French decree establishes what data must be retained by hosting providers

By EDRi · March 9, 2011

This article is also available in:
Deutsch: [Französische Verordnung legt fest, was Hosting-Provider auf Vorrat speichern müssen | http://www.unwatched.org/EDRigram_9.5_Frankreich_Dekret_zu_Date_die_gespeichert_werden_sollen]

The French Government published on 1 March 2011 the decree establishing the
data that must be retained, at the transmission or modification of online
content, by the hosting companies, including video sharing and blog hosting
services.

The decree related to the conservation of the data “allowing for the
identification of any person having contributed to the creation of online
content” has been expected since the promulgation of the law on the
confidence in the numerical economy (LCEN – implementing the E-commerce
Directive) on 21 June 2004, and stipulates now what data, related to the
creation, modification or suppression of online content, must be retained
by the hosting companies for a period of one year.

According to the decree with immediate application (so in force since 1
March 2011), the data to be preserved include: the identifier of the
connection at the origin of the communication, the identifier attributed by
the information system to the content that makes the object of the
operation, the types of protocols used for the connection and for the
content transfer, the nature of the operation, the date and hour of the
operation and the identifier used by the author of the operation, when
provided. Moreover, the hosting companies must
also preserve, for one year after the deletion of an account, even more
sensitive data such as the date and time when an account is created and the
identifier of the connection, his/her complete name, pseudonyms,
associated post addresses, e-mail and associated addresses, telephone
numbers and even password.

In case the service subscribed is a paid one, the hosting companies must
also retain data related to the payment method, the amount paid and date
and hour of the transaction. Furthermore, they must preserve, for one year
after the contribution to the content creation, data including the
connection identifier, the identifier attributed to the subscriber, the
identifier of the terminal used for the connection, the date and hour of the
beginning and end of the connection and the features of the subscriber’s
line.

Following the critical opinions raised by the decree, CNIL (the French Data
Protection Authority) has made public its opinion on the matter issued in
2007, but in the Official Journal.

At that time, CNIL was emphasizing the ambiguity of the text in relation to
the term “hosting company” which was not yet clearly defined, thus creating
a legal insecurity that could be prejudicial to the protection of Internet
users’ privacy and personal data. CNIL was also warning that only employees
specially designated by the legal or administrative authorities in charge
with making such requests to ISPs or hosting companies should have
access to Internet users’ personal data.

The data protection authority was also drawing attention to the ambiguity
of the term “identifier” as it would not relate to the same type of data if
we refer to an ADSL or free of charge WiFi Internet connection.

Some associations, including one representing Dailymotion, Google France and
Facebook announced they intend to file an appeal to the State Council for
the annulment of the decree. The arguments that will likely lay the
foundation of the appeal are related to the ambiguity of the definitions in
the text, to the effect that the hosting companies are required to store
passwords that are useless in the identification of people, to the
requirement to retain content elements which is explicitly forbidden by law
and to the lack of provisions related to a remuneration of the hosting
companies, having in view the additional work required by the preservation
of the respective data.

LCEN finally has its decree on the data to be retained by the hosting
companies (only in French, 1.03.2011)
http://www.numerama.com/magazine/18191-la-lcen-a-enfin-son-decret-sur-les-donnees-a-conserver-par-les-hebergeurs.html

Cnil pins downs the decree on the data conservation (only in French,
4.03.2011)
http://www.01net.com/www.01net.com/editorial/529385/la-cnil-epingle-le-decret-sur-la-conservation-des-donnees/

The LCEN decree should be attacked to the State Council (only in French,
(2.03.2011)
http://www.numerama.com/magazine/18203-le-decret-lcen-devrait-etre-attaque-devant-le-conseil-d-etat.html