, job title, employer and marital status), which had no apparent use.

 

  • Unlawful collection of sensitive data (article 9 of the GDPR) and data relating to offences, convictions and security measures (article 10): in this case, employees were asked to provide so-called sensitive data, i.e. blood group, ethnicity and political affiliation. As a matter of principle, the collection of sensitive data is prohibited. By way of exception, it is permitted if it appears legitimate with regard to the purpose of the processing and if the data controller has an appropriate legal basis, which was not the case here. Furthermore, SAF LOGISTICS collected and kept extracts from the criminal records of employees working in air freight, who had already been cleared by the competent authorities following an administrative enquiry. Therefore, such a collection did not appear necessary.

 

  • Failure to cooperate with the supervisory authority (Article 31 of the GDPR): The CNIL also considered that the company had deliberately attempted to obstruct the control procedure. Indeed, SAF LOGISTICS had only partially translated the form, which was written in Chinese. The fields relating to ethnicity or political affiliation were missing. It should be noted that a lack of cooperation is an aggravating factor in determining the amount of the penalty imposed by the supervisory authority.

 

2) THE CONTROLLER AND THE PROCESSOR ARE LIABLE IN THE EVENT OF FAILURE TO CONCLUDE A DATA PROTECTION AGREEMENT

 

On 29 September 2023, the Belgian Data Protection Authority (DPA) issued a decision shedding some interesting light on (i) the data controller’s and processor’s obligations and (ii) the late correction of GDPR breaches. In this regard, the Belgian authority stated that:

 

  • Both the controller and the processor have breached the provisions of Article 28 of the GDPR by failing to enter into a data protection agreement (DPA) at the outset of data processing. The obligation to enter into a contract or to be bound by a binding legal act falls on both the controller and the processor and not on the controller alone.
  • The retroactive clause provided for in the DPA does not compensate for the absence of a contract at the time of the event: only the date of signature of the DPA should be taken into account to determine the compliance of the processing concerned. The Belgian authority pointed out that allowing such retroactivity would allow companies to avoid the application of the obligation outlined in Article 28.3 of the GDPR over time. However, the GDPR itself provided for a period of 2 years between its entry into force and its entry into application for gradual compliance by all the entities concerned with a view to guaranteeing the protection of data subjects’ rights.

 

3) A NEW COMPLAINT HAS BEEN LODGED AGAINST THE OPENAI START-UP BEHIND THE CHATGPT GENERATIVE ARTIFICIAL INTELLIGENCE SYSTEM

The Polish Data Protection Office has opened an investigation following the filing of a complaint by Polish researcher Lukasz Olejnik against the start-up OpenAI in September 2023. The complaint highlights the chatbot’s many failings to comply with the General Data Protection Regulation (GDPR).

 

Breaches of the GDPR raised by the complaint

 

The complaint identifies numerous breaches of the GDPR, including a violation of the following articles:

 

  • Article 5 on the obligation to ensure data accuracy and fair processing (there is an obligation to limit the purposes);
  • Article 6 on the legal basis for processing;
  • Articles 12 and 14 on information for data subjects;
  • Article 15 on the data subject’s right of access to information on the processing of his or her data;
  • Article 16 on the right of data subjects to rectify inaccurate personal data.

 

The legitimate interests pursued by OpenAI hardly seem to outweigh the invasion of users’ privacy.

 

Repeated complaints against OpenAI

This is not the first time that ChatGPT has been the target of such accusations since it went online. Eight complaints have been lodged worldwide this year for breaches of personal data protection. These include:

 

  • The absence of consent from individuals to the processing of their data
  • Inaccurate data processing
  • No filter to check the age of individuals
  • Failure to respect the right to object.

 

The “scraping” technique used by this artificial intelligence (a technique that automatically extracts a large amount of information from one or more websites) was highlighted by the CNIL back in 2020 in a series of recommendations aimed at regulating this practice in the context of commercial canvassing. These inspections led the CNIL to identify a number of breaches of data protection legislation, including:

 

  • Failure to inform those targeted by canvassing;
  • The absence of consent from individuals prior to canvassing;
  • Failure to respect their right to object.

 

Towards better regulation of artificial intelligence?

In April 2021, the European Commission put forward a proposal for a regulation specifying new measures to ensure that artificial intelligence systems used in the European Union are safe, transparent, ethical and under human control. The regulation classifies systems as high risk, limited risk and minimal risk, depending on their characteristics and purposes.

Pending the entry into force of this regulation, the CNIL is working to provide concrete responses to the issues raised by artificial intelligence. To this end, in May 2023 it deployed an action plan designed to become a regulatory framework, the aim of which is to enable the operational deployment of artificial intelligence systems that respect personal data.

 


4) TRANSFER OF DATA TO THE UNITED STATES

On 10 July 2023, the European Commission adopted a new adequacy decision allowing transatlantic data transfers, known as the Data Privacy Framework (DPF).

Since 10 July, it has therefore been possible for companies subject to the GDPR to transfer personal data to US companies certified as “DPF” without recourse to the European Commission’s standard contractual clauses and additional measures.

It should be noted that the United Kingdom has also signed an agreement with the United States on the transfer of data, which will come into force on 12 October.

