Web 2.0 Companies in France Challenge Data Retention Law in Court

Web 2.0 Companies in France Challenge Data Retention Law in Court

Matt Lonsdale is a JD candidate at Dalhousie University.

A French government decree (English translation via Google Translate) dated February 25th requires online communication service providers to maintain detailed records on their users, including full names, addresses, telephone numbers and passwords. A number of affected organizations, including Google and Facebook, have come together as the French Association of Internet Community Services (ASIC) to challenge the new law.

An existing French law (English translation via Google Translate) from 2004 places a requirement on providers of communication services to maintain records sufficient to identify their users. The recent decree clarifies and arguably expands this provision by specifying what information is to be retained and for how long.

Subscriber information, including the subscriber’s full name, postal address, email address, telephone numbers and password must be maintained for a period of one year following the closure of the subscriber’s account. Payment records, including the date, time, type of payment and amount must be maintained for one year after the transaction. In particular, the obligation to store passwords has alarmed some, with ASIC chief executive Benoit Tabaka saying “[T]his is a shocking measure, this obligation to keep passwords and hand them over to police services”. However, a reading of the law reveals that organizations are only required to store the subscriber and payment information described above to the extent that they already collect it. While the decree does establish a minimum “shelf life” of one year before stored information can be purged, it’s unclear that it creates an obligation to obtain subscriber information beyond what a provider already collects.

This is not the case for information regarding specific communications. For each communication activity, the service provider must maintain a record of the time, date, subscribers involved and network protocols used to transfer the content of the communication. This information must be maintained for a period of one year following the communication. Unlike the subscriber and payment information, the decree mandates exactly what information is to be stored: it does not depend on what the provider would normally collect.

Some of the service providers involved have concerns beyond the privacy implications. Benoit Tabaka stated his disappointment with the lack of consultation with the European Commission: “[O]ur activities target many national markets, so it is clear that we need a common approach”. The case will be heard before Le Conseil D’État, France’s highest administrative court.