Legal obligations to keep logs


Whether you want to provide an excellent internet connection to your employees or to the audience you host, there are solutions that are easy to set up and administer. However, they must meet certain regulatory constraints that we will discuss.

Logs and regulations

The problem of keeping certain data is of interest to more and more companies. Let’s find out what the main issues are.

The constant need to be connected

Nowadays, the internet is present almost everywhere! Looking up an address on a mapping service, sending a quote to a prospect, responding to an e-mail at the end of a business meeting… These actions and so many others are carried out by professionals and individuals alike when they are away from home.

Companies and institutions are therefore practically obliged to provide free wifi to their employees and to the people who visit their premises. However, these same organizations are required to comply with the legislation in force, and in particular with the rule on keeping logs.

What are logs?

The term "log" may be unfamiliar to you. A log is a plain text file that lists, in chronological order, all the events (server, software, application, etc.) that have affected a computer system and all the actions (authentication, date, etc.) that resulted from these events. The log is similar to a system’s logbook. For example, when you access the web through a restaurant’s public wifi, the moment you use the connection is recorded and detailed in this text file.

The 2006 law

ISPs (Internet Service Providers) are obliged to organize the preservation of data “such as to allow the identification of anyone who has contributed to the creation of the content or one of the content of the services for which it is a provider” (Article 6 II). This rule makes it possible, if necessary, to lift the confidentiality of the stored data. This is done only if the judicial authority requests it, for the purposes of investigating, recording and prosecuting criminal offenses.

This obligation, to which ISPs are subject under article 6 of the law for confidence in the digital economy (LCEN), has the particularity of having been extended by the anti-terrorism law of 23 January 2006 to all those who offer access to the internet, including when access to the network is granted free of charge! What about the duration? The data retention period (counted from the moment the data is recorded in the information system) has been set at one year by the decree of March 24, 2006, beyond which the data must be anonymized.

The audiences concerned

The former magistrate and French deputy Alain Marsaud detailed the audiences affected by this regulation. These are first of all entities providing access to electronic communication networks accessible via a free wifi terminal or through the use of prepaid cards. Then there are accommodation solutions, airlines or even catering establishments that provide an internet connection, not to mention cybercafés whose very activity is to provide a paid online connection service. All of them have the advantage of being able to comply with legal log retention obligations, for example by using the captive portal of ADW Network.

The contents

The decree of March 24, 2006 created a new article R.10-13 of the CPCE, which specifies the types of data to be kept. First, there are e-mail addresses, IP addresses or the telephone number, that is to say information intended to identify the user. Then there are the day, time and duration of each access to the service, and all of the data relating to the communication terminal equipment used by the user.

Data relating to additional services requested or used and their suppliers are also concerned, as well as information making it possible to identify the recipient(s) of the communication. What about the e-mails exchanged and the content of the web pages visited by the user of this wifi access? Retention of this data is prohibited!

The risks

Failure to comply with the obligations exposes the company providing access to two main risks. The first is tied to access to content that has no place on the web, for example platforms whose news goes beyond the limits of freedom of expression and breaks the law (racism, etc.).

We are also referring to illicit gambling websites, not to mention dealers of drugs and other substances who do not have authorization to distribute such products. In addition, we must not overlook the considerations related to HADOPI. The access provided must therefore not give the user the possibility of infringing intellectual property rights through illegal downloading (video games, software, films, ebooks, etc.).


Negligence or a deliberate intent to break the law exposes offenders to severe penalties. They face up to one year of imprisonment and a fine of 75,000 euros for natural persons, and 375,000 euros for legal persons (in application of article 131-38 of the Penal Code).

The advantages of a captive portal

Most often, the captive portal presents the user with the conditions of service that must be accepted in order to use the company’s wireless access point. A password may also be required. This makes it possible, for example, to provide a connection only to the customers of an establishment or to the participants in an event, and thus to prevent passers-by from using it.

In addition, the features generally associated with a captive portal make it possible to limit the connection time for each user, which allows better control of the bandwidth. It is also a marketing weapon that companies can use to convey a specific message or highlight an advertiser’s advertisement.

To conclude, and this is one of their most significant advantages, current solutions include a reliable security mechanism and guarantee the retention of the logs that are the main subject of this article.
