Back to Blog
 Data Retention Law

Data Retention Law in France Raises Privacy Concerns

April 11, 2011

Large technology businesses including Google, Facebook and eBay are fighting a new law in France (Google translation) that would require internet companies to keep user data for a year. The French Association of Internet Community Services (ASIC) is to challenge the law in front of the State Council.

Data must be retained so that it can be handed over to the authorities on demand, and must be kept for at least one year, so that it can be used by the authorities if necessary. The data that the law will require the sites to retain includes personal information such as customer names, addresses, telephone numbers and even passwords.

However, Google and over 20 other companies want to reverse the new legislation. The ASIC argues, “It doesn’t make sense to have different requirements in France than what we have in Spain and England. Also we do not feel comfortable turning our customers’ passwords over to the police”

The new law raises a number of concerns over privacy, something for which Google and Facebook have already faced criticism as a result of their collection and retention of personal information. In fact Google has been the target of legal action brought by France itself, and was last month fined $142,000 after collecting data through wireless access points around the world.  On a related note, Facebook has found it necessary to change is privacy settings in light of concerns over access to user information.

With a number of the companies affected by the legislation having suffered damage to their reputation themselves following the efforts of privacy advocates, it is no surprise that they are objecting to a new law which will now require them to retain, and release on demand, their users’ personal data.

The new law could be could prove particularly problematic in cases where security is breached. If companies are bound to retain a broader range of user data, including passwords which might be used with a variety of services, it is more likely that an attacker would be able to gain complete access to millions of Internet users’ accounts across not only social networking sites, but email, intranets and possibly even online banking.

The head of ASIC, Benoit Tabaka, has highlighted a range of problems with the new law. One issue he raises is that ‘there was no consultation with the European Commission.’ He goes on to explain that, ‘Our companies are based in several European countries. Our activities target many national markets, so it is clear that we need a common approach’. And he claims that collecting and retaining passwords is a ‘shocking measure’.

In light of the increasing concern over privacy online it is not surprising that the new law has caused a stir. Especially among those companies which have come under attack as a result of their collecting personal information.  Furthermore, is this yet another burden for new IT business to bear, as touched on previously in our post covering Regulation and Start Up Britain, and could it lead to a less competitive marketplace here if similar measures are adopted in the UK?