<plang="en-US">E Foundation develops mobile operating systems, applications and tools designed to protect users' privacy.</p>
<plang="en-US">As part of this effort, /e/OS is a non-profit operating system project, supported by an international team of experienced entrepreneurs, developers and designers, and a growing community of collaborators.</p>
<plang="en-US">But beyond the operating system, applications are also essential elements of a good smartphone experience.</p>
@@ -38,7 +34,7 @@
<plang="en-US">By installing App Lounge and using the Software, Users agree to be bound by these Terms and Conditions and to accept them without reservation.</p>
<plang="en-US">If Users refuse to comply with any of the obligations and conditions contained in the Agreement, they must forfeit access to and use of the Software.</p>
<plang="en-US">Users represent and warrant that they have the legal capacity to contract and, if they are a legal entity, that they are authorized to act on behalf of such entity.</p>
<plang="en-US"><span>The Users declare that they have the right to use the Software.</span></p>
<plang="en-US">The Users declare that they have the right to use the Software.</p>
<plang="en-US">Furthermore, Users declare that they have read the Terms and Conditions of the Google Play Store as indicated at: https://play.google.com/</p>
<plang="en-US">They also declare to respect them, when exercising their right to benefit from a service that is not coupled with the collection and processing of their personal data, as well as when exercising their right to the portability of their data.</p>
<plang="en-US">These General Conditions are concluded for the duration of the use of the Software by the User.</p>
@@ -84,6 +80,8 @@
<plang="en-US">The Software is developed in a standardized way for all Users. It is not designed to be adapted to their personal constraints.</p>
<plang="en-US">E Foundation is not responsible for the use of external software and/or external applications that Users may access through the Software.</p>
<plang="en-US">In case Users are redirected to an external application or to an external Software, the terms of use of the relevant Software shall apply instead of these Terms and Conditions.</p>
<plang="en-US">E Foundation declines all responsibility for any sanctions that may be taken by Google due to the use of personal accounts by Users, and in particular in the event of their banning – ban possibilities being particularly broad with regard to the Terms of Service of the Google Play Store.</p>
<plang="en-US">Users acknowledge and accept that it is their responsibility to manage their accounts in that sense, and if needed, to create additional accounts in order for them to use of the Software.</p>
<olstart="7">
<li>
<h1lang="en-US">PROHIBITED BEHAVIOR</h1>
@@ -158,74 +156,7 @@
</li>
</ol>
<plang="en-US">The formation, existence, validity, interpretation, execution and termination of these General Terms and Conditions of Use and their possible consequences are subject to French law.</p>
<p><spanlang="en-US">IN THE EVENT OF A DISPUTE RELATING TO THE FORMATION, EXISTENCE, VALIDITY, INTERPRETATION, EXECUTION OR TERMINATION OF THESE TERMS AND CONDITIONS AND THEIR POSSIBLE CONSEQUENCES, THE COURTS OF THE JURISDICTION OF THE COURT OF APPEAL OF PARIS SHALL HAVE JURISDICTION NOTWITHSTANDING MULTIPLE DEFENDANTS OR THIRD-PARTY CLAIMS</span><spanlang="en-US"><span>, </span></span><spanlang="en-US"><span>INCLUDING WITH REGARDS TO URGENCY OR PRELIMINARY PROCEEDINGS</span></span><spanlang="en-US"><span>.</span></span></p>
<plang="en-US"></p>
<plang="en-US"><u><strong>Note 1: the prohibition of linkage between a service and the collection of personal data</strong></u></p>
<plang="en-US">While the GDPR only clarified the criterion of manifest imbalance, it also introduced new requirements as to how to ensure that consent is freely given.</p>
<plang="en-US">According to the terms of Article 7 (4), when carrying out such an examination, it is indeed necessary to:</p>
<plang="en-US"><em>"… the utmost account should be taken of the question whether, inter alia, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data which is not necessary for the performance of that contract".</em></p>
<p><spanlang="en-US">The Article 29 Working Party, whose conclusions were endorsed by the European Data Protection Committee on this point (EDPB, Endorsement 1/2018, 25 May 2018, pt 1), deduced from these provisions a </span><spanlang="en-US"><u><strong>principle of prohibition of "coupling" consent</strong></u></span><spanlang="en-US"> [with] the acceptance of general terms and conditions and "subordinating" the provision of a contract or service to a request for consent to the processing of personal data not necessary for the performance of [the same] contract or service."</span></p>
<plang="en-US">By reference to Recital 43 of the GDPR, which expressly states this, it considers that such circumstances result in "consent [being] presumed not to have been freely given" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 26. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 9, pt 3.1.2).</p>
