The legal framework for electronic records storage in France – Avocat
Pierre Saurel – Avocat
CABINET ALAIN BENSOUSSAN

Overview
- Introduction
- French Law Concepts
  • Integrity
  • Durability
  • Identity
  • Reliability
  • Authentication
- Comparison with the Anglo-Saxon approach
- Medium Durability (“Durabilité”)
- Data Access Perenniality (“Pérennité”)
  • Perenniality of the “digital ecosystem”
  • Perenniality when upgrading

Introduction

Introduction (1/8)
Legacy of records storage regulations in France
- Traditions regarding the preservation of records by notaries (since Gallo-Roman times)
- Mandatory Church records (August 17th, 1539 Order under the King’s Seal, known as “Villers-Cotterets”)

Introduction (2/8)
Origin of French records storage regulations
- Based upon highly persistent storage methods (stone, clay, paper)
- Gradual elaboration through successive technological advances

Introduction (3/8)
A general framework
French law is a general framework for any and all human activities occurring in France. Records storage is no exception to this.

Introduction (4/8)
A conflict of rights
- Right to erasure of data (“droit à l’oubli”)
- Obligation of keeping records

Introduction (5/8)
Technological adaptation
Due to the heterogeneity and fast evolution of technologies for electronic record storage, French law must take into account and adapt to very different technical solutions.

Introduction (6/8)
A conceptual approach
- Legal texts define the rules and concepts related to record storage
- When necessary, the rules are interpreted by judicial courts on a case-by-case basis (based on the results of technical investigations)

Introduction (7/8)
Main applicable legal references
- Civil Code
- June 21st, 2004 Act “Loi pour la Confiance dans l’Economie Numérique”
- AFNOR Rule Z42-013
- NF Rule 43-400
- NF Rule ISO 15489-1
- EU September 23rd, 2002 directive transposed into French law by the June 7th, 2005 Order
- CNIL Opinion on the “three states” (“trois états”)

Introduction (8/8)
The future of French electronic records storage law
- AFNOR rule Z42-013 is being reappraised by an AFNOR workgroup which endeavours to take into consideration the latest records storage methods
- EU directives which have been transposed into French law may yet influence the AFNOR workgroup

French Law Concepts

French Law Concepts (1/10)
- Integrity (“Intégrité”)
- Durability (“Durabilité”)
- Identity (“Identité”)
- Reliability (“Fiabilité”)
- Authentication (“Authentification”)

French Law Concepts (2/10)
Integrity
- No legal definition
- Referred to in articles 1316-1 sq. of the Civil Code and various tax and commercial rules
- The NF rule ISO 15489-1 delineates the concept of “integrity” as a document’s “complete and unaltered state”

French Law Concepts (3/10)
Durability
- No legal definition
- Referred to in article 6, II of the June 21st, 2004 Act “pour la Confiance dans l’Economie Numérique”, L.121-20-11 of the Consumer Code, various EU directives

French Law Concepts (4/10)
Durability
- The 2002/65/EC directive defines “Durable Medium” as “any instrument which enables the consumer to store information addressed personally to him in a way accessible for future reference for a period of time adequate for the purposes of the information and which allows the unchanged reproduction of the information stored”

French Law Concepts (5/10)
Durability
- NF rule 43-400 defines “Durable Medium” as:
  - Irreversible
  - Long-lasting
  - Exploitable
  - Readable

French Law Concepts (6/10)
Identity
- No legal definition
- Referred to in articles 1316-1, 1316-4, 1369-7, 1369-8 of the Civil Code, and article 6-1 of the March 30th, 2001 Act

French Law Concepts (7/10)
Reliability
- Referred to in articles 1316-4, 1369-7, 1369-8 of the Civil Code, and article 6 of the March 30th, 2001 Act
- The March 30th, 2001 Act defines the concept of “reliability” for digital signatures as the assumption of document integrity and author identity guaranteed by a secure signing system verifiable through the use of a certificate

French Law Concepts (8/10)
Reliability
- The NF rule ISO 15489-1 defines a “Reliable Record” as a document of which contents can be construed as a complete and true representation of the operations, activities or deeds that it attests to, upon which other operations, activities or ulterior deeds

French Law Concepts (9/10)
Reliability
- The NF rule ISO 15489-1 defines a “Reliable Record Storage System” as a system for organizing and managing records operating in a continuous, regular and coherent manner

French Law Concepts (10/10)
Authentication
- No legal definition
- Referred to in articles 1316-1 and 1316-4 of the Civil Code, 56§1 of the Government Contracts Code, 29 of the June 21st, 2004 “LCEN” Act
- Defined as a form of identity verification by most authors

Comparison with the Anglo-Saxon approach

Comparison with the Anglo-Saxon approach (1/9)
French approach
- “Top-Down” Approach
- Conceptual approach generally applicable to any and all record storage methods

