COMPARATIVE GUIDE
19 February 2025

Digital Business Comparative Guide

Bredin Prat

Contributor

Bredin Prat logo
Explore Firm Details
Digital Business Comparative Guide for the jurisdiction of France, check out our comparative guides section to compare across multiple countries
France Corporate/Commercial Law
Juliette Crouzet and Félix Marolleau

1 Legal framework

1.1 Which key legislative and regulatory provisions govern digital business in your jurisdiction?

The French legal and regulatory framework governing digital business is composed of a complex layer of texts, both cross-sector and sector specific. While most of the digital legal framework emanates from EU regulation, France has also adopted some specific provisions, making this a highly regulated environment for digital business.

Key transversal provisions include the Loi Informatique et Libertés, which governs the processing of personal data and refers to the EU General Data Protection Regulation and the e-Privacy Directive, while incorporating French specificities. EU-level regulations are also designed to leverage the value of non-personal data – in particular, the Data Governance Act and the Data Act. Finally, on 1 August 2024, the Artificial Intelligence (AI) Act – the world's first comprehensive regulation applicable to AI systems – came into force.

In business-to-consumer digital businesses, several regulations – in particular, the Consumer Code – address the challenges arising from complex technologies and distance relationships, including transparency. Liability of online stakeholders (eg, internet service providers, hosting providers, online platforms) is now essentially governed by:

  • the EU Digital Services Act; and
  • the Loi pour la Confiance dans l'Economie Numérique for specific topics such as the protection of minors online.

France recently adopted the Loi visant à sécuriser et à réguler l'espace numérique, which addresses a number of issues relating to the digital space including cloud computing and Web 3.0 technologies. Additionally, competition in digital markets is increasingly scrutinised, in particular with the adoption of the EU Digital Markets Act.

1.2 Do any special regimes apply (eg, in specific sectors or to certain types of products)?

Yes, specific regimes apply in France:

  • in certain sectors;
  • for certain products; and
  • to certain stakeholders.

The health sector is regulated by the Public Health Code, which includes specific provisions addressing digital aspects of health business – in particular, with respect to:

  • the hosting of health personal data; and
  • the use of algorithmic data processing.

The financial sector also has specific rules set out, in particular, in the Monetary and Financial Code which includes, among other things, provisions governing digital finance and cybersecurity to strengthen safeguards against growing cyber threats in finance.

Some EU regulations also target specific types of products, such as the Data Act, which aims to promote access and reuse of data generated by connected products.

France is generally inclined to adopt new laws as digital practices evolve and new stakeholders emerge. For instance, influencers are now subject to specific provisions, in particular in relation to:

  • the transparency of their online activities;
  • liability vis-à-vis consumers; and
  • prohibited advertising.

1.3 Which bodies are responsible for implementing and enforcing the digital business regime in your jurisdiction? What is their general approach in doing so and what are their key areas of focus?

In France, several public bodies are responsible for enforcing digital business regulations and/or assisting companies in navigating through the complex regulatory landscape. They include the following:

  • Commission Nationale de l'Informatique et des Libertés (CNIL): The French data protection authority oversees personal data protection matters and is highly active:
    • publishing guidelines;
    • controlling compliance; and
    • issuing sanctions.
  • In 2023, the CNIL issued 42 sanctions totalling €89,179,500, mainly related to online advertising and data security. The CNIL can impose fines of up to €20 million or up to 4% of a company's annual global turnover.
  • Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI): This body is in charge of the security of networks and information systems, publishing:
    • guidelines on cybersecurity; and
    • alerts on vulnerabilities.
  • ANSSI is also the recipient of certain cybersecurity incident notifications, such as those affecting operators of essential services.
  • Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (DGCCRF): This body enforces consumer protection laws and ensures fair competition on the market. The DGCCRF provides guidance on online advertising and e-commerce and is active in:
    • conducting investigations;
    • imposing fines of up to €300,000; and
    • ordering corrective measures.
  • Autorité de Régulation de la Communication Audiovisuelle et Numérique (ARCOM): This is the regulator for audiovisual and digital communication, which supervises social media and platforms, among other things. ARCOM has sanctioning powers and its role has been expanded with the adoption of new digital regulations on online content.

2 Market snapshot

2.1 How embedded is digital business in your jurisdiction?

In recent years, great emphasis has been placed on fostering and accelerating the growth of the French digital business sector, which is seen as an important component of national sovereignty. The Ministry of Economy has been rebranded as the Ministry of Economy, Finance and Industrial and Digital Sovereignty and published its "Digital Decade" roadmap in March 2024, focusing on four pillars:

  • digital competencies;
  • digital infrastructure;
  • digital transformation of companies; and
  • public digital services.

France hosts a number of important players in the digital sector, from online banking and digital marketing to cloud computing, with major historical players such as Orange, Capgemini, OVH Cloud and Atos. The French fintech industry has also grown exponentially in recent years with the creation of companies such as Qonto and Ledger, which are now well established worldwide in the digital finance sector.

As evidence that digital business is now well embedded in the French ecosystem, France has seen several recent acquisitions of tech companies by traditional companies, such as:

  • the acquisition in September 2024 by Safran of Preligens, an artificial intelligence (AI) leader in aerospace and defence, for €220 million; and
  • the acquisition in July 2023 by Thales of US-based company Imperva, specialising in cybersecurity software and services, for $3.6 billion.

