French decree establishes what data must be retained by hosting providers
This article is also available in:
Deutsch: Französische Verordnung legt fest, was Hosting-Provider auf Vorrat sp...
The French Government published on 1 March 2011 the decree establishing the data that must be retained, at the transmission or modification of online content, by the hosting companies, including video sharing and blog hosting services.
The decree related to the conservation of the data "allowing for the identification of any person having contributed to the creation of online content" has been expected since the promulgation of the law on the confidence in the numerical economy (LCEN - implementing the E-commerce Directive) on 21 June 2004, and stipulates now what data, related to the creation, modification or suppression of online content, must be retained by the hosting companies for a period of one year.
According to the decree with immediate application (so in force since 1 March 2011), the data to be preserved include: the identifier of the connection at the origin of the communication, the identifier attributed by the information system to the content that makes the object of the operation, the types of protocols used for the connection and for the content transfer, the nature of the operation, the date and hour of the operation and the identifier used by the author of the operation, when provided. Moreover, the hosting companies must also preserve, for one year after the deletion of an account, even more sensitive data such as the date and time when an account is created and the identifier of the connection, his/her complete name, pseudonyms, associated post addresses, e-mail and associated addresses, telephone numbers and even password.
In case the service subscribed is a paid one, the hosting companies must also retain data related to the payment method, the amount paid and date and hour of the transaction. Furthermore, they must preserve, for one year after the contribution to the content creation, data including the connection identifier, the identifier attributed to the subscriber, the identifier of the terminal used for the connection, the date and hour of the beginning and end of the connection and the features of the subscriber's line.
Following the critical opinions raised by the decree, CNIL (the French Data Protection Authority) has made public its opinion on the matter issued in 2007, but in the Official Journal.
At that time, CNIL was emphasizing the ambiguity of the text in relation to the term "hosting company" which was not yet clearly defined, thus creating a legal insecurity that could be prejudicial to the protection of Internet users' privacy and personal data. CNIL was also warning that only employees specially designated by the legal or administrative authorities in charge with making such requests to ISPs or hosting companies should have access to Internet users' personal data.
The data protection authority was also drawing attention to the ambiguity of the term "identifier" as it would not relate to the same type of data if we refer to an ADSL or free of charge WiFi Internet connection.
Some associations, including one representing Dailymotion, Google France and Facebook announced they intend to file an appeal to the State Council for the annulment of the decree. The arguments that will likely lay the foundation of the appeal are related to the ambiguity of the definitions in the text, to the effect that the hosting companies are required to store passwords that are useless in the identification of people, to the requirement to retain content elements which is explicitly forbidden by law and to the lack of provisions related to a remuneration of the hosting companies, having in view the additional work required by the preservation of the respective data.
LCEN finally has its decree on the data to be retained by the hosting
companies (only in French, 1.03.2011)
Cnil pins downs the decree on the data conservation (only in French,
The LCEN decree should be attacked to the State Council (only in French,