The legal framework for electronic records storage in France – Avocat

Transcription

The legal framework for electronic records storage in France – Avocat
The legal framework
for electronic records storage
in France
Pierre Saurel – Avocat
CABINET ALAIN BENSOUSSAN
Overview
Introduction
French Law Concepts
•
•
•
•
•
Integrity
Durability
Identity
Reliability
Authentication
Comparison with the Anglo-Saxon approach
Medium Durability (“Durabilité”)
Data Access Perenniality (“Pérennité”)
• Perenniality of the “digital ecosystem”
• Perenniality when upgrading
Introduction
Introduction (1/8)
Legacy of records storage
regulations in France
- Traditions regarding the preservation of
records by notaries (since the galloroman times)
- Mandatory Church records (August
17th, 1539 Order under the King’s Seal,
said “Villers-Cotterets”)
Introduction (2/8)
Origin of french records
storage regulations
- Based upon highly persistent storage
methods (stone, clay, paper)
- Gradual elaboration through
successive technological advances
Introduction (3/8)
A general framework
French law is a general framework for
any and all human activities occuring in
France.
Records storage is no exception to this.
Introduction (4/8)
A conflict of rights
- Right to erasure of data (“droit à
l’oubli”)
- Obligation of keeping records
Introduction (5/8)
Technological adaptation
Due to the heterogeneity and fast evolution
of technologies for electronic record
storage, French law must take into account
and adapt to very different technical
solutions.
Introduction (6/8)
A conceptual approach
- Legal texts define the rules and
concepts related to record storage
- When necessary, the rules are
interpreted by judicial courts on a bycase basis (based on the results of
technical investigations)
Introduction (7/8)
Main applicable legal references
- Civil Code
- June 21th, 2004 Act “Loi pour la Confiance dans l’Economie Numérique”
- AFNOR Rule Z42-013
- NF Rule 43-400
- NF Rule ISO 15489-1
- EU September 23rd, 2002 directive transposed into French law by the june 7th,
2005 Order
- CNIL Opinion on the “three states” (“trois états”)
Introduction (8/8)
The future of French electronic
records storage law
- AFNOR rule Z42-013 is being reappraised by an
AFNOR workgroup which endeavours to take into
consideration the latest records storage methods
- EU directives which have received transposition to
French law may yet influence the AFNOR
workgroup
French Law Concepts
French Law Concepts (1/10)
- Integrity (“Intégrité”)
- Durability (“Durabilité”)
- Identity (“Identité”)
- Reliability (“Fiabilité”)
- Authentication (“Authentification”)
French Law Concepts (2/10)
Integrity
- No legal definition
- Referred to in articles 1316-1 sq. of
the Civil Code and various tax and
commercial rules
- The NF rule ISO 15489-1 delineates
the concept of “integrity” as a
document’s “complete and unaltered
state”
French Law Concepts (3/10)
Durability
- No legal definition
- Referred to in article 6, II of the
June 21th, 2004 Act “pour la
Confiance
dans
l’Economie
Numérique”, L.121-20-11 of the
Consumer Code, various EU
directives
French Law Concepts (4/10)
Durability
- The 2002/65/EC directive defines “Durable
Medium” as “any instrument which enables
the consumer to store information
addressed personally to him in a way
accessible for future reference for a period
of time adequate for the purposes of the
information and which allows the
unchanged reproduction of the information
stored”
French Law Concepts (5/10)
Durability
- NF rule 43-400 defines
“Durable Medium” as :
- Irreversible
- Long-lasting
- Exploitable
- Readable
a
French Law Concepts (6/10)
Identity
- No legal definition
- Referred to in articles 1316-1, 1316-4,
1369-7, 1369-8 of the Civil Code, and
article 6-1 of the march 30th, 2001 Act
French Law Concepts (7/10)
Reliability
- Referred to in articles 1316-4, 1369-7,
1369-8 of the Civil Code, and article 6 of
the march 30th, 2001 Act
- The march 30th, 2001 Act defines the
concept of “reliability” for digital signatures
as the assumption of document integrity
and author identity guaranteed by a secure
signing system verifiable through the use
of a certificate
French Law Concepts (8/10)
Reliability
- The NF rule ISO 15489-1 defines a
“Reliable Record” as a document of
which contents can be construed as a
complete and true representation of
the operations, activities or deeds that
it attests to, upon which other
operations, activities or ulterior deeds
French Law Concepts (9/10)
Reliability
- The NF rule ISO 15489-1 defines a
“Reliable Record Storage System” as
a system for organizing and
managing records operating in a
continuous, regular and coherent
manner
French Law Concepts (10/10)
Authentication
- No legal definition
- Referred to in articles 1316-1 and
1316-4 of the Civil Code, 56§1 of the
Governent Contracts Code, 29 of the
June 21th, 2004 “LCEN” Act
- Defined as a form of identity
verification by most authors
Comparison with the
Anglo-Saxon approach
Comparison with the AngloSaxon approach (1/9)
French approach
- “Top-Down” Approach
- Conceptual approach generally
applicable to any and all record
storage methods
Comparison with the AngloSaxon approach (2/9)
Anglo-Saxon approach
- “Bottom-Up” Approach
- Practical ruleset
- Immediately functional
Comparison with the AngloSaxon approach (3/9)
US example : SEC Rule 17A-4(F)
- SEC Rule 17A-4(F) edicts a certain number
of obligations for the storage of electronic
records
- Compliance with SEC Rule 17A-4(F) is
assessed according to seven cumulative
criteria
Comparison with the AngloSaxon approach (4/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(A). Preserve the records
exclusively in a non-rewritable, nonerasable format
- 17a-4(f)(2)(ii)(B).
