More and more companies are now using new technologies to promote their brands and activities or directly offer their products and services. In this context, virtual reality technologies and other forms of immersive techniques have now reached a level of stability and performance that appeals to many professionals.

France stands out for the proliferation of publishing and marketing companies for this new type of audiovisual content, which are now perfectly integrated with players in the media and video game industries.

Virtual reality (VR) solutions are composed of a host of source code elements, software, SaaS functions, graphic interfaces, technical sensors, and connected objects, each protected by intellectual and even industrial property rules.

To date, there are no legislative texts specifically governing the use of software generating a form of augmented or virtual reality. Given the wide variety of legal texts that may apply and the obligations arising from them, it is of vital importance that professionals contractually regulate their relationships from the creation of VR content regarding their exploitation and licenses.

The challenge for development studios necessarily involves regulating virtual reality licenses and franchises in order to protect their expertise and intellectual property.

For operators of VR rooms or virtual or augmented reality solutions, the challenge concerns the security and reliability of both the software and hardware components that support the VR user experience.

Réalité virtuelle / Réalité mixte / Réalité augmentée / Metavers

These terms are often used to identify similar or even identical technological solutions. In summary, all of these concepts refer to a digitally altered form of physical reality.

Virtual reality refers to all technological tools that allow the user to immerse themselves in an alternative digital environment, whether inspired by the real world or not. Spaces within video games, 360° images and videos, or fully online social networks thus fall within a broad definition of virtual reality.

Mixed reality consists of a combination of elements or objects that blend both digital or virtual objects and elements from the real world.

Augmented reality integrates digital elements or content into the real world, within a real environment accessible from digital devices such as headsets, smartphones, glasses, CAVEs, etc.

The latter is experiencing rapid growth as a convergence point for innovative technologies in distribution (corner shops or fully virtual stores), consumption (advertising, brands, ARsquatting, etc.), and the distinction between public and private spaces.

Finally, the metaverse encompasses all technologies that enable the creation of virtual spaces incorporating immersive 3D experiences. They are generally linked to real-time interconnected services.

Virtual Reality & VR Space – Franchise and Rights License

Many virtual reality studios and software publishers offer their content through franchise and distribution agreements.

Deployed through specialized partners in indoor VR rooms, arcades, amusement parks, or VR spaces adapted for corporate communications, virtual reality solutions are growing massively for recreational and professional use, particularly through SaaS interfaces that facilitate relationships with franchisees, content updates, and product development.

Several financing options for virtual reality projects are now available at the national level, notably through the CNC (Centre for the Promotion of Digital Experiences), local funding, or even private funding (Virtual Reality Venture Capital, Beaumarchais Orange XR Foundation, etc.).

Integrating a publisher into a virtual reality solution

To develop and consolidate the content of their virtual reality solutions, VR studios often offer the integration of third-party content through integration agreements.

This represents a major advantage for software development and distribution companies, benefiting from the studios’ expertise and know-how, particularly in virtual reality software and applications.

These content integration agreements for existing virtual reality offerings involve strict oversight of the products’ intellectual property rights, including any potential or even necessary adaptations of software elements for their porting to VR solutions.

Similarly, issues related to the marketing and advertising of products integrating protected elements must be considered.

Virtual reality contract: the essential clauses

Given the diversity of issues associated with the use and operation of virtual reality tools, virtual reality licensing agreements can include a variety of contractual clauses.

This involves companies considering the distribution and subscription conditions for VR solutions, the types of franchises envisaged, the financial elements, remuneration and royalties of rights holders, any IT developments required to integrate their needs, advertising, maintenance, bug fixes and updates, exclusivity and possible non-compete agreements related to the publisher, and more generally the intellectual property rights of all these obligations.

Issues related to the personal data collected and used must also be addressed in a way that ensures compliance with the GDPR and identifies the responsibility of each partner for the processing implemented and, to a lesser extent, their ownership.

Other, more traditional clauses relating to contract law will also be included.

Virtual reality, collected data and GDPR

The use of virtual reality solutions involves the analysis and collection of a considerable amount of data that may constitute personal data within the meaning of the General Data Protection Regulation (GDPR).

The recording of gestures and movements—micromovements of the head, torso, hands, and eyes, etc.—and the capture of faces and voices are likely to pose very significant challenges: indeed, they can directly or indirectly identify or establish a wealth of personal information about the individual: their identity, profession, information related to their medical condition, their behavior in specific situations, etc.

