custody and password

Updated November 7, 2022

One person was arrested for possession of narcotics. While in custody, she refused to give investigators codes to unlock two phones believed to have been used in drug trafficking.

This person, prosecuted before a criminal court, was not sentenced for having refused to give his telephone unlocking codes; she was released.

Passwords and encryption conventions allow the protection of data, and their disclosure imposed by the authorities can endanger individual freedom and democracy but also allow the repression of crime.

The Constitutional Council, on QPC where La Quadrature du Net intervenes, judges that the incrimination of refusal to communicate a password is not contrary to the Constitution.

Article 434-15-2 of the Penal Code, in its wording resulting from the law of June 3, 2016 provides:

"Is punished by three years' imprisonment and a fine of €270,000 the fact, for anyone having knowledge of the secret convention of deciphering a means of cryptology likely to have been used to prepare, facilitate or commit a crime or an offence, to refuse to submit said agreement to the judicial authorities or to implement it, on the requisitions of these authorities issued pursuant to Titles II and III of Book I of the Code of Criminal Procedure. 

"If the refusal is opposed while the delivery or the implementation of the convention would have made it possible to avoid the commission of a crime or an offense or to limit its effects, the penalty is increased to five years of imprisonment and a €450,000 fine.
Article 29 paragraph 1 of the 2004 law for confidence in the digital economy (theoi n° 2004-575 of June 21, 2004 for confidence in the digital economy) provides:

Means of cryptology means any hardware or software designed or modified to transform data, using secret conventions or to perform the opposite operation with or without a secret convention. These cryptology means are mainly aimed at guaranteeing the security of the storage or transmission of data, by making it possible to ensure their confidentiality, their authentication or the control of their integrity.

The Council makes a classic reading of the text, that is to say strict, in application of the principle according to which criminal law is to be interpreted strictly, and deduces from this the constitutionality of the provision (in this case paragraph 1 of the article, the only one concerned).
The prosecution must characterize against the suspected person:
– knowledge of the password or the convention (the person who is required is the one who actually knows the password, and not only the person who is supposed to know, or who could, or should, know…the technical intermediaries as companies relying on their machines to manage and access passwords could justify their refusal by opposing the absence of any natural person (human being) having access to the secret agreement);
– the probability that the means of cryptology has been used for criminal or tortious purposes.
The legal authorities concerned are those which intervene within the framework of the preliminary investigation or of flagrance or the instruction (titles II and III of book I of the code of penal procedure). The request must respond to a formalism (official notification of the consequences of a refusal).
Decision 2018-696 of the Constitutional Council of March 30, 2018.
A simple request for the communication of a password by a police officer investigator therefore does not appear to allow the facts to be qualified. And the refusal to communicate the locking code, a "PIN" (for Personal Identification Number) is not a refusal to communicate an encryption convention. In this sense, moreover, Paris 16 April 2019, n°19/09267.
Conventionality. The Court of Cassation ruled that the offense of refusing to hand over a secret cryptological decryption agreement did not in itself infringe the right to remain silent and not to incriminate oneself arising from Article 6 of the European Convention on human rights (Cas. crime, Dec. 10 2019, No. 18-86.878)
The Court of Cassation indicates that the refusal to deliver the PIN may amount to refusing to deliver the decryption agreement (Crim.13 oct.2020, n°20-80150).
This involves distinguishing between the code allowing access to a terminal (computer, telephone, server, SIM card, etc.) and the key used to decipher the stored or circulating data or metadata.
In some cases the PIN or other secret codes and passwords do not prevent access to data, in others yes, the case law is therefore hesitant (CA Paris 16 April 2019, 18-09.267;  Cas. crim., 13 Oct. 2020, no. 20-80.150; Cas. crim., 13 Oct. 2020, n° 19-85.984).

