Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Cybersecurity & Data Breaches, International/EU Privacy

France Enacts Law to Facilitate Real-Time Collection of Metadata

Ethernet connection

France’s December 18, 2013 law on military spending contains two provisions that facilitate the collection of data by the French military and intelligence services. The first provision relates to the collection of passenger name records (PNRs). Under the new law, airlines are required to send PNRs to authorities in accordance with a yet to be adopted government decree. The data may be held for up to five years and may not contain sensitive data (i.e., data relating to the passenger’s racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, or sexual orientation. The French data protection authority, the CNIL, was consulted in connection with these new PNR provisions).

The second and more controversial government data collection provision is article 20 of the December 18 law that permits French intelligence and security agencies to collect metadata from telecom operators and hosting providers, including in real time. The request must first be cleared by the Prime Minister’s office, by a person specially named by the Prime Minister after nomination by France’s independent wiretap commission, the CNCIS (Commission Nationale de Contrôle des Interceptions de Sécurité). Security officials can request real-time access to metadata for reasons linked to terrorism, national security, and defense of France’s economic and scientific potential. The requests are not reviewed by a court. However, the CNCIS is informed within 48 hours afterwards, and can then make recommendations to the Prime Minister, such as suggestions to discontinue data collection or to limit its scope. The CNCIS recommendations are not binding.

This second provision of the December 18 law attracted controversy, in part because France’s data protection authority, the CNIL, was not consulted. The CNIL published its concerns about the new law on December 20, indicating that the terms of the law seemed broad enough to cover content data, and not just traffic data. The CNIL said that the Chairman of the Senate’s Commission on Laws had indicated that the real-time collection of metadata would only concern location data (a point that does not appear clear from the wording of the law). The CNIL also said that it believed that the text would not result in massive, vacuum-cleaner type, collection because the collection mechanism would be controlled by the network operators. The CNIL said it will be “extremely vigilant” in connection with the government decrees that are necessary to implement the law.

While attracting controversy, the new provisions do not fundamentally change the powers of France’s intelligence agencies, who already have extensive power to collect metadata without court authorization. What changes under the December 18 law is the ability for intelligence agencies to collect the data in real time, directly from the network.