Several authors refer to an individual cognitive signature or kinematic fingerprint to identify the compilation of this information. Their use is strictly regulated by various laws, which, in the event of a violation, can lead to very severe penalties for both the solution publishers and the operators of virtual reality systems.

Video Games, Esports & Gaming: The Future of Virtual Reality

The video game industry, and its competitive counterpart, esports, quickly became interested in virtual reality techniques that push the boundaries of traditional concepts of video games to increasingly resemble physical activities.

As early as 2016, three companies launched virtual reality technical solutions: HTC Vive (PC), PlayStation VR (Sony), and Oculus Rift, supported by several video game publisher studios dedicated to virtual reality.

Several esports events have been piloted in recent years to create a first VR esports scene: The Unspoken on Oculus Rift launched in May 2017 by Microsoft, Oculus, Asus, Intel, and Insomniac Games; at CES 2016, Virtuix organized a VR esports tournament.

The democratization of the internet has facilitated the creation and availability of content worldwide for all internet users. Relationships between different consumers have gradually become structured through relationship services—social networks—offering everyone the tools to create content and access other users’ published content.

Platforms such as Twitter, TikTok, Instagram, Snapchat, Twitch, and YouTube have fostered a diversification of content and its forms, as well as the emergence of new paid professions related to this content creation: influence and influencers.

As a reminder, influencers are professionals or individuals who offer content published within various social networks, distinguished by very large communities of subscribers or internet users. In this sense, they are considered “opinion leaders,” some of whose content may include promotional or advertising activities for products or services.

Influencers & Law: Professionals with Varied Activities

Influencer marketing is a major challenge for all professional influencers, serving as the primary financial lever for their business.

In this context, numerous commercial practices deemed unfair or misleading have gradually emerged—disguised or clandestine advertising, fake subscriber accounts, content plagiarism, illegal contests, etc.—resulting in platform sanctions and even legal convictions, particularly for counterfeiting or unfair competition.

In the dropshipping sector, for example, it is up to influencers and brand ambassadors to ensure compliance with mandatory consumer law disclosures: identification of the partner, non-incentivization of purchases by young audiences, honest and fair information on product characteristics, exclusion of the promotion of regulated or prohibited products, etc.

Partnerships & Influencer Sponsors: Specific Contracts & Precise Clauses

Providing an exhaustive list of all the clauses likely to appear in an influencer partnership contract appears difficult, given the diversity of influencer profiles, advertisers, and sponsors interested in their services, the types of requests and obligations undertaken, and their terms of application.

Drafting a contract dedicated to the relationship between the influencer and the sponsor/advertiser remains essential to protect the respective interests of each party and to ensure the effective delivery of services that can affect the image and reputation of a company, brand, product, or service.

The contracts drafted may therefore be subject to different legislation and legal codes, including the French Labor Code or civil rules relating to service contracts, depending on the individual’s status: This may involve activities similar to those of a model, actor, athlete, “online audiovisual content creator,” generic promotion, etc.

Law & influencers: specific and personalized promotional contracts

However, a number of distinct services can be identified that may be subject to separate or combined contracts: the one-off promotion of a marketing campaign, the commitment over a given period to publish an identifiable number of free (without any specific style or treatment) or predefined content, the creation of independent and critical content, participation in performances or events, trademark and image rights licensing, etc.

Contracts must include clauses relating to intellectual property, exclusivity, the duration of the partnership, remuneration, the products concerned, the coverage of expenses, etc.

The absence of contractual frameworks can also lead to the criminalization of certain publications. This is particularly the case when the provisions of the French Consumer Code are not respected, particularly the obligation to provide fair and sincere information, which may qualify the operation as a deceptive commercial practice.

Indeed, failure to make advertising clearly identifiable to the public when promoting on behalf of a brand or sponsor is a criminal offense, with penalties of up to two years’ imprisonment, a fine of 300,000 euros, or even percentages of the company’s turnover.

On Child Labor Influencers Read more

Influencers & Social Media: Publisher Responsibility

In France, the Law for Confidence in the Digital Economy (LCEN) reiterates the strict responsibility of influencers for the content they publish, whether or not it is created at the request of third parties.

Indeed, the latter is legally classified as an online content publisher and remains primarily responsible for its publications with regard to the various applicable regulations: press law, image rights and privacy, intellectual property and copyright, defamatory or offensive content, or content constituting other press offenses, etc.