As a reminder, on 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield, the previous adequacy decision allowing the transfer of personal data to the United States.

 

1) The content of the Data Privacy Framework

The decision of 10 July 2023 formalises a number of binding guarantees in an attempt to remedy the weaknesses of the Privacy Shield, which was invalidated two years earlier.

 

a) The new obligations

In order to benefit from this new framework and receive personal data from European residents, American companies will have to:

  • Declare that they adhere to the DPF’s personal data protection principles (data minimisation, retention periods, security, etc.).
  • Indicate a certain amount of mandatory information: the name of the organisation concerned, a description of the purposes for which the transfer of personal data is necessary, the personal data covered by the certification and the verification method chosen.
  • Formalise a privacy policy in line with the DPF principles and specify the type of relevant independent recourse available to primary data holders, as well as the statutory body responsible for ensuring compliance with these principles.

 

On Monday 17 July, the US Department of Commerce launched the Data Privacy Framework website, offering companies a one-stop shop for signing up to the DPF and listing the companies that have signed up.

Participating US companies must conduct annual self-assessments to demonstrate their compliance with the DPF requirements. In the event of a breach of these principles, the US Department of Commerce may impose sanctions.

It should be noted that companies already affiliated to the Privacy Shield are automatically affiliated to the DPF provided that they update their privacy policy before 10 October 2023.

 

b) The creation of a Data Protection Review Court

The DPF is innovative in that it establishes a Data Protection Review Court (DPRC) to provide EU residents with easier, impartial and independent access to remedies, and to ensure that breaches of the rules under the EU-US framework are dealt with effectively. The Court has investigative powers and can order binding corrective measures, such as the deletion of illegally imported data.

 

c) A new appeal mechanism for EU nationals

The planned appeal mechanism will operate at two levels:

 

  • Initially, the complaint will be lodged with the competent national authority (for example, the CNIL in France). This authority will be the complainant’s point of contact and will provide all information relating to the procedure. The complaint is forwarded to the United States via the European Data Protection Committee (EDPS), where it is examined by the Data Protection Officer, who decides whether or not there has been a breach.
  • The complainant may appeal against the decision of the Civil Liberties Protection Officer to the DPRC. In each case, the DPRC will select a special advocate with the necessary experience to assist the complainant.

 

Other remedies such as arbitration are also available.

 

2) Future developments: new legal battles?

This new legal framework will be subject to periodic reviews, the first of which is scheduled for the year following the entry into force of the adequacy decision. These reviews will be carried out by the European Commission, the relevant American authorities (U.S. Department of Commerce, Federal Trade Commission and U.S. Department of Transportation) and by various representatives of the European data protection authorities.

Despite the introduction of these new safeguards, legal challenges have already begun.

On 6 September 2023, French MP Philippe Latombe (MoDem) lodged two complaints with the CJEU seeking the annulment of the DPF.

Max Schrems, president of the Austrian privacy protection association Noyb, which brought the actions against the previous agreements (Safe Harbor and Privacy Shield), is likely to follow suit.

 

5) ISSUES SURROUNDING THE MATERIAL SCOPE OF THE GDPR

A divisive position by an Advocate General concerning the material scope of the GDPR could, if followed by the CJEU, clearly limit the application of the GDPR to many sectors of activity (Case C-115/22).

In this case, the full name of an Austrian sportswoman, who had tested positive for doping, was published on the publicly accessible website of the independent Austrian Anti-Doping Agency (NADA).

The sportswoman asked the Austrian Independent Arbitration Commission (USK) to review this decision. In particular, this authority questioned whether publishing on the Internet the personal data of a professional athlete found to have doped is compatible with the GDPR. A reference for a preliminary ruling was therefore made to the CJEU.

The Advocate General considers that the GDPR is not applicable in this case insofar as the anti-doping rules essentially regulate the social and educational functions of sport rather than its economic aspects. However, there are currently no rules of EU law relating to Member States’ anti-doping policies. In the absence of a link between anti-doping policies and EU law, the GDPR cannot regulate such processing activities.

 

This analysis is based on Article 2.2.a) of the GDPR, which states:

 

“This Regulation shall not apply to the processing of personal data carried out:

a) in the context of an activity that does not fall within the scope of Union law;”.

The scope of the Union’s intervention is variable and imprecise, leading to uncertainty as to its application to certain sectors.

In the alternative, and assuming that the GDPR applies, the Advocate General believes that the Austrian legislature’s decision to require the public disclosure of personal data of professional athletes who violate anti-doping rules is not subject to a proportionality test under the terms of the regulation.

However, the Advocate General’s conclusions are not binding on the CJEU. The European Court’s decision is therefore eagerly awaited, as it will clarify the application of the GDPR.

 


1 Last March, the Italian CNIL went so far as to temporarily suspend ChatGPT on its territory because of a suspected breach of European Union data protection rules.

OpenAI failed to implement an age verification system for users. Following on from this event, on 28 July a US class action denounced the accessibility of services to minors under the age of 13, as well as the use of “scraping” methods on platforms such as Instagram, Snapchat and even Microsoft Teams.

2 Proposal for a Regulation laying down harmonised rules on artificial intelligence