II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
Electronic surveillance is regulated by a 1991 law that requires permission of an investigating judge before a wiretap is installed. The duration of the tap is limited to four months and can be renewed.1 The law created a national commission controlling security wiretaps (Commission nationale de contrôle des interceptions de sécurité, or CNCIS), which sets rules and reviews wiretaps each year. In 2006, law enforcement conducted 5.985 interceptions (4.176 new interceptions and 1.809 renewals). This represents a 3,5 percent increase over 2005. There was a 15 percent decrease in 2006 in emergency interception requests (714 requests compared to 854 in 2005).2
On 27 May 2009, Michèle Alliot-Marie presented the draft law on orientation and programming for the performance of security (LOPPSI 2) to the Council of Ministers.3 The law allows the Criminal Investigation Police to physically or remotely install spying software on a suspect's computer to listen to electronic communications, gain access to all the data in a computer in real time, and introduces Internet filtering by administrative decision.4 "The law also obliges ISPs to block access, 'without delay', to sites included on a list drafted under the authority of the Ministry of Internal Affairs."5 The law will initially focus on curtailing child pornography.6 ISPs that do not adhere to the law will be fined up to 75.000 Euros and a year in jail.7 LOPPSI 2was adopted by the National Assembly in February 2010 and its last version has been submitted to the Senate in June 2010.8 It provides the possibility for the police, in preliminary investigations relating to organized criminality, to remotely access, record, collect, and transfer any information or personal data stored in IT systems without the concerned individuals being aware of it. The sole exceptions are law firms, the media and court officers, physicians, bailiffs and notaries.
The CNIL, in its opinion of 6 May 2010, pointed out that the possibility, provided by the draft law, to implement such systems also in public areas, such as cyber cafes, is dangerous for privacy. The CNIL insisted that the use of such systems should remain an exception and be supervised.
National security legislation
A new Anti-Terror Act was enacted on 23 January 2006.9 It grants increased powers to the police and intelligence services, allowing them to get telecom data directly from ISPs.10 It also extends telecom data retention possibilities, by assimilating cybercafe owners and WiFi providers (whether for free or with payment) such as bars, restaurants and hotels to telecom operators. Any logged data may be seized directly by the police, without any judicial order, "in order to prevent acts of terrorism." It extends the use of video surveillance, authorizing private parties to install CCTV cameras in public places "likely to be exposed to terrorist acts" and in places open to the public when they are "particularly exposed to risks of aggression or theft." In case of emergency, CCTV cameras may be installed prior to any authorization. Furthermore, the Act allows the police to automatically monitor cars on French roads and highways, taking pictures of license plates and people in the cars, with various purposes ranging from the fight against terrorism to the identification of stolen cars.11 The same article provides for the monitoring of street gatherings during "big events." Finally, the Act provides that the Ministry of the Interior may process PNR (passenger name records) data collected on any travel by air, sea or rail to or from non-EU countries.12 This article's objective is "to improve border controls and to fight against illegal immigration."13
The Daily Safety Law (LSQ) requires Internet Service Providers (ISPs) to store log files on all their customers' activities for up to one year. Electronic communication operators are subject to the legal obligation to retain traffic data of clients during one year for the purposes of research and prosecution of criminal offenses or breaches of authors' intellectual property rights, and allowing access to such data by judicial authorities.14
In addition to the LSQ, the Law on Trust in the Digital Economy (LEN, or "Loi pour la confiance dans l'économie numérique") also provides for data retention provisions. The concerned data are personally identifying information (including name, address, and log data). ISPs (host and access providers) are required to collect and keep identification and log data of their subscribers. These data are covered as a "professional secret," so that they may only be disclosed upon judicial request. The law also requires people wishing to post content on the Internet to identify themselves, either to the public, by publishing their name and address on their website (in the case of a business), or to their host provider (in the case of a private individual). The duration of retention by ISPs and telecommunication providers of identification and log data of subscribers for purposes of investigation, prosecution and determination of criminal offenses has been specified in a Decree of 24 March 2006.15 This duration was set at one year from the recording of the identification and log data.
Soon after the adoption of the Anti-Terror Act,16 in March 2006, the long-awaited application decree regarding the data retention provisions of the LSQ, adopted in November 2001, was published à almost 5 years after their so-called emergency introduction.17 This decree also provides for application measures of some articles of the Anti-Terror Act. It determines the duration of data retention by telecom operators, setting it to the maximum time allowed (one year) and the type of data to be retained (all kinds of data involved in a telephone or Internet communication, except its content) by the LSQ.
