(Apr. 11, 2012) Law 2012-410 of March 27, 2012, on Identity Protection was published in France's official gazette of March 28, 2012, without several of its original provisions. (Loi n° 2012-410 du 27 mars 2012 relative à la protection de l'identité, LEGIFRANCE.) The Constitutional Council, the body that reviews French laws for their constitutionality, had found four of the Law's articles unconstitutional, as well as parts of two other articles. (Décision n° 2012-652 DC du 22 mars 2012, Conseil Constitutionnel website.) The original text adopted by Parliament comprised 12 articles.
Among the provisions struck down were articles 3, 5, and 10. Article 3 authorized the national identity card to contain data to allow its holder to use his or her electronic signature when entering into an electronic transaction. The Council found that the legislators had not specified the nature of the needed data nor had they provided any guarantee of their confidentiality and integrity. (id.) Article 5 provided for the creation of a biometric database containing personal information, including the fingerprints, photograph, address, height, and eye color of each identity card holder. The database would have included most of France's population. Article 10 would have given the police and gendarmerie services broad access to the database. The Council found that “the provision [article 5] infringes upon the right to privacy in a manner that cannot be regarded as proportionate to the aim to be achieved.” (Id.)
Under the remaining provisions that were found constitutional, the national identity card and passport will include the following biometric information to establish the identity of their holders: family names, first names, sex, dates and places of birth, height and eye color, fingerprints, and photographs. Only the agents in charge of researching or verifying the identity of a person and the agents in charge of verifying the validity and authenticity of electronic passports and identity cards will have access to the digital fingerprint data. (Law 2012-410, arts. 1, 2, & 6.)
Finally, the Law complements the provisions of articles 323-1, 323-2, and 323-3 of the Penal Code, concerning unauthorized access to automated data processing systems. Fraudulently accessing an automated data processing system and suppressing or modifying data contained in that system is punishable with five years of imprisonment and a €75,000 fine (about US$98,000) where an automated system has been implemented by the state. The introduction of fraudulent data in an automated data processing system implemented by the state and containing personal data is punishable with seven years of imprisonment and a €100,000 fine (aboutUS$130,000). (Id. art. 9.)