2.2 Are the main players domestic, foreign and/or international?

The main players in the digital business sector in France remain foreign – in particular, Google, Apple, Facebook, Amazon and Microsoft, which are widely used by French people.

Nevertheless, France boasts several so-called 'licornes' (unicorns), referring to privately held startups valued at over $1 billion. These companies are characterised by rapid growth, innovation and significant market potential. French unicorns include:

  • Doctolib, a leading online platform used by doctors for booking medical appointments and teleconsultations;
  • Contentsquare, a digital experience analytics platform that helps businesses to optimise their websites and apps by analysing user behaviour; and
  • Mirakl, a leading software-as-a-service platform that enables businesses to create and manage online marketplaces.

France is keen to improve its digital sovereignty through the success of French digital actors. The minister of the economy, finance and industrial and digital sovereignty has described technological sovereignty as the "absolute key" to political sovereignty. To this end, France has provided substantial financial support to the digital sector through various initiatives, such as:

  • the National Strategy for Artificial Intelligence (€1.5 billion over five years);
  • the Quantum Plan (€1.8 billion);
  • the National Cybersecurity Strategy (€1 billion); and
  • the 5G Acceleration Strategy (€480 million).

These investments are comparable to those made by countries such as the United Kingdom and Germany.

2.3 Describe the key features of the following digital business sectors in your jurisdiction: (a) E-commerce; (b) Fintech and (c) Digital health.

(a) E-commerce

The e-commerce market in France has experienced significant growth in recent years. As of 2023, over 51 million people out of a population of 68 million actively engaged in online shopping, making France the third-largest e-commerce market in Europe after Germany and the United Kingdom. The estimated value of annual e-commerce sales in France was €159.9 billion.

Traditional and renowned businesses in France are being transformed by e-commerce. For instance, the fashion sector – including second-hand goods – is one of the leading e-commerce segments in France, with 54% to 56% of the population making second-hand purchases online. Prominent international players such as Amazon, Vinted and Shein dominate this sector. However, French companies such as Le Bon Coin, Fnac, Cdiscount and Decathlon have developed robust online marketplaces, further supporting the growth of e-commerce in France.

From a regulatory perspective, French and EU law provide for a comprehensive legal framework for e-commerce, set out in statutes such as:

  • the Consumer Code;
  • the Civil Code; and
  • the EU General Data Protection Regulation (GDPR).

These regulations aim to ensure transparency and consumer protection, setting a framework for online contractualisation and protecting the privacy of consumers while promoting the development of a competitive EU digital market. Recent initiatives at the EU level, such as the Digital Services Act and the Digital Markets Act, aim to:

  • enhance the accountability of online intermediaries, including marketplaces; and
  • prevent unfair competition on the market by imposing ex ante obligations on so-called 'gatekeepers', determined by their importance in both quantitative and qualitative terms.

(b) Fintech

The French fintech market is dynamic, with €630 million in funding raised in the first half of 2024. The sector is close to approximately 490 active fintech companies, including notable players such as Lydia, Qonto, Harvest and Ledger, which lead in areas such as payments, neobanking, wealth management and insurance.

French fintech companies are increasingly investing in emerging technologies such as cybersecurity and AI, as these tools become crucial to innovation and resilience in the sector. AI is being leveraged for predictive analytics, fraud detection and customer service automation; while cybersecurity investments are driven by heightened regulatory scrutiny and the need to protect sensitive financial data from cyber threats.

The regulatory landscape for fintech in France is shaped by both national and EU-level frameworks. Key regulations include:

  • the Second Payment Services Directive, which:
    • promotes open banking (eg, account information services, payment initiation services); and
    • enhances consumer protection;
  • the Markets in Crypto-Assets Regulation, adopted in 2023, which sets the first regulatory framework for crypto-assets at the EU level, promoting:
    • transparency for crypto-asset service providers;
    • consumer protection; and
    • market integrity; and
  • the Digital Operational Resilience Act, which will impose stringent cybersecurity requirements on financial institutions, including fintechs, highlighting the growing importance of IT operational resilience.

(c) Digital health

The health sector in France is experiencing significant growth, driven by both innovation and government support for the digital transformation. This momentum is reinforced by the French government's France 2030 investment plan, which allocates close to €54 billion to enhance France's industrial and technological competitiveness, with digital health being one of the main focuses.

The Public Health Code imposes specific obligations on digital health services to govern the hosting, sharing, security and confidentiality of health personal data. The hosting of health personal data is subject to a strict regime whereby certain entities hosting health personal data must obtain a health data hosting certificate, which confirms that they meet strict security standards for the protection and confidentiality of health personal data. The certification process is complex and comprises multiple steps designed to assess whether the hosting service provider has implemented adequate technical, organisational and contractual measures to safeguard the security and integrity of health personal data. In December 2023, the Digital Health Agency adopted new guidelines on certification, adding a requirement for health personal data hosting services to be located within the European Economic Area.

The Commission Nationale de l'Informatique et des Libertés regularly publishes articles in relation to the processing of health personal data, which is considered as sensitive data under the GDPR, indicating that it considers this topic to be a regulatory priority.

