France: Who have they forgotten to control today?
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
The CNIL, the French Data Protection Authority, has published on 20 January 2009 a report on a massive control operation it conducted on the STIC ("Système de traitement des infractions constatées" or "Recorded offences treatment system"), a huge police database. The report reveals that the STIC is consulted by each one of the 100.000 authorised policemen 200 times a year on average. This immediately reminded me the old British Telecom's slogan: "who have you forgotten to call today?"
Police files have been the main concern in France in 2008, especially after the creation, by decrees published on 1st July 2008, of two new intelligence databases, EDVIGE and CRISTINA. CRISTINA aims at "Centralising inland intelligence for homeland security and national interests", and is covered by the defence secret, which means that no one knows any detail on this file. This is not the case of EDVIGE, which has generated such a massive mobilization in the society that the government had finally to withdraw the EDVIGE decree in November 2008.
EDVIGE would have systematically gathered information on any person having applied for or exercised a political, union or economical mandate or playing a significant institutional, economical, social or religious part as well as information on any person, starting from the age of 13, considered by the police as a "suspect" potentially capable of disrupting the public order. After the strong opposition of a large number of associations, political parties, unions and individuals, with a petition signed by almost 220.000 individuals and 1200 associations, a complaint filed by 12 labour unions and rights organizations, among them EDRI-member IRIS, before the French highest administrative court, and a huge national day against EDVIGE on 16 October where 10.000 persons took part in demonstrations in 60 French cities, the government finally had to react. It announced a modified project, called EDVIRSP, not yet published. While the new file would explicitly exclude information related to people's health or sexual orientation, it would keep other sensitive personal data such as ethnical origin, as well as political, philosophical, religious opinions or union affiliation, and would still allow the police to store data on minors starting at the age of 13 if they are considered a threat to public safety.
CNIL's President said that "the STIC is more dangerous than EDVIGE", because of the huge number of errors the CNIL has found in the STIC. But the main difference is that the CNIL will never be able to establish errors in EDVIGE, contrarily to the STIC, because EDVIGE will never contain any fact, but simply presumption of facts that could be committed.
The STIC is dangerous enough, however. The file exists since 1995, but was officially created only in 2001. The CNIL report established that the STIC now concerns half of the French population, without any age limitation. An individual is registered in the STIC by the police after an offence has been committed. The point is that one can be registered either as a victim, or as the suspected author of the offence. Then the file is supposed to be updated after a court decision, which might find that the suspected author is not guilty. But the CNIL report findings are that this update very seldom occurs, and that sometimes a victim is mistakenly registered as a suspect. All in all, the STIC error rate found by the CNIL is 83%. Not only this error rate is 'staggering' as CNIL's President commented, but also it has major social consequences, since in 2003 a law extended the STIC's purposes to the records checking of people applying to a large range of jobs, especially in the security field. The report evaluates to 1 million the number of persons who weren't hired, or were fired from their jobs, simply because they were wrongly recorded in the STIC, sometimes because they actually were a victim, sometimes because their situation wasn't updated after a court decision. STIC opponents warned against these dangers as early as 10 years ago. Here we are now.
In December 2008, another report commissioned by the French Ministry of Interior has inventoried some 45 police files, whereas 34 were already in place in 2006. Some of them contain biometric and genetic data.
Among the biometric files, a centralized population database is currently being established, with the decree on French biometric passport having been published on 30 April 2008. A complaint filed against the French government by EDRI-member IRIS and the French Human Rights League is still pending. Main arguments of the complaint are: the collection of 8 digital fingerprints of the passport holder (whereas the European Council regulation requires only 2), the fact that this also applies to children starting from age 6, and the creation of a centralized database containing all information on the passport holder, including biometric data.
Another pending complaint against the French government concerns the ELOI database, created to manage the expulsion of illegal migrants. The complaint has been filed by EDRI-member IRIS, with the French Human Rights League and two other French organizations for the support of migrants. This database has been created by decree on 26 December 2007, after the same organizations won a previous complaint against a first version of ELOI. For the plaintiffs, a data retention period of 3 years, as well as the collection of migrants' children data, remain violating the French and European legislation on data protection.
These files are only examples of a strong and enduring trend in France, which consist in huge centralized population databases, increased use of biometric and genetic data, considering migrants as a target, and, last but not least, specifically targeting children.
Year 2008 has shown however that the concern is growing in the general public, and this is a good sign. While the French have not really reacted to data retention issues, they seem to start considering that police databases and other files created by other administrations, especially when they concern children, are now going too far. When the government is facing massive citizen mobilisation, it has to go backwards. This is the lesson learnt with EDVIGE in 2008.
Year 2009 needs to be carefully watched out, though. The law implementing the "graduated response" or the "three strikes approach" against filesharers is expected to pass this year. New measures to fight cybercrime have also been announced. EDVIRSP, the new version of EDVIGE, is expected soon. And the draft law on biometric ID cards is ready for months, and will probably be submitted to the Parliament as soon as things will calm down on the privacy front.
CNIL Report: Conclusions on the control of the STIC (only in
IRIS Press Release: ' CNIL's control of the STIC: a healthy exercise, but
timorous conclusions' (only in French, 23.01.2009)
EDRI-gram: French EDVIGE decree withdrawn (3.12.2008)
French Interior Ministry Report: 'Better controlling mechanisms
implementation to better protect freedoms' (11.12.2008, only in French)
EDRI-gram: Complaint Against The French Govt To Annul The Biometric Passport
EDRI-gram: Eloi - A French Database To Manage The Expulsion Of Illegal
(Contribution by Meryem Marzouki, EDRI member IRIS - France)