Traffic data retained one year

24 May 2006

Jeanne Méhaud

In a recent Decree dated 24 March 2006, the French Ministry of Justice has decided to impose on electronic communications operators and Internet Service Providers a legal obligation to store, for one year, “traffic data” allowing the identification of any individuals using their services and of the recipients of such communications.

This Decree, which fixes the term of retention and also clarifies what data are to be retained, is not unexpected, given the current fight against terrorism in France and more widely in Europe. Indeed, two French Acts, namely the Law on daily security of 15 November 2001 and the more recent Law concerning the fight against terrorism of 23 January 2006, both specified that a further Decree would be made to set out in detail how traffic data retention is to be carried out. At the same time, this Decree also implements the recent European Directive 2006/24/EC of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The French Decree of 24 March 2006 is compliant with the Directive, which provides for a retention obligation that must be no less than six months and must not exceed a two-year period.

Yet the scope of the Decree is not confined to the fight against terrorism, as it sets different retention obligations depending on the purpose of the retention. Consequently, retention requirements vary depending on whether traffic data are retained for prosecution, invoicing or security purposes. Moreover, the Decree imposes the traffic data retention obligation not just on telecommunications operators and internet service providers but also on any person who offers the public access to online communication through a network. This means that cyber-cafés, for instance, are caught by the provisions of the Decree.

In relation to prosecution of potential criminals (including terrorists), there is an obligation to retain for a one-year period the following data: data allowing identification of the user, data allowing identification of the hardware used for the communication, data relating to the technical features, the date, time and duration of the communication, data relating to any complementary service requested or used and the provider of such a service and data allowing identification of the recipient of the communication. As regards telephony services in particular, telecommunications operators are also required to retain for a year any data that allows the identification of the origin and location of the communication.

Any costs incurred by the telecommunications operators as a result of complying with a request by judicial authorities will be compensated. However, the details of how compensation will work in practice will require a further ministerial order.

As regards invoicing or payment purposes, electronic communications operators are granted a right (as opposed to being required) to retain any technical data that allows the identification of the user, data relating to the end point equipment used for the communication, data relating to the technical features, the date, time and duration of the communication, data relating to any complementary service requested or used and the provider of such a service. With regard to telephony services in particular, telecommunications operators are also entitled to retain data allowing the identification of the origin and location of the communication, as well as data identifying the recipient of the communication, and data pertaining to the invoices. Any such data may only be retained in so far as they are necessary for the payment and invoicing of the services provided. Moreover, such retention is limited to the time strictly necessary for that purpose and cannot exceed a one-year period.

In relation to the purposes of security of networks and equipment, operators may retain data allowing the identification of the origin of the communication, data relating to the technical features, the date, time and duration of the communication, data that allows the identification of the origin and location of the communication, and data relating to any complementary service requested or used and the provider of such a service.

One question remains unresolved under French Law. Pursuant to article 6-II of the French Law on Confidence in the Digital Economy enacted in 2004, internet service providers and hosts are under an obligation to retain and store any data that allows the identification of web content publishers. A decree was due to specify the details of this obligation but the Decree was silent on this point. A further Decree is expected shortly to complete the legislation relating to traffic data retention.