In its judgment of November 7, 2022, the Court of Cassation, plenary assembly, appeal no. K 2183.146, indicates, in its press release:

A " means of cryptology is intended to render information incomprehensible, in order to secure its storage or transmission. A " secret decryption convention allows the clearing of encrypted information. When a mobile phone is equipped with a " means of cryptology », their home screen unlock code may be a " decryption key » if the activation of this code has the effect of clarifying the encrypted data that the device contains or to which it gives access. Therefore, if a mobile phone with these technical characteristics - as is the case with most mobile phones today - is likely to have been used for the preparation or the commission of a crime or offense, its holder, who will have been informed of the penal consequences of a refusal, is required to give the investigators the unlock code for the home screen. If he refuses to communicate this code, he commits the offense of “refusal to deliver a secret decryption agreement ". Therefore, in this case, the decision of the Court of Appeal is quashed and another Court of Appeal is appointed to retry the case.


Supervision of access to data stored by telephone operators

August 6, 2022 Update

Update of 22 September 2022

Update of 6 January 2023

Update of 15 March 2023

In the context of a preliminary investigation or an investigation of flagrante delicto, the public prosecutor has the possibility of requesting from a judicial police officer the transmission of the telecommunications data of a person concerned by the investigation. , including the suspect. This remedy is provided for by the French code of criminal procedure: article 60-1 and article 77-1-1.

Telecommunications data can be crucial in an investigation and reveal a lot of information to investigators. Whether in terms of geolocation data or traffic data, the information helps to advance a judicial investigation.

However, this mechanism could be severely limited following a judgment delivered by the Court of Justice of the European Union on March 2, 2021. This follows a case in Estonia but could nevertheless impact the French procedure.

Do you want to know your rights and obligations with regard to the retention of data by a telephone operator? Pierre de Roquefeuil, a lawyer specializing in information technology law in Paris, supports you to advise you and to ensure that your interests are respected. The specialized lawyer will help you to identify the procedure adapted to your situation.

In which cases can the device for accessing data stored by telephone operators be used?

French law requires telephone operators to retain metadata for one year so that the intelligence services and the authorities can access it in the context of a judicial investigation.

Stone of Roquefeuil, lawyer specializing in digital and communication law in Paris, provides you with some information on the management of access to data stored by telephone operators.

Files list all our telecommunications data: the date and time of telephone communications, the identity of the interlocutors, but also geolocation data. Private companies keep this data for one year in order to allow law enforcement and intelligence services to have the possibility of requesting this information in the context of an investigation.

Three decrees of October 20, 2021 determine the applicable framework for the retention of connection data by electronic communication operators, internet access providers and hosts. They specify the conditions for communicating authorization requests.

The request for authorization to communicate connection data and the prior authorization to access the data must be formulated in writing and transmitted in such a way as to ensure its confidentiality and to be able to certify that it has been received.

Thus, the legislation provides that the request for authorization to communicate connection data can specify for each survey:
– The name of the suspected person or the name of any other person for whom access to the connection data is necessary for the investigation. If necessary, when the name is not known, the IP address or any other connection data may be requested.
– The connection data or types of connection data requested for each person or in each case.
– The periods during which access to connection data is requested.
– The factual and legal elements that justify the request.

These decrees demonstrate the importance of connection data in the context of legal cases. The public prosecutor may, in the context of an investigation, request all the connection data concerning him. This data can allow investigators to obtain key information in an investigation.

Indeed, in the context of the prevention of terrorism, the use of metadata is essential. Location data of suspected individuals as well as wiretaps can provide investigators with key information. This information can prevent individuals from acting out. With a view to preventing national security, the use of this information is authorized by the French internal security code.

The Roquefeuil lawyers firm sheds light on French legislation on access to metadata. The specialized lawyer explains to you the consequences following the judgment of the Court of Justice of the European Union.

What are the consequences following the judgment of the Court of Justice of the European Union?

The Court of Justice of the European Union (CJEU) has ruled practices of “widespread and undifferentiated” retention of login data unlawful. Since these declarations, the conservation of this device in France remains uncertain.

In fact, in the CJEU C-793/19 SpaceNet preliminary ruling case, the Advocate General specified that European law "opposes national regulations which require providers of electronic communications services available to the public to retain, in a preventive, general and undifferentiated way, the traffic data and the location data of the end users of these services for purposes other than those of the protection of national security against an actual and present or foreseeable serious threat”.