These provisions may be extended in the future with a new decree, the draft version of which was published in April 2007 by the French digital rights NGO IRIS. The draft would require webmasters, hosting companies, fixed and mobile telephony operators and Internet service providers to retain all information on Internet users and telephone subscribers and to deliver it to the police or the State at a simple request. It would even require retaining the passwords supplied when subscribing to a telephone service or an Internet account or payment details such as amount, date or type. The draft text establishes that the data retained by ISPs and hosting companies and obtained by the police can be kept by the latter for a period of three years in the automatic processing systems provided by the Ministry of Interior and the Ministry of Defense. Civil liberties organizations, ISP associations and major content provider organizations strongly opposed the provisions of this draft decree.18
A major French daily newspaper revealed in June 2006 that the police and intelligence services had set up their own technical platform allowing them to easily collect traffic data related to text messages, mobiles or the Internet. Security services are now in the position of knowing who has contacted whom, when and where and, by a simple click, they can obtain from the telephone operators the list of all calls from and to a subscriber. They can obtain the subscription documents of the respective person with address and bank information and can also require all the Internet sites or forum addresses the respective person has accessed. The March 2006 Anti-Terror Act makes this platform lawful.19
It results from the draft law dated from 27 May 2009 (Projet de loi d'orientation et de programmation pour la performance (LOPPSI 2)), submitted to the Senate in June 2010,20 that personal data collected by the police for the analysis of the operating methods of authors of serial offenses, could be kept for an indefinite period of time. The law indeed provides that the data shall be deleted at the end of the investigation, or no later than three years from the last operation of updating the data, which means that each time the file is updated, the data can be kept three more years. The CNIL felt the need to remind, in its opinion on LOPPSI 2 of 6 May 2010,21 that personal data should be kept for a limited period of time, to be determined in light of the purpose of the processing.
In its report dated 6 May 2010,22 the CNIL voiced its concerns about the extension of the scope of data matching by police of distinct databases of computerized files of individuals' judicial proceedings. This data matching is the result of the LOPPSI 2 draft, submitted to the Senate in June 2010.23 Initially limited to serious serial criminals, such data processing may now be extended to authors of offenses punished by a minimum sanction of five years of imprisonment.
National databases for law enforcement and security purposes
Between 1987 and 2010 the number of national computerized files created for law enforcement and security purposes has increased continuously.
One of the first databases was the National computerised file of digital fingerprints (Fichier automatisé des empreintes digitales,24 or FAED), created in 1987. It is used by the judicial police for the identification of authors of criminal offenses. In January 2010, the CNIL noted that this file contained more than 3 millions of identified people recorded (the entire population of France is over 64 millions people).25
Then the National computerised file of genetic data (Fichier national automatisé des empreintes génotiques, or FNAEG),was created in 1998. At its creation, the FNAEG was restricted to genetic data of individuals who were condemned for serious sexual crimes, like rape and child abuse. After successive extensions of its use, it can now contain genetic data of individuals simply suspected (but not yet condemned) of infractions related to prejudice against property or people. The Internal Safety Law26 (Loi pour la sécurité intérieure) promulgated on 18 March 2003, has extended the list of infractions leading to the creation of a record in the FNAEG, as well as the list of individuals whose genetic data may be kept in the FNAEG or compared to its content. While the CNIL has obtained a few minor improvements to this regime after its opinion of 16 April 2009 (e.g., the maximum duration of data retention limited to 25 years instead of 40), the FNAEG remains a significant concern in France.
During 2006 the use of FNAEG reached an unprecedented level. Following the 2005 and 2006 protests that took place in various urban neighborhoods throughout France, many individuals were compelled to register their information in the FNAEG, effectively expanding the database to include a register of "civil disobedience."27 Police decided who would be registered, and there was no judicial process authorizing the selection. Failure to oblige with the request carries a penalty of up to 15.000 EUR and up to one year in prison.28
Another national file has been added to the many files already in place, with the adoption in March 2004 of the "Perben II Law"29 (loi portant adaptation de la justice aux évolutions de la criminalité).30 It creates the National judicial computerized record system of sexual offenders (Fichier judiciaire national automatisé des auteurs d'infractions sexuelles, or FNAIS). This file records, for up to 30 years, the identity and addresses of individuals (including minors) who have committed all kinds of sexual offenses, except exhibitionism and sexual harassment. The records system can only be consulted by judicial authorities and specific government agencies.
The Ministry of Education set up as an experiment in 2004 the "Base-élèves," a database containing personal data on children, their families, including psychosocial data and information on competence, skills and problems. Although initially accessed by educators and social actors, the new French law of March 2007 for the prevention of delinquency granted access to such information to Mayors for the purpose of preventing delinquency. However, after important protests, data related to citizenship, language and culture of origin were removed in October 2007. Protests to suppress this file have increased and national petitions have been launched.31 The Conseil déetat, the highest administrative jurisdiction, held in two decisions of 19 July 201032 that the "Base-élèves" and the computerised file of student identifiers ("Base nationale des identifiants des élèves," or BNIE) were not functioning in compliance with the Data Protection Act. Indeed, the Conseil déetat considered that the collection of health data in the "Base-élèves" relating to children was not relevant. The Conseil déetat reminded in its decisions that parents have a right to object to the collection and processing of their children's data. It also held that the retention period of 35 years for the children identifiers contained in the BNIE was excessive.
