UPDATED: May 2017 | SOURCE: Vodafone Group with support from Hogan Lovells
Provision of Real-time Lawful Interception Assistance
FRENCH CRIMINAL PROCEDURE CODE
The French Criminal Procedure Code (the CPP) states that, for the investigation of felonies and misdemeanours, if the penalty incurred is at least two years’ imprisonment, the investigating judge (juge d’instruction) may authorise the implementation of the interception, recording and transcription of telecommunication correspondence where necessary to conduct the investigation. According to Articles 100 and 100-2 of the CPP, the judge’s decision must be in writing and issued for maximum period of four months (renewable under the same conditions of form and duration).
Article 706-95 of the CPP states that, as part of investigations relating to organised crime and delinquency, public prosecutors may request from the judge in charge of liberties and custody (the juge des libertés et de la détention) an authorisation to implement the interception, recording and transcription of correspondence by telecommunications in accordance with the provisions of Articles 100 ff. of the CPP as mentioned above. The interception may only be ordered for a maximum period of one month, renewable once under the same conditions of form and duration. The judge’s decision must be in writing, setting out the justification and granted for a maximum period of four months (renewable under the same conditions of form and duration).
The CPP states that, further to the judge’s order, the judge or the police officer appointed by the judge or the public prosecutor may issue a judicial order requiring the telecommunications operator to provide assistance in implementing the interception system.
Under the CPP, interceptions can extend to data stored outside France, as long as access to the data is possible via a terminal in France (Article 57-1, CPP).
For organised crime and terrorism, the CPP permits police, after a judge’s approval, to hack into a terminal and create a clone of the computer so as to monitor key strokes from a distance (Article 706-203-1, CPP).
Article 65 of the Customs Code provides that, as part of French customs investigations, the French customs agents may request from telecommunications operators and electronic communication service providers all connection data which the latter retain and process.
FRENCH CODE OF POST AND ELECTRONIC COMMUNICATIONS
Article D98-7-III of the French Code of Post and Electronic Communications (the CPCE) also states that electronic communications networks operators are under an obligation to implement the necessary measures to allow the implementation of interception capabilities as provided for under French legislation.
Disclosure of Communications Data
FRENCH CODE OF POST AND ELECTRONIC COMMUNICATIONS
The CPCE requires, under Article L34-1-III, that electronic communication service providers retain connection data, mainly for the needs of the research, establishment and sanction of criminal offences for a period of up to one year. French law also extends data retention obligations to hosting providers (Article 6-II, law of 21 June 2004). None of these provisions have been modified as a result of the CJEU Digital Rights Ireland case.
Article L32-1-II of the CPCE specifies that electronic communications service providers are required to implement the relevant internal procedures to answer the requests received from public authorities regarding user data. The same applies to access providers.
FRENCH CRIMINAL PROCEDURE CODE
For requests outside the scope of national security, the competent authorities will be required to issue a formal request (réquisition judiciaire) to the electronic communications service provider. The competent authority to issue the request will depend on the exact nature of the investigation conducted:
- Requests made in the context of an investigation in ‘hot pursuit’ (investigations made in ‘hot pursuit’ are defined by the CPP as investigations conducted when an offence is being committed or has just been committed, as well as when very shortly after the act, the suspect is designated or followed by ‘public clamor’, or is found with objects or presents traces or clues leading to believe that he or she participated in the offence) can be issued by the public prosecutor in charge of the investigation or by a judicial police officer (Article 60-1 of the CPP).
- Requests made in the context of a preliminary investigation can only be issued by either the public prosecutor in charge of the investigation or by a judicial police officer (Article 77-1-1 of the CPP).
- Requests made in the context of an investigation conducted by an investigation judge may be issued by the judge him- or herself or by a judicial police officer duly appointed by the judge (Article 99-3 of the CPP).
Requests made in the context of an investigation conducted by French customs may be made by an official having at least the rank of ‘controller’, and do not need the approval of a judge (Article 65 of the Customs Code).
National Security and Emergency Powers
CODE OF NATIONAL SECURITY
France’s rules on data gathering for national security purposes were reformed through Law No. 2015-912 of 24 July 2015.
