New French laws on security/privacy - Personally Identifiable Information

greggles

Crossposted to security group and France group, my apologies for not being able to write this in French. Comments are welcome in French or English, of course.

There are some new French laws on user information and how it is handled which seem to have implications for security.

Hacker News has a thread about this that talks about the actual requirements which seem to be compatible with the way Drupal core works.

On the other hand, this BBC article (which may not be very accurate...) suggests that sites that operate in France need to keep a lot more information on file.

A seemingly more level-headed take on it talks about a strategy for password retention that meets the laws.

A related topic is the proper encryption of personally identifiable information. I know a recent site that launched on Microsoft servers where they required that e-mail addresses were encrypted. This required a small hack to Drupal core and the use of the AES module (they could have used any encryption, but that's what they did). What, if anything, are folks using to encrypt personally identifiable information?

Comments

beeradb

My understanding is that the law has passed, and is now available online:

http://www.legifrance.gouv.fr/affichTexte.do;jsessionid=?cidTexte=JORFTE...

I don't speak French, but from reading comments elsewhere on the web, this looks to have been pointed to as the relevant line:

g) Le mot de passe ainsi que les données permettant de le vérifier ou de le modifier, dans leur dernière version mise à jour ;

Which translates into:

g) The password and the information needed to verify or change it, in their latest updated version;

I'm not a lawyer, but it would seem Drupal core is already covered in those respects.
