The right of privacy is not explicitly included in the French Constitution of 1958. The Constitutional Court ruled in 1994 that the right of privacy was implicit in the Constitution.[1131]
The Data Protection Act was enacted in 1978 and covers personal information held by government agencies and private entities.[1132] Anyone wishing to process personal data must register and obtain permission in many cases relating to processing by public bodies and for medical research. Individuals must be informed of the reasons for collection of information and may object to its processing either before or after it is collected. Individuals have rights to access information being kept about them and to demand the correction and, in some cases, the deletion of this data. Fines and imprisonment can be imposed for violations.
As a member of the European Union, France should have amended its data protection regime to make it consistent with the European Union Data Protection Directive (95/46/EC) by October 1, 1998.[1133] In July 2000, pre-draft legislation to update the law was sent to the data protection authority for review and consultation.[1134] The Council of Ministers then examined the text on July 18, 2001 which passed the first reading by the National Assembly on January 30, 2002. The bill has been further modified by the Senate on its first reading of April 1, 2003.[1135] A second reading by the National Assembly is expected in Autumn 2003.
The new data protection law would generally increase the powers of the data protection authority by allowing it to investigate, issue warnings, and impose sanctions (by fines of up to EUR150,000). The data protection authority is the Commission nationale de l'informatique et des libertés (CNIL), an independent agency which enforces the Data Protection Act and other related laws.[1136] The Commission takes complaints, issues rulings, sets rules, conducts audits, makes reports, and ensures the public access to information by being a registrar of all data controllers' processing activities. The new law would give the CNIL more authority over commercial data processing files. Further, the bill implements the legal framework for personal data transfers to third countries. It also strengthens individuals' rights of access and correction. However, it would weaken the commission's control over large government information systems by creating a new data system category, known as "sovereignty files" over which the CNIL would loose key powers.[1137] Whereas before the approval of the commission was needed before any government processing system could be established, this would no longer be necessary for these sovereignty files. They are defined to include files relating to the safety of the State, defence, public security or penal repression, or those that use the NIR (social security number). It is thought that this revision is a response to the difficulties experienced by the government in implementing the STIC. This system was first envisioned in 1995 but was not implemented until July 2000 following the reluctant approval of the CNIL.
Since 1978 the CNIL has received over 12,600 requests for advice and 41,270 complaints. It reported in its 2002 annual report that the number of inquiries received annually had more than doubled since 1995.[1138] It received a total of 7,909 inquiries[1139] in 2002. In 2001,[1140] the total of inquiries was 5,729[1141] (raising by 38% from 2001 to 2002).
The CNIL's 2002 report addresses in detail the threats to privacy and freedom by internal safety law, spamming, electronic voting, confidentiality on the Internet, blacklisting of "bad customers," circulation of health data, privacy issues in e-government. While not addressed in details in the report, the CNIL provided a dossier on Passenger Name Record (PNR) data transfer during the press conference that announced the release of the report, where it recommends that airlines companies provides themselves the data to the United States administration, so that they can select only relevant data. Meanwhile, Air France is testing a biometrics-based technique that uses fingerprints to confirm passenger identities on selected flights leaving from the Charles de Gaulle Airport in Paris. The CNIL authorized the biometrics experiment. It accepted the air security and anti-terrorism arguments behind Air France's experiment, but issued confidentiality recommendations aimed at ensuring respect for passenger privacy. These conditions include strict rules against any future use of stored information and tight standards on controlling access to data. Pascal de Izaguirre, Air France's senior vice-president for ground operations, said that the company is "already working with the authorities to extend use of biometrics."[1142]
After a study of 100 e-commerce web sites in 2000, the CNIL noticed a increasing level of awareness on their part, although negative findings included the lack of information on the data subject's right of access and on the purposes of 'cookies'.
In September 2001, the CNIL hosted the 23rd Annual Meeting of the World Data Protection Commissioners.[1143]
Electronic surveillance is regulated by a 1991 law that requires permission of an investigating judge before a wiretap is installed. The duration of the tap is limited to four months and can be renewed.[1144] The law created the Commission Nationale de Contrôle des Interceptions de Sécurité (CNCIS), which sets rules and reviews wiretaps each year. From 1995 to 1999 the number of wiretaps granted annually was between 4,500 and 4,700. This number decreased slightly in 2000. There were 4,767 (4,625 in 2001) requests for wiretaps (3,138 new and 1,629 renewals) in 2002.[1145] In total, 4,654 wiretaps (3,082 new and 1,572 renewals) were authorized by the Commission in 2002 (4,515 in 2001).[1146] The number of identification requests of cellular telephone numbers has been estimated by the Commission to average 8,000 to 25,000 monthly.
The European Court of Human Rights has ruled against France several times for violations of Article 8 of the Convention. The Court's 1990 decision in Kruslin v. France resulted in the enactment of the 1991 law.[1147] Most recently, the court fined France FRF25,000 for wiretap law violations.[1148] There have been many cases of illegal wiretapping, including most notably a long running scandal over an anti-terrorist group in the office of President Mitterand monitoring the calls of journalists and opposition politicians.[1149] The CNCIS estimated that there were over 100,000 illegal taps conducted by private companies and individuals in 1996, many on behalf of government agencies. A decree was issued in 1997 to limit the dissemination of tapping equipment.[1150] In June 2001 the investigative weekly Le Canard Enchaîné reported that a prosecution judge was sued by a lawyer who was wiretapped at the judge's request. The Court found that the wiretap was an unfair act against the lawyer. In France only Government interceptions requests are under review by the CNCIS. There is a separate control scheme for wiretap requests by the judiciary.
