Retention of internet traffic data

16 August 2005

Franklin Brousse

On 4 February 2005, the Paris Court of Appeal delivered its judgment on a case concerning the obligations of companies (in this case, BNP Paribas) regarding the retention and disclosure of electronic traffic data. The company was appealing a decision of the Paris Commercial Court, which ordered the bank to disclose information enabling the identification of the sender of an allegedly illegal electronic message sent by an e-mail address which was associated with the IP address of one of its computers.

In reaching its decision, the Court considered the application of the Law of 1 August 2000. Although the Law of 21 June 2004, the digital economic law "loi surl’ économie numérique" ("LEN"), contains similar traffic data retention provisions, this legislation was not considered as it was not in force at the time of the facts of the case in point.

The Court held that the company was a technical service provider within the meaning of Article 43-7 of the Law of 1 August 2000, and was required by Article 43-9, on the one hand, to keep and to store data in order to enable the identification of all persons who have contributed to the creation of the content of the services which it provides and, on the other hand, to disclose such data when ordered to by the courts.

The company was therefore required to disclose its information regarding the email. The company was not, however, required to identify the author of the emails themselves.

The scope of the notion of an ISP

In principal, "persons whose activity is to provide access to communication services to the public online" are considered to be ISPs. This definition excludes, at first sight, companies which do not undertake such activity and which solely provide internet access to their employees for the requirements of their activity, such access being provided by an ISP (except in the case of individuals).

Consequently, one may question the impact of such integration which, in fact, subjects companies to obligations which are generally borne by ISPs and which, at present, fall under the scope of the LEN.

In order to enable all third parties to legally obtain the disclosure of data likely to lead to the identification of the author of a disputed message, as in the case in point, the Court appears to have considered the obligations of an ISP providing internet access to the public, together with the fact that a company provides internet access to its employees.

This approach is clearly useful in the context of searching and identifying the authors of illegal messages, but implies significant practical consequences for companies which could fall outside the usual scope of their activity.

The practical consequences of integrating companies with ISPs

This decision has already led to questions and concerns regarding certain companies. For example:

  • are companies obliged to inform their employees, as ISPs do vis-à-vis their subscribers, of the existence of technical means at their disposal in order to be able to restrict access to certain services or to select them?

  • companies are not subject to a general obligation to monitor the information that they transmit or store, nor are they subject to a general obligation to research the facts or circumstances arising from illegal activities?

Furthermore, may legal authorities prescribe, in summary proceedings or on request, that companies take all measures required to prevent damage (for example, order the blocking of an e-mail box) or to stop damage which has been caused by online content?

The integration of ISPs and companies is likely to lead to new constraints for companies which, in particular, may receive more and more requests from third parties who wish to obtain technical data which they have not had the desire or the technical capability to store. In this regard, it is pertinent to consider that the publication of the Decree, regarding the duration and conditions of storage of data by technical service providers under the LEN, is suspended while waiting for a decision of the European Parliament, which does not facilitate the application nor the implementation of the provisions of the LEN.

Possible limitations of the decision

When considering the potential impact of this decision, it is important to bear in mind that the Court did not decide upon the scope of the notion and the qualification of the persons whose activity is to provide internet access, but merely decided that BNP Paribas was to be classified as a technical service provider.

The fact that the bank did not seem to challenge its capacity as a technical service provider, may suggest that for the moment, the case in point is an independent case.

Impact on the monitoring of employees’ activities

If the integration of ISPs and companies is confirmed, it would have a considerable impact in relation to the storing and archiving of data related to the activities of employees, as the majority of companies do not have sufficient technical resources. In addition, the establishment of adapted resources could become particularly onerous depending on the size of the company and the amount of employees concerned.

This type of obligation to store data would require information on the employees and the representative institutions on the registration and storage of data concerning them as well as a declaration to the CNIL of ancillary treatment of such data.

In the failure to comply with such obligations, the evidence disclosed to a third party by a company, obtained through the order of a court, could be considered inadmissible or illegal, particularly if it was intended to be challenged by an employee of such company.

Other than the practical and legal consequences that may be implied, the decision of the Paris Court of Appeal dated 4 February 2005, opens a new debate on the interpretation of the provisions of the LEN regarding service providers/technical intermediaries, which could broaden to include companies which provide data hosting services but not as their principal activity.