The Advocate General also indicated that legislation is unlawful when it “does not make access by the competent authorities to data relating to traffic and location data stored subject to a control carried out beforehand by a court or by an administrative entity. independent.

Also, the Constitutional Council recalled that the generalized retention of all connection data is contrary to the Constitution.

For example, the Court of Justice of the European Union was seized of a question from a Spanish court in the context of the investigation of a case. This one concerns a robbery during which the victim's mobile phone was stolen. The judge in charge of investigating the case had refused to request the transmission of the telephone numbers activated by the stolen device, considering that the offense was not serious enough to justify access to personal data. Thus, the court of appeal questioned the Court of Justice of the European Union on this subject. The latter then replied that Article 15 of the directive, read in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, "must be interpreted as meaning that access by public authorities to data aimed at identifying the holders of SIM cards activated with a stolen mobile telephone, such as the surname, first name and, where applicable, address of these holders involves an interference with the fundamental rights of the latter, enshrined in those articles of the Charter, which is not so serious that such access should be limited, in matters of prevention, investigation, detection and prosecution of criminal offences, to the fight against serious crime".

Consequently, access to personal data stored by telephone operators cannot be justified by minor offenses seriously infringing the right to privacy.

Nevertheless, the Court of Justice of the European Union specifies that it is up to each nation to apply its national law, specifying that it is up to the criminal court to discard data collected in a way that does not comply with Union law. in the event that the persons being prosecuted are unable to comment effectively on the information and evidence. These come from a field beyond the knowledge of the judges and which are likely to influence in a preponderant manner the assessment of the facts.

Indeed, the Court of Justice of the European Union recognizes that the retention of metadata can be useful for the purpose of preventing a serious threat to national security. However, it insists on the respect of three conditions: the limit of the mechanism in time, the possibility of justifying the seizure of this lever by a serious, real, current or foreseeable threat to national security. Finally, the use of metadata must be carried out under the effective control of a court or an independent administrative authority.

As a result, the automated processing of data relating to the location in the prevention of terrorism provided for by the Internal Security Code is authorized. This must make it possible to filter all the data to bring out only the data making it possible to search for and identify the person.

On the other hand, when there is no serious threat to national security, data retention for prevention must be targeted. For example, telephone tapping is only authorized for organized crime or terrorism investigations. They are possible for crimes and misdemeanors punishable by more than two years of imprisonment. As for the geolocation data, the intelligence services or the police can only use them for offenses punishable by more than five years of imprisonment, or three years in the event of harm to the person.

Your login details have been used as part of an investigation and you would like advice? Stone of Roquefeuil, lawyer specializing in digital and communication law in Paris, accompanies you to advise you and to ensure that your interests are respected. The specialized lawyer will help you to identify the procedure adapted to your situation.

Who keeps what? Operators keep the metadata, and transfer it to the authorities, under what conditions? What metadata?

Between national and community case law, the rules still seem to be floating, but to the advantage of GAFAM who try to uphold the confidentiality due to their subscribers and at the same time an American conception of freedom of expression which consists in admitting all slander , anonymous or not.

For a public opinion still fond of stoning, in defiance of the most basic objectives of social reintegration.

Passwords and custody

Police custody and the right to silence

Negative and disparaging reviews

The new internet regulation in preparation: DSA – DMA

The draft e-privacy regulation


August 6, 2022 Update

Court of Cassation.

Cas. crime, July 12 2022, no. 21-83.710, 
Cas. crime, July 12 2022, no. 21-83.820,
Cas. crime, July 12 2022, no. 20-86.652, 
Cas. crime, July 12 2022, no. 21-84.096, 


EU law Traffic and location data iP addresses Civil identity  
Serious threats to national security Retention by order of the authorities with the possibility of judicial recourse for verification Retention by order of the authorities with the possibility of judicial recourse for verification Retention by order of the authorities with the possibility of judicial recourse for verification  
serious crime

Retention of certain data on limited injunction

Rapid, more extensive retention of certain data on limited injunction, on prior control,  (case law = in any case contestable before an independent judge in the event of a grievance)

Preservation on limited injunction Conservation  
Others No conservation No conservation Conservation  