<plang="en-US">In doing so, it recognizes the very purpose of Article 7(4) of the EU Regulation, which "seeks to ensure that the purpose of processing personal data is not concealed or associated with the provision of a contract or service for which such personal data are not necessary" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 26. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 9, pt 3.1.2).</p>
<plang="en-US">With such provisions, the legislature has thus made the choice to emphasize, "among other things, [that] conditionality" is presumed to be equivalent to a "lack of freedom of consent" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 11, pt 3.1.2, § 34. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 10, pt 3.1.2).</p>
<plang="en-US">It is therefore important to distinguish between consent and contract, which are "two legal bases" that cannot be "merged [or] amalgamated" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 26. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 9, pt 3.1.2).</p>
<plang="en-US">In practice, the reasoning of the European Data Protection Committee is straightforward.</p>
<plang="en-US">It considers that "the obligation to consent to the processing of personal data other than those strictly necessary limits the choice of the data subject”.</p>
<plang="en-US">It does so all the more because it exposes the data subject "to the risk [...] of having the services requested refused".</p>
<plang="en-US"><u><strong>It cannot therefore be considered "as a sine qua non for the performance of a contract or the provision of a service".</strong></u></p>
<plang="en-US">If it were, then it would "impede [a] free consent" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 27. - See previously, Article 29 Working Party, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 9, pt 3.1.2).</p>
<p><spanlang="en-US">This is what the </span><spanlang="en-US"><em>Conseil d'Etat</em></span><spanlang="en-US"> has already ruled, considering that "the fact that children's access to school is subject to their acceptance of the use of temperature measurement by thermal camera excludes in any case that consent can be considered as free" (CE, ord. réf., 26 June 2020, n° 441065, Ligue des droits de l'Homme, cons. 24).</span></p>
<p><spanlang="en-US">This can also be the case for the practice of so-called "cookie walls", which consists of blocking access to a website until the Internet user has accepted - and this is the only choice offered to him, in the absence of a presentation of the different purposes of cookies - the installation of all </span><spanlang="en-US"><span>tracking cookies</span></span><spanlang="en-US"> on his terminal (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 39 to 41, ex. 6a).</span></p>
<plang="en-US">As this practice is particularly widespread, the European Data Protection Board has therefore deemed it essential to amend the previous guidelines of the Article 29 Working Party that it had endorsed (EPDB, Endorsement 1/2018, 25 May 2018, pt 1).</p>
<plang="en-US">As did the Dutch Data Protection Authority, which had already applied it under the terms of a statement made public in March 2019 (See for the original version of the statement only available in Dutch, https ://autoriteitpersoonsgegevens.nl/nl/nieuws/websites-moeten-toegankelijk-blijven-bij-weigeren-tracking-cookies. - The CNIL also anticipated this by introducing this principle in its guidelines on cookies.</p>
<plang="en-US">It then recalled the position of the European data protection authorities that "the practice of blocking access to a website or mobile application for those who do not consent to be tracked ("cookie walls") is not compliant with the GDPR", on the grounds that, "in such a case, users are not able to refuse the use of trackers without suffering negative consequences (in this case the impossibility of accessing the site consulted) (CNIL, deliber. no. 2019-093, 19 July 2019, art. 2).</p>
<p><spanlang="en-US"><u><strong>However, the </strong></u></span><spanlang="en-US"><em><u><strong>Conseil d'Etat</strong></u></em></span><spanlang="en-US"><u><strong> did not see "any binding force" in this reminder.</strong></u></span></p>
<p><spanlang="en-US"><u><strong>In addition, it ruled above all that by "deducing such a general and absolute prohibition from the sole requirement of free consent, laid down by the regulation of April 27, 2016, the CNIL exceeded"</strong></u></span><spanlang="en-US"> - there was therefore a problem of jurisdiction on its part - "what it can legally do, within the framework of an instrument of flexible law, enacted on the basis of 2° of I of Article 8 of the Law of January 6, 1978" and that, consequently, the fourth paragraph of Article 2 of its deliberation was "vitiated by illegality" in this respect (CE, June 19, 2020, n° 434684, Assoc. des agences-conseils en communication et a., cons. 9 and 10).</span></p>
<plang="en-US">In this respect, the Conseil d'Etat limited itself to relying on a more general argument, as invited by its public rapporteur, since the judge did not intend to fully follow the conclusions of the latter, who had been bolder in considering that the prohibition in principle of wall cookies was too broad and too general, in the absence of an express legislative provision in this respect (concl. A. Lallet, p. 5 ff.).</p>