Verify automatically the
quality and accuracy of the storage media
recording process
Comparison with the AngloSaxon approach (5/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(C). Serialize the original
and, if applicable, duplicate units of
storage media, and time-date for the
required period of retention the
information placed on such electronic
storage media
Comparison with the AngloSaxon approach (6/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(2)(ii)(D). Have the capacity to
readily download indexes and records
preserved on the electronic storage
media to any medium acceptable under
this paragraph (f) as required by the
Commission or the self-regulatory
organizations of which the member,
broker, or dealer is a member
Comparison with the AngloSaxon approach (7/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(iii). Store separately from the
original, a duplicate copy of the record
stored on any medium acceptable under
Rule 17a-4 for the time required
Comparison with the AngloSaxon approach (8/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(vi). The member, broker, or dealer must
maintain, keep current, and provide promptly upon
request by the staffs of the Commission or the selfregulatory organizations of which the member, broker, or
broker-dealer is a member all information necessary to
access records and indexes stored on the electronic
storage media; or place in escrow and keep current a copy
of the physical and logical file format of the electronic
storage media, the field format of all different information
types written on the electronic storage media and the
source code, together with the appropriate documentation
and information necessary to access records and indexes.
Comparison with the AngloSaxon approach (9/9)
SEC Rule 17A-4(F) Criteria
- 17a-4(f)(3)(vii). For every member, broker, or dealer
exclusively using electronic storage media for some or all
of its record preservation under this section, at least one
third party ("the undersigned"), who has access to and the
ability to download information from the member's,
broker's, or dealer's electronic storage media to any
acceptable medium under this section, shall file with the
designated examining authority for the member, broker, or
dealer the following undertakings with respect to such
records:
Medium Durability (“Durabilité”)
Medium Durability
(“Durabilité”) (1/4)
Media deteriorate over time
Optical disc (CD-ROM, DVD-ROM, BRDROM, HD-ROM, etc.) data is not durable
over centuries, contrarily to paper-based
data
WORM is the solution which French AFNOR
rule Z42-013 has defined as the only
compliant solution for durable medium data
storage
Medium Durability
(“Durabilité”) (2/4)
Therefore, technological solutions
need include, according to WORM
compliance :
- Maintenance in a functional
condition of the medium
- Duplication of the medium
Medium Durability
(“Durabilité”) (3/4)
EU September 23rd, 2002 directive,
transposed into French law by the
june 7th, 2005 Order, indicates
though that durable media notably
include data disks, CD-ROM, DVDROM, and Hard Drives.
However, Hard Drives are not
WORM media.
Medium Durability
(“Durabilité”) (3/4)
Therefore, September 20th, 2005 NF
rule 43-400 defines Medium Durability
as the cumulative qualities of :
- Irreversibility (“Irréversibilité”)
- Longevity (“Longévité”)
- Exploitability (“Exploitabilité”)
- Readability (“Lisibilité”)
Medium Durability
(“Durabilité”) (4/4)
These cumulative criteria define
another, larger concept :
Data Access Perenniality
(“Pérennité”)
Data Access Perenniality
(“Pérennité”)
Data Access Perenniality
(“Pérennité”) (1/3)
Accessing the stored records not
only necessitates a storage
method respectful of the data
itself, but also :
Perenniality of the “digital
ecosystem”
Perenniality when upgrading
Data Access Perenniality
(“Pérennité”) (2/3)
Perenniality
ecosystem”
of
the
“digital
- A fully functional environment, which
involves maintenance of the operating
system, medium, software, data format and
documentation
- The ability to access the stored data,
involving technical ability as well as the
relevant legal and technical permissions
Data Access Perenniality
(“Pérennité”) (3/3)
Perenniality when upgrading
- Software, hardware, protocol, medium
upgrading must ensure data accessibility
- Upgrades must be traced to revert to an
earlier state of the storage system, since
upgrades themselves are irreversible
Conclusion
Conclusion
The French legal framework on electronic records
storage is a heterogeneous non-uniform complex
system.
Technology drives the evolution of concepts regarding
the legal framework of electronic records storage.
This evolution is beginning to take into account that the
records system destined for storage is a “digital
ecosystem” becoming independent from its storage
medium (autonomous system).
THANK YOU
pierre-saurel@alain-bensoussan.com
www.alain-bensoussan.eu