The ELOI file, a database aimed at facilitating the expulsion of illegal migrants, created initially by a ministerial order of 30 July 2006, has been invalidated twice by the Conseil d'Etat, the highest administrative court. On 13 March 2007, the Conseil d'état cancelled the ministerial order ("Arrêté") allowing the Interior Ministry to create the ELOI file. While the database creation itself was allowed by the French code on immigration and asylum, NGOs argued that the ELOI file would contain excessive and inadequate personal data on foreigners, their children, the citizens with whom they were staying, and, for those in retention centers, their visitors. Moreover, this data would be kept for an excessive duration. The law further introduced DNA testing to prove family links for foreign candidates applying for a more than three months visa on family regrouping grounds. Beneficiaries of financial support were to have their photograph and digital fingerprints taken and stored in yet another biometric database.33 The Conseil d'Etat's order was based on a procedural issue and did not address privacy concerns. As a result, the French Ministry of Interior announced the next day that it planned to submit a new draft text.34 A decree of 26 December 2007 was then submitted by the Prime Minister to the Conseil d'Etat after the CNIL published its opinion. Still, the Conseil d'Etat decided to partly invalidate the decree because of two provisions violating the French Data Protection Act.35 Indeed, the Conseil déetat considered that the collection of the "AGDREF" number (the national identification number of foreigners on French Territory), was neither relevant nor proportionate to the aim of the processing. Moreover, it stated that it was excessive to retain during three years data relating to the identification of foreigners, their children, the application and characteristics of the measures of eviction, the exercise of recourse and the request for a residence permit before consular authorities.
A new database, "EDVIGE," (Exploitation Documentaire et Valorisation de l'Information Génorale) created in 200836 has given rise to mass protest. It was initially established for use by the French intelligence agencies and the administrative police. EDVIGE was supposed to file individuals, groups and organisations, which, due to their individual or collective activity, are likely to attempt disrupting public order, or have "direct and non fortuitous relations" with such entities.37 The database was intended to centralize various categories of data, including data relating to health and sexual orientation. This has already led in 2008 to a mass protest against its creation, including more than 40 parliamentarians opposing its creation.38 As a consequence the decree that created the EDVIGE database was cancelled in November 2008.39 However, EDVIGE has been replaced by new databases created by two decrees of October 2009.40 One of these databases is intended to file individuals who, due to their individual or collective activity, are likely to attempt disrupting public order. The other database will be used for administrative investigations to control whether an applicant for a security job with a public authority did not act in contradiction with such mission in the past. These databases will not contain personal data relating to sexual orientation or health, but other sensitive data relating to geographical origins, political, religious and philosophical opinions or trade union affiliations. The data of the first database may be kept during 10 years for adults and three years for minors (from 13 to 18). Their creation has led to new mass protest.41
Another database, "CRISTINA," was also created at the same time as EDVIGE and provides for "[c]entralising inland intelligence for homeland security and national interests."
On 20 January 2009, the CNIL published a report on the police database "STIC" (Système de traitement des infractions constatées, or recorded offences treatment system).42 The report "reveals that STIC is accessed by each one of the 100.000 authorised policemen 200 times a year on average."43 A major problem with the database is the amount of errors à 83 percent à in the system.44 The database records the name and other information of both the victim and the assailant in any case where an offence has been committed. The CNIL found that sometimes individuals are mistakenly placed in the wrong category. The database is supposed to be updated after a court decision but frequently is not. Furthermore, there are no restrictions on who is included in the database. Employers in a large range of job sectors are allowed by law to search the database when considering whether to hire an individual.45
In February 2009, the Ministry of Justice sent a reminder to prosecutors confirming the shortcomings of the STIC updates, and asked them to be vigilant in view of the important human and social issues involved. The CNIL announced that it would carry out new audits of the database before the end of 2011.46
A draft law of 27 May 2009 (Projet de loi d'orientation et de programmation pour la performance (LOPPSI 2)), submitted to the Senate in June 201047 contemplated that genetic data could be used for criminal investigations purposes, medical and scientific research, and research about, and identification of, deceased individuals. Biological data could also be collected for the identification of deceased people. Agents of the technical and scientific police would be entitled to register genetic data in the FNAEG. As the CNIL noted in its opinion of 6 May 2010,48 the data collected in a judiciary context can not be used for civil or administrative identification purposes; genetic data relating to members of the family of people whose identification is searched for are recorded separately in the FNAEG and their recording is subject to their consent.
A law promulgated on 10 March 2010 in order to fight against serial crimes (loi tendant à amoindrir le risque de récidive criminelle et portant diverses dispositions de procedure pénale49) specifies the cases in which genetic data can be recorded in the FNAEG. This law permits the recording of not only genetic data of perpetrators of serious criminal offenses (e.g., sexual abuse, attempted murder, crimes against humanity, etc.), but also of authors of infractions related to prejudice against property (e.g., robbery and vandalism), individuals suspected of such crimes, individuals concerned by a decision of criminal irresponsibility, and deceased people who may correspond to a missing person or presumed deceased.