CJEU 20 September 2022, C793/19, C794/19

CJEU, March 2, 2021, aff. C-746/18, HK/Prokuratuur

Oct. 6, 2020, La Quadrature du net [Assoc.], aff. C-511/18, C-512/18 and C-520/18,
Apr. 5, 2022, Commissioner of An Garda Síochána, aff. C-140/20,
 Oct. 2, 2018, aff. C-207/16

Relevant texts:
Article L. 34-1, III, and III bis of the Postal and Electronic Communications Code

The Law of July 30, 2021 – 2021-998 (art.17) amending the LCEN, art.6 II, (law no. 2004-575 of June 21, 2004) and L34-1 post and electronic communications code
Articles 60-1, 60-1-1, 77-1-1 and 77-1-2, articles 99-3 and 99-4, of the Code of Criminal Procedure

Three decrees of October 20, 2021

Decree No. 2021-1362 of October 20, 2021 relating to the retention of data enabling the identification of any person having contributed to the creation of content put online, taken pursuant to II of Article 6 of Law No. 2004-575 of June 21, 2004 for confidence in the digital economy, replacing (repealed) Decree No. 2011-219 of February 25, 2011 relating to the retention and communication of data allowing the identification of any person who creation of online content

“e-Privacy” Directive 2002/58/EC of the European Parliament and of the Council, of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (privacy and communications directive electronic)

cons. const.

May 20, 2022, No. 2022-993 QPC

Board of state

CE, 21 Apr. 2021, n° 394922, 397844, 397851, 393099, 424717 and 424718 (French Data Network)

AC Paris

18 Feb. 2022, n°20/13824, would limit the communication of identification data to criminal matters, confirming interim order on article 145 of the code of civil procedure and article 6 LCEN
April 27, 2022

TJ – TGI Paris

January 30, 2013
April 5, 2022


Comment :

In a judgment of March 2, 2021 (CJEU, March 2, 2021, aff. C-746/18, HK/Prokuratuur), the CJEU stated that access to login data can only be authorized:

– if this data has been kept in accordance with the requirements of European law;
– if it took place for the purpose that justified the storage or a more serious purpose, except for rapid storage;
– if it is limited to what is strictly necessary;
– with regard to traffic and location data, if it is limited to procedures aimed at combating serious crime, and;
– if it is subject to prior control by a court or an independent administrative body.

The Court of Cassation rules that Articles 60-1, 60-1-1, 77-1-1 and 77-1-2 are contrary to EU law in that they do not provide for prior control by a jurisdiction or an independent administrative entity.

Article L. 34-1, III bis, of the Postal and Electronic Communications Code:

"The data retained by the operators pursuant to this article may be the subject of a rapid retention order by the authorities having, in application of the law, access to data relating to electronic communications for prevention purposes. and repression of crime, serious delinquency and other serious breaches of the rules for which they are responsible for ensuring compliance, in order to access this data. »




Update September 22, 2022

Article 60-1-2 of the Code of Criminal Procedure:

Creation LAW n°2022-299 of March 2, 2022 – art. 12

On pain of nullity, requisitions relating to the technical data making it possible to identify the source of the connection or those relating to the terminal equipment used mentioned in 3° of II bis of Article L. 34-1 of the Post and electronic communications or on the traffic and location data mentioned in III of the same article L. 34-1 are only possible, if the necessities of the procedure so require, in the following cases:

1° The proceedings relate to a felony or misdemeanor punishable by at least three years' imprisonment;

2° The proceedings relate to an offense punishable by at least one year's imprisonment committed through the use of an electronic communications network and these requisitions have the sole purpose of identifying the perpetrator of the offence;

3° These requisitions relate to the terminal equipment of the victim and intervene at the latter's request in the event of an offense punishable by imprisonment;

4° These requisitions tend to find a missing person within the framework of the procedures provided for in articles 74-1 or 80-4 of this code or are carried out within the framework of the procedure provided for in article 706-106-4.

