Law no 2004-575 of June 21st 2004, on confidence in the digital economy, stipulates that any person or entity whose activity is to provide the public with access to online communication services (Internet service providers) and any
person or entity that hosts data provided by its users in order to make it available to the public through online communication services (hosting providers) shall retain data allowing the identification of any person who has contributed to the creation of online content using their services.
Pursuant to said law, the legal regime of this duty was to be determined at a later date by decree. More than seven years after the law for confidence in the digital economy was passed, decree no 2011-219 of February 25th 2011 on the retention and communication of data allowing the identification of any person contributing to the creation of online content has finally been adopted.
This decree lists the data that must be retained by Internet service providers and hosting providers and details the conditions of such retention. Internet service providers must now retain data relating to all client connections, contract signature, account creation or payment operation. Similarly, hosting providers must retain data relating to the creation, modification or deletion of content, contract signature, account creation or payment operation by a client.
The decree states that the data must be stored for a one-year period, the starting point being different for each category of data. For example, whereas data relating to account creation must be retained for a one-year period as from the termination date of the concerned account, data relating to the creation of content must be retained for a one-year period as from the creation date of the concerned content.
This data being of a personal nature, Internet service providers and hosting providers must respect the provisions of Law no 78-17 of January 6th 1978 on Data Processing, Data Files and Individual Liberties, and shall in particular ensure that the confidentiality and security of data is maintained.
The decree also details the conditions under which data shall be communicated in the event of an administrative request.
Finally, failure to retain data listed by the decree exposes the Internet service provider or hosting provider to a fine of 375 000 Euros, with managers punishable by a year’s imprisonment and a fine of 75 000 Euros.