Web hosting service providers do not have to retain and to supply the authorities with a user’s password

Pursuant to the Law for Trust in the Digital Economy of June 21, 2004, service providers that provide access to online communication services or that store information provided by users of such services, shall hold and retain any kind of data that is likely to help identify a person who has contributed to creating the content of the services.

The main purpose of this obligation is to allow the communication of such data to the judicial authorities.

A decree published on March 30, 2012 has restricted the login information that web hosting service providers must retain: they shall now only retain data that allows a user to check or to change his password, but not the password itself. In practice, the decree is aimed at retaining and supplying the authorities with secret questions and answers relating to a user’s account.

This text does not meet the expectations of the Conseil National du Numérique (CNN), which advised the Government, in an opinion dated November 21, 2011, to suppress the obligation to retain any kind of data relating to passwords, including data that allows a user to check or to change his password.

The CNN pointed out that such an obligation would result in the retention of sensitive data in a non-encrypted form, and that supplying the judicial authorities with such data would violate one’s privacy rights, as the information collected by web hosting service providers (notably through the secret questions and answers) is not necessarily data that is likely to help identify a person.