Stéphanie Faber

Context

Businesses are under pressure from a range of internal and external stakeholders to create and maintain genuinely diverse and inclusive workplaces. Consequently, more and more businesses want to collect and track Diversity and Inclusion (“D&I”) data about their staff. This may include information about gender, sexual orientation, race, ethnic origin, religion, socio-economic background, health, and disability. This information may help organizations better understand the current profile of their workforce, assess the impact of their equal opportunities policies, determine what steps they may need to take to address any barriers to change, and measure progress against any objectives/targets set.

However, in some countries, collection and tracking of such data is regulated by various laws and it is socially and culturally inappropriate to ask certain questions in this area.

In France, various regulations and case law restrict the collection of such data, including the EU General Data Protection Regulation (“GDPR”). There is a particular sensitivity in relation to origin/race/ethnicity data (as notably stated in a decision from the French Constitutional Council of 15 November 2007 sanctioning the collection of such data in this context).

Draft recommendation

To guide organizations wishing to implement diversity measurement surveys, the CNIL is submitting a recommendation for public consultation until September 13, 2024 (the “Draft Recommendation”).

It notably includes GDPR-specific recommendations that were not in the guide “Measuring to progress towards equal opportunities” that the CNIL had published with the Defender of Rights twelve years ago (the “Guide”).

The recommendation addresses the following issues in relation to diversity surveys.
Continue Reading Measuring Diversity at Work in France: the CNIL Launches a Public Consultation on a Draft Recommendation

Shortly after the publication of the Artificial Intelligence (AI) Act, the EU Commission published the AI Pact’s draft commitments with a view to anticipating compliance with high-risk requirements for AI developers and deployers.

Publication and timeline for the AI Act

The EU AI Act was published in the Official Journal of the European Union on July 12, 2024, as “Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonized rules on artificial intelligence.”  We have presented the main provisions and purposes of the AI Act in our publication here.

The EU AI Act will enter into force across all 27 EU Member States on August 1, 2024, but has variable transition periods depending on the relevant part of the AI Act, starting with February 2, 2025, at which point prohibited AI practices must be withdrawn from the market, and with the enforcement of the majority of its provisions commencing on August 2, 2026.

The call for participation in the AI Pact by the EU Commission

In this context, the EU Commission issued a press release on July 22, 2024, promoting the “AI Pact”, seeking the industry’s voluntary commitment to anticipate the AI Act and to start implementing its requirements ahead of the legal deadline.  The press release can be found here.

The AI Pact was first launched in November 2023, obtaining responses from over 550 organizations of various sizes, sectors, and countries.

The AI Office has since initiated the development of the AI Pact, which is structured around two pillars:
Continue Reading The EU Commission’s Draft AI Pact anticipating compliance with newly published AI Act

In November 2023, the National Commission on Informatics and Liberty (CNIL), the French data protection authority, announced that it had issued 10 new sanctions under its new simplified procedure following complaints with respect to geolocation of vehicles and video surveillance of employees, data minimization, the right to object and lack of response to CNIL requests.

The New

The French National Commission on Informatics and Liberty (CNIL) – the French data-protection authority – finally updated its standard of best practice on whistleblowing in July 2023, to accompany the significant changes introduced to the whistleblower protection regulation in the second half of 2022.
Continue Reading The French CNIL’s New Guidance on Whistleblowing

On July 10, the European Commission formally adopted the EU-U.S. Data Privacy Framework (DPF). The Commission’s adequacy decision (and the documentation package accompanying it, including the FAQ) brings welcome news: for certified DPF participants, personal data can flow between the European Economic Area (EEA) and the United States (U.S.

Each year, the French data protection authority, “CNIL”, conducts hundreds of investigations (345 in 2022) on the basis of complaints received, notification of data breaches, information conveyed by press or other media, but also annual priority topics set by the CNIL. These topics are the following for 2023.
Continue Reading Priority Topics for French CNIL Investigations in 2023: “Smart” Cameras, Mobile Apps, Bank and Medical Records

The French government has decided to act in the fight against the resurgence of cyberattacks, together with ransom demands, which have a significant impact on the economy. By anticipating the development of the cyber risk insurance market in France, the French government has decided to make the payment of insurance compensation conditional on the filing

Congratulations to Privacy World’s Kristin Bryan and Stephanie Faber, recognized as Legal Influencers (Q3 and Q4, respectively) by Lexology. Both lawyers were recognized regionally in the Technology, Media and Telecommunications category (TMT), with Kristin being acknowledged for the US and Stephanie for Europe. Lexology Legal Influencers recognizes industry thought leaders each quarter who

In a decision of October 27, 2022, the European Court of Justice clarified operators’ obligations regarding consent and the right to object in relation to public directories and information services.

Legal Context

The ePrivacy Directive contains several provisions relating to public directories and information services of telecommunications operators.

In particular, EU Member States