In October 2005, CNIL had rejected applications for the installation of 4 peer-to-peer surveillance systems filed by royalties collection and copyrights distribution institutions in the music industry (SACEM, SDRM, SPPF and SCPP). The organisations later appealed the Commission's decisions to the Conseil d'Etat who overturned them partially on 23 May 2007. The Conseil d’Etat ruled that CNIL had made an “error of judgement” by finding that the data processing intended to search for and detect illicit access to musical works on peer-to-peer networks was disproportionate with its purpose. Conversely, the Conseil d’Etat endorsed CNIL's analysis regarding the principle of mailing educational messages to targeted internet users. Thus the Conseil d’Etat ruled that such mailings were unlawful as they were not covered under the terms of the authorisation granted to internet service providers to retain login data on internet users.
Further to this ruling, the Commission contacted the royalties collection organisations to find out about their intentions. Three of them (SACEM, SDRM and SCPP) re-applied for approval, removing the invalidated educational messaging clause from their requests. Thus in November 2007, in pursuance of the ruling of the Conseil d’Etat, CNIL had to authorise these three organisations to implement their search and detect process for copyrights violations on internet. The last organisation concerned (SPPF) re-applied for approval in December 2007 and their own surveillance system, identical to the previous three, should be authorised in early 2008.
In July 2007, the French Minister of Culture and Communication created an adhoc committee to investigate solutions intended to “fight against illicit downloads and develop lawful music offerings”, under the leadership of Mr. Denis OLIVENNES and with the participation of Mrs. Isabelle Falque-Pierrotin, CNIL member and President of the “Guidance Council” and representing the “Forum des droits sur l'Internet” (Internet Rights Forum). The committee issued several recommendations in November 2007, which, once taken on board by the Government, should lead to legal and technical adjustments, to be subsequently reviewed by CNIL.
E. de Givry : I testified before a hearing in October 2007, similarly to other public officials. Our goal was to enable the committee members to mainstream as best as possible issues of data protection into their investigations and recommendations. The hearing was an ideal opportunity to respond to many technical and legal questions related to privacy protection on the internet.
I. Falque-Pierrotin : As a member of both CNIL and the Olivennes committee, I was able to share my expertise with the committee on issues of personal data protection. The committee members were not necessarily aware of the assets offered by the French and European data protection systems, their constraints or the guarantees they provide. This particular dimension of combating illicit music downloads needed to be clearly incorporated into the committee's enquiry, particularly since it is a major concern for internet users.
I. Falque-Pierrotin : In view of the proposals contained in the committee's report, the Government and later the Parliament will have to discuss these issues and make choices. They will need to decide on the necessary reconciliation between the defence of copyrights and the defence of individual liberties. Those will be difficult choices that will impact more broadly the vision of our country regarding internet regulation. CNIL will of course play its rightful role in this decision-making process.
E. de Givry : The Commission has duly noted that the report issued by the Olivennes committee includes repeated reminders that any systems considered will have to be submitted to CNIL for approval, and that the fight against music pirating must rely on “proportionate and pragmatic solutions, respectful of individual liberties”, which is precisely what CNIL has always advocated.
In two successive rulings issued in April and May 2007, the Court of Appeal of Paris judged that IP addresses collected during searches and findings of internet counterfeiting acts do not enable, even indirectly, any identification of physical persons, and that consequently they do not constitute personal data. Concerned about the consequences of such an analysis of Internet privacy protection, CNIL contacted the Minister of Justice and the Public Prosecutor to the Cour de Cassation (Supreme Court) in an attempt to lodge an appeal against both rulings in the interest of the law. In a letter dated 8 October 2007, the Minister of Justice agreed to lodge the appeal to the Cour de Cassation who should issue its ruling sometime in 2008. It should be noted that, in an opinion published on 20 June 2007, the data protection authorities of EU Member States issued a reminder that IP addresses were indeed to be regarded as personal data.
Internet has become a part of our daily lives: whether to find the dream holiday destination, the best tiramisu recipe or the reviews on the latest Georges Clooney film, search engines are inescapable! Searching for childhood friends, networking or simply publicising ourselves on the web... so many reasons among others that explain the current success of community sites. Yet, these “free” sites actually exploit web surfers' personal data for commercial or advertising purposes without any clear information provided about it to the surfers.