A French database called "OSCAR" ("Outil de Statistiques et de contrôle de l'Aide au Retour" in French, or Tool for Repatriation Aid Statistics and Control) was created by decree in October 2009.50 The database collects biometric data à digital photograph and 10 fingerprints à of foreigners expelled from France or leaving it voluntarily, with the benefit of a small grant. In the case of EU citizens, the grant takes the form of a "humanitarian repatriation help" of 300 EUR per person, with an additional 100 EUR for each accompanying child. If the child is more than 12 years old, his biometric data are also collected and stored in OSCAR for 5 years.51
National and international data disclosure agreements
Nothing to report under this section.
The Daily Safety Law (LSQ) also provides the government access to private encryption keys; import and export of encryption software are restricted, and strict sanctions are imposed for using cryptographic techniques to commit a crime.
The LEN includes the LSQ provisions on cryptography, with the following two additions: first, a lower penalty is applicable (jail and fine) in cases where cryptography has been used to commit or prepare an infraction, where the suspect herself provided decryption keys to the police, thus allowing for self-incrimination; second, some uses of cryptography for research or professional purposes are not specifically mentioned anymore, therefore assimilating these categories of people to cybercriminals, when they conduct such activities.52
On 14 February 2008, the French Internal Affairs Minister announced new measures to combat cybercrime. Among other efforts, it will increase the black list of websites with child pornography information and racial hate speech, terrorist propaganda and making explosives and chemical weapons information available. The Minister will also move forward with computer online investigations without the authorization of the country of the hosting company.53
A new criminal offense, the fraudulent use of someone else's identity on an electronic communications network in order to infringe on that person's peace, honor or dignity, was created by a bill of 27 May 2009 (Projet de loi d'orientation et de programmation pour la performance (LOPPSI 2)), then adopted by the National Assembly in February 2010, and submitted to the Senate in June.54
Nothing to report under this section.
A new Anti-Terror Act of 23 January 200655 extends the use of video surveillance for police and intelligence services, authorizing private parties to install CCTV cameras in public places "likely to be exposed to terrorist acts" and in places open to the public when they are "particularly exposed to risks of aggression or theft." In case of emergency, CCTV cameras may be installed prior to any authorization. Furthermore, the Act allows the police to automatically monitor cars on French roads and highways, taking pictures of license plates and people in the cars, with various purposes ranging from the fight against terrorism to the identification of stolen cars.56 The same article provides for the monitoring of street gatherings during "big events."
Video surveillance (CCTV) is increasingly used in the French society. In October 2008, the Paris City Council announced its project to install 1.226 video cameras in the streets of Paris.57 Their presence will be made clear and an ethics committee will supervise their use.
Two distinct set of rules co-exist and intermingle with regard to CCTV. On the one hand, the Law of 21 January 1995, which subjects video surveillance cameras located in public places to prior authorization by a local administrative authority, and, on the other, the Data Protection Act, which applies to video cameras implemented either in "private" areas such as business premises or in association with biometrics. Moreover, the CNIL considers that all systems, if digital, are subject to the Data Protection Act. The superposition of texts creates great confusion.
The CNIL has recommended that the government subject all CCTV devices to the control of the CNIL, pointing to a public survey whereby 79 percent of individuals would like CCTV to be under the control of an independent body to prevent risks of misuse and guarantee civil liberties. That recommendation is supported by the Legislative Committee of the Senate.
The LOPPSI 258 extends the possibilities of use of video surveillance (called video protection in the draft law) in public areas. According to a law of 1995 relating to security on the French territory,59 authorised uses of video cameras in public areas were initially limited to the surveillance of public and military buildings, road traffic and infringements on public roads, areas that are particularly exposed to aggression, robbery or terrorist attacks. According to the draft LOPPSI 2, the use of video surveillance in public areas would also be extended in order to monitor areas particularly exposed to drug traffic, to prevent natural or technological disasters and to fight against fire.
LOPPSI 2 also provides the possibility for public authorities, after mere notification to the mayor, to delegate to public or private operators the operation of their video surveillance systems. The CNIL pointed out in its opinion of 6 May 201060 the danger of such outsourcing, especially if made to other countries, as it would make their control by public authorities impossible. As a result, it may give rise to serious issues in terms of security of data processing, national security and sovereignty.
The CNIL has been lobbying for several years to be the Authority in charge of regulation and control of video surveillance.61 However, LOPPSI 2 creates a new Authority, the "Commission nationale de la vidéoprotection" in charge of controlling video surveillance systems on the French territory. The CNIL will still have the power, on its own initiative or at the request of the "Commission nationale de la vidéoprotection," to analyze and control compliance of video surveillance systems with the Data Protection Act and order sanctions in case of violation.
The video surveillance system installed in city buses in the city of Lille in the north of France recorded images and sound in a continuous way to ensure drivers and passenger's safety. The CNIL considered that continuous sound recording was disproportionate to the purpose of the system and invasive of drivers' privacy in their workplace. Instead, the recording could simply be triggered by the bus driver in case of an assault.
Location privacy (GPS, mobile phones, location-based services, etc.)