Previously, the legal provisions relating to intelligence gathering were scattered across different provisions of the French Internal Security Code (ISC). Moreover, there has been no single overall supervisory authority for intelligence-gathering activities. The 2015 law rectifies that defect by creating a new independent commission called the Commission for Oversight of Intelligence Gathering Techniques (the CNCTR or ‘Commission’). Under the new law, intelligence-gathering measures can be implemented only when a specific authorisation is given by the Prime Minister or his or her designee. The Prime Minister’s authorisation is granted only after the Commission has rendered an opinion on the compatibility of the measure with the principles set forth in the law. But the Commission’s opinion is not binding on the Prime Minister. Nevertheless, if the Prime Minister decides to ignore the recommendation of the Commission, the Prime Minister must be prepared to explain his or her reasons. Moreover, the Commission can file an appeal with France’s Supreme Administrative Court, the Conseil d’Etat, to challenge the Prime Minister’s decision.
The law defines intelligence-gathering activity as a measure necessary to protect France’s national defence, major foreign policy interests, and major economic, industrial and scientific interests, and to prevent terrorism, immediate threats to public order, organised crime and the proliferation of weapons of mass destruction. Economic espionage is expressly recognised as falling within the remit of the law.
The new law maintains a provision in the Internal Security Code stating that the general monitoring of over-the-air radio transmissions falls outside the code. In other words, untargeted listening of the airwaves by intelligence authorities is permitted without prior authorisation.
Intelligence agencies can obtain access to traffic data from telecoms operators and log data kept by hosting providers, including social media services.
The 2015 law permits intelligence agencies to collect traffic data and log data in real time from telecoms operators and hosting providers, but real-time collection is only possible for the prevention of terrorism. The collection of location data in real time is also permitted.
The most controversial provision in the new law relates to so-called black boxes that intelligence agencies can require operators and hosting providers to install. The law permits intelligence agencies, after authorisation from the Prime Minister, to analyse all traffic and log data on an anonymised basis to identify potential terrorist threats. This analysis is done using algorithms designed to detect suspicious patterns of behaviour. When it originally presented this provision, the government argued that the data was anonymous and therefore presented no threat to privacy. It is only when suspicious activity is identified that authorities could ask permission to identify the relevant person, and deploy more targeted surveillance. The French data protection authority disagreed, stating that the analysis of metadata involves the processing of personal data and therefore presents a risk for privacy that had to be analysed under strict rules on proportionality.
The Constitutional Court did not seem troubled by the black box provision. The Court pointed out that the algorithm only deals with metadata and does not permit the identification of individuals. Moreover, the procedure can only be implemented after an authorisation from the Prime Minister and an opinion from the Commission. The authorisation is only granted for a period of two months and its renewal is subject to certain conditions to ensure that the algorithm does not create too many false positives. Finally, the Court points out that this provision is only allowed in connection with anti-terrorism activities. On balance, the Court felt that the black box provision does not represent a disproportionate restriction on the right to privacy.
DETAILED PROVISIONS OF THE ISC:
Article L 871-2 of the ISC states that the competent authorities can request electronic communications network operators provide all necessary information relating to the implementation and exploitation of authorised interceptions.
Article L871-3 of the ISC expressly states that the Ministry in charge of electronic communications must ensure that electronic communication network operators and other electronic communication service providers implement all necessary measures to comply with the obligations imposed as per the provisions of the ISC and of the Code of Criminal Procedure.
The ISC also permits intelligence agencies to require providers of encryption services to provide decryption codes to authorities (Article L 871-1, ISC).
Communications data may be required from the relevant service provider by intelligence agents. The request must in most cases have been authorised by the Prime Minister after a written and justified request sent by the Ministry of Interior, the Ministry of Defence or the Ministry of Economy.
Articles L851-1 and L871-2 of the ISC provide that electronic communications network operators may be asked to provide information and documents processed or retained by their network or electronic communication services, including:
- the technical data relating to the identification of subscription numbers or to the connection to electronic communication services;
- all subscription or connection numbers of a designated individual;
- the location of the terminal equipment used; and
- a subscriber’s communications (list of incoming and outgoing calls, length and date of the communications).
Such requests must be made in writing to the CNCTR by the intelligence agents and must be justified.
A dedicated service within the Prime Minister’s office is in charge of collecting the information and documents from the operators.
Regarding the prevention of terrorist acts, real-time collection and disclosure of information and documents on operators’ networks may be authorised in relation to a specific individual identified as being a threat. The authorisation is granted for a two-month period and renewable under the same conditions.
Operators may also be required, without a court order, to implement automatic processing in order to detect a terrorist threat (Article L851-3 of the ICS), based on parameters defined in the authorisation granted. The automated processing only uses the documents and information referred to by Article L851-1 (see above), only collects the information in accordance with the parameters defined and does not allow user identification. The authorisation is valid for two months and is renewable.
Intelligence agencies have the power to collect metadata (including location data) in real time for terrorism-related investigations (Article L 851-6, ISC).
