French sensibilities

Thirty years ago this week, the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data," was signed by the Council of Europe in Strasbourg, France.

Convention 108 marked the first major international policy that laid out the issues of privacy and data protection. It laid the foundation for stricter rules currently in place across the European Union.

But the 1981 document didn't just come out of nowhere.

In fact, France was one of the first countries in Europe to enact a privacy law. The French parliament in 1978 decreed that any person company or government agency receiving or processing personal information without authorization could be punishable by up to six months in prison and a maximum fine of 20,000 francs (3,000 euros, $4,115).

The Data Protection and Liberties Act prohibits the processing of so-called sensitive data, which includes racial or ethnic origin, political, philosophical or religious opinions, trade union affiliation, or information related to the health or sexual life of individuals.

French cultural sensibilities

"It wasn't that the French authorities were a particular threat," said Emmanuel Derieux, a law professor at Paris II University. "Perhaps it's more of a sensitivity or sensibility. French people worried about the protection of their private life and their independence."

French cultural attitudes have taken a strong stance on privacy that's been historically supported. An article in the French Napoleonic code, which dates from the beginning of the 19th century, even guaranteed the right to a private life.

But beyond cultural sensibilities, there was also a pragmatic reason for the government to stand up for privacy. In 1974 - seven years before the Council of Europe's Convention 108 - a draft security law known as Project Safari called for the government to use social security numbers to interconnect all personal administrative data.

"It was very, very bad political move to hunt the citizen through their data," said Jeremie Zimmerman, a founder of internet advocacy group La Quadrature du Net.

Data safari

Project Safari unleashed a media storm when the details were published, and the interior minister was forced to scrap it. Zimmerman said the subsequent 1978 privacy law was a reaction against Project Safari.

French privacy experts agree that by the late 1970s, France was concerned about privacy abuses carried out by the government, and now there is an increasing awareness that sensitive data is being made available to more than just government ministries.

"I think the risks are much more serious today when it comes to private companies that can collect information and then use and exploit it," Derieux said.

The CNIL (Commission nationale de l'informatique et des libertes), the French data protection agency, was created as part of the 1978 law. The agency now handles some 5,000 complaints and information requests a year.

Corporate information

Many of these center on companies' access to and use of private data, including financial and medical records and even political views. The CNIL had been monitoring digital developments, but its powers were not sufficient to deal with private companies.

"It's a very different job to control and regulate a system that is very decentralized and mostly composed of private files whereas in the past it was mostly public files," CNIL Vice President Isabelle Falque-Pierrotin said.

The CNIL is entitled to enter companies' premises; it can access documents, ask for copies and even access the company's computers. The agency notifies the companies when they're coming, and the companies can refuse and go through an appeal process.

If CNIL does find evidence of the illegal storage or use of any personal data, it can issue penalties of up to 300,000 euros and notify the public prosecutor.

Last year, CNIL investigated 308 claims and 122 companies were found to be in breach of the law. Four ended up being fined, for a total of 32,500 euros, three received warnings and 111 were given a deadline to conform to the law.

In-house privacy monitors

Another new element of the 2004 revision was a provision allowing companies to appoint an in-house data protection monitor, who can then report any data storage abuses to the CNIL. But some wonder how independent these monitors are, given that they may have to denounce their employers.

"It's a very liberal and hypocritical provision,” said La Quadrature du Net's Zimmerman.

But CNIL's Falque-Pierrotin said this monitoring system, which started in France, works so well that Brussels is considering making it compulsory for all EU companies to appoint an in-house data protection monitor.

"Even if it's a tricky position for the man in charge, he has to obey the manager but he carries with him the privacy culture, and I think it's a delicate balance but most of them succeed in doing it," she said.

Online copyright infringement

Another serious problem for the CNIL has developed in the last year. A package of laws known as Hadopi designed to prevent copyright infringements has raised concern among privacy campaigners.

"We were against some parts of the law," Falque-Pierrotin said. "For example, the idea that Hadopi would lead to exaggerated control of the end users and their activities online."

She added that the CNIL is still vigilant on Hadopi, which is run by another government agency.

Before Hadopi was passed into law, the CNIL delivered an opinion on it to the government, expressing these concerns.

Since becoming law several of Hadopi's controversial passages have been modified or removed, including one that called for sanctions against those accused of copyright infringement before they were convicted of any illegal behavior.

Author: Molly Guinness, Paris

Editor: Sean Sinico