Internet and Data Privacy: The French/European Approach

September 19, 2011

Personal data and the things associated with it may be misused by others, but may I really control this if I have chosen, at one moment or another, to make my personal data publicly available?

If I have rights, such as intellectual property rights, to protect my works and signs against misuse, may I equally prohibit third parties from using without my authorization my personal data, as if it was in some way my creation, my expression, rather than a public instrument of police or of target advertising?

French or European laws, mirroring each other, may give elements of answer and of action. ‘Action’ because any prejudice suffered in France triggers the competency of the French civil courts (Code de procedure civile, art 46) and criminal courts (Code penal, art L113-2), especially when an infraction has a link with France.

Regulations about personal data

Both the French legislation (L2004-801-6 août 2004 modifying art.7 of the loi 78-17 du 6 janvier 1978 ‘Informatique et libertés’) and the European Directive (Directive 95/46 du 24 oct 1995, art 7), recently subordinated the processing of personal data to the previous consent of the concerned person. This is a substantial exception to the freedom of communication stated most notably in the ECHR, art 10. Regulations about personal data protection may give grounds to obtain damages or an injunction, or give rise to penalties against those who do not respect the regulations. Collecting data by unfair means is punished by the criminal law (see code penal, arts 226-18, 226-18-1, 226-19, 226-28 which imposes penalties of up to five years’ imprisonment or a fine of up to 300,000 euros).

Under art 7 of the loi 78-17 du 6 janvier 1978 ‘Informatique et libertés’ (free translation):

Processing personal data must receive the consent of the person concerned or meet one of the following conditions:

1 ° compliance with a legal obligation of the controller;

2 ° preservation of the life of the person concerned;

3 ° fulfilling a public service mission vested in the head of the organization receiving the treatment or the recipient of the treatment;

4 °fulfilling a contract to which the person is a party or precontractual steps at the request of that person;

5 °realization of legitimate interests pursued by the controller or by the recipient, subject to not disregarding the interest or the rights and freedoms of the individual.

French data protection regulations apply where the means of data processing are located in France (Loi informatique et libertés, art 5).

In addition, to the main protection outlined above, other provisions have the effect of protecting personal data against use which is not authorized by the person concerned.

Rights over one’s name and image

Relevant rights prohibit unauthorized use of the name and of the image of a person, as an interference with private life (Code civil, arts 9 and 1382; Code pénal, art 226-1 – with a maximum penalty of one year and 45,000 euros). The Code pénal may apply too in cases of usurpation of identity or confusion (arts 434-23 and 226-4-1), scam (art 313-1) and audio/video editing (art 226-8). Action may also be possible under the Code civil in respect of undue profit (art 1382). There is also a possible recourse in the case of abuse of the use of a name as a domain name (art R.20-44-46 Code des postes).


The keeping of third-party personal data intended for personal use only does not require the previous consent of the contacts concerned (eg a private address book) ( see art 2, L78-17). But an unauthorized disclosure of personal data initially held privately may attract a sanction before civil or criminal courts on the basis of it being an interference with private life. There are variations depending on the sensitivity of the piece of information concerned and the range of its diffusion (Code civil, arts 9 and 1382; Code pénal, art 226-1 – maximum penalty of one year and 45,000 euros). Adding a wider perspective, the unauthorized disclosure of data communicated in the framework of a confidential relationship may attract a sanction on the ground of breach of contract or infringement of a professional secret regime.

Do this means that using third-party personal data without the consent of this third party is prohibited? No. Wide exceptions to the ‘previous consent’ rule exist in order to assure the protection of other legitimate interests, mainly: public order, usual transparency, freedom of expression.

Public order and specific purposes

The keeping of registers is either sometimes prohibited or at least submitted to constraints, notably those provided in the data protection regulations (loi 78-17) and subject to heavy criminal sanctions. Nevertheless the ‘previous consent’ of the concerned person may not be required when the collection of data is needed for fulfilling legal obligations, providing public services, protecting national security, fighting delinquency, organizing health issues, securing the web, allowing scientific research works or, more simply, for allowing the technical operation of a service. In these cases data is usually meant to be kept confidential and is used by authorities or entitled persons on a restrictive basis and through specific procedures and regimes. If data collected by these means is improperly disclosed, the law relating to secrecy may apply and be a ground to obtain sanctions, before civil and criminal courts, or disciplinary bodies (cf. notably, code penal, art 226-13 – 1 year, 15,000 euros; art 226-15 (correspondence) – 1 year, 45,000 euros; arts 226-17 and 226-22 – 5 years, 300,000 euros; L432-9 – 3 years, 45,000 euros).