3 Technologies

3.1 How are the following digital business technologies regulated in your jurisdiction and what key issues should be borne in mind in relation to each? (a) Online payments (including cryptocurrencies and digital wallets); (b) Artificial intelligence; (c) Connected devices/Internet of Things and (d) Other (eg, cloud services, quantum technology, chip technology).

(a) Online payments (including cryptocurrencies and digital wallets)

The French Monetary and Financial Code establishes the legal framework for payment service providers (PSPs) and sets out several categories of PSPs, as follows:

  • credit institutions;
  • account information service providers;
  • electronic money issuers; and
  • payment institutions.

The implementation of the Second Payment Services Directive (PSD2), transposed into French law in 2017, introduced significant changes. Key among these is stronger customer authentication, which mandates multi-factor authentication based on encryption systems to enhance security in electronic payments. The PSD2 also opened the market to 'third-party providers', such as 'account information service providers' and 'payment initiation service providers', enabling them to use apps to access customer account information services and initiate payments, provided that customer consent is obtained.

Crypto-assets and digital wallets, although not yet fully integrated into the traditional regulatory framework for payment services, are subject to increasing oversight. The EU Markets in Crypto-Assets Regulation introduces a comprehensive regulatory framework for crypto-assets, including requirements for issuers and service providers. In France, crypto-related activities are overseen by the Autorité des Marchés Financiers (AMF) and the Autorité de Contrôle Prudentiel et de Résolution. For instance, service providers involved in the exchange or custody of crypto-assets must currently register with the AMF and comply with regulatory requirements, including anti-money laundering regulations.

(b) Artificial intelligence

The Artificial Intelligence (AI) Act adopts a risk-based approach to regulate AI systems:

  • 'Unacceptable risk' AI systems (AIS) are banned;
  • Stringent compliance obligations are imposed on 'high-risk' AIS (including risk management, data quality and technical documentation); and
  • Minimal obligations apply to 'minimal risk' AIS which may voluntarily follow codes of conduct.

The AI Act will be implemented in phases:

  • discontinuation of any prohibited AIS by 2 February 2025;
  • compliance with specific obligations by providers of general-purpose AI models by 2 August 2025;
  • compliance with specific obligations for high-risk and transparency risk AIS by 2 August 2026; and
  • compliance with obligations for certain specific high-risk AIS products or used as product safety components by 2 August 2027.

Non-compliance with these obligations can lead to penalties of up to €35 million or 7% of a company's global annual turnover.

The Commission Nationale de l'Informatique et des Libertés has recently issued guidelines and recommendations to assist companies in:

  • aligning with EU General Data Protection Regulation (GDPR) obligations while developing, providing or deploying AIS; and
  • understanding interactions between personal data processing and AIS.

These include an overview of data protection issues related to AIS, including:

  • qualifications of AIS providers under the GDPR;
  • choice of legal basis;
  • the GDPR and training data; and
  • individuals' GDPR rights in an AI context.

(c) Connected devices/Internet of Things

The legal framework governing connected devices is essentially composed of three layers.

Product regulation: Different product regulations may apply to connected devices, depending on the concerned sector. For instance, connected medical devices are subject to the EU Medical Devices Regulation (2017/745), which requires compliance with International Organization for Standardization standards and cybersecurity transparency due to the sensitive nature of health data. Similarly, when AI systems are embedded as safety components of connected devices, the AI Act may trigger specific obligations – in particular, third-party conformity assessments to ensure that the AI systems comply with safety and ethical standards before they are introduced on the market.

Data laws: If related to an individual, processing of data made through an Internet of Things (IoT) device will be subject to the GDPR and to the Loi Informatique et Libertés, triggering the application of a number of obligations such as privacy by design, data minimisation and impact assessment, to which IoT providers primarily will likely be subject. With respect to non-personal data, the upcoming Data Act, effective in September 2025, will set out a framework for sharing and using data generated by connected devices. In particular, the Data Act will enhance data interoperability between IoT devices to facilitate the switching of service providers by service recipients.

Cybersecurity: IoT cybersecurity requirements are being reinforced under the forthcoming Cyber Resilience Act, which will impose stringent security obligations on manufacturers and service providers of digital products, including requirements for:

  • cybersecurity risk assessments;
  • vulnerability reporting; and
  • the implementation of security measures for those operating within the EU market.

(d) Other (eg, cloud services, quantum technology, chip technology)

Cloud sovereignty has long been a priority for the French government and EU institutions.

In 2016, the Agence Nationale de la Sécurité des Systèmes d'Information created SecNumCloud, a certification for cloud providers that comply with strict data sovereignty and security requirements. It may be obtained by cloud service providers (infrastructure as a service, platform as a service and software as a service) operating within the European Union, requiring data residency within the European Union and compliance with regulations such as the EU GDPR. To obtain certification, the cloud provider must implement robust measures to prevent foreign jurisdiction interference and surveillance. In September 2024, seven cloud providers hold such certification.

At the EU level, the EU cybersecurity certification scheme (EUCS) set out under the Cybersecurity Act in 2019 and still not yet agreed, aims to create a unified cloud certification across the European Union, potentially replacing SecNumCloud. However, France has raised concerns about the lack of protection against extraterritorial laws in the proposed EUCS, particularly the US Cloud Act, which could jeopardise EU data sovereignty.

