ARCEP vs HDS : discrepancy or convergence in reversibility requirements?

At a time when cloud hosting is growing, two standards intersect: the recommendation relating to the interoperability and portability of cloud computing services published on September 25, 2025 and requirement 27 present in the Health Data Host certification framework in its latest and recent version of May 16, 2024.

‍

Arcep's objective is to facilitate the change of cloud provider and thus to strengthen users' ability to choose, while the objective of the HDS framework is to ensure that health data is returned at the end of the contract in a secure manner.

Adopted in 1985, Directive 85/374/EEC on liability for defective products was, in its day, a major milestone in consumer protection in the European Union.

‍

It was based on a solid principle: the no-fault liability of the producer, which allowed the victim of damage caused by a defective product to be compensated without having to demonstrate negligence.

‍

However, nearly forty years later, this legal framework has proved to be inadequate to the profound changes in the market and to the challenges posed by the digital revolution.

‍

In a 2018 report evaluating the effects of the 1985 directive, the European Commission noted the increasing obsolescence of certain central concepts, such as those of “product”, “producer”, or even “defect” and “damage”.

‍

It also highlighted a worrying imbalance in the distribution of costs between consumers and producers, especially when the burden of proof becomes particularly complex, for example, in disputes involving digital technologies or pharmaceutical products.

‍

To take account of these limitations and the changing context, the European Union adopted Directive (EU) 2024/2853, which repeals and replaces the 1985 text. Entered into force on December 9, 2024, this new directive will apply to products placed on the market or put into service as of December 9, 2026.

‍

It aims to respond to contemporary challenges: the development of electronic commerce, increased circulation of goods on a global scale, and the rise of digital products, software and artificial intelligence.

Recent case law has clarified the contours and limits of the absence of any general monitoring obligation on hosts. Since the European directive of June 8, 2000 on e-commerce, hosts have enjoyed a regime of irresponsibility with regard to the monitoring of hosted content.

‍

Recognized as mere technical vectors of information, hosts cannot be held liable for the illicit content they store.

‍

However, this is on condition that they had no knowledge of their illicit nature or, when they did have such knowledge, that they acted promptly to remove the content as soon as they became aware of it.

‍

This principle was transposed into domestic law in Article 6 of the Law for Confidence in the Digital Economy of June 21, 2004 (the so-called LCEN Law), which confirms the absence of a general obligation to monitor hosted content.

‍

This exemption is based on a fundamental principle: it is appropriate to charge hosts with a responsibility proportional to the resources they have available for monitoring content.

‍

However, additional obligations were added by the law of 16 August 2022 concerning the distribution of terrorist content online: this law again imposed an injunction procedure for the removal of terrorist content on the Internet within one hour.

At a time when the first provisions of the artificial intelligence regulation are coming into force, the compliance of AI systems is becoming an essential issue.‍

‍

Artificial intelligence (AI) is defined by Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 as follows: ” A system designed to work with elements of autonomy and capable, for a given set of human-defined goals, of generating results such as content, predictions, recommendations, or decisions that influence the environments with which it interacts.” The regulation distinguishes between artificial intelligence systems (AIS) and general-purpose AI models.

‍

AIS are AI applications designed for specific tasks or areas, such as medical diagnostic support systems. In contrast, general-purpose AI models are versatile systems, capable of being used in a variety of contexts and for a variety of applications. For example, a natural language processing model can be adapted to perform machine translation.

‍

Artificial intelligence raises complex issues, especially in the area of personal data protection. Indeed, artificial intelligence systems operate using a large or even massive quantity of data, justifying the establishment of a rigorous framework governing their use and processing, while ensuring respect for the fundamental rights of individuals, including respect for privacy.

‍

The challenges are multiple : how to ensure that algorithms do not compromise the privacy of individuals? How can we ensure that the data analysis carried out by AI systems remains ethical and in accordance with the principles of transparency, fairness and accountability?

‍

To face these challenges, which are not the same in the design phase and in the deployment phase, data protection authorities, such as the CNIL in France and the EDPS at the European level, must constantly reassess and adjust their doctrines to inform actors in the field on the compliance procedures to be carried out by integrating technological developments. Here we provide an overview of recent developments in this doctrinal and/or regulatory framework relating to AI and the RGPD.

For many years, the European Council has been calling on Member States to strengthen the implementation of their digital health strategies. In this context, on 3 May 2022, the European Commission presented a proposal for a regulation to establish the European Health Data Area (EHDS).

‍

The draft regulation was adopted by the Member States on 22 March 2024 and then by the European Parliament on 24 April 2024. The publication of the text in the Official Journal is expected in autumn 2024, and its entry into force varies depending on the provisions concerned (between 2 years and 10 years).

For several years, the European Union has sought to oversee the development of artificial intelligence in order to reconcile innovation and the protection of fundamental rights. In this context, Regulation EU 2024/1689 (AI Act) was adopted by the European Parliament and the Council on 13 June 2024, prior to its publication in the Official Journal of the European Union on 12 July 2024.

‍

This text establishes regulations based on a risk-based approach, prohibiting certain practices and imposing strict requirements, especially for high-risk AI systems. The application of this regulation is particularly significant in the field of health, where AI promises major advances while requiring compliance with numerous European laws, such as the RGPD and the MDR regulation.

Through this article, we want to share with you several feedback that can help you prevent the emergence of disputes and, therefore, to secure your commercial relationships.

‍

We will not mention relationships between traders, governed by the Commercial Code. We will focus on a particular, although relatively common, situation, namely commercial relationships between a software publisher and a professional customer.