Insurance companies and car manufacturers are now interested in implementing geo-location technologies into their customers' cars. The objective is to propose "pay-as-you-drive" services to customers in order to adapt the amount of their insurance premiums in light of new criteria such as mileage, driving duration without break, speed and way of driving. One of the risks is that such technologies would enable insurance companies to access and process data relating to driving offences. such as driving over the speed limit, whereas the Data Protection Law prohibits such collection. The CNIL has authorized their use by insurance companies and car manufacturers, and recommended in a decision of 8 April 2010 to limit the collection to the average speed, to the exclusion of any data that may help characterize offences.62
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
The use of biometric identifiers is increasing for immigration and border control.63 Since November 2003, the Immigration Law has set out the use of biometric techniques for visa delivery and border controls, and the storing of all visa requesters' fingerprints and biometric pictures in databases for further processing. As part of the implementation of this law, and at the request of the European Commission, an experimental file was created from November 2004 to November 2006 as a complement to the French worldwide visa requests management system called RMV2 (Réseau Mondial Visas 2). The RMV2 links central administration to French Consulates abroad and communicates with the Schengen Information System (SIS). This experimental file contains the digitized photograph and all fingerprints of persons who requested visas at select French consulates during that time period. This data is retained for two years for a short-stay visa request, five years for a long-stay visa request or in case of visa denial. Access to this file is allowed to some border police officers at some French airports, harbors or land frontiers. Biometric identifiers may be included in an electronic chip on the visa. In 2006, a new decree further extended the use of the file so as to allow identity controls by the police everywhere in France, not only upon entry at the borders. The same decree also extended the collection of biometric identifiers of other EU member State consulates, and the access of these data to other police officers than border control ones.64
France has issued biometric passports since 30 March 2006, following ICAO requirements. Because the chip included in the passport only contains a digitized photograph, as provided by a 30 December 2005 Decree, and does not include fingerprints, it is officially called an "electronic" passport. In February 2007, the government created the "National Agency for secured identity documents." The agency's missions include the definition, control and assessment of technical standards and tools used for the creation of electronic and biometric identity and travel documents.65
A new Anti-Terror Act enacted on 23 January 200666 provides that the Ministry of the Interior may process PNR (passenger name records) data collected on any travel by air, sea or rail to or from non-EU countries.67 The objective of the law is "to improve border controls and to fight against illegal immigration."68
A French database called "OSCAR" ("Outil de Statistiques et de contrôle de l'Aide au Retour" in French, or Tool for Repatriation Aid Statistics and Control) was created by decree in October 2009.69 The database collects biometric data à digital photograph and 10 fingerprints à of foreigners expelled from France or leaving it voluntarily.70
(See more details under the "National databases for law enforcement and security purposes" section.)
National ID and smart cards
The French biometric ID card project (INES) is still in a frozen state after it received strong criticisms from civil rights NGOs and the French Data Protection Authority, and through a report synthesizing a public debate commissioned by the Ministry of Interior. The only public presentation document of the project is dated March 2005. According to this document, the project aimed at providing the whole population with a new ID card by 2007, with a RFID chip containing the civil status of the citizen as well as two biometric identifiers: photograph and fingerprints. This data would be filed in centralized databases. The card would be mandatory and would also include the address of the holder. It would also be programmable, to become an electronic portfolio that could be used for e-administration as well as commercial electronic transactions.71
From 2008 several maternity hospitals started using electronic bracelets on new-born babies to deter kidnapping.72 Reviewing their legality in light of data protection principles, the CNIL raised the issue of their proportionality with regard to the risks at stake. It feared that legitimizing these systems by compromising the children's vulnerability could lead society to extend their use for other reasons later in children's lives, when they are at kindergarten or school, and subject any child from his earliest age to constant tracking. Because of the difficult issues these new devices raise - elderly people included - the CNIL wants to start a discussion about the implications of electronic tracking devices for vulnerable persons.
The draft law of 27 May 2009 (Projet de loi d'orientation et de programmation pour la performance (LOPPSI 2)), adopted by the National Assembly in February 2010 and submitted to the Senate in June 201073 provides the possibility to experiment with the use of body scanners, in areas of airports not freely accessible to the public for a duration of three years. This system enables the agent to see a schematic image of the person as opposed to a real image of the naked person. The images would not be stored and would be watched by agents located in a dedicated room who do not know the identification of the person on the screen. The travelers can choose between the use of the body scanner or other security measures such as a body frisk.
From February 2010 body scanners have been trialed at Paris Roissy Airport. The CNIL has audited the airport and stated that the body scanners74 were used in compliance with its recommendations, which were taken into consideration in the LOPPSI 2 draft law.
Biometrics devices are subject to the prior authorization of the CNIL, which favours devices using biometrics without tracks (vein, face, hand shape and so on) over those leaving tracks such as fingerprints. It is easier for the CNIL to authorise devices where fingerprint data (transformed into an algorithm) is stored on an individual media (e.g., a card) that the individual holds himself, than devices involving the storage of fingerprint data in a central database. In this latter case, the requester has a higher burden of proof to meet since the stakes go well beyond the interest of the data controller, and there are rigorous conditions to comply with in order to obtain the CNIL's authorisation.