<p><spanlang="en-US">Drawing the consequences of the </span><spanlang="en-US"><em>Conseil d'Etat's</em></span><spanlang="en-US"> decision, the CNIL has thus adopted new guidelines.</span></p>
<p><spanlang="en-US">Although </span><spanlang="en-US"><u><strong>it has toned down its position</strong></u></span><spanlang="en-US">, it still considers the practice of wall cookies to be illegal, but this time not in all circumstances, but only in most cases.</span></p>
<plang="en-US">According to her, this simply results from "making the provision of a service or access to a website conditional on the acceptance of writing or reading operations on the user's terminal".</p>
<plang="en-US">Under these conditions, it considers that such a practice "is likely to infringe, in certain cases, the freedom of consent" (CNIL, Deliberation No. 2020-091, Sept. 17, 2020, art. 2, pt 17).</p>
<p><spanlang="en-US">For this reason, </span><spanlang="en-US"><u><strong>it is necessary to assess the lawfulness of such practices "on a case-by-case basis"</strong></u></span><spanlang="en-US">, particularly regarding "the information provided to the user", which must "clearly indicate the consequences of his choices and, especially, the impossibility of accessing the content or service without consent" (CNIL, Deliberation No. 2020-091, Sept. 17, 2020, art. 2, point 18).</span></p>
<plang="en-US">This reasoning, which is valid in general for the EDPS and in the vast majority of cases for cookie walls, seems particularly well suited to the Google Play Store hypothesis.</p>
<p><spanlang="en-US">In this sense, we can only hope that the limits set by the </span><spanlang="en-US"><em>Conseil d'Etat</em></span><spanlang="en-US"> are not absolute limits, but simply a request for a case-by-case analysis of the situations, especially in view of the concrete importance that this rule of prohibition of coupling could take, which is however purely of praetorian origin.</span></p>
<p><spanlang="en-US">In other words, if the </span><spanlang="en-US"><em>Conseil d'Etat</em></span><spanlang="en-US"> was keen to intervene regarding the general prohibition of cookie walls, it is precisely because the prohibition of coupling is intended to apply to many other situations, including application stores, and that certain couplings may sometimes prove legitimate.</span></p>
<p><spanlang="en-US"><u><strong>It would then remain for us to demonstrate that this coupling is not necessary for the provision of the service, but that it is only used for commercial purposes</strong></u></span><spanlang="en-US"> - even if, in our legal scheme, it is up to the User to make this demonstration.</span></p>
<plang="en-US">In these circumstances, the European Data Protection Committee has recommended a methodology to be followed.</p>
<p><spanlang="en-US">It must be said that "the phrase 'take the utmost account' used" in Article 7 (4) of the GDPR invites "careful assessment" of the applicable legal basis, in that this term "suggests that the </span><spanlang="en-US"><span>controller </span></span><spanlang="en-US"> must be particularly cautious where a contract (which could include the provision of a service) incorporates a request for consent to the processing of personal data.</span></p>
<p><spanlang="en-US">Caution is even more necessary because "in any event, the burden of proof rests with the </span><spanlang="en-US"><span>controller,</span></span><spanlang="en-US"> both under the specific rules of Article 7(4) and under the more general principle of accountability that they reflect.</span></p>
<plang="en-US">It adds that the wording of these provisions "is not absolute".</p>
<plang="en-US">There may therefore be "a very limited number of cases where conditionality" would not render consent invalid, although the use of "the word 'presumed' in recital 43 makes it clear that such cases will be highly exceptional" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 30, 36 and 37. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, pp. 9 and 10, pt 3.1.2).</p>
<plang="en-US">In practice, to "assess whether a [...] situation of coupling or subordination takes place," the European Data Protection Board thus recommends that data controllers "determine the scope of the contract and the data that would be necessary for [its] performance" (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 29. - See previously, Section 29 Group, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 9, pt 3.1.2).</p>
<plang="en-US">To do so, one must refer to the previous opinion of the Article 29 Working Party of April 9, 2014 (see in particular, JCl. Communication, fasc. 932-73), which seems to be usefully supplemented by the guidelines of the European Data Protection Committee on the processing of personal data carried out based on Article 6 (1), b) of the GDPR in the context of the provision of online services (EDPS, Guidelines 2/2019, Oct. 8, 2019).</p>
