Telecom data to be retained for one year in France
The long-awaited application decree for telecommunication data retention was finally published in France on 26 March 2006. It requires telecommunication data operators (Internet and telephony) to retain data for one year. Concerned data are those allowing the identification of: - the user and its terminal equipment - the recipients of the communication - the date, time and duration of the communication - the additional services used and their suppliers - the origin and the location of the communication (for telephony services).
The decree specifies provisions that were first introduced in the Daily Safety Law ('Loi sur la sécurité quotidienne' or LSQ), in November 2001, as an allegedly urgent procedure to fight terrorism, after the 11 September attacks in the USA. Four years and four months after its adoption, this law becomes applicable. In the mean time, these provisions have been twice modified. In March 2003, the Home Safety Law ('Loi sur la sécurité intérieure' or LSI) made these provisions perennial, while they were supposed to last only until December 2003 and be assessed by the Parliament. In January 2006, the new French anti-terror law has extended the concerned provisions in two ways. First, not only the judicial authority but also the police forces may access the retained data. Secondly, data retention obligations now apply to Internet cafes, hotels, restaurants, and more generally to any person or organisation providing Internet access, free or for a fee, as a main or side activity.
France has then chosen the maximum period of retention allowed by its national law, instead of choosing the minimum period, according to the new EU legislation. The European Directive on telecom data retention, recently adopted by the Parliament and the Council of Justice and Home Affairs, requires a retention period of no less than 6 months and no more than 2 years.
French EDRI member IRIS has qualified this decree as the "maximal penalty for privacy", in a press release issued on the day of the decree publication. The organisation reminds that short after the LSQ adoption, it has filed a complaint with the European Commission against France, for violating the EU legislation. However, this complaint remained in standby, the EC waiting for the application decree to process the complaint. In the mean time, two European Directives on data retention were adopted, in 2002 and 2006 respectively, making this complaint obsolete.
The French ISP association (AFA, French EUROISPA member) announced on 28 March that it would challenge this application decree before the Conseil d'Etat, highest administrative court. The main disputed point is that, while the decree provides for reimbursement of costs incurred by a requirement of law enforcement authorites, on a case by case basis, it remains silent on the general data retention cost which needs important investment from ISPs. In addition, the AFA deplores the lack of transition period to set up the retention system, and more generally the lack of discussion on the decree.
Decree no. 2006-358 of 24 March 2006 regarding electronic communications (in
Decree LSQ - Maximum penalty for private life (in French, 26.03.2006)
ISP Association will file an appeal to Conseil d'Etat (in French,
EDRI-gram : Data Retention Directive Adopted By JHA Council (01.03.2006)
IRIS dossier on data retention (with information on the complaint to EC)
(Contribution by Meryem Marzouki, EDRI-member IRIS)