The tort of privacy was first recognized in France as far back as 1858[1151] and was added to the Civil Code in 1970.[1152] There are additional specific laws on administrative documents,[1153] archives,[1154] video surveillance,[1155] correspondence,[1156] and employment.[1157] There are also protections incorporated in the Penal Code.[1158]
The French Liberty of Communication Act was adopted on June 28th, 2000.[1159] The Act requires all persons wishing to post content on the Internet to identify themselves, either to the public, by publishing their name and address on their website (in the case of a business) or to their host provider (in the case of a private individual). Earlier provisions, which would have imposed large penalties and jail sentences on anybody violating this requirement and required Internet Service Providers (ISPs) to check the accuracy of the personal details given to them, were dropped in the final version of the legislation.[1160] The law requires ISPs to keep logs of all data that could be used to identify a content provider in the case of later legal proceedings. This provision will enter into force when its implementing decree (décret d'application) is published. ISPs are subject to the "professional secret" rule regarding this data, meaning that they cannot disclose it to anyone except a judge. The law, as passed, also held ISPs liable for failing to delete content once ordered to do so by a judge or for failing to "take appropriate actions" once informed by a third party that they are hosting illegal or harmful content. In a review of this law, however, brought before it on June 29, 2000 by sixty opposition members of Parliament, the French Constitutional Council struck down this provision as contrary to Article 34 of the Constitution.[1161] This article states that any measures that could impact upon civil liberties must be detailed in the law. In this case, the Council ruled that the "appropriate actions" to be taken by ISPs should have been specified in the law. As a result, the law was subsequently amended to remove the impugned provision and ISPs may now only be made liable if they fail to delete content having been told to do so by a judge. The passage of this law provoked widespread criticism from civil liberties groups and privacy advocates who argued that it would restrict rights to anonymity and free speech. In June 2000, Imaginons un Réseau Internet Solidaire (IRIS), a French civil liberties group, drew up a petition in opposition to the law.[1162]
On June 13, 2001, the Government introduced the draft Law on the Information Society (Loi sur la société de l'information or LSI).[1163] This law, which purports to implement the European Union E-Commerce Directive (2000/31/EC) and includes many provisions affecting data protection rules, seeks to expand liability for illegal content on the Internet. ISPs would now be made civilly liable for failing to delete or deny access to content once they have been informed that it is illegal. This liability would extend not only to host providers but also to access providers and telecoms operators. The proposed law would also have a negative impact on privacy and anonymity. ISPs would be required to store log files on all their customers' activities for up to one year. In submitting comments to the Government on this proposal early 2002, the CNIL recommended that a distinction should be drawn between information necessary for invoicing purposes and information kept solely for law enforcement purposes and that there should be a three-month limitation for retention of the latter. The draft law also proposes government access to private encryption keys, import and export restrictions on encryption software, and strict sanctions for using cryptographic technique to commit a crime. Another section of the bill compels government ministries to give access to their digital data to all citizens free of charge. It also sets forth short mandatory delays for the publication of classified information in public archives. IRIS launched a campaign against this law, arguing among other things that the data retention provisions of the law violate the European Union Telecommunications Privacy Directive (97/66/EC). IRIS made a comprehensive dossier of all relevant documents publicly available.[1164]
On November 15, 2001, theParliament enacted theDaily Safety Law(Loi sur la Sécurité Quotidienne or LSQ)[1165], a legislation in which new anti-terrorism provisions were added, in direct response to the September 11, 2001 terrorist attacks. The enacted law includes provisions on data retention[1166] and compelled access for the government to cryptography keys. These provisions have been extracted from the draft Law on the Information Society (LSI). The data retention provisions still need, however, the publication of an implementing decree (décret d'application) to enter into force. The LSQ was contested by many civil liberties groups because it heavily curtails human rights, was adopted hurriedly in defiance of regular legislative procedure, and under the pretext of the fight against terrorism.[1167]
After a change of political majority in Spring 2002, the LSI draft law was abandoned and replaced by the draft Law on Digital Economy (Loi pour la confiance dans l'économie numérique or LEN), with the same purpose of implementing the E-Commerce Directive.[1168] This draft law raises the same concerns as the former LSI, on both ISP liability and cryptography issues. Again, IRIS made a dossier on this draft law, and launched a campaign against it.[1169] This draft law passed on first reading at both the National Assembly and the Senate. Second reading is expected in Autumn 2003.
On February 13, 2003, the Internal Safety Law (Loi sur la sécurité intérieure) was adopted by the Parliament. Among the many provisions infringing privacy and other human rights, one authorizes the immediate access by law enforcement authorities to the computer data of telecommunications operators, including Internet access providers, as well as of almost any public or private institute, organization or company. The second important measure authorizes the search without warrant of any information system, provided that its data are accessible through a network from a computer being searched with a warrant. If the data is stored in a computer located in a foreign country, its access remains subject to applicable international agreements.[1170]
Two laws in France provide for a right to access administrative documents held by public bodies.[1171] The Commission d'accès aux documents administratifs (CADA) is charged with enforcing the acts.[1172] It can mediate and issue recommendations but its decisions are not binding. According to the CADA, it handled 4,000 inquiries per year between 1996 and 1999, and 4,900 in 2000.[1173] The law was amended in April 2000 to clarify access to legal documents and also identify the civil servant processing the request.[1174]
Case law in the field of surveillance at the workplace significantly progressed in clarity with a landmark decision by the Cour de cassation in 2001. The French Supreme Court established that an employee has the right to privacy even at the workplace and during working hours, and that, as a result, deserves respect of the secrecy of his correspondence by his employer. The employer is now prohibited from getting access to his employee's e-mails if they are labeled private, even if the employer were to provide that the e-mail is limited to professional matters.[1175]
France is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1176] and earlier, the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1177]In November 2001, the French government signed, but has not ratified, the Council of Europe Cyber-crime Convention.[1178] France is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.