<plang="en-US">In its consent guidelines (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 10, pt 3.1.2, § 30 and 31. - See previously, Article 29 Group, Guidelines, Apr. 10, 2018, WP 259 rev.01, pp. 9 and 10, pt 3.1.2), the European Data Protection Board, however, summarized the main points, namely:</p>
<ul>
<li>
<plang="en-US">that "the phrase 'necessary for the performance of a contract' must be interpreted restrictively";</p>
</li>
<li>
<plang="en-US">that "the processing must be necessary for the performance of the contract concluded with each of the data subjects", which may "for example include the processing of the data subject's address so that goods purchased online can be delivered, or the processing of credit card information in order to enable payment" or, "in the employment context, [...] the processing of salary and bank account information in order to be able to pay salaries";</p>
</li>
<li>
<plang="en-US">in other words, "there must be a direct and objective link between the processing of the data and the purpose of performing the contract";</p>
</li>
<li>
<p><spanlang="en-US">so that "if a </span><spanlang="en-US"><span>data controller</span></span><spanlang="en-US"> seeks to process data that is actually necessary for the performance of a contract, then consent is not the appropriate legal basis.</span></p>
</li>
</ul>
<plang="en-US"><u><strong>It follows that "Article 7(4) is only relevant where the data required are not necessary for the performance of a contract (including the provision of a service) and the performance [of such a] contract is conditional on obtaining [the] data [at issue] on the basis of consent.</strong></u></p>
<p><spanlang="en-US">On the contrary, </span><spanlang="en-US"><u><strong>"if the processing is necessary for the performance of the contract (including the provision of a service)", these provisions no longer apply</strong></u></span><spanlang="en-US"> (EDPB, Guidelines 05/2020, 13 May 2020, v.1.1, p. 11, pt 3.1.2, § 32. - See previously, Article 29 Panel, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 10, pt 3.1.2).</span></p>
<plang="en-US"><u><strong>As an example, the European Data Protection Committee cites the case of a "bank [that] requests consent from its customers to allow third parties to use their payment information for direct marketing purposes."</strong></u></p>
<plang="en-US">In its view, such "processing is not necessary for the performance of the contract with the customer and the provision of ordinary bank account services.</p>
<plang="en-US">It deduced that, "if the customer's refusal to give consent to this purpose of processing would result in the denial of banking services, the closure of the bank account, or, as the case may be, an increase in charges, then consent would not be freely given" (EDPB, Guidelines 05/2020, 13 May 2020, v.1 .1, p. 11, pt 3.1.2, § 33, ex. 6. - See previously, Article 29 Group, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 10, pt 3.1.2, ex. 6).</p>
<plang="en-US"><u><strong>The analogy here is quite important to Google's app store.</strong></u></p>
<p><spanlang="en-US">In the end, it could only be on condition that the </span><spanlang="en-US"><span>controller</span></span><spanlang="en-US"> operates "truly equivalent" services in practice, thus guaranteeing "a genuine choice for data subjects [...] between a service that includes consent to the use of personal data for additional purposes and an equivalent service offered by the same </span><spanlang="en-US"><span>controller.</span></span></p>
<plang="en-US"><u><strong>Except that in this case, Google does not offer any alternative service.</strong></u></p>
<plang="en-US">They can reason in "competition law" mode and indicate that they would be lawful because others provide an alternative service.</p>
<plang="en-US"><u><strong>However, this is not the case for the European Data Protection Committee when "the equivalent service offered" is carried out "by another controller".</strong></u></p>
<p><spanlang="en-US">In such a case, it considers that "freedom of choice would depend on what other market players are doing and whether the data subject finds the services of the other </span><spanlang="en-US"><span>controller</span></span><spanlang="en-US"> truly equivalent", not to mention the additional obligation this would entail "for </span><spanlang="en-US"><span>controllers</span></span><spanlang="en-US"> to monitor market developments to ensure that consent to their processing activities is still valid, since a competitor may subsequently modify its services" (EDPB, Guidelines 05/2020, 13 May 2020, v.1 .1, p. 11, pt 3.1.2, § 37 and 38. - See previously, Section 29 Group, Guidelines, Apr. 10, 2018, WP 259 rev.01, p. 11, pt 3.1.2).</span></p>
<plang="en-US"></p>
<plang="en-US"></p>
<p><spanlang="en-US">IN THE EVENT OF A DISPUTE RELATING TO THE FORMATION, EXISTENCE, VALIDITY, INTERPRETATION, EXECUTION OR TERMINATION OF THESE TERMS AND CONDITIONS AND THEIR POSSIBLE CONSEQUENCES, THE COURTS OF THE JURISDICTION OF THE COURT OF APPEAL OF PARIS SHALL HAVE JURISDICTION NOTWITHSTANDING MULTIPLE DEFENDANTS OR THIRD-PARTY CLAIMS</span><spanlang="en-US">, </span><spanlang="en-US">INCLUDING WITH REGARDS TO URGENCY OR PRELIMINARY PROCEEDINGS</span><spanlang="en-US">.</span></p>