As part of its strategy for digital sovereignty, France has established specific protection from foreign investments in relation with critical technologies. Research and development activities relating to critical technologies (ie, cybersecurity, AI, robotics, additive manufacturing, semiconductors, quantum technologies, energy storage, biotechnologies) are considered sensitive and subject to the French foreign investment regime. This means that an authorisation must be obtained from the Treasury Department of the Ministry of Economy if a foreign investment is to be made in a company operating in this sector.

4 Data

4.1 What is the regime in your jurisdiction for regulating the processing of personal data and what specific implications does this have for digital business?

The regulation of personal data processing in France is primarily governed by the EU General Data Protection Regulation (GDPR) and by the Loi Informatique et Libertés at a national level, which includes certain French-specific provisions (eg, in relation to the procession of health personal data). Together, these legal frameworks establish comprehensive rules that apply to personal data processing activities.

Specifically, the data controller – that is, the entity that determines the purposes and means of the processing of personal data – must:

  • implement a range of obligations; and
  • be able to document its compliance with such obligations.

For instance, companies acting as data controllers must:

  • have a legal basis for performing a processing of personal data;
  • comply with transparency obligations;
  • ensure data security and data minimisation; and
  • maintain records of processing activities in certain circumstances.

Data controllers must also facilitate the exercise of data subjects' rights, including:

  • the right of access;
  • the right to erasure; and
  • the right to data portability.

In addition to these general regulations, sector-specific laws impose further obligations in relation to personal data. For example, the e-Privacy Directive, transposed in the Postal and Electronic Communications Code, requires additional transparency regarding the use of cookies and regulates direct marketing, including when conducted online.

Non-compliance with personal data regulations can result in significant fines – up to 4% of global turnover or €20 million under the EU GDPR – imposed by the Commission Nationale de l'Informatique et des Libertés (CNIL). To assist businesses with compliance, the CNIL regularly publishes guidelines and best practices, helping companies to navigate the complex regulatory landscape and avoid costly compliance failures.

4.2 What is the regime in your jurisdiction for regulating the processing and sharing of non-personal data and what specific implications does this have for digital business?

At the EU level, as part of the European Data Strategy, a set of regulations are being adopted to promote the sharing of non-personal data, which is seen as a valuable asset to foster innovation. In particular, the Data Act aims to increase data availability and reuse by granting users of connected devices the right to access and share their non-personal data with third party companies. To this end, connected devices manufacturers are subject to a number of obligations designed to facilitate data access and sharing.

National legal initiatives also support non-personal data sharing. The Loi d'orientation des mobilités, adopted in December 2019, expands the scope of transport and mobility service data from public and private actors, requiring them to make certain information freely accessible to users – such as real-time availability, schedules, locations and pricing data – to promote multimodal mobility and foster innovation in transport services. France also operates an open data platform for data essentially from public administration, but also some private entities (data.gouv.fr); and in 2023, it was ranked first in the European Union for open data by the European Commission according to the following criteria:

  • public policies;
  • national portal;
  • impact; and
  • quality.

IP law can also provide for useful tools for protection and sharing of non-personal data. In particular, when substantial human, material or financial investments have been made in the creation, verification, or presentation of the database, its content – that is, the data – may be protected by a sui generis database right and licensed as an IP asset.

5 Cybersecurity

5.1 Does your jurisdiction have specific cybersecurity legislation and what implications does this have for digital business?

The French cybersecurity legislative framework is dense, mostly emanating from EU regulation. It comprises cross-sector legislation, as well as certain specific laws targeting certain stakeholders or sectors.

For instance, with regard to specific stakeholders, the Defence Code imposes specific cybersecurity obligations on 'operators of vital importance', which are public or private entities deemed critical for the nation. These entities must implement stringent security measures to protect their operations against cyber threats. Furthermore, the Second Networks and Information Systems Directive will strengthen requirements regarding governance and cyber risk management.

With regard to specific sectors, the EU Digital Operational Resilience Act sets uniform requirements for the financial sector to strengthen and harmonise the management of information and communications technology risks and network security. The Second Payment Services Directive also imposes security and safety obligations on online payment services. Additionally, upcoming EU regulations, such as the Cyber Resilience Act, will enhance security requirements for digital products.

The legal framework for cybersecurity in France also includes soft law. The Agence Nationale de la Sécurité des Systèmes d'Information regularly publishes guidelines and recommendations to assist companies in meeting cybersecurity standards. Businesses aiming at a high level of cybersecurity may pursue compliance with international standards such as ISO 27001 or certifications such as SecNumCloud.

Access to cyber insurance has become increasingly challenging. Compensation by insurance companies for losses and damages caused by cyberattacks in the context of professional activities is now contingent upon filing a complaint to police services within 72 hours of discovering the breach (Article L12-10-1 of the Insurance Code).

6 Financial crime prevention

6.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for digital businesses?

Money laundering and other financial crimes (including terrorist financing, corruption and bribery) are criminal offences under French law. Both legal entities and individuals face a risk of prosecution, conviction and criminal sanctions:

  • for individuals, jail time, fines and additional sanctions (including forfeitures, bans, publications); and
  • for legal entities, fines (up to five times higher than for individuals) and additional sanctions.

