On 17 October 2023, the French National Assembly adopted the Law to Secure and Regulate the Digital Space (the "Loi SREN"). The Loi SREN aims to enhance users' online safety by adopting new requirements that are intended to reinforce the regulation of online platforms, including provisions on cloud computing, online misinformation, online pornography, and digital assets.

Below are some of the key takeaways of the Loi SREN, including some of the provisions that were introduced by the National Assembly in its adopted version of the text.

I. Designating the competent regulators who shall enforce the Digital Services Act

  • The Audiovisual and Digital Communication Authority (ARCOM) will become the main Digital Services Coordinator in France for the implementation of the Digital Services Act, assisted by the French data protection authority (CNIL) and the Directorate-General for Competition, Consumer Affairs and Fraud Control (DGCCRF).
  • The CNIL will see its scope of competence expand as it becomes the competent regulator to enforce Article 26 of the DSA on the detailed information that online platforms must provide to recipients of their services in their advertisements and the prohibition to display advertisements based on profiling of special categories of personal data and data on minors.
  • The DGCCRF shall monitor online marketplace providers' compliance with the DSA (e.g., traceability of sellers, detailed information regarding product safety, trader's identity and contact details, pre-contractual information (in compliance with Art. 31 of the DSA)).
  • In addition, the Loi SREN establishes a national network of competent authorities to oversee online services whose main goal is to reinforce communication and synergy between the competent bodies. This national network is composed of, amongst others, the ARCOM, the CNIL, the French Competition Authority, the French Authority for Electronic Communications and Postal Services (ARCEP), and the French National Cybersecurity Agency (ANSSI). They shall meet at least 3 times a year.

II. Securing and opening the cloud computing sector

  • Imposing the concept of French "Digital Sovereignty" to cloud service providers
    • Public administration bodies who resort to private cloud service providers for their information systems or applications must ensure that those cloud computing service providers are able to provide robust security standards and measures that are aimed at preventing non-authorized access by government authorities in foreign countries outside the UE to data that is processed by those public administration bodies where such processing involves sensitive information, whether personal data or not, (i.e., protected secrets, critical state functions such as national security or the protection of individuals' health and/or life) and where such access is likely to constitute a threat to public order, public safety, health and life of persons, or to the protection of intellectual property.
  • Facilitating cloud computing interoperability

In line with Article 26 of the upcoming EU Data Act, the Loi SREN also provides that cloud computing service providers shall :

  • ensure interoperability with the customer's services or with those of competitors for similar functionalities; and,
  • provide access, free of charge, to customers and to third party providers designated by them,
    • to the necessary application programming interface for the implementation of interoperability and portability; and,
    • to sufficient detailed information on the relevant cloud computing service to enable customers or third-party service providers to communicate with that service.

III. Imposing stricter obligations to moderate the content of online platforms

  • Criminalizing deep fakes that are generated by an AI systems

The Loi SREN prohibits the public sharing of deepfakes depicting an individual's image or voice without his/her consent, where such content is generated by an artificial intelligence and (i) there is no clear mention that such content was generated by an AI or (ii) where it is not obvious that the content was generated by AI. Any violation of this obligation would be criminally sanctioned by up to 2 years' imprisonment and a fine up to EUR 45.000.

The Loi SREN further prohibits the public sharing of deepfakes depicting pornographic content that uses an individual's image or voice without his/her consent. Any violation of this prohibition would be criminally sanctioned by 2 years' imprisonment and a EUR 60.000 fine.

  • Temporary online banishment for certain online criminal activity

Criminal courts may prohibit users of online platforms (such as social media platforms) who are convicted of certain online criminal offences (e.g., online harassment, hate speech etc.) from accessing or creating a new account on the online platform that was used to commit those criminal offences. This online banishment may be pronounced for a maximum period of 6 months.

Next steps:
Members of the National Assembly and the Senate shall meet in a mixed joint committee to reach a final agreement on the Loi SREN. Once adopted, the loi SREN is expected to come into force within days following its publication in the Official Journal.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.