Usual transparency: Universal directories: A mitigated approach

According to the CNIL (Commission Nationale Informatique et Libertés) – Deliberation No. 97-060 of July 8, 1997 (free translation):

Considering that the publication of lists of subscribers or users of telecommunications networks or services is free, subject to the protection of data of persons concerned; that the treatments used for compiling these lists are automated treatments of personal data as defined in the Loi 78-17 of 6 January 1978; as a result, the protective provisions of individual liberty and privacy under this Loi shall apply to lists of subscribers which, regardless of the medium on which they are published (print or electronic), are commonly called directories;’-

Articles L34 and L34-5 of the Code des postes et communications électroniques (Code PCE) specify that the publication of lists of subscribers or users of the networks or electronic communications services is free, subject to the protection of individual rights. Among those rights are the right for everyone to be mentioned on the lists of subscribers or users published in directories or available through an information service or not to be mentioned, to oppose the entry of certain data or certain uses of personal mentions, to prohibit any use of personal data concerning him or her in commercial operations, as well as the right to obtain disclosure of such personal information and require the data to be rectified, completed, clarified, updated or deleted, in accordance with arts 39 and 40 of Law No. 78-17 of 6 January 1978 relating to data, files and freedoms (which then triggers the procedures and criminal sanctions provided for the breach of this law: 5 years, 300,000 euros and other misdemeanors).

The prior consent of subscribers to a mobile operator is required for all entries in the lists of subscribers or users sent out by their mobile operator for publication in directories or made searchable via a service of information as personal data concerning them.

To summarize: Some personal mentions are published by default, others are not, and in all cases the subscriber is entitled to intervene, without charge, to modify the default options (cf. also decree 2005-606, 27 mai 2005 modifying Code PCE, arts R10, R10-12).


Harmful web site content available in France may be condemned by French criminal or civil jurisdictions. Failure to remove the links to of such content may be ground for damages, cf. the LICRA v Yahoo saga (see for a partial account).

Is a web site, a search engine or similar entitled to show personal data in hyperlinks or comments of hyperlinks? There is a principle of non responsibility for hyperlinking, which is considered as an activity constitutive of Internet. However, when notice that the content linked is illicit is given to the installer, the installer takes on responsibility if it fails to withdraw the link and the associated contents.

Freedom of expression

This fundamental right is stated most notably in art. 10 of the ECHR, and has been explained by the European Court of Human Rights. Writing about others in the framework of the exercise of the freedom of expression or artistic creation is allowed as a rule. The freedom is complemented by a series of exceptions to author rights (see for instance art. L112-5 of the Code de la propriété intellectuelle which allows anyone to mention the existence of a creation and its author on the condition of complying with certain rules), and by a series of derogations to data protection regulations (see art.67 of Loi 78-17).

This freedom is however limited by the classical regulations on press freedom (as illustrated for instance by French Loi 29 juillet 1881 sur la liberté de la presse), and there may be criminal sanctions, notably through the defamation and insult qualifications.

Thus, if the publication of personal data is made without the consent of the person concerned, it must be made for the purpose of information / creation / education / scientific discussion/ political or syndical debate, and in the respect of the press freedom regulations requiring the application of a strict deontology. This deontology may be a ground to require criminal and civil sanctions, a posteriori, or even preventive measures. Basically it is meant to prohibit any use which could damage the reputation and dignity of a person, interfere with his private life or private correspondence, or incite violence. Here it is rather what surrounds personal data than the use of personal data itself which is sanctioned.

The sole omission of obtaining a prior consent is not sanctioned but the obtaining or the attempt of obtaining a prior consent will be obviously taken into account when considering criminal or civil sanctions against, for instance, acts of defamation. It is only once the disputed content is disclosed that invasion of privacy or damage to honor and reputation may possibly be condemned in the framework of a litigation process. For an illustration of the issue of prior consent and freedom of expression, see ECHR, Mosley v UK, 10 may 2011, n°48009/08 (comment at, where the state is unsuccessfully criticized for not providing a sanction for the non respect of the prior consent rule. This affair concerned the broadcasting of articles and videotape interfering with the private and sexual life of a citizen, by the way punished on other grounds.