Electronic correspondence relating to an individual which is likely to reveal information regarding national security, of major interest in foreign politics and the economy, or for the prevention of criminal organised crime, may be intercepted, without a court order. The interception can be extended to the individual’s close circle if intelligence agents have reasons to believe the persons close to the individual have valuable information (Article L852-1 of the ISC).
On request of the Ministries of Interior, Defence or Economy, the Prime Minister may authorise, for a renewable one-year period, the surveillance of correspondence or connection data sent or received abroad (Law No. 2015-1556 of 30 November 2015). The prior opinion of the CNCTR is not required for surveillance outside France.
Oversight of the Use of Powers
Under Article 100 of the CPP, interceptions are conducted under the authority and supervision of the investigating judge. The same Article expressly states that the decision does not bear the status of a judicial decision and is therefore not subject to appeal before any judge.
Under Article 706-95 of the CPP, interceptions are conducted under the authority and supervision of the judge in charge of liberties and custody. Data subjects are not necessarily informed of the interceptions. Here too, the decision does not bear the status of a judicial decision and is not subject to appeal.
For requests for disclosure of communications data issued in investigations in hot pursuit or in preliminary investigations, the validity of the request may be challenged before the investigations appeal court. The decision itself of issuing a request may not be challenged but its validity (eg if it was not issued by a duly empowered police officer) may be.
For requests issued by an investigation judge, the decision to issue a request may be submitted to appeal by the investigations appeals court.
Requests by the French customs authorities may be challenged before administrative courts.
Interceptions and data collection by intelligence agencies are authorised by the Prime Minister, after a non-binding opinion rendered by the CNCTR. An opinion of the CNCTR is not required, however, if the surveillance measure applies to communications outside French territory. The Prime Minister’s orders may be appealed before French administrative courts.
SHUT-DOWN OF NETWORK AND SERVICES
French Code of Post and Electronic Communications
Under Article L36-11 of the French Code of Post and Electronic Communications, the French Regulatory Authority for Postal and Electronic Communications (ARCEP) may, under its own powers or at the request of the Minister responsible for electronic communications, a professional organisation or an approved user association, sanction network operators or electronic communication service providers, for breaching legislative and regulatory provisions relating to their activities. Such sanctions may extend to ordering a full or partial suspension of the operator or service provider’s activities. ARCEP’s powers could therefore be used to shut down Vodafone’s network or certain of its services should Vodafone be found to be in breach of its legislative or regulatory obligations.
A suspension may range from 1 month to 3 years, depending on the seriousness of the breach. ARCEP may give the network operator or electronic communication service provider time to resolve the breach before ordering the suspension.
BLOCKING OF URLS & IP ADDRESSES
Law on Confidence in the Digital Economy of 21 June 2004 as Amended on 13 November 2004
The Law on Confidence in the Digital Economy of 21 June 2004 imposes upon network operators (such as Vodafone) the obligation to block without delay access to websites containing content featuring child sex abuse listed by the relevant governmental administrative authority.
Article 6 of the Law also obliges network operators to implement an easily accessible and visible scheme allowing users to report websites containing such content or websites promoting terrorism. They shall inform promptly the competent public authorities of any illegal activities, such as those mentioned above, as well as publicise the means they deploy to fight the said activities.
Law No. 2014-1353 of 13 November 2014 now allows French judicial police to order network operators to block access to content promoting terrorism, through DNS blocking. The police may also order that the content be delisted from search engines. Police already had this power for child pornography. The 13 November 2014 law extends the powers to content promoting terrorism.
Law No. 2015-1501 Extending State of Emergency
Article 4 of Law No. 2015-1501 adds Article 11 in Law No. 55-385, allowing the Ministry of Interior to block websites promoting terrorism.
Law No. 2010-476 on Online Gambling
The French online gaming agency (ARJEL) also has the power to seek a blocking order for illegal gambling websites pursuant to Article 61 of Law No. 2010-476 of 12 May 2010 (which is the French law relating to online gambling). In the event that ARJEL identifies an unauthorised gambling website, it will send a cease and desist letter to the online gambling operator. Should the online gambling operator fail to comply with the letter within eight days, the president of ARJEL may request the President of the Paris Tribunal of First Instance to issue a court order for network providers (such as Vodafone) to block access to the offending website.
POWER TO TAKE CONTROL OF VODAFONE’S NETWORK
The French government does not have legal authority to take control of Vodafone’s network.