In the context of its commitments (EU and international), France has implemented dedicated regimes, as follows:

  • When it comes to corruption, the Sapin 2 Law (Law 2016-1691 of 9 December 2016) requires large French companies (with at least 500 employees and a turnover of at least €100 million) to implement measures such as:
    • a code of conduct;
    • reporting systems;
    • risk mapping; and
    • internal control and evaluation procedures.
  • The Anti-corruption Agency (AFA) advises and monitors compliance. Digital businesses meeting these thresholds must implement all these measures and are subject to a potential audit by the AFA.
  • When it comes to anti-money laundering/counter-terrorism financing, the legal transposition in France of the different EU directives created a complex legal framework applicable to some industry sectors. This framework includes:
    • customer due diligence;
    • reporting of suspicious transactions;
    • record keeping; and
    • compliance programmes.
  • Although digital businesses are not regulated as a sector, fintech companies can fall under some of the regulated activities such as financial activities and/or money services and be monitored/controlled by administrative and judicial authorities (Tracfin, the Autorité de Contrôle Prudentiel et de Résolution, the Autorité des Marchés Financiers, Banque de France, the Direction Générale du Trésor, the Parquet National Financier) to that extent.

With the contribution of Guillaume Pellegrin.

7 Consumer protection

7.1 Do the consumer protection measures in your jurisdiction have specific implications for digital business?

Key EU consumer protection regulations – including the 1985 Product Liability Directive (which is set to be repealed by a new directive), the E-commerce Directive, the Digital Services Act (DSA) and Digital Markets Act – collectively establish high standards for product safety, transparency requirement and online platform accountability.

These EU directives have been transposed into French law, particularly in:

  • the Consumer Code;
  • the Commercial Code;
  • the Civil Code; and
  • the Loi pour la Confiance dans l'Economie Numérique.

Guiding principles of consumer protection legal framework in France include:

  • transparency;
  • adapted rules for online contracts (eg, order confirmation by double-click, right of withdrawal); and
  • consumer recourse mechanisms such as mediation to resolve disputes.

France has also enacted, on its own initiative, some digital business-specific regulations, such as the Loi visant à encadrer l'influence commerciale et à lutter contre les dérives des influenceurs sur les réseaux sociaux dated 9 June 2023, to regulate the activities of influencers. The spirit of the law is governed by the consumer protection and transparency principles – in particular, by:

  • prohibiting the promotion of certain goods and services, such as cosmetic surgery; and
  • mandating clear labelling of promotional content as 'advertising' or 'commercial collaboration'.

The French competent authority on consumer protection matters is the Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes (with investigative, supervisory and sanctioning powers). The Commission Nationale de l'Informatique et des Libertés is also competent to sanction the use of 'dark patterns' – that is, deceptive design practices that undermine freely given privacy choices and violate the General Data Protection Regulation and the e-Privacy Directive; while the DSA also prohibits online platforms from manipulating users through their interface.

8 Taxation

8.1 Does your jurisdiction impose a digital services or similar tax; and/or in light of digital business structures, has it introduced rules to modify the level of presence or connection required to fall under the tax regime? If so, to what extent has your jurisdiction committed to removing these taxes or measures should the Organisation for Economic Co-operation and Development-negotiated Multilateral Convention on a new taxing right (Amount A of Pillar 1) come into effect?

In 2019, France enacted a digital services tax that applies to:

  • the making available of a digital interface allowing users to interact with each other; and
  • the placement on a digital interface of ads targeted based on users' data.

The digital services tax is due at a rate of 3% on the revenue made for the provision of such taxable services in France. A company is liable to the French digital services tax when it and the members of its group realise in the preceding calendar year more than:

  • €750 million of revenue for the provisions of taxable services globally; and
  • €25 million of revenue for the provision of taxable services in France.

France has committed to remove its digital services tax if an agreement is found at the OECD on Amount A of the Pillar 1 solution.

France has also enacted other taxes applicable to digital business structures, such as the tax for online video broadcasting (the so-called 'YouTube tax' or 'Netflix tax').

With the contribution of Adrien Soumagne.

8.2 What are the main tax measures, trends and developments in your jurisdiction with implications for digital businesses?

France has been fostering innovation by implementing attractive tax regimes that can be relevant to companies operating in the digital industry, such as:

  • the tax credit for research spending;
  • the IP box regime; and
  • the tax regime for the exchange of crypto assets.

Nevertheless, digital businesses are also under close scrutiny from public opinion and Parliament; the French press writes regularly about the mismatch between:

  • the allegedly low amount of corporate income tax paid by foreign digital groups in France; and
  • the allegedly high value created by French users of digital platforms.

During the 2010s, the French tax authorities audited many foreign digital groups operating in France through a French affiliate performing sales and marketing services for their foreign principal and concluded that the latter had a permanent establishment in France. Some of these cases were also criminally prosecuted and resulted in landmark tax and criminal settlements, such as the Google case that was settled in 2019 for more than €1 billion.