=> Waivers of anonymity are in principle prohibited, in particular with regard to civil offenses without criminal qualification or minor offenses (typically defamation and insults that do not discriminate against individuals), which goes against the requirements the right to a fair trial provided for by the ECHR. Advances in case law are therefore still to be awaited.

The texts (articles L34-1 and R10-13 of the postal and electronic communications code, L34-1 resulting from the reform Law of July 30, 2022) only allow a waiver of civil identity and data provided when signing the contract (by the prosecution only?) “for the purposes of criminal proceedings”.

The provision of civil identity and contract data (initially provided by the user) by an operator or a host may be insufficient to flush out the perpetrator of an infringement; the so-called technical data for the location and identification of the machines and software used are most of the time essential for the precise identification of the author and the circumstances of the offence.

Several avenues are mentioned to challenge this current approach of the legislator:

  • contesting the applicability of the directive “e-Privacy” 2002/58/EC of the European Parliament and of the Council, of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications Directive which underlies the reform, but which would not be intended to govern public expression, only private communications;
  • by challenging the constitutionality of the law of July 30, 2022 for infringement of the right to a fair trial;





Update of January 6, 2023:

A remarkable summary order of the Paris judicial court of 21 December 2022 (Tribunal judiciaire de Paris (ref.), 21 December 2022, n° 22/55886, Noctis Event and M. X. c/ Wikimedia Foundation Inc.) issued against Wikimedia recognises the right of access to the civil identity of the author of the malicious content, to his contact details, to his name and address, and to his phone number. but excluding, however, his login data – , in a context of invasion of privacy, denigration and cyberbullying (press offenses are not invoked), violations likely to justify civil and criminal actions.

The judge recalls the conditions of the summary procedure:

Article 145 of the Code of Civil Procedure provides that if there is a legitimate reason to preserve or establish before any trial the proof of facts on which the solution of a dispute could depend, the legally admissible investigative measures may be ordered at the request of any interested party, on request or in summary proceedings.

The summary court, referred to in application of Article 145, has sovereign power to assess whether the plaintiff has a legitimate reason and does not have to determine whether there is urgency. It must verify whether the trial in germ alleged by the plaintiff is not manifestly doomed to failure.

Are legally admissible, investigative measures limited in time and in their purpose and proportionate to the objective pursued. It is his responsibility to verify whether the measure ordered is necessary for the exercise of the right to evidence and proportionate to the conflicting interests involved.

The judge opportunely specifies, as in response to articles L34-1 and R10-13 of the postal and electronic communications code, L34-1 resulting from the reform Law of July 30, 2022:

The mere fact that the prosecutor has the opportunity to prosecute, as the company Wikimedia Foundation Inc. maintains, cannot suffice to render unlawful the measure of investigation requested, which aims to identify the perpetrator of these acts.

> The "legitimate reason" required to justify a request for interim relief prior to a trial, in particular for the purposes of establishing evidence, cannot be annihilated by a prognosis on the prosecutor's decisions regarding future prosecutions, as the judge pointed out .




Update of 15 March 2023:

 Transmission to the Court of cassation of a QPC relating to Article 60-1-2 of the Code of Criminal Procedure 

Cour d’appel de Versailles / 14 déc.2022, pourvoi n°22-90.019 / 6 déc. 2022. pourvoi n°22-90.018

(Defamation of an individual - criminal prosecution)

The examining magistrate recalls that the new provisions of Articles 60-1 and 60-1-2 of the Code of Criminal Procedure (Code de la Cour de l'État) are not applicable to the case of the procedure do not allow for requisitions to be made technical connection data anonymous authors of defamatory content, taking into account the nature of the facts denounced and the penalty (a simple criminal fine).

The Investigating Chamber referred the priority question of constitutionality raised by the civil party to the Court of Cassation, stating that these provisions The new law makes it impossible for victims of defamation to access the search for the truth. the identity of those responsible for offences committed and to a judge to obtain compensation for damage that may be significant in terms of harming the honour and morality of the persons concerned, with repercussions on their life and personal situation, since only by obtaining the technical connection data can an indisputable identification of those responsible. 