The LCEN recalls on this point the themes which can limit the freedom of expression of influencers, in particular that the latter imply “respect for the dignity of the human person, the freedom and property of others, the pluralist nature of the expression of currents of thought and opinion, the safeguarding of public order, the needs of national defense, the requirements of public service, the technical constraints inherent in the means of communication or even the need, for audiovisual services, to develop audiovisual production”.

Influencers & Social Media: Content Moderation

Governed by contract, the liability of content creators can be mitigated or limited, but it appears very difficult to eliminate it strictly speaking.

Some social media and online content hosting platforms offer tools that facilitate interaction and participation among subscribers, particularly on Twitch and YouTube. The influencer, responsible for all posts on their channel, has a duty to ensure the moderation of content, including that published by a third party.

If they are not the direct author of the post, the influencer, through a so-called cascade of liability, will be co-responsible for their post unless they can prove that they were unaware of the content and removed it promptly, as defined in Article 6 of the LCEN:

“Natural or legal persons who provide, even free of charge, for the purpose of making available to the public through online public communication services, the storage of signals, writings, images, sounds or messages of any kind provided by recipients of these services cannot be held civilly liable for the activities or information stored at the request of a recipient of these services if they were not actually aware of their manifestly illicit nature or of facts and circumstances revealing this nature or if, from the moment they became aware of it, they acted promptly to remove this data or make access to it impossible.”.

Influencers & Social Media: Cyberbullying, Mob Harassment & Digital Raids

Numerous recent practices by influencers encouraging their communities to denigrate or troll people on social media or in real life have prompted legislators to create new specific criminal offenses. Some statements by influencers have been classified as cyberbullying or mass harassment, resulting in prison sentences and fines.

The first court decisions on this matter have been marked by surprising severity on the part of judges in protecting the privacy of victims of cyberbullying: Nadia Daam and Marvel Fitness cases

Designed for start-ups, this guide aims to provide a concise overview of the various steps required to prepare for GDPR compliance.

For more technical information on this topic, we recommend reading all of the firm’s publications.

Find all of PCS Avocat’s publications and advice.

GDPR Compliance: An Obligation for All Businesses

The protection of personal data is primarily governed by the French Data Protection Act of January 6, 1978, and the recent General Data Protection Regulation of April 27, 2016.

In practice, since May 25, 2018, all companies are required to comply with the principles and rules established by these texts, failing which they risk substantial financial penalties: up to €20 million or even 4% of global turnover.

Several examples of CNIL sanctions

Bringing a company into compliance with the GDPR requires addressing several issues, particularly related to its personal data processing, contractual frameworks, IT security, and employee training.

A GDPR audit is the first and most important step for companies that are not yet compliant.

GDPR & businesses: What is personal data?

Personal data legally refers to any data that allows a natural person to be identified, directly or indirectly.

• This usually includes first and last name, photograph, date of birth, video, voice, fingerprints, etc.

• This also includes information that allows a person’s identity to be determined through a third party: this is particularly the case with telephone numbers, license plates, social security numbers, IP addresses, etc.

• It can also be deduced from a combination of various information: age, medical history, and travel records can all together allow a person to be identified.

• Finally, this data can concern customers, employees, interns, suppliers, and external service providers within a company.

Failure to understand the applicable rules can have significant consequences for companies: see our overview of common GDPR errors.

GDPR Audit: Scope of research and analysis

The GDPR imposes accountability on companies, which must be able to demonstrate their data protection compliance in the event of an audit or request from partners. As such, it is no longer necessary to file a CNIL declaration.

The GDPR audit is part of the analysis of all the elements required for any company established or offering its products and services within the European Union. Companies must, in particular, demonstrate:

• The existence of an up-to-date data processing register; this document consolidates all personal information collected for all of the company’s activities: human resources, website, newsletter, customer management, accounting, etc.
• The preparation of impact analyses throughout the company’s development, particularly in the event of a new processing implementation;
• Control of the company’s various service providers and subcontractors and their own compliance with the GDPR in your dealings.

These GDPR audits can be carried out by a member of the company, competent in the matter, or by an external service provider, generally audit firms or specialized lawyers.

GDPR audit in practice: duration and cost

The GDPR audit is designed to provide a comprehensive and complete overview of all of a company’s internal processes regarding personal data.

Mapping the “data flows” collected and processed by the company, it requires the identification of the various relevant stakeholders and departments in order to create the first mandatory document: the processing register.