Further to the conclusions of the Base Erosion and Profit Shifting initiative and an unfavourable decision of the Administrative Supreme Court in 2019, many foreign digital groups have changed their structure in France by converting their French affiliates providing sales support and marketing services into limited-risk distributors to reduce permanent establishment exposure. As a result, the French tax authorities now mostly focus their audit efforts on transfer pricing matters. Also, several groups from the digital industry have successfully entered in bilateral advance pricing agreements involving the French competent authority.

With the contribution of Adrien Soumagne.

9 Cross-border trade

9.1 Have any legal measures been implemented to facilitate digital cross-border trade in your jurisdiction?

Within the European Union, the single market and Schengen area ensure the free movement of goods, people, services, capital and data. The Digital Single Market initiative, launched in 2015, aims to unify the digital market across member states by:

  • promoting online trade;
  • ensuring fair competition, consumer and data protection; and
  • regulating geo-blocking and copyright barriers.

This initiative fosters growth in sectors such as e-commerce, telecommunications and digital content through a harmonised regulatory framework.

The EU General Data Protection Regulation (GDPR) is central to this strategy by:

  • harmonising data protection laws; and
  • enabling the free flow of personal data across EU borders which facilitates cross-border digital trade.

The Data Act further enhances cross-border digital trade by harmonising the rules regarding the sharing and reuse of non-personal data.

Recent digital EU legal initiatives increasingly tend to be adopted through regulations which are directly applicable in all EU countries (eg, the GDPR and the Data Act), rather than directives which have to be implemented in each EU countries with national specificities, allowing for a high level of harmonisation on these matters and fostering EU cross-border trade and an EU single market.

9.2 What specific challenges or concerns does digital cross-border trade present in your jurisdiction that digital businesses should bear in mind?

One important challenge with regard to digital cross-border trade in the European Union is the complex layer of applicable texts. This complexity can create confusion for businesses operating across borders and hinder their ability to comply effectively with such multiple regulations. Furthermore, despite the global effort for harmonisation, these texts are often supplemented by national laws that introduce local specificities, complicating compliance across all EU countries. France is generally inclined to adopt new laws as the digital practices evolve and new stakeholders emerge.

For example, businesses engaged in online advertising, particularly on social media, face multiple layers of regulation. At the EU level, they must comply with the E-commerce Directive and the Digital Services Act. At the national level, additional obligations arise from laws such as:

  • the Loi pour la Confiance dans l'Economie Numérique; and
  • more recently, the Loi visant à sécuriser et à réguler l'espace numérique and the law on influencers.

Therefore, this regulatory environment creates a complex landscape of national and EU laws that digital businesses must navigate. Ensuring compliance with these diverse regulations can be both challenging and costly. International companies looking to invest or engage in digital business in France must anticipate:

  • the potential costs of compliance with these regulations; and
  • the risk of financial penalties for non-compliance.

In addition, when it comes to cross-border trade with entities located outside the European Economic Area (EEA) involving personal data, one must keep in mind that the transfers of personal data outside the EEA are subject to stringent obligations, requiring non-EU importers to offer an equivalent level of personal data protection through the implementation of appropriate safeguards.

10 Brand protection

10.1 How are brands protected in your jurisdiction? Are there any specific challenges or considerations for digital businesses to bear in mind?

In principle, brands are protected by the filing of:

  • French or international trademarks designating France (national protection); or
  • EU trademarks (unitary protection in the European Union), for certain goods/services identified in the application.

National trademark rights are granted for 10 years, which are renewable indefinitely. Different kinds of signs are eligible for trademark protection in France; there is no requirement for graphic representation. In addition to names, logos and three-dimensional shapes (among other signs susceptible of graphic representation), movements, holograms and videos/animations (among other signs not susceptible of graphic representation) can also be protected as French trademarks.

One of the main challenges specific to digital businesses is the protection of trademarks in the metaverse. To protect against unauthorised 'meta-use', the list of designated goods and/or services in the trademark application must be extended to new classes of virtual goods and/or services (eg, 'clothes' to be extended to 'clothes authenticated by non-fungible tokens'). The question of whether a French trademark is sufficient to grant protection in the entire metaverse is not settled under French law; but provided that the same rules apply as for the Internet, the answer should depend on the target audience.

Exceptionally, if the brand is considered as 'notorious', trademark protection is granted without filing. In addition, if the brand is considered as 'original', it can also be protected by copyright without formality.

11 Innovation

11.1 How is innovation in the digital business space protected in your jurisdiction? What key issues should digital businesses bear in mind in this regard?

Innovation is primarily protected as software (on which this section focuses) and can be protected in France under copyright or patent law. On the one hand, source code, object code and preparatory design material can be protected under the French copyright on software. This right is granted to the author from the creation of the software (subject to its originality) without any formalities; although the source code can be registered with the Agency for the Protection of Programs to evidence its creation date, which may be useful in the event of a dispute.

On the other hand, functionalities – that is, what the code does when it is executed on a computer – can be protected under French or EU patent law by the filing of a patent application. Protection is conditional on functionalities:

  • having a technical effect; and
  • meeting the criteria of:
    • novelty;
    • inventive step; and
    • industrial application.

One of the main challenges specific to digital businesses is the protection of creation or inventions generated by artificial intelligence. French law is not settled, but they should be protected by:

  • copyright, provided that they require a human intervention (eg, a conscious effort); and
  • patent, provided that they solve a technical problem in a certain field of technology (eg, a European patent covering a "method for reliable and precise bone removal in a three-dimensional (3D) medical image" was recently granted).