Special provisions apply in the context of the protection of the presumption of innocence, and of the dignity of the person (see art 35 ter, 35 quarter, Loi 29 juillet 1881):

(a) when done without the consent of the individual, the dissemination by any means whatsoever, and regardless of the medium, of the image of an identified or identifiable suspect in criminal proceeding, indicating either that the person is wearing handcuffs or shackles or is in custody, is punishable by a 15,000 euro fine;

(b) the same penalty applies where a person performs, publishes or comments on a poll, or any other consultation, regarding the guilt of a defendant at a criminal proceeding or as to what sentence should be imposed against him or where a person publishes information enabling access to surveys or consultations of that type;

(c) dissemination by any means whatsoever, and regardless of the medium, of a reproduction of the circumstances of a crime or misdemeanor when such reproduction seriously undermines the dignity of a victim and lacks the victim’s consent is punished by a fine of 15,000 euros.


LCEN procedures

Certain procedures are specific to Internet users and are provided by the ‘Loi sur la Confiance dans l’Economie Numérique’ (LCEN). The fact that data is divulged through the Internet implies the application of specific regulations, providing procedures to allow the person concerned to obtain a faster removal of the relevant content directly from the other person involved. Interested persons may notify irregularities, in a subsidiary order, to the editor, the hosting provider and the internet provider in order to trigger their different responsibilities (eg technical intermediaries such as hosting providers have no general obligation to oversee the information they host) and ask for rectification or removal of the content, in accordance with specific procedures. The providers have the obligation to alert the public authorities about the most sensitive data (eg crimes against humanity).

The notified persons have to deal with these notifications quickly. A refusal by the notified person may be contested before a court but it must be noted that the alleged victim has the burden of producing evidence to demonstrate the inappropriate nature of the content. The notified person has no obligation to provide a legal advice to the alleged victim, and may even sue the alleged victim for abuse of notification, punished by article 226-10 code penal (5 years, 45,000 euros).

The ‘référé internet’ is an accelerated procedure allowing persons to obtain preventive or curative measures (art 6.I.8, LCEN) before the civil courts.

Press regulation

Criminal regulations apply (notably the right of reply, art. 13 loi 1881, art.6 loi 29 juillet 1982), and their scope is not restricted to professionals of the press. However, the press statute generates specific fiscal and social regimes which do not apply to non press.

Responsibility of the publishing director (see art 6 V of the loi 2004-575 (loi LCEN)) extends criminal press regulations to online services, including the system of responsibility according to which the publishing director is to some extent presumed liable. This regime is detailed in art 93-3 of the Loi n°82-652 du 29 juillet 1982 sur la communication audiovisuelle, as recently modified by the loi HADOPI, 2009-669, dated 12 june 2009, art 27.II. , which describes a regime adapted from the classical one (art 42 of the loi de 1881).

In order to balance the freedom of the press, whenever an article mentions somebody, a right of reply is also provided. This right is adapted to online services by art 6 IV de la LCEN (and décret 2007-1527).

Usual time bar for action: three months from the publication

CNIL Procedures

The CNIL procedure may be begun by any citizen with a simple letter. The CNIL is an organisation which intervenes in order to monitor the implementation of the data privacy regulations. It has counterparts in the other EU countries – the ICO in the UK. The CNIL may issue warnings, rulings, injunctions, pecuniary penalties (different from the criminal sanctions which may be pronounced by a criminal court), norms, and may take action in a competent court in order to obtain emergency measures. It may decide whether to publish the sanctions. The CNIL may issue recommendations which will stand as a standard or a criterion of interpretation of the data protection regulations and the notion of private life, for instance about the use of personal data in public archives or in judicial decisions.

Criminal courts

We have seen that personal data protection rules and the protection of secrets may be covered by penalties: prison, pecuniary penalties, prohibitions and the right of reply. The main criminal provisions about data protection are contained in arts 226-16 et seq and R625-10 et seq of the Code pénal.

Usual time bar for action; three years / one year.

Civil courts:

Under the Civil code, if specific damage can be shown and there is a link to an inappropriate use of personal data, damages may be sought in the civil courts. It may even be possible to seek preventive measures and answer rights, especially through emergency procedures ‘référé’ and ‘requête’, which are specific to the Internet (art 6.I.8. LCEN). However, as regards the freedom of expression, the Civil code cannot be a pretext for additional restrictions on the freedom of expression other than those already provided by the specific and criminal laws about the freedom of the press and about the related abuses.

Usual time bar for action; three years: five years.

Pierre Roquefeuil is an avocat specialising in intellectual property based in Paris.