On 18 June 2009, the CNIL granted an authorization75 to the testing company GMAC (Graduate Management Admission Council) to use biometric technology in France to control access to examination centers for the GMAT test used for student selection by business schools around the world. The authorized system uses a palm vein identification technology and stores students' biometrics in a central database for five years for the purpose of fighting exam fraud.
Biometrics systems are now used in hospitals to identify radiotherapy patients in order to avoid risks of excessive irradiation. On 11 February 2010, the CNIL authorized for the first time such use of biometrics by a hospital.76
- 1. Loi no 91-646 du 10 juillet 1991 relative au secret des correspondances émises par la voie des communications électroniques, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006077780&dateTexte=20090623 ">http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000006077780&dateTexte=20090623 (in French).
- 2. Commission nationale de contrôle des interceptions de sécurité - 15ème rapport d'activité 2006, 21 mars 2007, available here http://www.ladocumentationfrancaise.fr/rapports-publics/074000237/index.shtml (in French).
- 3. EDRI-gram, Number 7.11, 3 June 2009, "The French Government Wants to Spy on Electronic Communications," available at http://www.edri.org/edri-gram/number7.11/france-law-on-spying .
- 4. Id.
- 5. Id.
- 6. Id.
- 7. Id.
- 8. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 9. Loi No. 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers, available at http://www.senat.fr/apleg/pjl05-109.html.
- 10. Id. at art.6.
- 11. Id. at art. 8.
- 12. Id. at art. 7.
- 13. See generally EDRI-gram No. 4.2, February 2006, "French Anti-Terrorism Law Not Anti-Constitutional," available at http://www.edri.org/edrigram/number4.2/frenchlaw.
- 14. Articles L 34-1 and L34-1-1 of the Post and Electronic Communications Code. Decree no 2006-358 of 24 March 2006.
- 15. http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=6A2770A08970ED1638D37F4F77195FF8.tpdjo02v_1?cidTexte=JORFTEXT000000637071&categorieLien=id.
- 16. Loi No. 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers, supra.
- 17. décret no2006-358 du 24 mars 2006, relatif à la conservation des données des communications électroniques, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=JUSD0630025D; see also EDRI-gram No. 4.6, March 2006, "Telecom Data To Be Retained For One Year In France," available at http://www.edri.org/edrigram/number4.6/franceretantion.
- 18. Projet de décret portant application de l'article 6 de la loi no2004-575 du 21 juin 2004 pour la confiance dans l'économie numérique (document de travail version de janvier 2007), available at http://www.iris.sgdg.org/actions/len/ProjetDecretLCEN0107.pdf; see also EDRI-gram No. 5.8, April 2007, "French Government Decree On Data Retention - Another Big Brother Act,"available at http://www.edri.org/edrigram/number5.8/france-data-retention.
- 19. Le Figaro, 28/05/07, available at http://www.lefigaro.fr/france/20070528.WWW000000165_lantiterrorisme_espionne_aussi_mails_et_textos.html; see also EDRI-gram No. 5.11, June 2007, "The French Ministry of Interior has a new interception platform,"available at http://www.edri.org/edrigram/number5.11/french-interior-interceptation.
- 20. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 21. CNIL, "L'enregistrement des conversations téléphoniques sur le lieu de travail", http://www.cnil.fr/la-cnil/actu-cnil/article/article/12/les-observations-de-la-cnil-sur-les-nouvelles-dispositions-de-la-loppsi/.
- 22. CNIL, supra at 51.
- 23. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 24. CNIL, "Les collectivités locales et la protection des données personnelles", http://www.cnil.fr/dossiers/police-justice/les-grands-fichiers/article/34/fichier-automatise-des-empreintes-digitales/.
- 25. CNIL, supra at 54.
- 26. Loi No. 2003-239 du 18 mars 2003, Loi pour la sécurité intérieure, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTX0200145L (in French).
- 27. "Les insoumis du fichier génotique," dossier de candidature au Prix Voltaire des Big Brother Awards France, available at http://bigbrotherawards.eu.org/Les-insoumis-du-fichier-genetique-FNAEG.html; see also L'association "Refus ADN," http://refusadn.free.fr.
- 28. "Prélèvements de salive : le front du refus s'organise", Le Figaro, 16 May 2007, available at http://www.lefigaro.fr/france/20070516.FIG000000039_prelevements_de_salive_le_front_du_refus_s_organise.html.
- 29. Called "Perben II" after the name of the French Minister of Justice, Dominique Perben.
- 30. Loi No. 2004-204 du 9 mars 2004, Loi portant adaptation de la justice aux évolutions de la criminalité, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000249995&dateTexte= ">http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000249995&dateTexte= (in French).
- 31. EDRI-gram, No. 6.2, January 2008, "Key Privacy Concerns in France," available athttp://www.edri.org/edrigram/number6.2/privacy-france-2007 ; see also website detailing all the protests against this database http://www.ldh-toulon.net/spip.php?rubrique141 (in French).
