France: Who have they forgotten to control today?

By EDRi · January 28, 2009

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The CNIL, the French Data Protection Authority, has published on 20 January
2009 a report on a massive control operation it conducted on the STIC
(“Système de traitement des infractions constatées” or “Recorded offences
treatment system”), a huge police database. The report reveals that the STIC
is consulted by each one of the 100.000 authorised policemen 200 times a
year on average. This immediately reminded me the old British Telecom’s
slogan: “who have you forgotten to call today?”

Police files have been the main concern in France in 2008, especially after
the creation, by decrees published on 1st July 2008, of two new intelligence
databases, EDVIGE and CRISTINA. CRISTINA aims at “Centralising inland
intelligence for homeland security and national interests”, and is covered
by the defence secret, which means that no one knows any detail on this
file. This is not the case of EDVIGE, which has generated such a massive
mobilization in the society that the government had finally to withdraw the
EDVIGE decree in November 2008.

EDVIGE would have systematically gathered information on any person having
applied for or exercised a political, union or economical mandate or playing
a significant institutional, economical, social or religious part as well as
information on any person, starting from the age of 13, considered by the
police as a “suspect” potentially capable of disrupting the public order.
After the strong opposition of a large number of associations, political
parties, unions and individuals, with a petition signed by almost 220.000
individuals and 1200 associations, a complaint filed by 12 labour unions and
rights organizations, among them EDRI-member IRIS, before the French highest
administrative court, and a huge national day against EDVIGE on 16 October
where 10.000 persons took part in demonstrations in 60 French cities, the
government finally had to react. It announced a modified project, called
EDVIRSP, not yet published. While the new file would explicitly exclude
information related to people’s health or sexual orientation, it would keep
other sensitive personal data such as ethnical origin, as well as political,
philosophical, religious opinions or union affiliation, and would still
allow the police to store data on minors starting at the age of 13 if they
are considered a threat to public safety.

CNIL’s President said that “the STIC is more dangerous than EDVIGE”, because
of the huge number of errors the CNIL has found in the STIC. But the main
difference is that the CNIL will never be able to establish errors in
EDVIGE, contrarily to the STIC, because EDVIGE will never contain any fact,
but simply presumption of facts that could be committed.

The STIC is dangerous enough, however. The file exists since 1995, but was
officially created only in 2001. The CNIL report established that the STIC
now concerns half of the French population, without any age limitation. An
individual is registered in the STIC by the police after an offence has been
committed. The point is that one can be registered either as a victim, or as
the suspected author of the offence. Then the file is supposed to be updated
after a court decision, which might find that the suspected author is not
guilty. But the CNIL report findings are that this update very seldom
occurs, and that sometimes a victim is mistakenly registered as a suspect.
All in all, the STIC error rate found by the CNIL is 83%. Not only this
error rate is ‘staggering’ as CNIL’s President commented, but also it has
major social consequences, since in 2003 a law extended the STIC’s purposes
to the records checking of people applying to a large range of jobs,
especially in the security field. The report evaluates to 1 million the
number of persons who weren’t hired, or were fired from their jobs, simply
because they were wrongly recorded in the STIC, sometimes because they
actually were a victim, sometimes because their situation wasn’t updated
after a court decision. STIC opponents warned against these dangers as early
as 10 years ago. Here we are now.

In December 2008, another report commissioned by the French Ministry of
Interior has inventoried some 45 police files, whereas 34 were already in
place in 2006. Some of them contain biometric and genetic data.

Among the biometric files, a centralized population database is currently
being established, with the decree on French biometric passport having been
published on 30 April 2008. A complaint filed against the French government
by EDRI-member IRIS and the French Human Rights League is still pending.
Main arguments of the complaint are: the collection of 8 digital
fingerprints of the passport holder (whereas the European Council regulation
requires only 2), the fact that this also applies to children starting from
age 6, and the creation of a centralized database containing all information
on the passport holder, including biometric data.

Another pending complaint against the French government concerns the ELOI
database, created to manage the expulsion of illegal migrants. The complaint
has been filed by EDRI-member IRIS, with the French Human Rights League and
two other French organizations for the support of migrants. This database
has been created by decree on 26 December 2007, after the same organizations
won a previous complaint against a first version of ELOI. For the
plaintiffs, a data retention period of 3 years, as well as the collection of
migrants’ children data, remain violating the French and European
legislation on data protection.

These files are only examples of a strong and enduring trend in France,
which consist in huge centralized population databases, increased use of
biometric and genetic data, considering migrants as a target, and, last but
not least, specifically targeting children.

Year 2008 has shown however that the concern is growing in the general
public, and this is a good sign. While the French have not really reacted to
data retention issues, they seem to start considering that police databases
and other files created by other administrations, especially when they
concern children, are now going too far. When the government is facing
massive citizen mobilisation, it has to go backwards. This is the lesson
learnt with EDVIGE in 2008.

Year 2009 needs to be carefully watched out, though. The law implementing
the “graduated response” or the “three strikes approach” against filesharers
is expected to pass this year. New measures to fight cybercrime have also
been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And
the draft law on biometric ID cards is ready for months, and will probably
be submitted to the Parliament as soon as things will calm down on the
privacy front.

CNIL Report: Conclusions on the control of the STIC (only in
French, 20.01.2009)

IRIS Press Release: ‘ CNIL’s control of the STIC: a healthy exercise, but
timorous conclusions’ (only in French, 23.01.2009)

EDRI-gram: French EDVIGE decree withdrawn (3.12.2008)

French Interior Ministry Report: ‘Better controlling mechanisms
implementation to better protect freedoms’ (11.12.2008, only in French)

EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport
Decree (16.07.2008)

EDRI-gram: Eloi – A French Database To Manage The Expulsion Of Illegal
Migrants (16.01.2008)

(Contribution by Meryem Marzouki, EDRI member IRIS – France)