Young companies and digital startups generally have numerous data processing processes, which require auditing as soon as possible. The duration and cost of audits necessarily vary depending on the complexity and development of the company, ranging from a few hours to several days, or between €1,000 and €10,000.

GDPR Compliance Procedures

To anticipate any audits or requests from a partner company, it is important for each company to adhere to certain practices:

• Appoint a Data Protection Officer (DPO);

• Update contractual documents with clients and partners;

• Secure processing systems;

• Define procedures for access and exercising individual rights;

• Educate and train employees and staff members.

• Update communication materials: website, cookies, newsletters, etc.

Find all the procedures for implementing the GDPR

Cyberattacks & Hospital Health Data

In early September, the APHP-Hopitaux de Paris was the victim of a computer hack that resulted in the theft of more than 1.4 million people’s data related to Covid screening.

The data involved is particularly sensitive, as it relates to the health sector: last name, first name, date of birth, gender, social security number, contact information, postal address, email address, or telephone number, characteristics, and test results.

It should be noted, however, that no other medical information is included in these listings. The stolen files relate almost exclusively to tests carried out in mid-2020 in the Île-de-France region. However, the issues and implications regarding health data remain extremely serious.

Background: Theft of medical data related to Covid

The database was stolen from a download platform hosted in New Zealand, access to which was cut off on September 14, two days after the intrusion was discovered.

According to the APHP, “to transmit to the French National Health Insurance and Regional Health Agencies data from medical biology laboratories useful for monitoring and supporting individuals (contact tracing), this service was used on a very ad hoc basis in September 2020, in addition to the national screening information system (SI-DEP), for which the APHP is responsible for implementation on behalf of the Ministry of Solidarity and Health and which was experiencing technical difficulties with its transmission tools.”

Use of health data and risks for victims

Personal information associated with the hacked account can now be distributed and sold individually or in groups on the internet, particularly the dark web.

This information can also lead to fraud attempts or identity theft for taking out loans or subscriptions. For example, the social security number gives access to the FranceConnect platform, which centralizes more than 800 civil procedures such as taxes, the family allowance fund, or the Health Insurance website.

Finally, phishing attempts, which involve sending people fraudulent emails or text messages, will likely be exploited. Any contact involving the above-mentioned personal data – correspondence from, for example, pharmaceutical companies, hospitals, doctors, healthcare professionals, and public government institutions – may constitute an attempt to hack your data and computer equipment.

Computer Hacking: Actions and Measures to Protect Hospitals

Obliged to directly inform the individuals concerned, the APHP will have notified you of the breach of their information systems. It should be noted that several websites claim to hold the data in question and can identify the individuals concerned.

Public institutions strongly advise against these platforms, some of which are intended to misuse your information for personal purposes.

Technical measures: In the event of a cyberattack, all professionals in the sector recommend, as a precautionary measure, immediately changing the passwords of the targeted users on the various platforms.

To secure their accounts, diversifying passwords and integrating two-step verification via email or text message are encouraged.

Several practical guides and information are regularly updated on existing IT protection measures, password security, etc.

Extended vigilance. It is common for stolen data to be exploited at a significant later date to weaken victims’ vigilance. Public authorities recommend that victims remain vigilant regarding account activity. You can check whether new accounts have been opened in your name via government websites such as the Banque de France or the CNIL.

If you discover unauthorized publication of your personal data, fraudulent use of this data, or attempted fraud, it is important to retain all evidence of these actions, particularly screenshots.

If social media accounts are affected, it is strongly recommended that you directly report the disputed pages, accounts, and messages to the platform moderators.

Complaint and class action: Protection of victims of cyberattacks

As French law does not recognize class actions, victims of the APHP data theft can file individual complaints, claiming the financial and moral damages suffered as a result of this breach. The formation of victims’ associations and the involvement of the CNIL (French Data Protection Authority) in this matter will facilitate, once the identity of those responsible has been established, the award of appropriate compensation.

The proposed offenses, which have already been referred to the Cybercrime Brigade of the Paris Prosecutor’s Office, involve accessing and maintaining an Automated Data Processing System (STAD), fraudulent extraction of data from an STAD, and fraudulent collection of personal data.

The government has made a complaint form available to victims, which can be submitted online to the address plaintiff-befti@interieur.gouv.fr.

However, it is important to note that filing a complaint in the absence of identified damages appears difficult, as a complaint undoubtedly constitutes a first step in the procedure.