- 32. Conseil d'Etat, "Education nationale : fichiers 'Base élèves 1er degré' et 'BNIE'", http://www.conseil-etat.fr/cde/node.php?articleid=2099.
- 33. EDRI-gram, No. 6.2, January 2008, "Key Privacy Concerns in France," available athttp://www.edri.org/edrigram/number6.2/privacy-france-2007.
- 34. Text of the Conseil déetat decision of 13 March 2007, available at http://www.conseil-etat.fr/ce/jurispd/index_ac_ld0712.shtml; see also EDRI-gram No. 5.7, March 2007, "French High Court Cancels The Creation of Illegal Migrants Database," available at http://www.edri.org/edrigram/number5.5/france-cancels-database.
- 35. Conseil d'Etat, "Section du contentieux, 10ème et 9ème sous-sections réunies, Séance du 4 décembre 2009, Lecture du 30 décembre 2009, Nos 312051, 313760. Association SOS Racisme à Groupe d'Information et de Soutien des Immigrés et autres", available at http://www.conseil-etat.fr/cde/node.php?articleid=1906.
- 36. décret no 2008-632 du 27 juin 2008 portant création d'un traitement automatisé de données à caractère personnel dénommé "EDVIGE", JORF no 0152, 1st July 2008, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000019103207.
- 37. décret no 2008-632 du 27 juin 2008 portant création d'un traitement automatisé de données à caractère personnel dénommé "EDVIGE", supra at 66; see also EDRI-gram, Number 6.14, July 2008, "Edvige French Database," available at http://www.edri.org/edrigram/number6.14/edvige-french-database.
- 38. EDRI-gram, Number 6.15, August 2008, "More than 50000 Signatures against EDVIGE," available at http://www.edri.org/edrigram/number6.15/50000-signatures-edvige.
- 39. décret no 2008-1199 du 19 novembre 2008 portant retrait du décret no 2008-632 du 27 juin 2008 portant création d'un traitement automatisé de données à caractère personnel dénommé "EDVIGE", available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000019774085&dateTexte=.
- 40. décret no 2009-1250 du 16 octobre 2009 portant création d'un traitement automatisé de données à caractère personnel relatif aux enquêtesadministratives liées à la sécurité publique, JORF no 0242, 18 October 2009, at 17245, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000021163904&fastPos=10&fastReqId=353873481&categorieLien=id&oldAction=rechTexte ; décret no 2009-1249 du 16 octobre 2009 portant création d'un traitement de données à caractère personnel relatif à la prévention des atteintes à la sécurité publique, JORF no 0242, 18 October 2009, at 17244, available at
- 41. Pour obtenir l'abandon du fichier "EDVIGE" http://www.nonaedvige.sgdg.org/.
- 42. CNIL, "Conclusions du contrôle du système de traitement des infractions constatées (STIC)," available at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/Controles_Sanctions/CNIL-Conclusions_des_controles_STIC.pdf (in French).
- 43. Meryem Marzouki, "France: Who have They Forgotten to Control Today?" EDRI-gram, 7.2, 28 January 2009, available at http://www.edri.org/edri-gram/number7.2/france-+forgotten-to-control-today .
- 44. Id.
- 45. Id.
- 46. CNIL, 30e Rapport d'Activité2009 (2010) at 14, available in French at http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-30erapport_2009.pdf.
- 47. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 48. CNIL, "Les observations de la CNIL sur les nouvelles dispositions de la LOPPSI", 21 June 2010 http://www.cnil.fr/la-cnil/actu-cnil/article/article/les-observations-de-la-cnil-sur-les-nouvelles-dispositions-de-la-loppsi/.
- 49. LOI no 2010-242 du 10 mars 2010 tendant à amoindrir le risque de récidive criminelle et portant diverses dispositions de procédure pénale, JORF no 0059, 11 March 2010 at 4808, available at : http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000021954436&dateTexte=&categorieLien=id.
- 50. décret no2009-1310 du 26 octobre 2009 portant création d'un traitement automatisé de données à caractère personnel relatives aux étrangers bénoficiaires du dispositif d'aide au retour géré par l'Office français de l'immigration et de l'intégration (J.O. of 28 October 2009), available in French at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=IMIK0922946D.
- 51. See generally CNIL, "OSCAR : Outil de Statistique et de contrôle de l'Aide au Retour",
26 August 2010, available in French at http://www.cnil.fr/en-savoir-plus/fichiers-en-fiche/fichier/article/oscar-outil-de-statistique-et-de-controle-de-laide-au-retour/, IRIS, "Fichiers et étrangers" http://www.iris.sgdg.org/actions/fichiers/.
- 52. The LEN has also added a definition of electronic mail, as part of the transposition of the EU Directive on Privacy and Electronic Communications (2002/58/EC). This definition does not provide that e-mail is a correspondence, notwithstanding the fact that all the legislation on privacy (including the already cited 1991 law) refers to correspondence.
