Telecom data to be retained for one year in France

By EDRi · March 29, 2006

The long-awaited application decree for telecommunication data retention was
finally published in France on 26 March 2006. It requires telecommunication
data operators (Internet and telephony) to retain data for one year.
Concerned data are those allowing the identification of:
– the user and its terminal equipment
– the recipients of the communication
– the date, time and duration of the communication
– the additional services used and their suppliers
– the origin and the location of the communication (for telephony services).

The decree specifies provisions that were first introduced in the Daily
Safety Law (‘Loi sur la sécurité quotidienne’ or LSQ), in November 2001, as
an allegedly urgent procedure to fight terrorism, after the 11 September
attacks in the USA. Four years and four months after its adoption, this law
becomes applicable. In the mean time, these provisions have been
twice modified. In March 2003, the Home Safety Law (‘Loi sur la sécurité
intérieure’ or LSI) made these provisions perennial, while they were
supposed to last only until December 2003 and be assessed by the Parliament.
In January 2006, the new French anti-terror law has extended the concerned
provisions in two ways. First, not only the judicial authority but also the
police forces may access the retained data. Secondly, data retention
obligations now apply to Internet cafes, hotels, restaurants, and more
generally to any person or organisation providing Internet access, free or
for a fee, as a main or side activity.

France has then chosen the maximum period of retention allowed by its
national law, instead of choosing the minimum period, according to the new
EU legislation. The European Directive on telecom data retention, recently
adopted by the Parliament and the Council of Justice and Home Affairs,
requires a retention period of no less than 6 months and no more than 2
years.

French EDRI member IRIS has qualified this decree as the “maximal penalty
for privacy”, in a press release issued on the day of the decree
publication. The organisation reminds that short after the LSQ adoption, it
has filed a complaint with the European Commission against France, for
violating the EU legislation. However, this complaint remained in standby,
the EC waiting for the application decree to process the complaint. In the
mean time, two European Directives on data retention were adopted, in 2002
and 2006 respectively, making this complaint obsolete.

The French ISP association (AFA, French EUROISPA member) announced on 28
March that it would challenge this application decree before the Conseil
d’Etat, highest administrative court. The main disputed point is that, while
the decree provides for reimbursement of costs incurred by a requirement of
law enforcement authorites, on a case by case basis, it remains silent on
the general data retention cost which needs important investment from ISPs.
In addition, the AFA deplores the lack of transition period to set up the
retention system, and more generally the lack of discussion on the decree.

Decree no. 2006-358 of 24 March 2006 regarding electronic communications (in
French, 26.03.2006)
http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=JUSD0630025D

Decree LSQ – Maximum penalty for private life (in French, 26.03.2006)
http://www.iris.sgdg.org/info-debat/comm-decretlsq0306.html

ISP Association will file an appeal to Conseil d’Etat (in French,
28.03.2006)
http://www.afa-france.com/p_20060328.html

EDRI-gram : Data Retention Directive Adopted By JHA Council (01.03.2006)
http://www.edri.org/edrigram/number4.4/dataretention

IRIS dossier on data retention (with information on the complaint to EC)
http://www.iris.sgdg.org/actions/retention/

(Contribution by Meryem Marzouki, EDRI-member IRIS)