New French data protection act not unconstitutional

By EDRi · August 4, 2004

On 29 July 2004 the French Constitutional Council decided that the proposed new data protection act is not unconstitutional, except for one provision (article 9.3), which has been struck from the law. The law transposes the European privacy directive of 1995 (1995/46/EC), and was accepted by the French Senate on 15 July 2004.

The proposal to examine the law was submitted on 20 July by members of the French parliamentary opposition. They objected in particular to the powers granted in the new paragraph 9.4 to collecting societies and similar representatives of intellectual property rights to create files with telecommunication traffic data of supposed copyright infringers to ‘mutualise the battle against the piracy of works’.

The Constitutional Council rejects this complaint explicitly, considering that existing safeguards established by other laws are sufficient, like the fact that the storage of traffic data should not exceed a one-year period. Generally the Council ‘confirms that the law does not damage in any legal way the constitutional requirement to respect private life’. However, the Council does object to the possibility of giving all (business) victims of fraud the same powers in the analogue world, i.e. to create private police records without any rights of access and correction, because the definition of ‘fraud’ lacks precision. But at the same time the Council also remarks that this ban on databases with private infringements (the stricken article 9.3) should not harm the constitutional rights of every person, natural or legal, to defend their rights in court.

A broad coalition of French NGOs and trade unions, including the French Human Rights League (LDH) and EDRI-member IRIS, has objected to many provisions of the new law for a long time, since the first introduction of the pre-draft in September 2000. Amongst their concerns about the act are the fact that genetic and biometric data are not included in the list of sensitive data, and the possibility for companies to appoint a ‘data correspondent’ (privacy officer) instead of filing a list of personal data with the data protection authority (the CNIL in France). The DELIS-coalition finds it unacceptable that these in-house privacy officers do not have a protected status, necessary to guarantee independence from their employers.

Earlier the DELIS-coalition announced they would file a complaint with the European Commission against France if the Council decision was not found satisfactory.

Constitutional Council full verdict (in French, 29.07.2004)
http://www.conseil-constitutionnel.fr/decision/2004/2004499/2004499dc.htm

DELIS, LDH and IRIS press release (16.07.2004)
http://www.iris.sgdg.org/info-debat/comm-infolib0704-en.html

EDRI-gram 2.8 ‘France to implement 1995 Privacy Directive’ (21.04.2004)
http://www.edri.org/cgi-bin/index?id=000100000148

(Thanks to Meryem Marzouki, EDRI-member IRIS)