- 53. EDRI-gram, No. 6.4, 27 February 2008, "French Police Extends the Internet Blacklist," available at http://www.edri.org/edrigram/number6.4/french-internet-blacklist ; see also "Guerre contra la criminalité sur Internet," Le Figaro, 12 December 2008, available at http://www.lefigaro.fr/actualites/2008/02/13/01001-20080213ARTFIG00013-guerre-contre-lacriminalite-surinternet.php (in French).
- 54. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 55. Loi No. 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers, available at http://www.senat.fr/apleg/pjl05-109.html.
- 56. Id. at art. 8.
- 57. "Paris : la carte des 1200 caméras de surveillance", Le Parisien, 20 October 2008, available at http://www.leparisien.fr/une/paris-la-carte-des-1200-cameras-de-surveillance-20-10-2008-283302.php.
- 58. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 59. Loi no95-73 du 21 janvier 1995 d'orientation et de programmation relative à la sécurité, available at http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=LEGITEXT000005617582&dateTexte=20100812.
- 60. CNIL, "Les observations de la CNIL sur les nouvelles dispositions de la LOPPSI",
- 61. Supra at 112.
- 62. CNIL, Délibération 2010-096 du 8 avril 2010 portant recommandation relative à la mise en oeuvre, par les compagnies d'assurance et les constructeurs automobiles, de dispositifs de géolocalisation embarqués dans les véhicules, 8 April 2010, JORF no 0114, 19 May 2010, available at http://www.cnil.fr/en-savoir-plus/deliberations/deliberation/delib/224/.
- 63. Loi no 2003-1119 du 26 novembre 2003 relative à la maitrise de l'immigration, au séjour des étrangers en France et à la nationalité, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTX0300040L (in French); décret no 2004-1266 du 25 novembre 2004 portant création à titre expérimental d'un traitement automatisé des données à caractère personnel relatives aux ressortissants étrangers sollicitant la délivrance d'un visa, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTD0400325D (in French).
- 64. décret no 2006-470 du 25 avril 2006 modifiant le décret no 2004-1266 du 25 novembre 2004, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTD0600085D (in French).
- 65. décret no 2005-1726 du 30 décembre 2005 relatif aux passeports électroniques, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTD0500343D; décret no 2007-240 du 22 février 2007 portant création de l'Agence nationale des titres sécurisés, available at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=INTA0700020D (in French).
- 66. Loi No. 2006-64 du 23 janvier 2006 relative à la lutte contre le terrorisme et portant dispositions diverses relatives à la sécurité et aux contrôles frontaliers, available at http://www.senat.fr/apleg/pjl05-109.html.
- 67. Id. at Art. 7.
- 68. See generally EDRI-gram No. 4.2, February 2006, "French Anti-Terrorism Law Not Anti-Constitutional," available at http://www.edri.org/edrigram/number4.2/frenchlaw.
- 69. décret no2009-1310 du 26 octobre 2009 portant création d'un traitement automatisé de données à caractère personnel relatives aux étrangers bénoficiaires du dispositif d'aide au retour géré par l'Office français de l'immigration et de l'intégration (J.O. of 28 October 2009), available in French at http://www.legifrance.gouv.fr/WAspad/UnTexteDeJorf?numjo=IMIK0922946D.
- 70. See generally CNIL, "OSCAR : Outil de Statistique et de contrôle de l'Aide au Retour",
26 August 2010, available in French at http://www.cnil.fr/en-savoir-plus/fichiers-en-fiche/fichier/article/oscar-outil-de-statistique-et-de-controle-de-laide-au-retour/, IRIS, "Fichiers et étrangers" http://www.iris.sgdg.org/actions/fichiers/.
- 71. See website of the NGO campaign with relevant documents, available at http://www.ines.sgdg.org/.
- 72. CNIL, "Antivols pour nouveau-nos : pour ou contre les bracelets électroniques dans les maternités ?",
- 73. Projet de loi adopté par l'Assemblée Nationale, d'orientation et de programmation pour la performance de la sécurité intérieure, 2 June 2010, available in French at http://www.senat.fr/leg/pjl09-518.html.
- 74. CNIL, "Body scanner : quel encadrement en France et en Europe ?", 8 June 2010 http://www.cnil.fr/la-cnil/actu-cnil/article/article/body-scanner-quel-encadrement-en-france-et-en-europe/.
- 75. CNIL, Déliberation no 2009-360 du 18 juin 2009, autorisant la mise en oeuvre par le Graduate Management Admission Council (GMAC) représenté par Pearson Education France déun traitement de données à caractère personnel reposant sur la reconnaissance du réseau veineux de la paume de la main et ayant pour finalité de contrôler l'accès à des salles déexamen et déempécher la substitution de candidat à l'examen GMAT (demande déautorisation no 1323460), available at http://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000020972764&fastReqId=1603510912&fastPos=1.
- 76. CNIL, "40.000 euros d'amende pour DirectAnnonces", 28 July 2009 http://www.cnil.fr/dossiers/sante/actualites/article/552/la-biometrie-entre-a-lhopital-pour-identifier-des-patients-traites-par-radiotherapie-1/.