The law of June 21, 2004, on trust in the digital economy (the so-called LCEN) imposes on ISPs (Internet access providers and hosting services providers) an obligation to keep data that could identify online users.
Its implementation decree came as a surprise on February 25, 2011, almost seven years after the enactment of the law.
The retention obligation extends to various identifiers (connection, equipment, content, user), time and date of connection, type of communication line or protocol, name, first name, pseudonym, contact details (e-mail and postal address, address of associated accounts, phone numbers) as well as to password information (the password itself and recovery and update information) and to payment-related information.
This information must be kept for one year from the date of content creation, contract or account termination or from the date of payment.
The surprise was such that the CNIL dug out an old opinion it expressed on an earlier version of the decree, which dates back December 20, 2007, and published it promptly on its Web site. The CNIL was of the opinion that data relating to payment was irrelevant since it did not allow for the identification of the content creator. However, the final text of regulation has this data element in the list of data to be retained by ISPs.
ISPs must make the data elements available to judiciary authorities and police authorities in charge of terrorism.