Every time you carry out a search on internet, search engines generally collect numerous data about you: personal cookie, IP address of the computer and contents of the query. These data are frequently retained over long periods of time, i.e. over one year for all major industry players. These personal data can then be deleted or anonymised.
This means that a search engine knows exactly what searches you have submitted for at least the past year, including all ads that you may have accessed to...
Whether we're talking about search engines like Google or Yahoo! or about community sites like Facebook, MySpace or LinkedIn, all these web-based services operate with the same business model: they offer free services in counterpart for financing revenue from advertisers, who in turn exploit these sources of personal data supplied by the users themselves, sometimes unbeknownst to them, in order to increasingly fine-tune their marketing targets.
Accordingly, it was perfectly natural for CNIL, similarly to other data protection authorities, to be concerned about actual compliance of such sites and services with the principles of data protection, and to scrutinise the conditions under which personal data are processed and internet users are informed about the processing and about ways to exercise their privacy rights.
When personal data on life style, personal relationships, leisure activities or even political and religious opinions are disclosed to search engines or site networks, internet users make their private life visible for all to see on the web, enabling web sites to compile huge data mines liable to be tapped for multiple commercial uses. We are insufficiently aware of this reality, though at times we may witness outright rejections of tactless invasions of advertisements. But our awareness of the challenges facing our public and private liberties is very inadequate, particularly among the younger generations.
The risk is very real indeed and further amplified by the fact that internet users are not always familiar enough with these new tools. For instance, even if parameter settings can be personalised on the web service, the default configuration frequently facilitates a broad dissemination of the data, in such a way that data supposed to remain within your sphere of privacy often end up displayed publicly on the web.
CNIL has contacted all major industry players and urged them to take into better consideration the data privacy issues, whether for the protection of sensitive data, information of private users and their rights to refuse any commercial exploitation of their personal data, or on data retention time. However, we cannot afford to restrict our action on a purely national scale. Consequently, the Article 29 Working Party (group of European data protection authorities) will be publishing an opinion on search engines in early 2008. This opinion will reassert the rules of data protection applicable to search engines and formulate a number of practical recommendations. The G29 further intends to adopt an equivalent approach for community sites.
Concurrently, internet users also need to enhance their basic knowledge on personal data protection. Information and awareness measures are therefore needed and will be conducted by CNIL, particularly for younger users.
The non-profit “Association Française pour le Nommage Internet en Coopération” (AFNIC) is the institution in charge of administrative and technical management of the domain names ending with “.fr” (France) and “.re” (Reunion Island).
Practices involving so-called cybersquatting (abusive use of domain names owned by known brands or renowned companies) and typosquatting (registration of a domain name similar to a known domain, e.g. “legifrance.fr” instead of “legifrance.gouv.fr”) have been multiplying. In an effort to curb these practices, AFNIC has set up a system providing for automatic updates of a watch-list of physical persons resorting to such methods in violation of its Naming Charter, whose normative character has been confirmed by courts of law. The Charter specifies the rules relative to the registration and maintenance of domain names administered by AFNIC.
Individuals recorded on this watch-list are no longer authorised to register any new “.fr” domain names for one year, the one-year period corresponding to the normal lifespan of a domain name. In the event of repeated violations during a period of 7 years, the ban will be extended to 3 years. In case of attempted ID misappropriation of registered .fr domain names in violation of the exclusion decision, the ban period will be extended to 5 years.
In its decision issued on 13 September 2007, CNIL authorised AFNIC to set up this watch-list, after having duly noted the guarantees provided, in particular as regards the information of the internet users concerned about the implementation of this procedure.
CNIL has conducted several on-site investigations of internet service providers who practice peer-to-peer network surveillance. Investigations on the elements collected during these investigations should be completed in the first quarter of 2008.
When internet users request a web site publisher to remove their personal data from publication lists, the publisher will dereference the relevant page, but the data may remain available on the web for some time, resulting sometimes in reactions and complaints filed with CNIL from users who believe their request was not taken into account.
So what really happens? Search engines retain a temporary copy of all pages visited by their indexing engines. Questioned by CNIL on the subject, Google explained that when a web page is removed by the site publisher, this copy called a “cache page” is also deleted from search results but only after the next site indexing process is completed by the search engine robot. The re-indexing time lag varies depending on various factors, such as site popularity or update frequency, but takes place on average every 2 to 3 weeks (some news sites may be updated virtually every day). During this time interval, it may still be possible to view the cache version of the deleted page even though the actual page is not longer published on the original site.