As part of its mission of controlling the use of personal data, the CNIL has recently scrutinized the provision of free and public Internet access services. The CNIL published an article on December 22 2014 on its website, where, following its controls, it concludes the existence of several breaches by private or public companies which provide such services (in shops, restaurants, hotels, libraries…). In its article the CNIL warns that organizations which provide internet access to their customers should be considered as electronic communications operators which are bound by the requirements of Article L34-1 of the French Postal and Electronic Communications Code, and recalls the 6 main legal requirements to be followed:
- Retention of traffic data only: the CNIL reminds organizations providing free and public Internet access services of the obligation to retain traffic data only which meet the "needs of research, recognition and prosecution of crime" (Article L34-1 of the Code of postal and electronic communications); other data such as exchanged correspondence or information consulted by the users cannot be collected.
- Retention for a limited period of time: the CNIL recalls that traffic data must be retained for a period of one year from the date of registration (Article R10-13 Code Post and Electronic Communications) and other data must be regularly removed when no longer needed.
- Obligation to provide comprehensive information to service users: the CNIL generally found that the information provided to users on the use of their data was inadequate or non-existent; furthermore there should be procedures in place for compliance with access or correction requests by users;
- Ensuring compliance of monitoring tools: the use of monitoring tools in order to ensure the safety of computers, can allow access to personal information which can be disproportionate regarding the purpose of the data collection; such tools must be avoided or their use must be carefully assessed.
- Methods should be put in place in order to ensure the privacy and security of data: operators should in particular include a data protection security and confidentiality clause in their contracts with networks providers, and should define and implement security measures such as securing access to connection logs, more robust passwords, and limitation of the retention period for documents waiting to be printed.
- Organizations which provide internet access to their customers should file a notification with the CNIL – a regular notification “declaration normale”, not a simplified one – otherwise the provision of such services is illegal.