12 Competition

12.1 Does the applicable competition regime in your jurisdiction have specific implications for digital business?

Digital companies are subject to the same competition law rules as any other company, but the French Competition Authority (FCA) has recently paid particular attention to the competitive challenges of the digital economy and confirmed in its roadmap for 2023-2024 that digital will remain one of its priorities for action.

As part of its enforcement powers, the FCA issued decisions for abusive conduct against digital operators. In particular, Google has been fined twice (totalling €750 million):

  • following an investigation regarding the remuneration of press publishers; and
  • for favouring its own advertising services (fine of €220 million).

The FCA also imposed interim measures on digital players pending its decision on the merits of the case (eg, it ordered Meta to modify its ad verification criteria). To support its efforts and develop in-depth expertise as well as new investigation tools, the FCA created a digital economy unit in 2020.

In relation to merger control, the FCA can review all transactions involving digital business that:

  • exceed the French thresholds; and
  • do not fall within the competence of the European Commission

Approximately 25 transactions have been reviewed over the last three years, all of which were unconditionally approved.

The FCA recently:

  • conducted sector-specific inquiries into many digital fields (eg, cloud computing and generative artificial intelligence); and
  • signed a joint declaration with the Commission Nationale de l'Informatique et des Libertés to deepen their cooperation in relation to digital challenges raising personal data and competition concerns.

Finally, the FCA can cooperate with the European Commission as regards the Digital Market Rules and investigate possible infringements thereof.

With the contribution of Benoît Gerard

13 Employment

13.1 Does the applicable employment regime in your jurisdiction have specific implications for digital business?

The French employment regime has substantial implications for digital business, particularly those operating via digital platforms. French labour law is known for its strong employee protection and this protective framework applies equally to digital enterprises.

Recent case law has shown that French judges are increasingly attentive to the realities of digital work environments. Although classified as independent contractors, workers on digital platforms may be requalified as employees if their work relationship demonstrates a characteristic of subordination ('lien de subordination'), which is defined by the ability of the employer to give orders, control the execution of tasks and impose penalties (Supreme Court, 13 November 1996, 94-13.187).

Numerous recent judicial decisions highlight this trend. For instance, the Supreme Court, in cases involving Uber and Take Eat Easy, reclassified service contracts as employment contracts due to the significant control that these platforms exert over workers (Supreme Court, 4 March 2020, 19-13.316 and 28 November 2018, 17-20.079). This shift is pivotal as it grants workers additional rights and protections, such as paid leave and social security benefits. More generally, it reflects a growing movement to ensure that digital workers receive treatment comparable to traditional employees.

As digital platforms expand and influence various sectors, from transportation and delivery to social media and e-commerce, companies must navigate these legal complexities carefully.

With the contribution of Alexandra Lereau.

13.2 What rules and restrictions apply to remote working in your jurisdiction?

In France, remote working is regulated by the Labour Code, which sets forth specific rules to protect employee rights and maintain workplace standards.

First, remote work arrangements must be formally agreed between the employer and employee, through either an individual agreement or a collective bargaining agreement. This agreement should outline the terms of remote work, including the employee's rights and obligations and work hours.

Employers are responsible for ensuring that remote workers have the necessary equipment and resources to perform their tasks effectively. French law also stipulates that remote work must not result in any reduction in employee rights. This includes preserving the right to disconnect, which guarantees that employees are not required to be available beyond their agreed working hours. Furthermore, employers must provide remote workers with equal access to training, career development and promotion opportunities as on-site employees.

With the contribution of Alexandra Lereau.

13.3 How can digital business attract specialist talent from overseas where necessary?

In France, startups can grant employees the rights to purchase shares at a fixed price through a scheme known as 'bons de souscription de parts de créateur d'entreprise'. This scheme is appealing for startups because it provides preferential social and tax treatment on the amounts paid to employees. Moreover, it serves as a motivational tool, encouraging recipients to actively contribute to the company's growth during its development phase.

With the contribution of Alexandra Lereau.

14 Environmental, social and governance (ESG)

14.1 What specific challenges or concerns does digital business present from an environmental perspective? What key considerations should be borne in mind in this regard?

Digital businesses present significant environmental challenges, particularly in terms of energy consumption and electronic waste (e-waste).

Data centres, servers and networks consume substantial energy to work, accounting for 6%-12% of global electricity usage. Emerging technologies such as quantum technology, artificial intelligence (AI) and blockchain consume significant amounts of energy due to the need for extreme cooling and complex infrastructure, thereby increasing energy and water demand and raising important environmental concerns.

In addition, the rapid turnover of digital devices has an adverse impact on the environment by contributing to increasing e-waste, which contains hazardous materials that can harm the environment. The EU Waste Electrical and Electronic Equipment Directive addresses this by setting recycling and recovery targets for electronic goods.

In 2016, France introduced a liability regime for ecological damage, setting out a principle of compensation in case of significant damage to:

  • the components or functions of ecosystems; or
  • the collective benefits derived by humans from the environment.