Dans ses décisions du 14 mars 2023 pourvoi n° 22-90.018 et pourvoi n°22-90.019 la Cour de cassation ne renvoie pas la question au Conseil constitutionnel en indiquant que : 

quand les réquisitions ont pour seul objet d’identifier l’auteur de l’infraction, l’article 60-1-2 du code de procédure pénale limite, y compris au cours d’une information, la possibilité de requérir les données techniques permettant d’identifier la source de la connexion ou celles relatives aux équipements terminaux utilisés, mentionnées au 3° du II bis de l’article L. 34-1 du code des postes et des communications électroniques, aux procédures portant sur un délit puni d’au moins un an d’emprisonnement commis par l’utilisation d’un réseau de communications électroniques. Ces dispositions ont été introduites par le législateur afin de renforcer les garanties répondant aux exigences constitutionnelles, compte tenu du caractère attentatoire à la vie privée de telles mesures, en tenant compte de la gravité de l’infraction recherchée et des circonstances de sa commission (Cons. const., 3 décembre 2021, décision n° 2021-952 QPC) 

> il s’agit des données techniques ou « métadonnées » telles l’adresse IP et les adresses mac, les logs de connexion, d’activité, de géolocalisation ; le législateur estime que leur communication constitue une intrusion grave dans la vie privée (« ingérence dans le droit au respect de la vie privée ») et doit donc être limitée. L’accès aux données d’identité civile collectées par les opérateurs reste disponible (tels le nom, adresse, adresse mél).


The draft e-Privacy regulation, electronic communications and private life

Updated Sep 23, 2022

Meanwhile, Directive 2002/58 continues to inspire case law, in particular with regard to the lifting of anonymity on the Internet for the purpose of researching the authors of illegal comments published on the Internet, even though the directive concerns communications between people (private correspondence) and not the writing of public statements online (CJEU, gde. ch., Oct. 6, 2020, aff. C-511/18, C-512/18 and C-520/18) 


The Draft Regulation ePrivacy proposed by the European Parliament and Council on
January 10, 2017, aims to respond to the concerns of European citizens  on the protection of their data
personal information stored on their smartphones, tablets, laptops,
etc., by strengthening the rules applicable to communications
electronic and commercial canvassing.

In an information note, the European Commission officially launches the
legislative process devoted to the proposed regulation. The Commission
calls on the European Parliament and the Council to press ahead with the
work on their proposals and to ensure their adoption by 25 May 2018
at the latest (date from which, moreover, the general EU regulation
n°2016/679 of April 27, 2016 on data protection will come into force
This will be an update of the provisions of the directive ePrivacy 2002/58/EC
of July 12, 2002 (revised on November 25, 2009 by Directive 2009/136/EC).
The provisions of this old directive will therefore take
a new youth through this regulation, which will make them directly
applicable, this time to all Member States and without a transposition deadline,
thus making it possible to fight against inequalities and differences
assessment in matters of personal data protection. Furthermore,
this regulation will supplement the Regulation 
General EU n°2016/679 of April 27, 2016 on data protection which will come into force on May 25, 2018.

The old directive ePrivacy 2002/58/EC of July 12, 2002 had however already been the subject of scattered transpositions into French law from 2004 to 2012
through 11 texts, the new regulation will therefore have the merit of serving as a single reference text on the subject and directly applicable:

Law No. 2004-575 of June 21, 2004 for trust in the digital economy
   Law No. 2004-669 of July 9, 2004 relating to electronic communications and
audiovisual communication services
   Law No. 2004-801 of August 6, 2004 relating to the protection of natural persons
with regard to the processing of personal data and amending Law no.
78-17 of January 6, 1978 relating to data processing, files and freedoms
   Decree No. 2005-862 of July 26, 2005 relating to the conditions of establishment and
operating networks and providing communications services

Decree No. 2009-834 of July 7, 2009 establishing a service with national competence
referred to as the “National Information Systems Security Agency”

Law No. 2011-302 of March 22, 2011 containing various provisions for adapting the
legislation to European Union law on health, work and
electronic communications
  Law No. 2011-901 of July 28, 2011 tending to improve the functioning of the houses
departments for people with disabilities and containing various provisions relating to
disability policy