Oversight of the Use of Powers (Censorship-related)
FRENCH CODE OF POST AND ELECTRONIC COMMUNICATIONS
ARCEP’s decisions may be subject to appeal before the highest French administrative court, the Conseil d’Etat.
THE LAW ON CONFIDENCE IN THE DIGITAL ECONOMY OF 21 JUNE 2004 AS REVISED BY THE LAW OF 13 NOVEMBER 2015
The blocking or delisting of content that promotes terrorism or that contains child pornography is ordered by a special unit of the judicial police, without court supervision. A person designated by the French data protection authority, the CNIL, is informed of each blocking measure and is able to make comments. The CNIL issued its first report on its oversight role on 15 April 2016.
Any person that wishes to challenge a blocking measure ordered by French police may challenge the order before a court. According to the CNIL’s report, so far no appeals have been lodged.
LAW NO. 2010-476 ON ONLINE GAMBLING
The government’s request for a court order requiring network providers to block access to an unauthorised gambling website is reviewed by the court presiding over the request; a court will only make the order if satisfied that it is lawful.
Encryption and Law Enforcement Assistance
1. Does the government have the legal authority to require a telecommunications operator to decrypt communications data where the encryption in question has been applied by that operator and the operator holds the key?
Yes. The wording of Article 230-1 of the Criminal Procedure Code (the CPP) has changed slightly (changes italicized here) though the essence is the same:
Where it appears that data seized or obtained during the course of an investigation has been altered, preventing access to or understanding of the information that it contains, the public prosecutor, the investigation court, the police officer authorised by the public prosecutor or the investigation judge, or the court hearing the case, may appoint any qualified legal or natural person to carry out the technical operations necessary to obtain a readable version of this information, and also, where a method of encryption has been used, the secret key for decrypting it, if this appears necessary.
If the penalty applicable to the offence investigated is of at least two years’ imprisonment and the needs of the investigation justify it, the public prosecutor or the examining judge or the relevant court may order the use of ‘means protected by official State secrecy’. Subject to restrictions associated with State secrecy, the results of the operations must be provided with technical instructions so that they can be understood and used, as well as a statement provided by the entity which carried out the technical operations certifying the veracity of the results.
Article L871-1 of the Code of National Security (the CNS) states that legal or natural persons providing encryption services have to give the decryption keys and decryption methods within 72 hours to competent officers, on the written and specific request of the Prime Minister or of his or her closest authorised member of staff.
2. Does the government have the legal authority to require a telecommunications operator to decrypt data carried across its networks (as part of a telecommunications service or otherwise) where the encryption has been applied by a third party?
Article 230-1 of the CPP and what follows as well as Article L871-1 of the CNS are broad enough in their scope to include the telecommunications operator (‘may appoint any qualified legal or natural person to carry out the technical operations necessary to obtain a readable version of this information’).
In addition, a person or entity who is aware of the details of an encryption method which may have been used to prepare, facilitate or commit a crime or a misdemeanour is under an obligation to communicate such information or to assist the authorities upon request according to Article 434-15-2 of the Criminal Code. Failure to do so can give rise to criminal sanctions which may include between three and five years of imprisonment and a criminal fine of between EUR 45,000 and 75,000. This could apply to the telecommunications operator in the present scenario.
3. Can a telecommunications operator lawfully offer end-to-end encryption on its communications services when it cannot break that encryption and therefore could not supply a law enforcement agency with access to cleartext metadata and the content of the communication on receipt of a lawful demand?
Yes, both on ‘business as usual’ communication services (where the communication routes over the network as a data packet) and ‘over the top’ communication services (where the delivery of a communication is made via Internet Protocol (IP) over the network) – as French law does not distinguish (Article L32 of the Postal and Electronic Communications Code). It is possible to offer end-to-end encryption on your communication services without breaching French legislation.
However, in order for a telecommunications operator to be compliant with French law, a number of preliminary formalities may be required, depending on the characteristics of the encryption technology. This would mainly include having to potentially file a declaration with the French Network and Information Security Agency (ANSSI). Indeed, given the heightened level of encryption allowed by end-to-end technology, French authorities (ANSSI for instance) have expressed concerns in relation to such technology, and we understand that they would require a declaration prior to the supply of any end-toend technology in France.
4. Please provide examples in this jurisdiction where legislation which predated the advent of commercial encryption (which Vodafone estimate to be circa 1990) has been applied to contemporary cases involving encryption.
Upon initial brief consideration, we are not aware of any specific examples. Given the specific legal provisions available under French law to tackle the sort of situations covered in the area of law enforcement assistance, it is arguably not necessary for the French courts to have to resort to old legislation.