April 7, 2011 - Updated on January 20, 2016

Internet companies challenge decree requiring them to store personal data

The French Association of Internet Community Services (ASIC), which groups more than 20 Internet companies including Facebook, Dailymotion, PriceMinister and Google, filed a complaint with the Council of State on 6 April challenging a new addition to the 2004 Law on Confidence in the Digital Economy (LCEN) that requires them to keep large amounts of user data.

The LCEN has already turned commercial web-hosting companies into Internet censors by requiring them to act as judges and evaluate the legality of the content on the sites they host (more information in French:,09011.html).

The new decree, which took effect on 1 March, requires hosting companies and Internet Service Providers (ISPs) to keep the personal data of users for a year “to permit the identification of any individual or entity that contributed to the creation of online content.” Any change to the data automatically restarts the year-long period during which it must be kept,

As users of online services are urged to change their passwords frequently for security reasons, this provision means that a great deal of data will have to be stored indefinitely, and in an unencrypted form. The courts, some sections of the police and gendarmerie, the social security services, the customs, fraud investigators and the tax department are all allowed to access this data.

ISPs are required to keep the connection and subscriber details, the IP address, the connection dates and times and the characteristics of the user’s line. Web hosting companies are required to keep the protocol types used for the connection, the identifier assigned by the information system to the content, the connection responsible for a communication, and information about the “nature of the operation” (photos, videos, texts and so on).

Both ISPs and hosting companies have to keep the information provided by the user when a contract is signed or an account is created, including the user’s name, postal address, “username,” email address, phone number and password.

“ISPs and hosting companies should not have to perform a general surveillance service or act as online policemen,” Reporters Without Borders said. “Their primary duty is to serve Internet users. Personal data should be protected and should be retained only in exception circumstances. The effect of imposing additional duties on ISPs and hosting companies will be to erode the protection of personal data." The press freedom organisation added: "The volume of data that is supposed to be kept is considerable. The law cites terrorism and national security as justification, but these concerns should not be used as pretext for an increasingly repressive policy towards new media. The privatization of Internet regulation is an international threat to free speech. Democratic countries should be setting an example.”

The decree does not specify what rules foreign web-hosting companies have to follow and says nothing about securing the stored user data. This law could be windfall for hackers who specialize in the theft of online personal data. In 2008, the data of 17 million Deutsche Telekom clients were stolen. In France, the mobile operator SFR drew attention to the danger of storing unencrypted client data on 5 April when it posted a map of its hotspots and WiFi access points online that inadvertently included the location of clients’ apartments and the entry codes to their apartment buildings.

The National Commission for Information Technology and Freedoms (CNIL) gave a mixed assessment of the draft decree in December 2007. It was not released until 3 March, after the decree was issued. Several of the points raised by the CNIL were not taken into account in the decree’s final version.

One of the points made by the CNIL was that the stored data should not contain any information about actual content, Reporters Without Borders has reservations about the requirement for hosting services to keep data about the “nature of the operation” as it does not help to identify the author.

This is a concern that was also voiced by the Electronic Communications and Posts Authority (ARCEP) in an opinion issued in March 2008. Both the CNIL and ARCEP also question the logic of forcing ISPs and hosting companies to keep details about the type and amount of payment made by the client.

France, which is on the Reporters Without Borders list of countries “under surveillance” because of their Internet policies, seems determined to reinforce its control of the Internet.

A decree posing a threat to personal data was already adopted in March 2010. It was one of the latest of the so-called “implementation decrees” for the controversial HADOPI law, under which Internet users suspected of illegal file-sharing could end up having their Internet connection suspended after being sent warnings by email and certified letter.

Under the HADOPI “implementation decree” adopted on 7 March 2010, the personal data of suspected illegal downloaders can be kept for 14 months after an initial warning is sent by email and can be kept for 20 months after a final warning is sent by certified letter.