Ordinance No. 2011-1012 of August 24, 2011 relating to electronic communications
     Decree No. 2012-436 of March 30, 2012 transposing the new regulatory framework
european electronic communications
   Decree No. 2012-488 of April 13, 2012 amending the obligations of operators to
electronic communications in accordance with the new regulatory framework

In the regulation in preparation, three sections are planned :
  • 1er
    : eavesdropping, interception, analysis and storage
    text messages, e-mails or voice calls will be prohibited without
    of user consent: this will concern the content of the
    communication but also the data relating to the place, the time and the
    recipient. (this will also concern applications such as WhatsApp,
    Facebook, Skype, Gmail, etc.).
  • 2th
    : the
    transparency in the use of cookies. The objective is to offer
    users a digital environment less “invaded” by
    cookie banners that are displayed on each page visited. In this regard,
    the user will have the possibility to accept or refuse cookies and
    should be able to do it more
    systematically by configuring the navigation parameters (concerning the
    so-called “third-party cookies”, which are essentially intended to
    communicate data to third parties for commercial purposes, browsers
    must be able to block them by default)

Remark : the
cookie is the equivalent of a small text file, stored on the
user's terminal. Their appearance dates from the 90s and allow
thus allowing website developers to retain user data in order to
to facilitate navigation and to allow certain functionalities. The
cookies have always been more or less controversial because they contain
personal information that could potentially be exploited by

2 guidelines to consider
account :

Directive 2002/58 on privacy: it contains rules on
the use of cookies. Article 5 §3 requires that the storage of data
(like cookies) on the user's computer can only be
done if: the user is informed of how the data is used
; it is given to the user the possibility of refusing this operation of
storage. However, this article also states that the storage of data for
technical reasons is exempt from this law. According to the opinion of the G29 n° 2/2010 of
2010, this directive remains very poorly applied: most sites
limited to a simple "banner" informing of the use of
"cookies" without giving information on the uses, without
differentiate "technical" cookies from cookies of
"tracking", nor to offer any real choice to the user.

Directive 2009/136/EC of 25 November 2009 therefore strengthens the obligations
prior to placing cookies on the Internet user's computer provided
that the latter has given his consent after having received clear information and
complete. However, despite the will of the European legislator to the contrary, no
browser does not yet allow the dissociation of technical cookies and cookies
  • 3th
    : prohibition of electronic communications
    unsolicited, whatever the medium used (emails, SMS, calls
    telephones, etc.). Except prior consent of the user. Thus, for
    the sending of spams, the Net surfer will be able to materialize his consent by ticking
    a box and thus receive offers
    of the society. Similarly, the consumer who has actively registered his number
    on the red list shall not receive targeted telephone calls
This 3th shutter poses
useful questions for France: in fact, sending spam is
already governed by consumer law in France, as well as the implementation of
place of telephone restrictions (“Platform “ ”, resulting from the law n ° 2014-344 of March 17, 2014
on consumption). Text messages and voice messages are not affected, but
depend on another procedure (Platform of the 33 700).
The main targets of this text,
are the actors of targeted advertising and
the GAFAs. Indeed, the commission's new proposal intends to include
within its scope all service providers
telecommunications: such as Facebook (Facebook Messenger), WhatsApp, Google
Hangouts etc.
For some observers, this
proposal does not go far enough in terms of data protection.
As Lukasz Olejnik explains,
British PhD researcher
IT from INRIA, specializing in security and privacy issues,
the commission's proposal does not take not
take into account the technical developments awaiting browsers
and this
finally content to validate the status quo: “ For example, this new update of the directive does not take
not take into account the fact that browsers will soon have
much more powerful features, such as access to sensor data
or the pairing between the browser and the user's device, via
Thus, browsers will be able to enter data via the
connected devices, including the collection of cookies.
Thus, this new regulation
would simply seem to renew some bases already acquired in 2009 or with
the new Directive coming into force in 2018, without really bringing any

See also:

The states
announce that they will take a position on this regulation only from the end of April 2017.
On February 9, 2017, the G29 declared that they would publish their opinion on the regulation " maybe in April, surely before
summer [Editor's note: 2017]