Comparison with the Anglo-Saxon approach (2/9)
Anglo-Saxon approach
- “Bottom-Up” Approach
- Practical ruleset
- Immediately functional

Comparison with the Anglo-Saxon approach (3/9)
US example: SEC Rule 17A-4(F)
- SEC Rule 17A-4(F) lays down a certain number of obligations for the storage of electronic records
- Compliance with SEC Rule 17A-4(F) is assessed according to seven cumulative criteria

Comparison with the Anglo-Saxon approach (4/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(A). Preserve the records exclusively in a non-rewritable, non-erasable format
- 17a-4(f)(2)(ii)(B). Verify automatically the quality and accuracy of the storage media recording process

Comparison with the Anglo-Saxon approach (5/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(C). Serialize the original and, if applicable, duplicate units of storage media, and time-date for the required period of retention the information placed on such electronic storage media

Comparison with the Anglo-Saxon approach (6/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(D). Have the capacity to readily download indexes and records preserved on the electronic storage media to any medium acceptable under this paragraph (f) as required by the Commission or the self-regulatory organizations of which the member, broker, or dealer is a member

Comparison with the Anglo-Saxon approach (7/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(iii). Store separately from the original, a duplicate copy of the record stored on any medium acceptable under Rule 17a-4 for the time required

Comparison with the Anglo-Saxon approach (8/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(vi). The member, broker, or dealer must maintain, keep current, and provide promptly upon request by the staffs of the Commission or the self-regulatory organizations of which the member, broker, or broker-dealer is a member all information necessary to access records and indexes stored on the electronic storage media; or place in escrow and keep current a copy of the physical and logical file format of the electronic storage media, the field format of all different information types written on the electronic storage media and the source code, together with the appropriate documentation and information necessary to access records and indexes.

Comparison with the Anglo-Saxon approach (9/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(vii). For every member, broker, or dealer exclusively using electronic storage media for some or all of its record preservation under this section, at least one third party ("the undersigned"), who has access to and the ability to download information from the member's, broker's, or dealer's electronic storage media to any acceptable medium under this section, shall file with the designated examining authority for the member, broker, or dealer the following undertakings with respect to such records:

Medium Durability (“Durabilité”)

Medium Durability (“Durabilité”) (1/4)
Media deteriorate over time
- Optical disc (CD-ROM, DVD-ROM, BRD-ROM, HD-ROM, etc.) data is not durable over centuries, unlike paper-based data
- WORM is the solution which French AFNOR rule Z42-013 has defined as the only compliant solution for durable medium data storage

Medium Durability (“Durabilité”) (2/4)
Therefore, to be WORM-compliant, technological solutions need to include:
- Maintenance in a functional condition of the medium
- Duplication of the medium

Medium Durability (“Durabilité”) (3/4)
The EU September 23rd, 2002 directive, transposed into French law by the June 7th, 2005 Order, indicates though that durable media notably include data disks, CD-ROM, DVD-ROM, and Hard Drives. However, Hard Drives are not WORM media.

Medium Durability (“Durabilité”) (3/4)
Therefore, the September 20th, 2005 NF rule 43-400 defines Medium Durability as the cumulative qualities of:
- Irreversibility (“Irréversibilité”)
- Longevity (“Longévité”)
- Exploitability (“Exploitabilité”)
- Readability (“Lisibilité”)

Medium Durability (“Durabilité”) (4/4)
These cumulative criteria define another, larger concept: Data Access Perenniality (“Pérennité”)

Data Access Perenniality (“Pérennité”)

Data Access Perenniality (“Pérennité”) (1/3)
Accessing the stored records not only necessitates a storage method respectful of the data itself, but also:
- Perenniality of the “digital ecosystem”
- Perenniality when upgrading

Data Access Perenniality (“Pérennité”) (2/3)
Perenniality of the “digital ecosystem”
- A fully functional environment, which involves maintenance of the operating system, medium, software, data format and documentation
- The ability to access the stored data, involving technical ability as well as the relevant legal and technical permissions

Data Access Perenniality (“Pérennité”) (3/3)
Perenniality when upgrading
- Software, hardware, protocol, medium upgrading must ensure data accessibility
- Upgrades must be traced so that the storage system can be reverted to an earlier state, since upgrades themselves are irreversible

Conclusion
The French legal framework on electronic records storage is a heterogeneous non-uniform complex system. Technology drives the evolution of concepts regarding the legal framework of electronic records storage. This evolution is beginning to take into account that the records system destined for storage is a “digital ecosystem” becoming independent from its storage medium (autonomous system).

THANK YOU
pierre-saurel@alain-bensoussan.com
www.alain-bensoussan.eu