Furthermore, the Loi visant à réduire l'empreinte envrionnementale du numérique en France (REEN) mandates that large and medium-sized companies annually reduce their digital equipment's energy consumption and increase recycling While non-compliance with the REEN carries no penalties, it poses reputational risks with business partners and environmentally conscious customers.

14.2 What specific challenges or concerns does digital business present from a social perspective? What key considerations should be borne in mind in this regard?

The key social considerations that digital business present include the following.

Digital divide: The rapid expansion of digital technologies has exacerbated the digital divide, highlighting disparities in access to technology across regions and socio-economic groups. National and EU programmes are being implemented to address these challenges.

Cybersecurity and trust: The increase of cybersecurity incidents can lead to:

  • identity theft;
  • financial loss; and
  • the erosion of trust in digital services.

The General Data Protection Regulation serves as a cornerstone for addressing these issues by:

  • enforcing stringent data protection requirements; and
  • imposing penalties for non-compliance.

Additionally, the Second Networks and Information Systems Directive (NIS 2) extends cybersecurity obligations to a broader range of sectors.

Mental health: The increasing time spent online, especially by minors, raises concerns about mental health. Excessive screen time has been linked to sleep disruption, anxiety and depression. The Digital Services Act addresses these concerns by requiring large platforms to conduct annual risk assessments on the impact of their services on public health, particularly for minors. Platforms must mitigate risks such as harmful content and provide better user controls.

Bias and discrimination: Algorithmic bias poses another social challenge, potentially leading to unfair or discriminatory outcomes. When algorithms are trained on biased data, they can reinforce inequalities, especially in hiring, lending and law enforcement, affecting vulnerable people. Addressing algorithmic bias, which is one of the goals of the AI Act, is essential to ensuring fairness and equity in automated decision-making.

14.3 What specific challenges or concerns does digital business prevent from a governance perspective? What key considerations should be borne in mind in this regard?

Digital business poses several challenges and concerns from a governance perspective, primarily due to the increasing challenges caused by cyber threats.

Organisations must establish effective governance frameworks that clearly define policies, roles and responsibilities to safeguard their security of their information systems and ensure business continuity – particularly when the organisation is deemed to have a vital interest or an essential role in the economy, public safety or national security.

Administrators face direct liability under NIS 2 and the EU Digital Operational Resilience Act for implementing and maintaining effective cybersecurity measures. Therefore, administrators must ensure that adequate resources are allocated for:

  • developing and monitoring cybersecurity protocols;
  • engaging in risk assessment; and
  • planning for incident response.

Failure to fulfil these responsibilities can lead to significant financial penalties and reputational damage, highlighting the importance of governance, accountability and proactive management in enhancing the organisation's overall cyber resilience.

15 Trends and predictions

15.1 How would you describe the current landscape for digital business and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The current digital business landscape in France, closely aligned with the European Union, focuses on three main areas:

  • Cybersecurity: There has been a significant increase in cybersecurity regulations at both EU and national levels, alongside numerous guidelines from relevant authorities. This trend responds to the rising number of cyberattacks across various sectors, including digital businesses. Governance bodies are also increasingly involved in internal cybersecurity strategies, given that they can be held directly liable for failure to comply.
  • Artificial intelligence (AI): There is no doubt that AI is and will be an essential part of the digital business landscape and compliance with the AI Act will be a real challenge for companies. Some topics remain to be discussed and potentially legally defined, such as personal data concerns and copyright protection.
  • Data: Data remains central, with a strong focus on personal data protection. The enforcement of the EU General Data Protection Regulation has intensified with more frequent and stricter sanctions from data protection authorities. Additionally, non-personal data is gaining prominence, driven by the European Union's push to enhance data access and sharing. The forthcoming Data Act and the recently applied Data Governance Act are pivotal developments that will shape data practices.

While certain pieces of EU legislation are still awaited – such as regulations on privacy in electronic communications and the updated product liability regime in light of AI developments – a period of legislative calm is called for in order for businesses to digest and adapt to the recent intense evolutions of the digital legislative and regulatory framework.

16 Tips and traps

16.1 What are your top tips for digital businesses in your jurisdiction and what potential sticking points would you highlight?

Our main tips for digital businesses are as follows:

  • Legal monitoring: The regulatory landscape for digital sectors is rapidly evolving, making it crucial for companies to stay informed about new and upcoming regulations. Digital businesses must monitor these developments closely or engage with legal experts who can provide timely guidance.
  • Methodology: One of the key challenges in this regulatory framework is the diversity of regulated services and activities, each with varying requirements depending on the company's size and sector of activity. To navigate this complexity, digital businesses should adopt a methodical approach to compliance. This begins with a mapping of all activities and services to identify applicable regulations and obligations. Following this, companies should develop a comprehensive action plan to cover all relevant obligations.
  • Increasing scrutiny: Businesses should be mindful of the increasing scrutiny on issues such as:
    • data protection;
    • cybersecurity; and
    • competition law.
  • Failure to comply with these can result in severe penalties, including significant fines and reputational harm. Therefore, it is essential to integrate compliance into the company's operational strategy, regularly updating practices as new regulations arise. Furthermore, digital issues are often multidisciplinary and require the alignment of different areas of law and approaches such as data privacy and competition law or labour law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Juliette Crouzet
Juliette Crouzet
Photo of Félix Marolleau
Félix Marolleau
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More